Re: PF for a VPS
Thanks for the answers! Yes, it's a single physical machine running Debian (OpenBSD is not an option for my friends, and I don't know anything about virtualization in OpenBSD, just that there isn't native support).

Answering Tomas:

1) This is the host (physical machine): http://www.hetzner.de/hosting/produkte_rootserver/ex40
2) I'm going to test it, but I wanted some advice about its performance and whether it will fit our needs, so that I won't lose any time setting it up.
3) As far as I know now, the most common types of traffic will be: HTTP/S, VPN, Owncloud and bittorrent sync, VoIP and XMPP.
4) We only have a single physical machine, and 3 of them (we are 5) have never used OpenBSD, and they are not exactly excited about using it.

2014-04-11 7:18 GMT+02:00 Tomas Bodzar tomas.bod...@gmail.com:

On Fri, Apr 11, 2014 at 1:35 AM, Sinosuke Noara capitan.shinc...@gmail.com wrote:

Hi guys, I've rented a virtual private server with some friends and we would like to deploy a firewall. I suggested packet filter and OpenBSD because I have it at home, but I really don't know about the performance of the OpenBSD packet filter in a virtual machine. The idea is to have some (6-9) different virtual machines running at the same time; 2 of them (apart from the firewall) will have a lot of incoming traffic and at least 1 will have a lot of outgoing network traffic, so my mates are thinking that PF in a virtual machine running OpenBSD is not going to have good performance, maybe because (as far as I know) PF can't work using more than one core. Do any of you have some experience with this? Could you give me some info about performance or some nice arguments to convince them? Thanks in advance! Excuse my English, but I don't practice it regularly.

1) You don't mention which VPS you are planning to use
2) PF can handle a lot of traffic just fine, but you must test in YOUR scenario
3) You don't mention the expected amount of traffic and the type of that traffic
4) Why exactly are your friends against it? Maybe they don't know OpenBSD well, maybe the VPS doesn't support OpenBSD, and so on
Re: FYA: http://heartbleed.com/
John Moser john.r.mo...@gmail.com wrote:

On Thu, Apr 10, 2014 at 4:18 PM, John Moser john.r.mo...@gmail.com wrote:

Also why has nobody corrected me on this yet? I've read El Reg's analysis, and they missed a critical detail that I didn't see until I read the code in context: IT ALLOCATES TOO SMALL OF A WRITE BUFFER, TOO. Okay, it would send out the payload on exploit. It would also kill a heap canary that glibc should catch on free().

Christ, maybe you're right. I'm looking at this again and I'm wrong: it DOES allocate a big enough payload. Obviously I am not a programmer. There actually is no memory allocator bug in this code; it uses the allocator entirely correctly.

I have never before seen such technical news in a normal newspaper: http://www.faz.net/aktuell/feuilleton/openssl-sicherheitsluecke-jetzt-muss-jeder-jedes-passwort-aendern-12889676.html

Rodrigo.
Re: sudo -u environment help
Would this be better asked on tech@?

On 2014-04-08 Tue 09:26 AM |, Craig R. Skinner wrote:

To clarify, there are no ~/. shell dot files. $PATH and umask are set in /etc/login.conf. $MAIL is the default set by login(1). /etc/profile sources /etc/ksh.kshrc, which just sets $PS1, window decor and some aliases, nothing major. This arrangement works fine when logging in directly, or via sudo su -l user. From my reading of sudo(8), I thought the same environment could be gained with something like sudo -H -i -u username. Am I missing sudo flags or settings in /etc/sudoers?

On 2014-04-04 Fri 11:30 AM |, Craig R. Skinner wrote:

Hi, when sudo'ing to another user, how can I obtain all of their environment settings as they receive them when logging in themselves? When I use sudo in this manner, settings such as $PATH, $MAIL and umask aren't being honoured:

$ echo $LOGNAME; echo $PATH; echo $MAIL; umask
craig
/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
/var/mail/craig
027

Here, $PATH, $MAIL and umask are unchanged:

$ sudo -H -i -u david
$ echo $LOGNAME; echo $PATH; echo $MAIL; umask
david
/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
/var/mail/craig
027

Compare the difference when logging in as that user:

$ login david
...
$ echo $LOGNAME; echo $PATH; echo $MAIL; umask
david
/usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin
/var/mail/david
022

/etc/login.conf:

default:\
	:passwordcheck=/usr/local/bin/pwqcheck -1:\
	:passwordtries=0:\
	:path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\
	:umask=022:\
	:datasize-cur=

staff:\
	:path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\
	:umask=027:\
	:datasize-cur=

$ egrep 'env_|Defaults' /etc/sudoers | grep -v ^#
Defaults env_keep +=DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE
Defaults env_keep +=MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE
Defaults env_keep +=PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR
Defaults env_keep +=RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL
Defaults env_keep +=WRKOBJDIR
Defaults always_set_home, ignore_dot, use_loginclass

login(1):

login enters information into the environment (see environ(7)) specifying the user's home directory (HOME), command interpreter (SHELL), search path (PATH), terminal type (TERM), and user name (both LOGNAME and USER).

ENVIRONMENT
login sets the following environment variables: HOME MAIL

sudo(8):

Command Environment
.. On BSD systems, if the use_loginclass option is enabled, the environment is initialized based on the path and setenv settings in /etc/login.conf. The new environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition to variables from the invoking process permitted by the env_check and env_keep options. This is effectively a whitelist for environment variables.

How can I become another user, without knowing their password, and gain their 'natural' environment? e.g. from wheel group to a users group member. 'su -l username' and 'login username' require their password. I thought 'sudo -H -i -u username' would do it. Any suggestions on what else I need to configure?
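An added example, not code from the thread or from OpenBSD: a small resolver that derives the PATH and umask login(1) builds from login.conf capability records for a given class, so the expected values can be compared against what `sudo -H -i -u user` actually yields. The records are a constructed copy of the two classes posted above (datasize-cur, whose value is cut off in the post, is left out), and the home directories are assumptions.

```c
/* Added example (not from the thread): resolve PATH and umask from
 * login.conf-style capability records the way login(1) does, so the
 * expected values can be compared with what sudo -i produces. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed copy of the two classes from the thread, with the
 * backslash-newline continuations already joined, which is how getcap(3)
 * sees a record: "name:cap=value:cap=value". Home dirs are assumed. */
static const char *login_conf[] = {
    "default:passwordcheck=/usr/local/bin/pwqcheck -1:passwordtries=0:"
    "path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:umask=022",
    "staff:path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin "
    "/usr/site/bin /usr/site/sbin ~/bin:umask=027",
    NULL
};

/* Copy the value of capability `cap` in class `cls` into out.
 * Returns 1 on success, 0 if the class or capability is absent
 * or the value does not fit. */
int lookup_cap(const char *cls, const char *cap, char *out, size_t outlen)
{
    size_t clen = strlen(cls), caplen = strlen(cap);

    for (int i = 0; login_conf[i] != NULL; i++) {
        const char *rec = login_conf[i];
        /* The record name is everything before the first ':'. */
        if (strncmp(rec, cls, clen) != 0 || rec[clen] != ':')
            continue;
        for (const char *f = rec + clen + 1; ; ) {
            const char *end = strchr(f, ':');
            size_t flen = end ? (size_t)(end - f) : strlen(f);
            if (flen > caplen && strncmp(f, cap, caplen) == 0 && f[caplen] == '=') {
                size_t vlen = flen - caplen - 1;
                if (vlen >= outlen)
                    return 0;
                memcpy(out, f + caplen + 1, vlen);
                out[vlen] = '\0';
                return 1;
            }
            if (end == NULL)
                return 0;       /* class found, capability not set */
            f = end + 1;
        }
    }
    return 0;                   /* no such class */
}

/* Turn the space-separated `path` capability into a colon-separated PATH,
 * expanding a leading "~" to the home directory, as login(1) does. */
int build_path(const char *cls, const char *home, char *out, size_t outlen)
{
    char val[512], *save = NULL;
    size_t used = 0;

    if (!lookup_cap(cls, "path", val, sizeof val))
        return 0;
    out[0] = '\0';
    for (char *tok = strtok_r(val, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
        const char *prefix = "";
        if (tok[0] == '~') {
            prefix = home;
            tok++;
        }
        int n = snprintf(out + used, outlen - used, "%s%s%s",
                         used ? ":" : "", prefix, tok);
        if (n < 0 || (size_t)n >= outlen - used)
            return 0;           /* would truncate */
        used += (size_t)n;
    }
    return used > 0;
}

/* Parse the octal umask capability; -1 if absent or malformed. */
long class_umask(const char *cls)
{
    char val[16], *endp;
    if (!lookup_cap(cls, "umask", val, sizeof val))
        return -1;
    long m = strtol(val, &endp, 8);
    return (*endp == '\0' && m >= 0 && m <= 0777) ? m : -1;
}

/* Does the class resolve to exactly the PATH login(1) showed in the thread? */
int path_equals(const char *cls, const char *home, const char *expect)
{
    char p[512];
    return build_path(cls, home, p, sizeof p) && strcmp(p, expect) == 0;
}

int main(void)
{
    char p[512];
    if (build_path("staff", "/home/craig", p, sizeof p))
        printf("craig (staff):   PATH=%s umask=%03lo\n", p, (unsigned long)class_umask("staff"));
    if (build_path("default", "/home/david", p, sizeof p))
        printf("david (default): PATH=%s umask=%03lo\n", p, (unsigned long)class_umask("default"));
    return 0;
}
```

Running it prints david's PATH ending in /home/david/bin with umask 022 and craig's ending in /home/craig/bin with umask 027, which is exactly what the `login david` session above shows and what the `sudo -H -i -u david` session does not; comparing the two outputs this way makes it easy to see which of path and umask the sudo session is actually taking from login.conf.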
Re: PF for a VPS
On 2014-04-11 Fri 09:10 AM |, Sinosuke Noara wrote: 1) This is the host (physical machine) http://www.hetzner.de/hosting/produkte_rootserver/ex40 Have you seen this: http://www.bsws.de/en/root-server/
Re: OpenBSD users web page updates
ping (http://thread.gmane.org/gmane.os.openbsd.misc/211666) On 2014-03-31 Mon 14:59 PM |, Brad Smith wrote: On 31/03/14 1:34 PM, Craig R. Skinner wrote: A few updates for the page: http://www.OpenBSD.org/users.html#isp * Fix broken Swebase link. * Add Devio.us * Add Grex * Add Polar Home It looks like Reverse.Net should be removed. Their website makes it pretty clear they don't run OpenBSD anymore. IMO the same thing should be done for any other entries where it is known or can be determined that a particular listed user isn't using OpenBSD anymore.
Re: OpenBSD Foundation 2014 Fundraising Campaign.
Hi all,

1) If I search for openbsdfoundation on Facebook, Twitter, Youtube, Instagram, Flickr, Slideshare, etc., I get ZERO results regarding the topic. It's 2014. The people are on social sites. More could be reached if these mentioned sites had marketing for the foundation too.

2) If I go to http://www.openbsdfoundation.org I just can't see any page on the website that has logos or HTML code (that can simply be CTRL+C'ed) which people could put on their blogs and webpages (openbsdfoundation logo/donate/etc., a little picture that is a URL to the foundation's website, the donations.html page), so that their visitors can see that there is a good project waiting for foundations.

Thanks!

On Thu, Apr 10, 2014 at 6:26 PM, Loganaden Velvindron logana...@gmail.com wrote:

On Thu, Apr 10, 2014 at 8:23 PM, Bob Beck b...@openbsdfoundation.org wrote:

The OpenBSD Foundation is happy to report that the $150,000 goal of the 2014 fundraising campaign has been reached. We wish to thank our contributors large and small. We will continue our fundraising efforts both in the current year and next year.

The success of this year's effort has allowed the Foundation to reverse the recent decline in the support we were able to offer the OpenBSD project. The Foundation has been able to assume responsibility for funding more aspects of the project infrastructure, such as the server electricity bill. The Foundation is now able to support efforts underway to rebuild a significant part of the project server infrastructure. This included a few things that were, literally, rotting. 2014's slate of hackathons has been solidified, ensuring these critical events will continue to provide a stream of improvements to the OpenBSD and related projects.

We would like to especially thank the contributors who have made commitments for continuing donations to the Foundation. Every recurring regular donation allows us to budget and plan more effectively.

The Foundation will continue to strive to improve its financial resources, and hopes to be able to provide further support to the projects in the future. Please continue to contribute!

Congratulations! $200k as target next year :-)

-- This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
Re: FYA: http://heartbleed.com/
On 08/04/14 21:40, Theo de Raadt wrote:

On Tue, Apr 08, 2014 at 15:09, Mike Small wrote:

nobody openbsd.as.a.desk...@gmail.com writes:

read overrun, so ASLR won't save you

What if malloc's G option were turned on? You know, assuming the subset of the world's programs you use is good enough to run with that.

No. OpenSSL has exploit mitigation countermeasures to make sure it's exploitable.

What Ted is saying may sound like a joke... So years ago we added exploit mitigation countermeasures to libc malloc and mmap, so that a variety of bugs can be exposed. Such memory accesses will cause an immediate crash, or even a core dump, then the bug can be analysed, and fixed forever. Some other debugging toolkits get them too. To a large extent these come with almost no performance cost. But around that time OpenSSL added a wrapper around malloc and free so that the library will cache memory on its own, and not free it to the protective malloc. You can find the comment in their sources ...

#ifndef OPENSSL_NO_BUF_FREELISTS
/* On some platforms, malloc() performance is bad enough that you can't just

OH, because SOME platforms have slow performance, it means even if you build protective technology into malloc() and free(), it will be ineffective. On ALL PLATFORMS, because that option is the default, and Ted's tests show you can't turn it off because they haven't tested without it in ages. So then a bug shows up which leaks the content of memory mishandled by that layer. If the memory had been properly returned via free, it would likely have been handed to munmap, and triggered a daemon crash instead of leaking your keys. OpenSSL is not developed by a responsible team.

Just for completion of this interesting debate about the malloc wrapper issue that has been raised here, I have forwarded it to the OpenSSL developers: http://thread.gmane.org/gmane.comp.encryption.openssl.devel/24208 I guessed that you might be interested in knowing that. Regards!
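The mechanism Theo describes, as an added example that is neither OpenSSL's nor OpenBSD's code: a toy chunk allocator that either keeps a freed chunk's contents and hands the chunk out again (what the OpenSSL BUF_FREELISTS wrapper does) or scrubs the chunk on free (what a protective malloc does for small allocations; OpenBSD's malloc fills freed chunks with 0xdf, and for large allocations it unmaps the pages so an over-read crashes instead, which this demo does not model). A Heartbleed-style handler then copies a claimed length from a request without checking it, and a second handler shows the length check that stops the over-read. The arena, chunk size, request and secret are constructed inputs.

```c
/* Added example, not OpenSSL's or OpenBSD's code: why a caching freelist
 * defeats a protective malloc. Arena, chunk size and secret are constructed. */
#include <stdio.h>
#include <string.h>

#define CHUNK  32
#define NCHUNK 4
#define JUNK   0xdf                     /* OpenBSD malloc's free-junk byte */
#define SECRET "PRIVATE-KEY-MATERIAL"

/* All chunks live in one array so the over-read below stays inside a
 * single C object and the program remains well-defined. */
static unsigned char arena[CHUNK * NCHUNK];
static int in_use[NCHUNK];
static int junk_on_free;                /* 0: cache contents, 1: scrub on free */

static void *demo_alloc(void)
{
    for (int i = 0; i < NCHUNK; i++)
        if (!in_use[i]) {
            in_use[i] = 1;
            return &arena[i * CHUNK];   /* old contents left in place */
        }
    return NULL;
}

static void demo_free(void *p)
{
    int i = (int)(((unsigned char *)p - arena) / CHUNK);
    in_use[i] = 0;
    if (junk_on_free)
        memset(p, JUNK, CHUNK);         /* protective malloc: scrub the chunk */
}

/* The bug: copy `claimed` bytes from the request without checking it
 * against the payload actually received. (Clamped to the arena end only
 * so the demo never reads outside the array; the real code had no clamp.) */
static size_t heartbeat_reply(const unsigned char *payload, size_t claimed,
                              unsigned char *out, size_t outlen)
{
    size_t avail = (size_t)(arena + sizeof arena - payload);
    if (claimed > avail)  claimed = avail;
    if (claimed > outlen) claimed = outlen;
    memcpy(out, payload, claimed);
    return claimed;
}

/* The fix: refuse a claimed length longer than the data received. */
static size_t heartbeat_reply_fixed(const unsigned char *payload, size_t claimed,
                                    size_t received, unsigned char *out, size_t outlen)
{
    if (claimed > received || claimed > outlen)
        return 0;                       /* drop the request */
    memcpy(out, payload, claimed);
    return claimed;
}

/* Scenario: key material sat in the chunk right after the request buffer
 * and was freed; the heartbeat then claims 64 bytes of a 2-byte payload.
 * Returns 1 if the reply carries the secret, 0 otherwise. */
int leaks_secret(int junk)
{
    unsigned char reply[2 * CHUNK];
    junk_on_free = junk;
    memset(arena, 0, sizeof arena);
    memset(in_use, 0, sizeof in_use);

    unsigned char *req = demo_alloc();  /* chunk 0: heartbeat request */
    char *key = demo_alloc();           /* chunk 1: key material */
    memcpy(req, "hb", 2);
    strcpy(key, SECRET);
    demo_free(key);                     /* done with the key */

    size_t n = heartbeat_reply(req, 2 * CHUNK, reply, sizeof reply);
    return n == 2 * CHUNK && memcmp(reply + CHUNK, SECRET, strlen(SECRET)) == 0;
}

/* With the length check in place the over-read never happens. */
int fixed_reply_rejects_overread(void)
{
    unsigned char reply[2 * CHUNK];
    memset(in_use, 0, sizeof in_use);
    unsigned char *req = demo_alloc();
    memcpy(req, "hb", 2);
    return heartbeat_reply_fixed(req, 2 * CHUNK, 2, reply, sizeof reply) == 0
        && heartbeat_reply_fixed(req, 2, 2, reply, sizeof reply) == 2;
}

int main(void)
{
    printf("cache freed memory: %s\n", leaks_secret(0) ? "SECRET LEAKED" : "clean");
    printf("junk on free:       %s\n", leaks_secret(1) ? "SECRET LEAKED" : "clean");
    printf("length check:       %s\n", fixed_reply_rejects_overread() ? "over-read refused" : "BROKEN");
    return 0;
}
```

The same over-read happens in both allocator modes; what differs is what it finds. With the caching freelist the freed chunk still holds the key, with scrubbing it holds 0xdf bytes, and with a real protective malloc a larger freed buffer would have been unmapped and the read would have killed the daemon rather than answered the attacker. The length check is the fix regardless, but the allocator policy decides how loudly the bug fails before the fix lands.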
Re: feature patch - replace /etc/crontab by /etc/cron.d/
On 2014-04-09 00:48, czark...@gmail.com wrote:

Remy said: here is a simple patch to replace /etc/crontab by /etc/cron.d/.

FWIW why?

I find it far easier to have multiple crontab files in /etc/cron.d/ than keeping a single crontab. At work, we are heavily using crontabs, and when we update our own apps on the servers, I need to check the changes needed for the app in the crontab. With a /etc/cron.d/my_app_1 file, I would just replace it with the new one, or I can even let the developers update their cron file, but I won't let them mess with the global crontab (root or user). Of course, I can manage the crontab by hand because I don't modify it very often, but I find cron.d easier.
OpenSMTPD exits with value 1 when clients attempt to authenticate
Hi people,

I'm running OpenSMTPD 5.4.3 from -current on my private mail server. After a recent update, using authentication for sending mail causes smtpd to exit with exit value 1. A (stripped down) configuration that exhibits the issue is the following:

pki server certificate "/etc/mail/certs/server.crt"
pki server key "/etc/mail/certs/server.key"
listen on egress port submission tls-require pki server auth tag AUTH
accept tagged AUTH from local for any relay

When running smtpd with that configuration and attempting to send an email, this is the output I get from smtpd -dv:

[... Usual smtpd startup for OpenSMTPD 5.4.3 ...]
debug: smtp: new client on listener: 0x768b632a000
smtp-in: New session 5d471824a3b1c9d2 from host eduroam-75-222.uni-paderborn.de [131.234.75.222]
debug: lka: looking up pki server
debug: session_start_ssl: switching to SSL
smtp-in: Started TLS on session 5d471824a3b1c9d2: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
smtpd: session_imsg: unexpected IMSG_LKA_AUTHENTICATE imsg
warn: lka -> pony: pipe closed
warn: parent -> pony: pipe closed
warn: mfa -> pony: pipe closed
warn: queue -> pony: pipe closed
warn: control -> pony: pipe closed
warn: scheduler -> control: pipe closed
[... After this, smtpd has exited with status 1 ...]

The client (mail/msmtp from ports) prints the following:

msmtp: cannot read from TLS connection: a protocol violating EOF occured

The debug output from msmtp is the following:

loaded system configuration file /etc/msmtprc
loaded user configuration file /home/gbe/.msmtprc
using account unobtanium from /home/gbe/.msmtprc
host = unobtanium.de
port = 587
timeout = off
protocol = smtp
domain = localhost
auth = choose
user = gbe
password = *
passwordeval = (not set)
ntlmdomain = (not set)
tls = on
tls_starttls = on
tls_trust_file = (not set)
tls_crl_file = (not set)
tls_fingerprint = EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
tls_key_file = (not set)
tls_cert_file = (not set)
tls_certcheck = on
tls_force_sslv3 = off
tls_min_dh_prime_bits = (not set)
tls_priorities = (not set)
auto_from = off
maildomain = (not set)
from = g...@unobtanium.de
dsn_notify = (not set)
dsn_return = (not set)
keepbcc = off
logfile = /home/gbe/log/msmtp/log
syslog = (not set)
aliases = (not set)
reading recipients from the command line
<-- 220 neon.unobtanium.de ESMTP OpenSMTPD
--> EHLO localhost
<-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
<-- 250-8BITMIME
<-- 250-ENHANCEDSTATUSCODES
<-- 250-SIZE 36700160
<-- 250-DSN
<-- 250-STARTTLS
<-- 250 HELP
--> STARTTLS
<-- 220 2.0.0: Ready to start TLS
TLS certificate information:
    Owner:
        Common Name: gbe.ring0.de
    Issuer:
        Common Name: CAcert Class 3 Root
        Organization: CAcert Inc.
        Organizational unit: http://www.CAcert.org
    Validity:
        Activation time: Sun Jul 7 18:28:15 2013
        Expiration time: Tue Jul 7 18:28:15 2015
    Fingerprints:
        SHA1: EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
        MD5: 69:40:AD:DD:02:63:41:C1:67:55:34:3E:63:95:06:6A
--> EHLO localhost
<-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
<-- 250-8BITMIME
<-- 250-ENHANCEDSTATUSCODES
<-- 250-SIZE 36700160
<-- 250-DSN
<-- 250-AUTH PLAIN LOGIN
<-- 250 HELP
--> AUTH PLAIN AGdiZQA0bjRyY2hZXw==

Yes, the certificate is weird (the common name does not match the host name), but that should not cause the smtp daemon to exit. The setup worked before my last update, but I can't pinpoint the previous version of OpenSMTPD because the maillog rotated away before I noticed the issue.

What am I doing wrong here? And how can I debug this further?

-- Gregor Best
Re: PF for a VPS
On 11-04-2014 04:10, Sinosuke Noara wrote:

Thanks for the answers! Yes, it's a single physical machine running Debian (OpenBSD is not an option for my friends, and I don't know anything about virtualization in OpenBSD, just that there isn't native support).

Answering Tomas:

1) This is the host (physical machine): http://www.hetzner.de/hosting/produkte_rootserver/ex40
2) I'm going to test it, but I wanted some advice about its performance and whether it will fit our needs, so that I won't lose any time setting it up.
3) As far as I know now, the most common types of traffic will be: HTTP/S, VPN, Owncloud and bittorrent sync, VoIP and XMPP.
4) We only have a single physical machine, and 3 of them (we are 5) have never used OpenBSD, and they are not exactly excited about using it.

2014-04-11 7:18 GMT+02:00 Tomas Bodzar tomas.bod...@gmail.com:

On Fri, Apr 11, 2014 at 1:35 AM, Sinosuke Noara capitan.shinc...@gmail.com wrote:

Hi guys, I've rented a virtual private server with some friends and we would like to deploy a firewall. I suggested packet filter and OpenBSD because I have it at home, but I really don't know about the performance of the OpenBSD packet filter in a virtual machine. The idea is to have some (6-9) different virtual machines running at the same time; 2 of them (apart from the firewall) will have a lot of incoming traffic and at least 1 will have a lot of outgoing network traffic, so my mates are thinking that PF in a virtual machine running OpenBSD is not going to have good performance, maybe because (as far as I know) PF can't work using more than one core. Do any of you have some experience with this? Could you give me some info about performance or some nice arguments to convince them? Thanks in advance! Excuse my English, but I don't practice it regularly.

1) You don't mention which VPS you are planning to use
2) PF can handle a lot of traffic just fine, but you must test in YOUR scenario
3) You don't mention the expected amount of traffic and the type of that traffic
4) Why exactly are your friends against it? Maybe they don't know OpenBSD well, maybe the VPS doesn't support OpenBSD, and so on

I have one virtualized PF firewall in my home and one in my company. In both of them the bare metal is Ubuntu and I'm using KVM for virtualization. I found that using the virtio interfaces in OpenBSD has a great performance benefit. I doubt that your traffic will make your firewall fail, if you use PF. Your friends are probably against it because they don't know it.

Cheers,

-- Giancarlo Razzolini GPG: 4096R/77B981BC
Hardware donation possible - FB-DIMMs and Ultra320 SCSI drive
Hi, I have some leftover hardware available for donation if anyone is interested: - Kingston KVR 2x4G modules (kit) KVR667D2D4F5K2/8G / 4G 2RX4 PC2-5300F-555-11-E0 - new - Micron 4x512M modules, DDR, 400 CL3, ECC, REG / MT9VDDF6472Y-40BF1 / PC3200R-30331-G0 - used - ULTRA320 SCSI ST373307LW HDD 3,5 - used to be spare, not sure if ever used Would any developer like to have these or should I trash it? Thank you, jvl -- Be the change you want to see in the world.
Re: OpenSMTPD exits with value 1 when clients attempt to authenticate
On Fri, Apr 11, 2014 at 12:44:47PM +0200, Gregor Best wrote:

Hi people,

Hi,

I'm running OpenSMTPD 5.4.3 from -current on my private mail server. After a recent update, using authentication for sending mail causes smtpd to exit with exit value 1. A (stripped down) configuration that exhibits the issue is the following:

[...]

smtpd: session_imsg: unexpected IMSG_LKA_AUTHENTICATE imsg

[...]

Hi,

This is fallout from the merging of multiple processes. It was fixed in cvs two days ago. Rebuild smtpd from src and you'll be fine.

Eric.
Re: feature patch - replace /etc/crontab by /etc/cron.d/
On Fri, Apr 11, 2014 at 12:05 PM, Sélène sel...@bsd.zplay.eu wrote:

On 2014-04-09 00:48, czark...@gmail.com wrote:

Remy said: here is a simple patch to replace /etc/crontab by /etc/cron.d/.

FWIW why?

I find it far easier to have multiple crontab files in /etc/cron.d/ than keeping a single crontab. At work, we are heavily using crontabs, and when we update our own apps on the servers, I need to check the changes needed for the app in the crontab. With a /etc/cron.d/my_app_1 file, I would just replace it with the new one, or I can even let the developers update their cron file, but I won't let them mess with the global crontab (root or user). Of course, I can manage the crontab by hand because I don't modify it very often, but I find cron.d easier.

And why not use CFEngine, Puppet and similar for that?
Re: OpenSMTPD exits with value 1 when clients attempt to authenticate
Gregor Best wrote:

Hi people,

I'm running OpenSMTPD 5.4.3 from -current on my private mail server. After a recent update, using authentication for sending mail causes smtpd to exit with exit value 1. A (stripped down) configuration that exhibits the issue is the following:

pki server certificate "/etc/mail/certs/server.crt"
pki server key "/etc/mail/certs/server.key"
listen on egress port submission tls-require pki server auth tag AUTH
accept tagged AUTH from local for any relay

When running smtpd with that configuration and attempting to send an email, this is the output I get from smtpd -dv:

[... Usual smtpd startup for OpenSMTPD 5.4.3 ...]
debug: smtp: new client on listener: 0x768b632a000
smtp-in: New session 5d471824a3b1c9d2 from host eduroam-75-222.uni-paderborn.de [131.234.75.222]
debug: lka: looking up pki server
debug: session_start_ssl: switching to SSL
smtp-in: Started TLS on session 5d471824a3b1c9d2: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
smtpd: session_imsg: unexpected IMSG_LKA_AUTHENTICATE imsg
warn: lka -> pony: pipe closed
warn: parent -> pony: pipe closed
warn: mfa -> pony: pipe closed
warn: queue -> pony: pipe closed
warn: control -> pony: pipe closed
warn: scheduler -> control: pipe closed
[... After this, smtpd has exited with status 1 ...]

The client (mail/msmtp from ports) prints the following:

msmtp: cannot read from TLS connection: a protocol violating EOF occured

The debug output from msmtp is the following:

loaded system configuration file /etc/msmtprc
loaded user configuration file /home/gbe/.msmtprc
using account unobtanium from /home/gbe/.msmtprc
host = unobtanium.de
port = 587
timeout = off
protocol = smtp
domain = localhost
auth = choose
user = gbe
password = *
passwordeval = (not set)
ntlmdomain = (not set)
tls = on
tls_starttls = on
tls_trust_file = (not set)
tls_crl_file = (not set)
tls_fingerprint = EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
tls_key_file = (not set)
tls_cert_file = (not set)
tls_certcheck = on
tls_force_sslv3 = off
tls_min_dh_prime_bits = (not set)
tls_priorities = (not set)
auto_from = off
maildomain = (not set)
from = g...@unobtanium.de
dsn_notify = (not set)
dsn_return = (not set)
keepbcc = off
logfile = /home/gbe/log/msmtp/log
syslog = (not set)
aliases = (not set)
reading recipients from the command line
<-- 220 neon.unobtanium.de ESMTP OpenSMTPD
--> EHLO localhost
<-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
<-- 250-8BITMIME
<-- 250-ENHANCEDSTATUSCODES
<-- 250-SIZE 36700160
<-- 250-DSN
<-- 250-STARTTLS
<-- 250 HELP
--> STARTTLS
<-- 220 2.0.0: Ready to start TLS
TLS certificate information:
    Owner:
        Common Name: gbe.ring0.de
    Issuer:
        Common Name: CAcert Class 3 Root
        Organization: CAcert Inc.
        Organizational unit: http://www.CAcert.org
    Validity:
        Activation time: Sun Jul 7 18:28:15 2013
        Expiration time: Tue Jul 7 18:28:15 2015
    Fingerprints:
        SHA1: EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
        MD5: 69:40:AD:DD:02:63:41:C1:67:55:34:3E:63:95:06:6A
--> EHLO localhost
<-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
<-- 250-8BITMIME
<-- 250-ENHANCEDSTATUSCODES
<-- 250-SIZE 36700160
<-- 250-DSN
<-- 250-AUTH PLAIN LOGIN
<-- 250 HELP
--> AUTH PLAIN AGdiZQA0bjRyY2hZXw==

Yes, the certificate is weird (the common name does not match the host name), but that should not cause the smtp daemon to exit. The setup worked before my last update, but I can't pinpoint the previous version of OpenSMTPD because the maillog rotated away before I noticed the issue.

What am I doing wrong here? And how can I debug this further?

Is this commit the culprit: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/cert.pem?rev=1.24
two node openbsd 5.4 cluster crashed ca 5 min after deleting carp and vlan interfaces
Hi!

I have run a two node active-passive cluster with OpenBSD successfully over several years; there have been problems too, but at least now I know how to escape them. Now I ran into a major issue and I would like to ask for help. Maybe it's a software bug or I just manage my system inappropriately; I welcome a suggestion what to do differently.

Hardware is

# sysctl hw
..
hw.machine=amd64
hw.model=Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
hw.cpuspeed=2267
hw.vendor=IBM
hw.product=49Y6498
hw.version=00
hw.serialno=KD8300D
hw.uuid=ad7604f6-7846-3f90-8cc8-776d95280e29
hw.physmem=12857503744
hw.usermem=12857462784

and the operating system is OpenBSD 5.4 (patched until 005_sha512.patch); dmesg is below. It has about 20 vlan interfaces over four physical interfaces, and 19 carp interfaces, two vethers, three rdomains (most traffic running in the default domain). Mostly IPv4 but very little IPv6 also. Besides the, so to say, usual processes there are bgpd (at the time the problem occurred it ran only on the active node, IPv4 and IPv6), isakmpd (only on active), spamd (only on active), dhcpd (only on active), ftp-proxy, and from packages symon and zabbix_agentd. Usually the system has 30k states and traffic of a couple of Mbit/s flowing through it. The number of pf rules is 555. Multicore 64 bit kernel.

Being in the middle of transferring one internal vlan over to the other firewall system (fortigate) I did the following:

0. killed the dhcpd daemon that was using vlan901
1. on the passive: ifconfig carp201 destroy
2. on the active: ifconfig carp201 destroy
3. on the passive: ifconfig vlan901 destroy
4. on the active: ifconfig vlan901 destroy

(For afterwards I had left checking which rules to delete with pfctl -nf /etc/pf.conf and then deleting and rechecking until all was right; I didn't get to that part.)

All good, four interfaces gone, firewalls humming, but in five minutes or so I lost connection to both firewalls and at the console they said:

1. on active

panic: Data modified on freelist: word 12 of object 0x80efe780 size 0x28 previous type xform_data (0xdeafbeac != deafbeac)
Stopped at Debugger+0x5: leave
RUN AT LEAST 'trace' ...
ddb{2}

2. on passive

panic: Data modified on freelist: word 12 of object 0x80b5c940 size 0x38 previous type vnodes (0xdeafbeac != deafbeac)
Stopped at Debugger+0x5: leave
RUN AT LEAST 'trace' ...
ddb{0}

They are java remote consoles and they usually get keyboard input, but unfortunately it wasn't possible to ask for trace, ps etc. The resolution was to power down the passive and recycle power and check filesystems on the active, and it works again; I was lucky it didn't happen at noon but in the evening.

I would like to ask if it is a known problem that while configuring carp and vlan, when certain conditions are met, the system may get unstable? And in general, what is the suggested procedure for removing carp and vlan interfaces? Actually I have done it like this (and added interfaces too) without problems many times before (at least in earlier OpenBSD versions). Unfortunately I don't have other logs at hand (/var/log/messages etc). But from other sources I see there was no sudden massive network activity etc.

Best regards,
Imre

OpenBSD 5.4 (GENERIC.MP) #0: Wed Mar 12 17:16:34 EET 2014
root@xxx:/usr/src/sys/arch/amd64/compile/GENERIC.MP
RTC BIOS diagnostic error 80<clock_battery>
real mem = 12857503744 (12261MB)
avail mem = 12507508736 (11928MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0x7f6bd000 (74 entries)
bios0: vendor IBM Corp.
version -[D6E126AUS-1.02]- date 06/26/2009 bios0: IBM 49Y6498 acpi0 at bios0: rev 2 acpi0: sleep states S0 S1 S5 acpi0: tables DSDT FACP TCPA APIC MCFG SLIC HPET SSDT ERST DMAR acpi0: wakeup devices UHC1(S4) UHC2(S4) UHC3(S4) UHC4(S4) UHC5(S4) EHC1(S4) EHC2(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Xeon(R) CPU E5520 @ 2.27GHz, 2267.02 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 cpu0: apic clock running at 133MHz cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Xeon(R) CPU E5520 @ 2.27GHz, 2266.75 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC cpu1: 256KB 64b/line 8-way L2 cache cpu1: smt 0, core 1, package 0 cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Xeon(R) CPU E5520 @ 2.27GHz, 2266.75 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC
Re: OpenSMTPD exits with value 1 when clients attempt to authenticate
Hi Remco,

On Fri, Apr 11, 2014 at 01:18:54PM +0200, Remco wrote:

[...]

Is this commit the culprit: http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/cert.pem?rev=1.24

[...]

I think that is quite unlikely. I still have the old version of /etc/ssl/cert.pem because I didn't see the point of removing certificate authorities I use myself. Also, I don't think a missing certificate authority for the server's own certificate would cause the smtp daemon to exit, especially since it doesn't print out any message regarding certificate validity.

-- Gregor Best
Re: feature patch - replace /etc/crontab by /etc/cron.d/
On 2014-04-11 14:21, Tomas Bodzar wrote:

On Fri, Apr 11, 2014 at 12:05 PM, Sélène sel...@bsd.zplay.eu wrote:

On 2014-04-09 00:48, czark...@gmail.com wrote:

Remy said: here is a simple patch to replace /etc/crontab by /etc/cron.d/.

FWIW why?

I find it far easier to have multiple crontab files in /etc/cron.d/ than keeping a single crontab. At work, we are heavily using crontabs, and when we update our own apps on the servers, I need to check the changes needed for the app in the crontab. With a /etc/cron.d/my_app_1 file, I would just replace it with the new one, or I can even let the developers update their cron file, but I won't let them mess with the global crontab (root or user). Of course, I can manage the crontab by hand because I don't modify it very often, but I find cron.d easier.

And why not use CFEngine, Puppet and similar for that?

I am using SaltStack now, it changed my admin life :)
Re: two node openbsd 5.4 cluster crashed ca 5 min after deleting carp and vlan interfaces
Hi again!

I forgot to mention that although carp is configured I do not use pfsync there (there is not even a pfsync0 interface). (There have been problems with pfsync, at least in the past and for me.)

Imre

On Fri, 2014-04-11 at 15:45 +0300, Imre Oolberg wrote:

Hi!

I have run a two node active-passive cluster with OpenBSD successfully over several years; there have been problems too, but at least now I know how to escape them. Now I ran into a major issue and I would like to ask for help. Maybe it's a software bug or I just manage my system inappropriately; I welcome a suggestion what to do differently.

Hardware is

# sysctl hw
..
hw.machine=amd64
hw.model=Intel(R) Xeon(R) CPU E5520 @ 2.27GHz
hw.cpuspeed=2267
hw.vendor=IBM
hw.product=49Y6498
hw.version=00
hw.serialno=KD8300D
hw.uuid=ad7604f6-7846-3f90-8cc8-776d95280e29
hw.physmem=12857503744
hw.usermem=12857462784

and the operating system is OpenBSD 5.4 (patched until 005_sha512.patch); dmesg is below. It has about 20 vlan interfaces over four physical interfaces, and 19 carp interfaces, two vethers, three rdomains (most traffic running in the default domain). Mostly IPv4 but very little IPv6 also. Besides the, so to say, usual processes there are bgpd (at the time the problem occurred it ran only on the active node, IPv4 and IPv6), isakmpd (only on active), spamd (only on active), dhcpd (only on active), ftp-proxy, and from packages symon and zabbix_agentd. Usually the system has 30k states and traffic of a couple of Mbit/s flowing through it. The number of pf rules is 555. Multicore 64 bit kernel.

Being in the middle of transferring one internal vlan over to the other firewall system (fortigate) I did the following:

0. killed the dhcpd daemon that was using vlan901
1. on the passive: ifconfig carp201 destroy
2. on the active: ifconfig carp201 destroy
3. on the passive: ifconfig vlan901 destroy
4. on the active: ifconfig vlan901 destroy

(For afterwards I had left checking which rules to delete with pfctl -nf /etc/pf.conf and then deleting and rechecking until all was right; I didn't get to that part.)

All good, four interfaces gone, firewalls humming, but in five minutes or so I lost connection to both firewalls and at the console they said:

1. on active

panic: Data modified on freelist: word 12 of object 0x80efe780 size 0x28 previous type xform_data (0xdeafbeac != deafbeac)
Stopped at Debugger+0x5: leave
RUN AT LEAST 'trace' ...
ddb{2}

2. on passive

panic: Data modified on freelist: word 12 of object 0x80b5c940 size 0x38 previous type vnodes (0xdeafbeac != deafbeac)
Stopped at Debugger+0x5: leave
RUN AT LEAST 'trace' ...
ddb{0}

They are java remote consoles and they usually get keyboard input, but unfortunately it wasn't possible to ask for trace, ps etc. The resolution was to power down the passive and recycle power and check filesystems on the active, and it works again; I was lucky it didn't happen at noon but in the evening.

I would like to ask if it is a known problem that while configuring carp and vlan, when certain conditions are met, the system may get unstable? And in general, what is the suggested procedure for removing carp and vlan interfaces? Actually I have done it like this (and added interfaces too) without problems many times before (at least in earlier OpenBSD versions). Unfortunately I don't have other logs at hand (/var/log/messages etc). But from other sources I see there was no sudden massive network activity etc.

Best regards,
Imre

OpenBSD 5.4 (GENERIC.MP) #0: Wed Mar 12 17:16:34 EET 2014
root@xxx:/usr/src/sys/arch/amd64/compile/GENERIC.MP
RTC BIOS diagnostic error 80<clock_battery>
real mem = 12857503744 (12261MB)
avail mem = 12507508736 (11928MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0x7f6bd000 (74 entries)
bios0: vendor IBM Corp.
version -[D6E126AUS-1.02]- date 06/26/2009 bios0: IBM 49Y6498 acpi0 at bios0: rev 2 acpi0: sleep states S0 S1 S5 acpi0: tables DSDT FACP TCPA APIC MCFG SLIC HPET SSDT ERST DMAR acpi0: wakeup devices UHC1(S4) UHC2(S4) UHC3(S4) UHC4(S4) UHC5(S4) EHC1(S4) EHC2(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Xeon(R) CPU E5520 @ 2.27GHz, 2267.02 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC cpu0: 256KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 cpu0: apic clock running at 133MHz cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Xeon(R) CPU E5520 @ 2.27GHz, 2266.75 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,NXE,LONG,LAHF,PERF,ITSC cpu1: 256KB 64b/line
Re: OpenBSD Foundation 2014 Fundraising Campaign.
On Apr 11 11:46:12, openbsd.as.a.desk...@gmail.com wrote: Hi all, - 1) If I search for openbsdfoundation on: - Facebook - Twitter - Youtube - Instagram - Flickr - Slideshare - etc.. I get ZERO results regarding the topic. If I search for openbsdfoundation on Google, I get the right thing as the first hit. It is 2014. People are on social sites. More could be reached if the mentioned sites had marketing for the foundation too. Ah, so there are people willing to donate to OpenBSD, but they don't even know about it, as it is only to be found on Google, right? That's bullshit. But if you really think so, go ahead: set yourself up on all those sites and make OpenBSD visible. - 2) If I go to: http://www.openbsdfoundation.org I just can't see any page on the website that has logos, HTML code (that can simply be CTRL+C'ed), what people can put out on their blogs, You mean, such as www.openbsdfoundation.org? webpages (openbsdfoundation logo/donate/etc. - a little picture that is a URL to the foundation's website - donations.html page), so that their visitors can see that there is a good project waiting for foundations. Dear search engines (twitter etc), please spread this: a href=http://www.openbsdfoundation.org/donations.html;img src=kitten.gifa good project waiting for foundations/a (Now let's wait for the money pouring in.)
Re: feature patch - replace /etc/crontab by /etc/cron.d/
On Fri, Apr 11, 2014 at 12:05, Sélène wrote: On 2014-04-09 00:48, czark...@gmail.com wrote: Remy said: here is a simple patch to replace /etc/crontab by /etc/cron.d/. FWIW why? I find it far easier to have multiple crontab files in /etc/cron.d/ than keeping a single crontab. At work, we are heavily using crontabs, and when we update our own apps on the servers, I need to check the changes needed for the app in the crontab. With a /etc/cron.d/my_app_1 file, I would just replace it with the new one, or I could even let the developers update their cron file, but I won't let them mess with the global crontab (root or user). cat /etc/cron.d/* > /etc/crontab
Re: OpenBSD Foundation 2014 Fundraising Campaign.
On 11 April 2014 11:15, Jan Stary h...@stare.cz wrote: On Apr 11 11:46:12, openbsd.as.a.desk...@gmail.com wrote: Hi all, - 1) If I search for openbsdfoundation on: - Facebook - Twitter - Youtube - Instagram - Flickr - Slideshare - etc.. I get ZERO results regarding the topic. If I search for openbsdfoundation on Google, I get the right thing as the first hit. It is 2014. People are on social sites. More could be reached if the mentioned sites had marketing for the foundation too. Ah, so there are people willing to donate to OpenBSD, but they don't even know about it, as it is only to be found on Google, right? That's bullshit. But if you really think so, go ahead: set yourself up on all those sites and make OpenBSD visible. - 2) If I go to: http://www.openbsdfoundation.org I just can't see any page on the website that has logos, HTML code (that can simply be CTRL+C'ed), what people can put out on their blogs, You mean, such as www.openbsdfoundation.org? I must be dense. I fire up lynx(1) with 'www.openbsdfoundation.org' and once the page has loaded, I type CTRL+C. I get Exiting via interrupt: 2. Seems pretty simple already and does not appear to rely on adding any pages. Of course it also seems kinda pointless. Ken webpages (openbsdfoundation logo/donate/etc. - a little picture that is a URL to the foundation's website - donations.html page), so that their visitors can see that there is a good project waiting for foundations. Dear search engines (twitter etc), please spread this: a href=http://www.openbsdfoundation.org/donations.html;img src=kitten.gifa good project waiting for foundations/a (Now let's wait for the money pouring in.)
Re: OpenBSD Foundation 2014 Fundraising Campaign.
On 4/10/14, Bob Beck b...@openbsdfoundation.org wrote: The Foundation will continue to strive to improve its financial resources, and hopes to be able to provide further support to the projects in the future. Please continue to contribute! Where can I read your financial reports?
Re: OpenBSD Foundation 2014 Fundraising Campaign.
On the web site at www.openbsdfoundation.org. On Fri, Apr 11, 2014 at 10:15 AM, trifle menot trifleme...@gmail.com wrote: On 4/10/14, Bob Beck b...@openbsdfoundation.org wrote: The Foundation will continue to strive to improve its financial resources, and hopes to be able to provide further support to the projects in the future. Please continue to contribute! Where can I read your financial reports?
Re: OpenBSD Foundation 2014 Fundraising Campaign.
On Fri, Apr 11, 2014 at 8:15 AM, Jan Stary h...@stare.cz wrote: On Apr 11 11:46:12, openbsd.as.a.desk...@gmail.com wrote: Hi all, - 1) If I search for openbsdfoundation on: - Facebook - Twitter - Youtube - Instagram - Flickr - Slideshare - etc.. I get ZERO results regarding the topic. If I search for openbsdfoundation on Google, I get the right thing as the first hit. It is 2014. People are on social sites. More could be reached if the mentioned sites had marketing for the foundation too. Ah, so there are people willing to donate to OpenBSD, but they don't even know about it, as it is only to be found on Google, right? That's bullshit. But if you really think so, go ahead: set yourself up on all those sites and make OpenBSD visible. - 2) If I go to: http://www.openbsdfoundation.org I just can't see any page on the website that has logos, HTML code (that can simply be CTRL+C'ed), what people can put out on their blogs, You mean, such as www.openbsdfoundation.org? webpages (openbsdfoundation logo/donate/etc. - a little picture that is a URL to the foundation's website - donations.html page), so that their visitors can see that there is a good project waiting for foundations. Dear search engines (twitter etc), please spread this: a href=http://www.openbsdfoundation.org/donations.html;img src=kitten.gifa good project waiting for foundations/a (Now let's wait for the money pouring in.) When I searched 'openbsd foundation' on Facebook I was taken to an auto-generated 'fan' page. When I searched for 'openbsdfoundation' the zuckerberg skynet gave me web search results, the top 5 of which went to the foundation site. Who knows what it's worth, but I've been blasting the mailing list chatter all over reddit and Facebook. Only takes a few minutes. Various 'Occupy' groups seemed to appreciate it. Whether or not it turns into donations, beats me.
grammar error in ssl(8)
Near the end of ssl(8) there is the following phrase: which allowed users to enable full function without recompiling the applications. The word "function" here should instead be "functionality", I assume.
003_ftp.patch, cert ref count
Was looking at http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/003_ftp.patch.sig this last chunk... + if (ssl_verify) { + X509 *cert; + + cert = SSL_get_peer_certificate(ssl); + if (cert == NULL) { + fprintf(ttyout, %s: no server certificate\n, + getprogname()); + goto cleanup_url_get; + } + + if (ssl_check_hostname(cert, host) != 0) { + fprintf(ttyout, %s: host `%s' not present in + server certificate\n, + getprogname(), host); + goto cleanup_url_get; + } + + X509_free(cert); } If that second check fails and you goto cleanup_url_get you skip X509_free(cert). Wouldn't that screw up the reference count? Or does that not matter after SSL_Shutdown and SSL_Free are called?
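Review bot: in the `if (ssl_check_hostname(cert, host) != 0)` branch the `goto cleanup_url_get` jumps past the `X509_free(cert);` at the end of the block, so the reference that SSL_get_peer_certificate() hands to the caller is never released and the X509 object is leaked on that path; SSL_shutdown()/SSL_free() later only drop the SSL object's own reference, not this extra one. Suggest calling `X509_free(cert);` immediately before that goto (the `cert == NULL` branch needs no free).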
Re: acpitz3: critical temperature exceeded with HP nc6320 Laptop
On Fri, Apr 11, 2014 at 1:34 AM, Tomas Bodzar tomas.bod...@gmail.com wrote: Using -current is easy; just start with the latest snapshot from a mirror and use the snapshot path for packages in PKG_PATH as well. From that time on it is as easy as with a regular system. Plus you have binary upgrades to a new snapshot mostly every day (if you want to) - man sysmerge - checking the current.html page IF some manual intervention is needed - pkg_add -u . All of that takes like 15 minutes or so, depending on the speed of your network and how often you update between snapshots. Generally more stable than some so-called stable/lts/whatever distros, and you have the latest fixes. My gosh Tomas, you are so incredibly helpful, thank you. I now have an avenue to supply a laptop to a Dev :-) In parallel though, I'll still be taking this opportunity to learn -current and other shiny new (to me) things. For BIOS I meant if there's something related to ACPI in fixes from the vendor. Oh, right, sorry. I will check. Steve
Re: FYA: http://heartbleed.com/
| [NSA] knew for at least two years about ... the | Heartbleed bug, and regularly used it to gather | critical intelligence, two people familiar with | the matter said. I was waiting for someone to say this. | ... the NSA has more than 1,000 experts | devoted to ferreting out such flaws using | sophisticated analysis techniques, many of them | classified. The agency found Heartbleed shortly | after its introduction, according to one of the | people familiar with the matter, and it became a | basic part of the agency's toolkit for stealing | account passwords and other common tasks. found! OK, so it wasn't implanted in there... what a relief! | Currently, the NSA has a trove of thousands of | such vulnerabilities that can be used to breach | some of the world's most sensitive computers, | according to a person briefed on the matter. | Intelligence chiefs have said the country's | ability to spot terrorist threats and understand | the intent of hostile leaders would be vastly | diminished if their use were prohibited. source: http://www.businessweek.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers See? This was all for the good of freedom-loving people after all! I wonder when they'll leak the backdoor implan...I mean they found in OpenBSD. --patrick On 4/10/14, Carlos Alberto Lopez Perez clo...@igalia.com wrote: On 08/04/14 21:40, Theo de Raadt wrote: On Tue, Apr 08, 2014 at 15:09, Mike Small wrote: nobody openbsd.as.a.desk...@gmail.com writes: read overrun, so ASLR won't save you What if malloc's G option were turned on? You know, assuming the subset of the world's programs you use is good enough to run with that. No. OpenSSL has exploit mitigation countermeasures to make sure it's exploitable. What Ted is saying may sound like a joke... So years ago we added exploit mitigation countermeasures to libc malloc and mmap, so that a variety of bugs can be exposed.
Such memory accesses will cause an immediate crash, or even a core dump; then the bug can be analyzed, and fixed forever. Some other debugging toolkits get them too. To a large extent these come with almost no performance cost. But around that time OpenSSL added a wrapper around malloc and free so that the library will cache memory on its own, and not free it to the protective malloc. You can find the comment in their sources ... #ifndef OPENSSL_NO_BUF_FREELISTS /* On some platforms, malloc() performance is bad enough that you can't just OH, because SOME platforms have slow performance, it means even if you build protective technology into malloc() and free(), it will be ineffective. On ALL PLATFORMS, because that option is the default, and Ted's tests show you can't turn it off because they haven't tested without it in ages. So then a bug shows up which leaks the content of memory mishandled by that layer. If the memory had been properly returned via free, it would likely have been handed to munmap, and triggered a daemon crash instead of leaking your keys. OpenSSL is not developed by a responsible team. Just for completeness on this interesting debate about the malloc wrapper issue that has been raised here, I have forwarded it to the OpenSSL developers: http://thread.gmane.org/gmane.comp.encryption.openssl.devel/24208 I guessed that you might be interested in knowing that. Regards! [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
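An added illustration in C of the two allocator behaviours that come up in this digest; it is not OpenBSD kernel code, OpenSSL code, or anything the posters wrote. A toy fixed-size allocator poisons freed blocks with the 0xdeafbeac pattern that appears in Imre's panic messages above and verifies the poison when a block is reused, a simplified model of the kernel's "Data modified on freelist" check. A small caching freelist layered on top, in the style of the OpenSSL wrapper Theo describes, recycles blocks privately, so the protective allocator never sees the free and old contents stay readable. The block size, the word index written and the "secret" string are constructed values, and junk-on-free stands in for the munmap behaviour Theo mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy protective allocator (added example, not the OpenBSD kern_malloc code).
 * Fixed-size blocks from a static pool; a freed block is filled with POISON
 * and the poison is verified when the block is handed out again.
 */
#define POISON      0xdeafbeacU   /* pattern reported by the panics quoted above */
#define BLOCK_SIZE  64            /* constructed: 16 words of 4 bytes */
#define BLOCK_WORDS (BLOCK_SIZE / 4)
#define NBLOCKS     4

static unsigned char pool[NBLOCKS][BLOCK_SIZE];
static int           in_use[NBLOCKS];
static int           corrupted_word = -1;   /* first modified word seen at reuse, -1 if none */

static void poison_block(unsigned char *b) {
    uint32_t w = POISON;
    for (size_t off = 0; off < BLOCK_SIZE; off += sizeof w)
        memcpy(b + off, &w, sizeof w);
}

/* Reset: every block free and poisoned. */
static void prot_init(void) {
    corrupted_word = -1;
    for (int i = 0; i < NBLOCKS; i++) { in_use[i] = 0; poison_block(pool[i]); }
}

/* Hand out a free block after checking the poison survived on the free list.
 * A mismatch is the toy equivalent of "Data modified on freelist": record the
 * offending word and refuse the allocation instead of panicking. */
static void *prot_alloc(void) {
    for (int i = 0; i < NBLOCKS; i++) {
        if (in_use[i]) continue;
        for (int w = 0; w < BLOCK_WORDS; w++) {
            uint32_t v;
            memcpy(&v, pool[i] + 4 * w, sizeof v);
            if (v != POISON) { corrupted_word = w; return NULL; }
        }
        in_use[i] = 1;
        return pool[i];
    }
    return NULL;
}

/* Return a block: contents are overwritten with POISON right away, so nothing
 * of the old data can be read back through a stale pointer. */
static void prot_free(void *p) {
    for (int i = 0; i < NBLOCKS; i++)
        if (p == pool[i]) { in_use[i] = 0; poison_block(pool[i]); return; }
}

/* Caching wrapper in the style of a per-library freelist: freed blocks are
 * parked in a private list and handed back first, never reaching prot_free. */
static void *cache[NBLOCKS];
static int   ncached;

static void *cached_alloc(void) { return ncached ? cache[--ncached] : prot_alloc(); }
static void  cached_free(void *p) { cache[ncached++] = p; }

/* Scenario 1: a write through a dangling pointer after prot_free (the bug).
 * Returns the word index the allocator flags on the next allocation. */
static int detect_write_after_free(void) {
    prot_init();
    unsigned char *p = prot_alloc();
    prot_free(p);
    uint32_t junk = 0x41414141U;                /* constructed stray write */
    memcpy(p + 4 * 12, &junk, sizeof junk);     /* block is on the free list */
    (void)prot_alloc();                         /* poison check fires here */
    return corrupted_word;                      /* 12 */
}

/* Scenario 2: write a "secret", free the block, re-acquire it.  Returns 1 if
 * the old bytes are still readable, 0 if the protective free wiped them. */
static int old_contents_readable(int use_cache) {
    static const char secret[] = "constructed-secret";   /* stand-in for key material */
    prot_init();
    ncached = 0;
    unsigned char *p = use_cache ? cached_alloc() : prot_alloc();
    memcpy(p, secret, sizeof secret);
    if (use_cache) cached_free(p); else prot_free(p);
    unsigned char *q = use_cache ? cached_alloc() : prot_alloc();
    return q == p && memcmp(q, secret, sizeof secret) == 0;
}

int main(void) {
    printf("write-after-free flagged at word %d\n", detect_write_after_free());
    printf("old contents readable: protective free=%d, caching freelist=%d\n",
           old_contents_readable(0), old_contents_readable(1));
    return 0;
}
```

The two scenarios are the two halves of the discussion: the poison check catches a stray write to freed memory the moment the block is reused, which is what the panics in the carp/vlan thread report, while the caching layer hands the same block straight back with its previous contents intact, so neither the junking nor any check in the underlying allocator ever runs.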