Getting errors during security(8) maintenance

2015-03-26 Thread Denis Lapshin
Some time ago I started getting errors after the nightly Security run:

What can the problem be?

Running security(8):

Checking root sh paths, umask values:
/etc/profile /root/.profile
The root path includes .
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 356.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 356.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 369.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 369.
Use of uninitialized value $home in -d at /usr/libexec/security line 386.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.

Thank you.

Denis



Re: Dell R630 with PERC H730

2015-03-26 Thread Hrvoje Popovski
On 26.3.2015. 11:40, Or Elimelech wrote:
 Hello Misc
 
 I am trying to install OpenBSD 5.6 on the above machine.
 
 1. While using Lifecycle controller and deploy OS I get weird disk layout with
 MSDos partition which cannot be removed.
 2. While trying to init the raid myself through the raid controller and init
 the raid 1 I see none in the disks while trying to install
 
 Has anyone encountered this issue?
 
 Thanks
 
 


Hi,

wait for 5.7 or install current ...



Re: relayd crashes often

2015-03-26 Thread Felipe Scarel
On Thu, Mar 26, 2015 at 12:37 AM, Yonas Yanfa yo...@fizk.net wrote:
 On 15-03-24 03:26 AM, Claudio Jeker wrote:
 On Mon, Mar 23, 2015 at 11:54:41PM -0400, Yonas Yanfa wrote:
 Hi,

 I'm running relayd/OpenBSD 5.6-stable on a KVM virtual machine. relayd
 always crashes within a few hours of restarting it, but works properly
 before that.

 I guess you are talking about reloading relayd (as in relayctl reload)...


 Killing all relayd processes and then running relayd.


 When relayd stops working, sometimes the relayd process is up but
 `relayctl
 show summary` says that /var/run/relayd.sock doesn't exist. Other times
 none
 of the relayd processes are running.


 I hit similar issues and came up with the following diff against -current.
 It may apply to 5.6 but did not test that at all. I'm not 100% sure about
 the ca.c change since OpenSSL is a black box.


 Thanks for the patches.

 Before I try to apply the patches, I think the issue might be caused by
 having too many CLOSE_WAIT connections. I seem to have 2,236 CLOSE_WAIT
 connections:


 $ netstat -n|grep CLOSE_WAIT|wc -l
 2236

 And relayd seems to have 501 active connections:

 relay www, session 1806 (501 active), 0, xxx.xxx.xxx.xxx - :0, hard timeout


 How can I get relayd to close these connections?


 Cheers,
 Yonas


I can confirm this has also been observed on my end, using relayd as a
forward ssl-inspecting proxy on amd64 hardware. Runs without issue for
a few hours, next time I look all the (ca|hfe|pfe) processes are gone,
only relays and the parent process remains. Killing all of them and
restarting the daemon solves the problem.



Re: make build errors on me (perl does not install properly)

2015-03-26 Thread Gregory Edigarov
OK, so if somebody is interested: h2ph is expecting files on its 
command line, not something else. (That was an issue with a unix 
socket that sneaked into /usr/include, maybe as the result of a 
power loss issue I had.) The system builds OK now.


the proposed patch, to eliminate the possibility of such problems in the 
future:


Index: Makefile.bsd-wrapper
===
RCS file: /cvs/src/gnu/usr.bin/perl/Makefile.bsd-wrapper,v
retrieving revision 1.99
diff -u -p -u -r1.99 Makefile.bsd-wrapper
--- Makefile.bsd-wrapper26 Nov 2014 18:27:21 -  1.99
+++ Makefile.bsd-wrapper26 Mar 2015 10:59:24 -
@@ -107,7 +107,7 @@ install: install.lib install.perl manins
-mkdir -p 
${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_ARCH}-openbsd

(cd ${DESTDIR}/usr/include; ${H2PH} \
-d 
${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_ARCH}-openbsd \

-   `find . -name '*.h'`; \
+   `find . -type f -name '*.h'`; \
pax -rw `find . -type l \! -name '*.h' | sed 's/^..//'` \
${DESTDIR}/usr/libdata/perl5/site_perl/${MACHINE_ARCH}-openbsd)
-chmod -R a+rX ${DESTDIR}/usr/libdata/perl5
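
Review bot: the -type f test on the added find line also drops symlinks named *.h, and the pax line right after it only picks up symlinks that are not named *.h (-type l \! -name '*.h'), so a header that is a symlink in /usr/include would now be handled by neither command. If the goal is only to keep sockets and other special files away from h2ph, \( -type f -o -type l \) -name '*.h' keeps the earlier coverage for symlinked headers.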




On 03/18/2015 02:02 PM, Gregory Edigarov wrote:

On 03/18/2015 12:04 PM, Gregory Edigarov wrote:

On 03/17/2015 08:44 PM, patrick keshishian wrote:

On 3/17/15, Gregory Edigarov ediga...@qarea.com wrote:

On 03/16/2015 10:21 PM, Stuart Henderson wrote:

On 2015-03-16, Gregory Edigarov ediga...@qarea.com wrote:

Hello,

I know I am re-asking the same question again, but what are the 
possible

reasons of such behaviour?
Obviously the system builds ok, but perl doesn't install correctly.
I need my system to be correctly built from sources because i am 
going
to make some experimental changes. (I am starting from the most 
fresh

binary snapshot available).

# env make clean obj build
[skip many correct lines]

I don't know if it's implicated in this problem, but don't run the
multiple targets on one line like that, run them separately or do
make clean && make obj && make build.

Also check you don't have any bogus files in your checkout (cvs
up -Pd -I \! -I obj -I CVS) and it's a good idea to clean /usr/obj
if you're having problems.

Hi, Stuart.

I've tried your advice.
did
# cvs up -Pd -I \! -I obj -I CVS

Just a WAG, do you possible have a (or a few) file(s) with
a sticky Tag? If you are working off head of the CVS tree
use a -APd to clear out any possible Tags.

--patrick
hmmm, no. It was a clean checkout from a server. so I don't think 
that's a case.

well, I've tried cvs up -APd - still the same result.



# rm -rf  /usr/obj/*
# env make clean && env make obj && env make build

and it again errors on me:

./tls.h - ./tls.ph
./siphash.h - ./siphash.ph
*** Error 1 in gnu/usr.bin/perl (Makefile.bsd-wrapper:112 'install')
*** Error 1 in gnu/usr.bin (bsd.subdir.mk:48 'realinstall')
*** Error 1 in gnu (bsd.subdir.mk:48 'realinstall')
*** Error 1 in . (bsd.subdir.mk:48 'realinstall')
*** Error 1 in /usr/src (Makefile:82 'build')
# make clean && make obj && make build

what could be the reason?
--
With best regards,
Gregory Edigarov




Dell R630 with PERC H730

2015-03-26 Thread Or Elimelech
Hello Misc

I am trying to install OpenBSD 5.6 on the above machine.

1. While using Lifecycle controller and deploy OS I get weird disk layout with
MSDos partition which cannot be removed.
2. While trying to init the raid myself through the raid controller and init
the raid 1 I see none in the disks while trying to install

Has anyone encountered this issue?

Thanks




Re: Dell R630 with PERC H730

2015-03-26 Thread Or Elimelech
Will this solve the problem for sure?

Is it a known issue?

 On Mar 26, 2015, at 12:56 PM, Hrvoje Popovski hrv...@srce.hr wrote:
 
 On 26.3.2015. 11:40, Or Elimelech wrote:
 Hello Misc
 
 I am trying to install OpenBSD 5.6 on the above machine.
 
 1. While using Lifecycle controller and deploy OS I get weird disk layout 
 with
 MSDos partition which cannot be removed.
 2. While trying to init the raid myself through the raid controller and init
 the raid 1 I see none in the disks while trying to install
 
 Has anyone encountered this issue?
 
 Thanks
 
 
 
 
 Hi,
 
 wait for 5.7 or install current ...



Re: Getting errors during security(8) maintenance

2015-03-26 Thread Nick Holland
On 03/26/15 04:32, Denis Lapshin wrote:
 Some time ago start getting errors after nightly Secutiry running:
 
 What problem can be?
 
 Running security(8):
 
 Checking root sh paths, umask values:
 /etc/profile /root/.profile
 The root path includes .

This would not be a bad thing to fix.

 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 356.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 356.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 369.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 369.
 Use of uninitialized value $home in -d at /usr/libexec/security line 386.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 406.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 406.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 406.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 406.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 406.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 406.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 406.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 406.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 406.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 406.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 434.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 434.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 434.
 Use of uninitialized value $home in concatenation (.) or string at 
 /usr/libexec/security line 434.

Stunning lack of information, but sounds like you botched an upgrade
somewhere.

Nick.



Re: Dell R630 with PERC H730

2015-03-26 Thread Or Elimelech
Thanks mate, current works like a charm.


 On Mar 26, 2015, at 2:23 PM, Hrvoje Popovski hrv...@srce.hr wrote:
 
 On 26.3.2015. 12:40, Or Elimelech wrote:
 Is this for sure will solve the problem?
 
 Is it a known issue?
 
 well, dell r630 is really new hardware and there was few issues with
 h330 and h730 at the beginning of 2015
 
 you could try current just to see will you be able to install openbsd on
 it...



httpd cgi (5.6-stable)

2015-03-26 Thread Alexei Malinin
Hello.

I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on default 
/var/www but without success:

# cat /var/www/logs/httpd-access.log 
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:30:24 +0300] GET / HTTP/1.1 
200 376  Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) Gecko/20100101 
Firefox/22.0
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:30:24 +0300] GET 
/favicon.ico HTTP/1.1 404 0  Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) 
Gecko/20100101 Firefox/22.0
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:30:24 +0300] GET 
/favicon.ico HTTP/1.1 404 0  Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) 
Gecko/20100101 Firefox/22.0
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:30:27 +0300] GET 
/cgi-bin/bgplg HTTP/1.1 500 0  Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) 
Gecko/20100101 Firefox/22.0
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:31:22 +0300] GET / HTTP/1.1 
200 376  Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) Gecko/20100101 
Firefox/22.0
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:31:24 +0300] GET 
/cgi-bin/bgplg HTTP/1.1 500 0  Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) 
Gecko/20100101 Firefox/22.0
stats.example.com 192.0.2.101 - - [26/Mar/2015:15:31:26 +0300] GET 
/cgi-bin/bgplg HTTP/1.1 500 0  Mozilla/5.0 (X11; OpenBSD amd64; rv:22.0) 
Gecko/20100101 Firefox/22.0


Please tell me what I'm doing wrong?


My environment:

# cat /etc/httpd.conf
#
# Macros
#
listen_address=10.0.0.1

#
# Global Options
#
prefork 3
chroot /var/www

#
# Servers
#

# The HTTPS server
server stats.example.com {
log {   \
access httpd-access.log   \
error httpd-errors.log\
style combined  \
no syslog   \
}
listen on $listen_address port 80
location /cgi-bin/* {
fastcgi
root /
directory { \
no auto index   \
no index\
}
}
location /* {
root /htdocs/bgplg
directory { \
no auto index   \
index index.html\
}
}
}


# ps -axwwu | egrep ^USER|httpd | fgrep -v grep
USER   PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED   TIME COMMAND
www  27370  0.0  0.0  1012  1716 ??  I  3:29PM0:00.02 httpd: logger 
(httpd)
www  18968  0.0  0.0   884  1620 ??  I  3:29PM0:00.01 httpd: server 
(httpd)
root  6872  0.0  0.0  1116  1892 ??  Is 3:29PM0:00.03 httpd: parent 
(httpd)
www   8008  0.0  0.0   884  1632 ??  I  3:29PM0:00.02 httpd: server 
(httpd)
www  22607  0.0  0.0   984  1832 ??  I  3:29PM0:00.02 httpd: server 
(httpd)


# cd /var/www
# # ls -laR .
total 1
drwxr-xr-x   9 root  daemon  512 Mar 23 14:08 .
drwxr-xr-x  29 root  wheel   512 Mar 26 15:26 ..
drwxr-xr-x   2 root  daemon  512 Aug  8  2014 bin
drwx-T   2 www   daemon  512 Aug  8  2014 cache
drwxr-xr-x   2 root  daemon  512 Aug  8  2014 cgi-bin
drwxr-xr-x   2 root  daemon  512 Mar 13 18:21 conf
drwxr-xr-x   3 root  daemon  512 Jan 16 15:27 htdocs
drwxr-x---   2 root  www 512 Mar 13 16:29 logs
drwxr-xr-x   2 root  daemon  512 Aug  8  2014 run

./bin:
total 2
drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
--  1 root  bin 259280 Aug  8  2014 bgpctl
--  1 root  bin 210128 Aug  8  2014 ping
--  1 root  bin 238800 Aug  8  2014 ping6
--  1 root  bin 197840 Aug  8  2014 traceroute
--  1 root  bin 197840 Aug  8  2014 traceroute6

./cache:
total 1
drwx-T  2 www   daemon  512 Aug  8  2014 .
drwxr-xr-x  9 root  daemon  512 Mar 23 14:08 ..

./cgi-bin:
total 1
drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
--  1 root  bin 144592 Aug  8  2014 bgplg

./conf:
total 1
drwxr-xr-x  2 root  daemon  512 Mar 13 18:21 .
drwxr-xr-x  9 root  daemon  512 Mar 23 14:08 ..
-rw-r--r--  1 root  wheel88 Aug  8  2014 bgplg.css
-rw-r--r--  1 root  wheel13 Aug  8  2014 bgplg.foot
-rw-r--r--  1 root  wheel   194 Aug  8  2014 bgplg.head

./htdocs:
total 1
drwxr-xr-x  3 root  daemon  512 Jan 16 15:27 .
drwxr-xr-x  9 root  daemon  512 Mar 23 14:08 ..
-r--r--r--  1 root  bin 537 Aug  8  2014 50x.html
drwxr-xr-x  2 root  wheel   512 Jan 16 15:27 bgplg

./htdocs/bgplg:
total 1
drwxr-xr-x  2 root  wheel 512 Jan 16 15:27 .
drwxr-xr-x  3 root  daemon512 Jan 16 15:27 ..
-rw-r--r--  1 root  wheel 376 Aug  8  2014 index.html
-rw-r--r--  1 root  wheel   75238 Aug  8  2014 openbgpd.gif

./logs:
total 1
drwxr-x---  2 root  www  512 Mar 13 16:29 .
drwxr-xr-x  9 root  daemon   512 Mar 23 14:08 ..
-rw-r--r--  1 root  daemon  1178 Mar 26 15:31 

Re: Fund raising

2015-03-26 Thread Nick Holland
On 03/26/15 01:40, worik wrote:
...
 Today I spent $US5 on an ebook containing tutorials for software  I am
 considering using.  By exercising my mouse I could have got it for free.
 
 I did not.
 
 So I am bringing this up again.  I do not want CDROMs.  I have been to
 the trouble of paying for one and insisting they do not post it, but it
 was a lot of bother.
 
 I would pay for a collection of release notes for each new release.
 
 I support this project and I would like to support Theo directly - as CD
 sales do.
 
 So once again (at the risk of infuriating idle clowns) I respectfully
 suggest that the project consider such a release beside and as well as
 CDROMs.
...

There's a major problem in the world...most people don't understand very
basic economics of running a business.

You are looking at it as $5 for something that costs nothing to
distribute -- so infinite profit margin ($5/$0), how can you go wrong?

Well...  composing such a document takes time.  Let's use the FAQ as an
example.  Well, it's rather short for a book, and realistically, if you
were to be expected to pay MONEY for it, it would have to be pretty
substantially reworked for better quality, better organization.  But
let's pretend that people would spend $5 for a neatened up version of
the FAQ in ebook format.

So, I quit my day job, and spend a month or so rewriting things.  No
major new content, just reorganizing and reworking what is there.
Understand that I love the OpenBSD project, a LOT of my income goes into
OpenBSD related expenses, and I'm glad and honored to do that, but I
really can't just quit getting income for a month without a huge hit to
the bank account.  So I'm going to need some pay.  It doesn't need to
meet my current job's income, but it would be nice if it were close AND
covers lots of taxes and costs that my employer pays.  Not only
that...when I'm done, I'll need to go get another job, as I suspect my
employer will fill my current position, so I'll have to find a job
elsewhere.  So, better add another month of pay to my costs.

Now, divide that cost by $5...can we sell that many copies of something
that can be got for free?  I doubt it.  And that's just to BREAK EVEN,
as if NOTHING ever happened.  To actually make it worth while, we would
have to sell many times that number of copies.

Oh, but wait! not done yet.  Now, we need a way to process $5 payments
fast and efficient enough so that the majority of the $5 actually goes
to the project, not to the time spent processing things.  And when
something goes wrong, customers will expect that someone answer the
phone or at least e-mail in a timely manner.

And every release, we need to do it all over again.

Realistically, the money that we get for this e-document is really just
an act of charity anyway.  Why not just give the project the money, and
not make us jump through hoops that cost lots of money and provide no
benefit to anyone?

Besides, the artwork and stickers in the CD sets are great.  Really.
I've been buying CDs since 2.6, and I look forward to getting every
single one.  And this is from someone who works with the project and
pays the same price everyone else does (and historically, usually got it
AFTER many of you guys are bragging about getting yours).

Nick.



Re: Dell R630 with PERC H730

2015-03-26 Thread Hrvoje Popovski
On 26.3.2015. 12:40, Or Elimelech wrote:
 Is this for sure will solve the problem?
 
 Is it a known issue?

well, dell r630 is really new hardware and there were a few issues with
h330 and h730 at the beginning of 2015

you could try current just to see whether you will be able to install
openbsd on it...



Gource

2015-03-26 Thread R0me0 ***
http://www.echothrust.com/blogs/monitoring-pf-logs-gource



Re: httpd tls - what am i missing?

2015-03-26 Thread Edgar Pettijohn III
Is the certificate and key PEM encoded?



Re: relayd crashes often

2015-03-26 Thread Yonas Yanfa

On 15-03-26 07:26 AM, Felipe Scarel wrote:

On Thu, Mar 26, 2015 at 12:37 AM, Yonas Yanfa yo...@fizk.net wrote:

On 15-03-24 03:26 AM, Claudio Jeker wrote:

On Mon, Mar 23, 2015 at 11:54:41PM -0400, Yonas Yanfa wrote:

Hi,

I'm running relayd/OpenBSD 5.6-stable on a KVM virtual machine. relayd
always crashes within a few hours of restarting it, but works properly
before that.


I guess you are talking about reloading relayd (as in relayctl reload)...



Killing all relayd processes and then running relayd.



When relayd stops working, sometimes the relayd process is up but
`relayctl
show summary` says that /var/run/relayd.sock doesn't exist. Other times
none
of the relayd processes are running.



I hit similar issues and came up with the following diff against -current.
It may apply to 5.6 but did not test that at all. I'm not 100% sure about
the ca.c change since OpenSSL is a black box.



Thanks for the patches.

Before I try to apply the patches, I think the issue might be caused by
having too many CLOSE_WAIT connections. I seem to have 2,236 CLOSE_WAIT
connections:


$ netstat -n|grep CLOSE_WAIT|wc -l
 2236

And relayd seems to have 501 active connections:

relay www, session 1806 (501 active), 0, xxx.xxx.xxx.xxx - :0, hard timeout


How can I get relayd to close these connections?


Cheers,
Yonas



I can confirm this has also been observed on my end, using relayd as a
forward ssl-inspecting proxy on amd64 hardware. Runs without issue for
a few hours, next time I look all the (ca|hfe|pfe) processes are gone,
only relays and the parent process remains. Killing all of them and
restarting the daemon solves the problem.




From what I understand, relayd is supposed to send an ACK packet when 
the connection is in the CLOSE_WAIT state. There must be a bug in relayd 
that prevents this from happening.


If this happened, the connection would be in LAST_ACK instead of 
CLOSE_WAIT. The connection could also be closed if it received the 
following ACK.



Yonas
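
The count in the thread (netstat -n piped through grep and wc) gives a total only. As an added example, not code from the thread or from relayd, this breaks the CLOSE_WAIT sockets (connections the peer has closed and the local process has not yet closed) down by local port and by peer, so it is visible which listener holds them. The function names and the sample lines are constructed for the example.

```sh
#!/bin/sh
# Added example. Input follows the netstat -n column order:
# proto recv-q send-q local-address foreign-address state
# All function names here are hypothetical.

# close_wait_by_port: reads netstat -n output on stdin and prints
# "local_port count" for sockets in CLOSE_WAIT, busiest port first.
close_wait_by_port() {
    awk '
        $1 ~ /^tcp/ && $NF == "CLOSE_WAIT" {
            # BSD netstat prints addr.port, Linux prints addr:port
            n = split($4, part, /[.:]/)
            count[part[n]]++
        }
        END { for (p in count) print p, count[p] }
    ' | sort -k2,2nr -k1,1n
}

# close_wait_peers: same input, prints "peer_address count" so a single
# client holding most of the half-closed sockets stands out.
close_wait_peers() {
    awk '
        $1 ~ /^tcp/ && $NF == "CLOSE_WAIT" {
            peer = $5
            sub(/[.:][0-9]+$/, "", peer)   # strip the port
            count[peer]++
        }
        END { for (a in count) print a, count[a] }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample in OpenBSD netstat layout (documentation addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.443         198.51.100.7.51234     CLOSE_WAIT
tcp          0      0  192.0.2.10.443         198.51.100.7.51240     CLOSE_WAIT
tcp          0      0  192.0.2.10.443         203.0.113.9.40112      CLOSE_WAIT
tcp          0      0  192.0.2.10.22          203.0.113.9.40200      ESTABLISHED
tcp          0      0  192.0.2.10.8080        198.51.100.7.51300     CLOSE_WAIT
tcp          0      0  192.0.2.10.443         203.0.113.20.39001     TIME_WAIT
EOF
}

# Demo on the constructed sample; on a live host use: netstat -n | close_wait_by_port
sample_netstat | close_wait_by_port
sample_netstat | close_wait_peers
```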



Re: Getting errors during security(8) maintenance

2015-03-26 Thread Denis Lapshin

I forgot to say, this happens on OpenBSD 5.4.

No changes have been made in the system before. No upgrade etc.

Please ask for more information if it helps.

What I have to check to fix this?

Thanks

Denis

On 26.03.2015 14:40, Nick Holland wrote:

On 03/26/15 04:32, Denis Lapshin wrote:

Some time ago start getting errors after nightly Secutiry running:

What problem can be?

Running security(8):

Checking root sh paths, umask values:
/etc/profile /root/.profile
The root path includes .

This would not be a bad thing to fix.


Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 356.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 356.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 369.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 369.
Use of uninitialized value $home in -d at /usr/libexec/security line 386.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 406.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.
Use of uninitialized value $home in concatenation (.) or string at 
/usr/libexec/security line 434.

Stunning lack of information, but sounds like you botched an upgrade
somewhere.

Nick.



--
Denis Lapshin
mailto: den...@mindall.org



Re: SNMP and PID file

2015-03-26 Thread Alex Naumov
# /etc/rc.d/snmpd restart
httpd2 (pid 29518) already running

# uname -a
OpenBSD name 5.2 GENERIC#278 i386

# ps aux | grep snmpd
root 23284  0.0  0.1   556   980 ??  IsWed04PM0:00.00
snmpd: parent (snmpd)
_snmpd   28300  0.0  0.1   676  1380 ??  I Wed04PM0:00.55
snmpd: snmp engine (snmpd)
root 23789  0.0  0.0   592 4 p0  R+ 6:06PM0:00.00 grep
snmpd (ksh)

# ls -la /var/run/
total 192
drwxr-xr-x   3 root  wheel512 Mar 25 16:59 .
drwxr-xr-x  25 root  wheel512 Mar 29  2014 ..
-rw-r--r--   1 root  wheel  6 Nov 13 08:17 cron.pid
-rw-r--r--   1 root  wheel  49152 Nov 13 08:17 dev.db
-rw-r--r--   1 root  wheel   9124 Nov 13 08:17 dmesg.boot
-rw-r--r--   1 root  wheel  5 Nov 13 08:17 inetd.pid
-r--r--r--   1 root  wheel  12460 Nov 13 08:17 ld.so.hints
drwxr-xr-x   2 root  wheel512 Nov 13 08:17 rc.d
-rw---   1 root  wheel 70 Nov 13 08:17 sendmail.pid
srw-rw   1 root  wheel  0 Mar 25 16:59 snmpd.sock
-rw-r--r--   1 root  wheel  5 Nov 13 08:17 sshd.pid
-rw-r--r--   1 root  wheel  6 Nov 13 08:17 syslog.pid
-rw-rw-r--   1 root  utmp7200 Mar 26 18:04 utmp



Please look at the first command's output. It looks like a bug or
something like this.
Of course I can find a pid and then kill this process, but...


On Wed, Mar 25, 2015 at 6:09 PM, Joshua Smith jsm...@mail.wvnet.edu wrote:
 /etc/rc.d/snmpd restart always worked

 for me to restart snmpd.
 On Wed, Mar 25, 2015 at 06:02:30PM +0100, Alex Naumov wrote:
 Hello,

 I just want to ask about snmpd(8). As I can see, snmpd don't create
 pid file in /var/run directory.
 Is it correct?
 How to reboot this daemon? There is just sock-file.

 Thank you,
 Alex

 --
 Joshua Smith

 Montani Semper Liberi



Re: httpd cgi (5.6-stable) - solved

2015-03-26 Thread Alexei Malinin
On 03/26/15 19:55, Carlin Bingham wrote:
 On Fri, 27 Mar 2015, at 05:41 AM, Alexei Malinin wrote:
 On 03/26/15 18:33, Carlin Bingham wrote:
 On Fri, 27 Mar 2015, at 01:50 AM, Alexei Malinin wrote:
 Hello.

 I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on
 default /var/www but without success:

 [...]


 Please tell me what I'm doing wrong?

 [...]

 ./cgi-bin:
 total 1
 drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
 drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
 --  1 root  bin 144592 Aug  8  2014 bgplg


 Check the man page for bgplg(8); you need to set the permissions to make
 it executable.
 I set the permissions to 0555 - result was the same as before.
 Have you started slowcgi(8)?

Thank you! Starting slowcgi resolved the problem.


PS. Patches for httpd(8)  httpd.conf(5):

--- httpd.conf.5.orig   Wed Jan 28 21:17:23 2015
+++ httpd.conf.5Thu Mar 26 20:09:03 2015
@@ -397,7 +397,8 @@
 include /etc/nginx/mime.types
 .Ed
 .Sh SEE ALSO
-.Xr httpd 8
+.Xr httpd 8 ,
+.Xr slowcgi 8
 .Sh AUTHORS
 .An -nosplit
 The
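
Review bot: the SEE ALSO entry added in this hunk is the only place httpd.conf(5) would mention slowcgi, so a reader who sets fastcgi in a location block still has nothing telling them that a FastCGI server has to be running; in this thread that showed up as a 500 on /cgi-bin/bgplg until slowcgi was started. Consider adding a sentence to the description of the fastcgi option as well as the cross-reference.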
--- httpd.8.origWed Jan 28 21:17:23 2015
+++ httpd.8 Thu Mar 26 20:08:52 2015
@@ -81,7 +81,8 @@
 Default error log file.
 .El
 .Sh SEE ALSO
-.Xr httpd.conf 5
+.Xr httpd.conf 5 ,
+.Xr slowcgi 8
 .Sh HISTORY
 The
 .Nm
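
Review bot: the file headers above this hunk (--- httpd.8.orig, +++ httpd.8) carry no directory and no Index: line, so whoever applies the patch has to work out where in the tree to run it. Regenerating both hunks with cvs diff -u from the source directory would give the same header style as the other patches posted to the list.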


--
Alexei



L2TP using Npppd and IPsec

2015-03-26 Thread Predrag Punosevac
Hi Misc,

I need to provide secure access to a web application running on my
servers to handful typical desktop users. I am thinking of requiring
them to have L2TP/IPSec VPN tunnel before they can browse my
application. HTTPS is not good enough due to the nature of the
application. 

Why L2TP? I am not a Windows user but it seems that it should be trivial
to set up the client side

https://www.hideipvpn.com/2010/03/howto-windows-7-ipsecl2tp-vpn-setup-tutorial/
and avoid customer service requests, on another hand I am reading man
pages for npppd and ipsec on 5.7 and Giovanni's slides from two years
ago

http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd

for the talk he gave at BSDCan IIRC. I don't need to use RADIUS just a
local authentication database. It is in the base and it seems very easy
to configure. 

Is anybody running a similar setup in production? Any caveats? Any other
advice before I take the plunge?

Predrag

P.S. I have quite a bit of experience with OpenVPN server on OpenBSD but
in my experience getting credentials to a Windows client is a pain because
a typical user knows only to double click and I don't know how to
properly make Windows packages.



Re: httpd cgi (5.6-stable)

2015-03-26 Thread Carlin Bingham
On Fri, 27 Mar 2015, at 05:41 AM, Alexei Malinin wrote:
 On 03/26/15 18:33, Carlin Bingham wrote:
  On Fri, 27 Mar 2015, at 01:50 AM, Alexei Malinin wrote:
  Hello.
 
  I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on
  default /var/www but without success:
 
  [...]
 
 
  Please tell me what I'm doing wrong?
 
  [...]
 
  ./cgi-bin:
  total 1
  drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
  drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
  --  1 root  bin 144592 Aug  8  2014 bgplg
 
 
  Check the man page for bgplg(8); you need to set the permissions to make
  it executable.
 
 I set the permissions to 0555 - result was the same as before.
 
 

Have you started slowcgi(8)?


-- 
Carlin



Re: httpd cgi (5.6-stable)

2015-03-26 Thread Alexei Malinin
On 03/26/15 18:33, Carlin Bingham wrote:
 On Fri, 27 Mar 2015, at 01:50 AM, Alexei Malinin wrote:
 Hello.

 I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on
 default /var/www but without success:

 [...]


 Please tell me what I'm doing wrong?

 [...]

 ./cgi-bin:
 total 1
 drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
 drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
 --  1 root  bin 144592 Aug  8  2014 bgplg


 Check the man page for bgplg(8); you need to set the permissions to make
 it executable.

I set the permissions to 0555 - result was the same as before.


--
Alexei



Re: Set PKG_PATH using Time Zone?

2015-03-26 Thread Felipe Scarel
Routing from certain countries can also be funny sometimes (for
example, I'm pretty sure users in Peru would get better speeds
downloading from US servers rather than from Brazil, despite the
geographical proximity).

On Thu, Mar 26, 2015 at 4:18 PM, Joshua Smith jsm...@mail.wvnet.edu wrote:
 On Thu, Mar 26, 2015 at 06:55:50PM +, L.R. D.S. wrote:
 Is really boring write the package repository everytime we install.
 Why not set the repository using the Time Zone as a reference?
 For example, if you set Japan as your zone, then run
 export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/'uname -r'/packages/'uname -m'/

 What about regions which contain multiple mirrors?

 --
 Joshua Smith

 Montani Semper Liberi



Leap seconds

2015-03-26 Thread jinhitmanBarracuda
As you know, the leap second issue will occur on 29th. June. I saw
articles on some Linux distro's web page. It looks like there is a bug on
the Linux kernel and it was effected on 2012.

I would like to ask, is there anything which I should do on my OpenBSD 5.6 ?

Sorry for my English



Re: Getting errors during security(8) maintenance

2015-03-26 Thread Andrew Fresh
On Thu, Mar 26, 2015 at 03:42:07PM +0100, Ingo Schwarze wrote:
 Hi Andrew (or any other developer),
 
 OK to commit the following fix?
 
 Note that chomping after splitting is important because split
 drops trailing empty fields.

A blank home_dir is valid?  I will defer to others on that but seems
surprising to me.

Although I haven't had time to apply the patch and try it, the
implementation looks sane given that above is as expected.

OK afresh1@ 


 Index: security
 ===
 RCS file: /cvs/src/libexec/security/security,v
 retrieving revision 1.32
 diff -u -p -r1.32 security
 --- security  4 Dec 2014 00:07:21 -   1.32
 +++ security  26 Mar 2015 14:23:53 -
 @@ -336,7 +336,16 @@ sub find_homes {
   nag !(open my $fh, '', $filename),
   open: $filename: $!
   and return [];
 - my $homes = [ map [ @{[split /:/]}[0,2,5] ], $fh ];
 + my $homes = [];
 + while ($fh) {
 + my $entry = [ @{[split /:/]}[0,2,5] ];
 + chomp;
 + nag !defined $entry-[2],
 + Incomplete line \$_\ in $filename.
 + and next;
 + chomp $entry-[2];
 + push @$homes, $entry;
 + }
   close $fh;
   return $homes;
  }
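
Review bot: The `chomp;` placed after the `split` in the new loop reads like an ordering mistake to anyone who has not seen this mail, so the reason given in the message (split drops trailing empty fields, and the trailing newline is what keeps them) belongs in a comment directly above the `my $entry = ...` line. Without it, a later cleanup that moves the chomp in front of the split would turn every line ending in empty fields, such as the YP entry discussed in this thread, into an "Incomplete line" report.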

-- 
andrew - http://afresh1.com

Unix is very simple,
but it takes a genius to understand the simplicity.
  -- Dennis Ritchie



Re: Set PKG_PATH using Time Zone?

2015-03-26 Thread Dale Lindskog
On Thu, 26 Mar 2015, L.R. D.S. wrote:

 Is really boring write the package repository everytime we install. 
 Why not set the repository using the Time Zone as a reference?
 For example, if you set Japan as your zone, then run
 export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/`uname -r`/packages/`uname -m`/

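#!/usr/bin/perl -w
use strict;

# Release and architecture, as used in the mirror directory layout.
chomp( my( $uname_r, $uname_m ) = ( `uname -r`, `uname -m` ) );
# Last two path components of the /etc/localtime link target, e.g. Canada/Mountain.
chomp( my $zone = join( '/', ( split('/', `ls -l /etc/localtime`) )[-2,-1] ) );

my %mirror = (
  'Canada/Mountain' => 'ftp://ftp.openbsd.org/pub/OpenBSD',
  # okay, I'm bored now... hopefully L.R. D.S. will help
);

# Stop instead of printing a broken URL when the zone has no entry.
exists $mirror{$zone} or die "no mirror listed for zone $zone\n";

print "$mirror{$zone}/$uname_r/packages/$uname_m/\n";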



Re: httpd tls - what am i missing?

2015-03-26 Thread Kevin Chadwick
On Thu, 26 Mar 2015 08:30:23 +0100
mxb wrote:

 
  Thank you for the suggestion.  I was not aware of pound.  
 
 I’d rather go for relayd. Which is out of the box. No need to install “yet
 another port and make sure it is up2date”.

httpd is based on relayd code which would reduce the scope of the test
(a cluestick).

 When I try https://10.0.128.67/index.html - I get a nice message from
 firefox asking me to accept a problem certificate (this was expected,
 the certificate is the correct one), and when I do accept the
 certificate, I get the index page.

 So, I am not sure what is wrong, but it appears httpd is not responding
 to https requests, even with the listen on tls line in the
 configuration file.

 Is there anything for me to look at/consider in trying to correct this?

I don't understand what you are saying by 'correct one' but to me this
suggests you have issues even with pound and perhaps I would try
another browser or firefox on another client and try another
certificate perhaps from another CA or install a newer snapshot or
re-install a release before wondering if there is an issue with httpd
or libressl whilst monitoring the list to see if anyone else has an
issue?

Thankfully re-install on OpenBSD is super quick but you do have to
follow www.openbsd.org/current.html for snapshots and I think
www.openbsd.org/plus.html for release upgrades (4.5 - 4.6 etc.)



Re: SNMP and PID file

2015-03-26 Thread Joshua Smith
You are running a pretty old ( 2 years) old version of openBSD.
Perhaps it is a bug that has been fixed in a later release?


On Thu, Mar 26, 2015 at 06:11:37PM +0100, Alex Naumov wrote:
 # /etc/rc.d/snmpd restart
 httpd2 (pid 29518) already running
 
 # uname -a
 OpenBSD name 5.2 GENERIC#278 i386
 
 # ps aux | grep snmpd
 root 23284  0.0  0.1   556   980 ??  IsWed04PM0:00.00
 snmpd: parent (snmpd)
 _snmpd   28300  0.0  0.1   676  1380 ??  I Wed04PM0:00.55
 snmpd: snmp engine (snmpd)
 root 23789  0.0  0.0   592 4 p0  R+ 6:06PM0:00.00 grep
 snmpd (ksh)
 
 # ls -la /var/run/
 total 192
 drwxr-xr-x   3 root  wheel512 Mar 25 16:59 .
 drwxr-xr-x  25 root  wheel512 Mar 29  2014 ..
 -rw-r--r--   1 root  wheel  6 Nov 13 08:17 cron.pid
 -rw-r--r--   1 root  wheel  49152 Nov 13 08:17 dev.db
 -rw-r--r--   1 root  wheel   9124 Nov 13 08:17 dmesg.boot
 -rw-r--r--   1 root  wheel  5 Nov 13 08:17 inetd.pid
 -r--r--r--   1 root  wheel  12460 Nov 13 08:17 ld.so.hints
 drwxr-xr-x   2 root  wheel512 Nov 13 08:17 rc.d
 -rw---   1 root  wheel 70 Nov 13 08:17 sendmail.pid
 srw-rw   1 root  wheel  0 Mar 25 16:59 snmpd.sock
 -rw-r--r--   1 root  wheel  5 Nov 13 08:17 sshd.pid
 -rw-r--r--   1 root  wheel  6 Nov 13 08:17 syslog.pid
 -rw-rw-r--   1 root  utmp7200 Mar 26 18:04 utmp
 
 
 
 Please look at first command's output. It looks like a bug or
 something like this.
 Of course I can find a pid and then kill this process, but...
 
 
 On Wed, Mar 25, 2015 at 6:09 PM, Joshua Smith jsm...@mail.wvnet.edu wrote:
  /etc/rc.d/snmpd restart always worked
 
  for me to restart snmpd.
  On Wed, Mar 25, 2015 at 06:02:30PM +0100, Alex Naumov wrote:
  Hello,
 
  I just want to ask about snmpd(8). As I can see, snmpd doesn't create
  pid file in /var/run directory.
  Is it correct?
  How to reboot this daemon? There is just sock-file.
 
  Thank you,
  Alex
 
  --
  Joshua Smith
 
  Montani Semper Liberi

-- 
Joshua Smith

Montani Semper Liberi



Change routes with multipath?

2015-03-26 Thread rizz2pro .
Hello everyone,

I hope I posted this in the right area, I don't usually join mailing lists
so I am still a bit of a noob.

Anyways, hoping someone could help me out. I am coming up empty on my
searches figuring this out.

If I have 2 default gateways configured with priorities, how would I modify
the priorities using route change? I would prefer not to have to delete
the route and re-add them.

$ sudo route add -mpath default 64.4.4.4 -priority 1
$ sudo route add -mpath default 129.2.2.2 -priority 15
$ sudo netstat -rn | grep default
~
# default   64.4.4.4   UGS3 3308 - 1 em0
# default129.2.2.2   UGS00 -15 em1

If I try to change priorities:

$ sudo route change -mpath default 129.2.2.2 -priority 1
~
# route: writing to routing socket: No such process
# change net default: gateway 129.2.2.2: not in table

Any hints as to how I can change priority on a default multipath route? I
would appreciate it greatly.

Thanks for reading.



Set PKG_PATH using Time Zone?

2015-03-26 Thread L.R. D.S.
Is really boring write the package repository everytime we install. 
Why not set the repository using the Time Zone as a reference?
For example, if you set Japan as your zone, then run
export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/`uname -r`/packages/`uname -m`/



Re: httpd cgi (5.6-stable) - solved

2015-03-26 Thread Jason McIntyre
On Thu, Mar 26, 2015 at 08:12:27PM +0300, Alexei Malinin wrote:
 
 PS. Patches for httpd(8)  httpd.conf(5):
 

committed, thanks.
jmc

 --- httpd.conf.5.orig   Wed Jan 28 21:17:23 2015
 +++ httpd.conf.5Thu Mar 26 20:09:03 2015
 @@ -397,7 +397,8 @@
  include /etc/nginx/mime.types
  .Ed
  .Sh SEE ALSO
 -.Xr httpd 8
 +.Xr httpd 8 ,
 +.Xr slowcgi 8
  .Sh AUTHORS
  .An -nosplit
  The
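
Review bot: The only pointer to slowcgi(8) added here is the `.Xr slowcgi 8` entry under SEE ALSO, which a reader trying to work out why a CGI program does not run is unlikely to reach. A sentence in the part of httpd.conf(5) that describes the FastCGI setting, saying that CGI programs are served through slowcgi(8), would cover the case that started this thread. The comma added after `.Xr httpd 8` and the ordering of the two entries are fine.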
 --- httpd.8.origWed Jan 28 21:17:23 2015
 +++ httpd.8 Thu Mar 26 20:08:52 2015
 @@ -81,7 +81,8 @@
  Default error log file.
  .El
  .Sh SEE ALSO
 -.Xr httpd.conf 5
 +.Xr httpd.conf 5 ,
 +.Xr slowcgi 8
  .Sh HISTORY
  The
  .Nm
 
 
 --
 Alexei



Re: Set PKG_PATH using Time Zone?

2015-03-26 Thread Joshua Smith
On Thu, Mar 26, 2015 at 06:55:50PM +, L.R. D.S. wrote:
 Is really boring write the package repository everytime we install. 
 Why not set the repository using the Time Zone as a reference?
 For example, if you set Japan as your zone, then run
 export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/`uname -r`/packages/`uname -m`/

What about regions which contain multiple mirrors?

-- 
Joshua Smith

Montani Semper Liberi



Re: httpd tls - what am i missing?

2015-03-26 Thread Theodore Wynnychenko

Quoting Kevin Chadwick m8il1i...@gmail.com:


On Thu, 26 Mar 2015 08:30:23 +0100
mxb wrote:



 Thank you for the suggestion.  I was not aware of pound.

I’d rather go for relayd. Which is out of the box. No need to install “yet
another port and make sure it is up2date”.


httpd is based on relayd code which would reduce the scope of the test
(a cluestick).


When I try https://10.0.128.67/index.html - I get a nice message from
firefox asking me to accept a problem certificate (this was expected,
the certificate is the correct one), and when I do accept the
certificate, I get the index page.



So, I am not sure what is wrong, but it appears httpd is not responding
to https requests, even with the listen on tls line in the
configuration file.



Is there anything for me to look at/consider in trying to correct this?


I don't understand what you are saying by 'correct one' but to me this
suggests you have issues even with pound and perhaps I would try
another browser or firefox on another client and try another
certificate perhaps from another CA or install a newer snapshot or
re-install a release before wondering if there is an issue with httpd
or libressl whilst monitoring the list to see if anyone else has an
issue?

Thankfully re-install on OpenBSD is super quick but you do have to
follow www.openbsd.org/current.html for snapshots and I think
www.openbsd.org/plus.html for release upgrades (4.5 - 4.6 etc.)




Hello:
I am sorry, I have been unable to try some of the suggestions today as
of yet.  I am a bit busy at work, and probably won't be able to look
at this until tomorrow.
However, I wanted to clarify my comment.
When I said correct one in regards to the certificate working with
https and pound, my comment was intended only to imply that any
issues were purposefully induced ones.

As I said, the new machine with the httpd issue is going to replace
another machine.  To make my life easy going forward, I installed a
certificate for the machine as it will be in the future, not as it is
now.
So, when firefox connects with https to the machine, it is connecting
to 10.0.128.67, but gets a certificate back saying 10.0.128.100; and
warns me of the inconsistency.  This is a completely expected issue,
and I do verify that the 10.0.128.100 certificate is being presented
from the 10.0.128.67 machine.

There was NO other problem using pound.  With pound, as well as a
https connection to the old machine with the new certificate, the
browser opens the https connection with no problems.  Also, as I noted
yesterday, the browser's hanging behavior stops the second after I kill
the httpd process.

I have also tried to connect with IE from a windows machine, and get
the same results (http is ok, https hangs).

I missed the -d -v flags for httpd (I feel a bit stupid, it's right
there in the man page), and was going to fire up httpd and see what
happens when the secure connection is initiated.  Hopefully, tomorrow.

Thanks
Ted



Re: SNMP and PID file

2015-03-26 Thread Alex Naumov
It will be interesting to find information about this bug, if it's really a bug.
I can't update this system... but it will be interesting to figure out
why it happens ;)

On Thu, Mar 26, 2015 at 7:04 PM, Joshua Smith jsm...@mail.wvnet.edu wrote:
 You are running a pretty old ( 2 years) old version of openBSD.
 Perhaps it is a bug that has been fixed in a later release?


 On Thu, Mar 26, 2015 at 06:11:37PM +0100, Alex Naumov wrote:
 # /etc/rc.d/snmpd restart
 httpd2 (pid 29518) already running

 # uname -a
 OpenBSD name 5.2 GENERIC#278 i386

 # ps aux | grep snmpd
 root 23284  0.0  0.1   556   980 ??  IsWed04PM0:00.00
 snmpd: parent (snmpd)
 _snmpd   28300  0.0  0.1   676  1380 ??  I Wed04PM0:00.55
 snmpd: snmp engine (snmpd)
 root 23789  0.0  0.0   592 4 p0  R+ 6:06PM0:00.00 grep
 snmpd (ksh)

 # ls -la /var/run/
 total 192
 drwxr-xr-x   3 root  wheel512 Mar 25 16:59 .
 drwxr-xr-x  25 root  wheel512 Mar 29  2014 ..
 -rw-r--r--   1 root  wheel  6 Nov 13 08:17 cron.pid
 -rw-r--r--   1 root  wheel  49152 Nov 13 08:17 dev.db
 -rw-r--r--   1 root  wheel   9124 Nov 13 08:17 dmesg.boot
 -rw-r--r--   1 root  wheel  5 Nov 13 08:17 inetd.pid
 -r--r--r--   1 root  wheel  12460 Nov 13 08:17 ld.so.hints
 drwxr-xr-x   2 root  wheel512 Nov 13 08:17 rc.d
 -rw---   1 root  wheel 70 Nov 13 08:17 sendmail.pid
 srw-rw   1 root  wheel  0 Mar 25 16:59 snmpd.sock
 -rw-r--r--   1 root  wheel  5 Nov 13 08:17 sshd.pid
 -rw-r--r--   1 root  wheel  6 Nov 13 08:17 syslog.pid
 -rw-rw-r--   1 root  utmp7200 Mar 26 18:04 utmp



 Please look at first command's output. It looks like a bug or
 something like this.
 Of course I can find a pid and then kill this process, but...


 On Wed, Mar 25, 2015 at 6:09 PM, Joshua Smith jsm...@mail.wvnet.edu wrote:
  /etc/rc.d/snmpd restart always worked
 
  for me to restart snmpd.
  On Wed, Mar 25, 2015 at 06:02:30PM +0100, Alex Naumov wrote:
  Hello,
 
  I just want to ask about snmpd(8). As I can see, snmpd doesn't create
  pid file in /var/run directory.
  Is it correct?
  How to reboot this daemon? There is just sock-file.
 
  Thank you,
  Alex
 
  --
  Joshua Smith
 
  Montani Semper Liberi

 --
 Joshua Smith

 Montani Semper Liberi



Re: Getting errors during security(8) maintenance

2015-03-26 Thread Ingo Schwarze
Hi Andrew,

Andrew Fresh wrote on Thu, Mar 26, 2015 at 01:12:39PM -0700:
 On Thu, Mar 26, 2015 at 03:42:07PM +0100, Ingo Schwarze wrote:

 Hi Andrew (or any other developer),
 
 OK to commit the following fix?
 
 Note that chomping after splitting is important because split
 drops trailing empty fields.

 A blank home_dir is valid?

Certainly not in general, but it does occur in the +:*:0:0:::
YP entry.

 I will defer to others on that but seems surprising to me.

In case we want security(8) to catch that, the right function
to do so would be check_passwd(), not find_homes().
But i would consider that a separate matter.

 Although I haven't had time to apply the patch and try it, the
 implementation looks sane given that above is as expected.
 
 OK afresh1@ 

Thanks for checking!
  Ingo

 Index: security
 ===
 RCS file: /cvs/src/libexec/security/security,v
 retrieving revision 1.32
 diff -u -p -r1.32 security
 --- security 4 Dec 2014 00:07:21 -   1.32
 +++ security 26 Mar 2015 14:23:53 -
 @@ -336,7 +336,16 @@ sub find_homes {
  nag !(open my $fh, '', $filename),
  open: $filename: $!
  and return [];
 -my $homes = [ map [ @{[split /:/]}[0,2,5] ], $fh ];
 +my $homes = [];
 +while ($fh) {
 +my $entry = [ @{[split /:/]}[0,2,5] ];
 +chomp;
 +nag !defined $entry-[2],
 +Incomplete line \$_\ in $filename.
 +and next;
 +chomp $entry-[2];
 +push @$homes, $entry;
 +}
  close $fh;
  return $homes;
  }
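
The two cases this thread separates, a line with no home field at all (what the patch reports as incomplete) and a line whose home field is present but empty (the +:*:0:0::: YP entry), as an added shell check that is not part of security(8) or of the patch. The function names and the sample file are constructed for illustration; awk -F: keeps trailing empty fields, so the split-before-chomp ordering the patch needs in Perl does not arise here.

```shell
#!/bin/sh
# Added example, not part of security(8): classify passwd-format lines by
# the state of their home directory field (field 6 of 7).

# Lines with fewer than 6 colon-separated fields: the home field does not
# exist at all. Prints "LINENO:LOGIN", one finding per line. Only the login
# is printed, never the whole line.
incomplete_passwd_lines() {
	awk -F: 'NF < 6 { printf "%d:%s\n", NR, $1 }' "$1"
}

# Lines where the home field exists but is empty, e.g. "+:*:0:0:::".
# These pass the "defined" test but still carry no usable home directory.
empty_home_lines() {
	awk -F: 'NF >= 6 && $6 == "" { printf "%d:%s\n", NR, $1 }' "$1"
}

# Print all findings for one file. Returns 0 only when no line is
# incomplete; an empty home is reported but does not fail the check.
check_passwd_file() {
	file=$1
	bad=$(incomplete_passwd_lines "$file")
	blank=$(empty_home_lines "$file")
	if [ -n "$bad" ]; then
		printf 'incomplete entries in %s (line:login):\n%s\n' "$file" "$bad"
	fi
	if [ -n "$blank" ]; then
		printf 'empty home directory in %s (line:login):\n%s\n' "$file" "$blank"
	fi
	[ -z "$bad" ]
}

# Constructed sample data: two complete entries, two truncated ones and
# the YP compat entry mentioned in the thread.
write_sample_passwd() {
	cat > "$1" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
alice:*:1000:1000:Alice
bob:*:1001
+:*:0:0:::
EOF
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample_passwd "$sample"
check_passwd_file "$sample" || echo "repair the incomplete entries with vipw(8)"
rm -f "$sample"
```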



Re: Change routes with multipath?

2015-03-26 Thread Martin Pieuchot
On 26/03/15(Thu) 14:07, rizz2pro . wrote:
 Hello everyone,
 
 I hope I posted this in the right area, I don't usually join mailing lists
 so I am still a bit of a noob.
 
 Anyways, hoping someone could help me out. I am coming up empty on my
 searches figuring this out.
 
 If I have 2 default gateways configured with priorities, how would I modify
 the priorities using route change? I would prefer not to have to delete
 the route and re-add them.
 
 $ sudo route add -mpath default 64.4.4.4 -priority 1
 $ sudo route add -mpath default 129.2.2.2 -priority 15
 $ sudo netstat -rn | grep default
 ~
 # default   64.4.4.4   UGS3 3308 - 1 em0
 # default129.2.2.2   UGS00 -15 em1
 
 If I try to change priorities:
 
 $ sudo route change -mpath default 129.2.2.2 -priority 1
 ~
 # route: writing to routing socket: No such process
 # change net default: gateway 129.2.2.2: not in table
 
 Any hints as to how I can change priority on a default multipath route? I
 would appreciate it greatly.

Does it work with -priority 2?  The number 1 is special and reserved
for routes representing local (your own) addresses.  I just realized
that this is not (and should be) documented.



Re: Fund raising

2015-03-26 Thread jungle Boogie
On 26 March 2015 at 05:20, Nick Holland n...@holland-consulting.net wrote:
 Realistically, the money that we get for this e-document is really just
 an act of charity anyway.  Why not just give the project the money, and
 not make us jump through hoops that cost lots of money and provide no
 benefit to anyone?


Yes, donate on release day. I plan to do that in May and then in
November. I'll probably donate again for the use of openntpd, openssh,
libressl and all the other small wonderful projects everyone forgets
about.

 Besides, the artwork and stickers in the CD sets are great.  Really.
 I've been buying CDs since 2.6, and I look forward to getting every
 single one.  And this is from someone who works with the project and
 pays the same price everyone else does (and historically, usually got it
 AFTER many of you guys are bragging about getting yours).

The artwork and songs are great! I've annoyed my family by playing
almost all the songs on more than one occasion. I can't say I'll buy
the CD set but I ordered the 5.7 poster the moment I found out it was
available. I'll get the 5.7, if it's made.

I'm actually wearing an openbsd shirt now with an openssh poster
behind me on the wall.

What's the URL to the legacy store? I want to see what remains in
their inventory.

-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si



Re: httpd tls - what am i missing?

2015-03-26 Thread Ruslanas Gžibovskis
Also i would try something like tcpdump while connecting to a new machine
with https.

On Thu, 26 Mar 2015 23:55 Theodore Wynnychenko t...@wynnychenko.com wrote:

 Quoting Kevin Chadwick m8il1i...@gmail.com:

  On Thu, 26 Mar 2015 08:30:23 +0100
  mxb wrote:
 
  
   Thank you for the suggestion.  I was not aware of pound.
 
  I’d rather go for relayd. Which is out of the box. No need to install “yet
  another port and make sure it is up2date”.
 
  httpd is based on relayd code which would reduce the scope of the test
  (a cluestick).
 
  When I try https://10.0.128.67/index.html - I get a nice message
 from
  firefox asking me to accept a problem certificate (this was expected,
  the certificate is the correct one), and when I do accept the
  certificate, I get the index page.
 
  So, I am not sure what is wrong, but it appears httpd is not responding
  to https requests, even with the listen on tls line in the
  configuration file.
 
  Is there anything for me to look at/consider in trying to correct this?
 
  I don't understand what you are saying by 'correct one' but to me this
  suggests you have issues even with pound and perhaps I would try
  another browser or firefox on another client and try another
  certificate perhaps from another CA or install a newer snapshot or
  re-install a release before wondering if there is an issue with httpd
  or libressl whilst monitoring the list to see if anyone else has an
  issue?
 
  Thankfully re-install on OpenBSD is super quick but you do have to
  follow www.openbsd.org/current.html for snapshots and I think
  www.openbsd.org/plus.html for release upgrades (4.5 - 4.6 etc.)
 
 

 Hello:
 I am sorry, I have been unable to try some of the suggestions today as
 of yet.  I am a bit busy at work, and probably won't be able to look
 at this until tomorrow.
 However, I wanted to clarify my comment.
 When I said correct one in regards to the certificate working with
 https and pound, my comment was intended only to imply that any
 issues were purposefully induced ones.

 As I said, the new machine with the httpd issue is going to replace
 another machine.  To make my life easy going forward, I installed a
 certificate for the machine as it will be in the future, not as it is
 now.
 So, when firefox connects with https to the machine, it is connecting
 to 10.0.128.67, but gets a certificate back saying 10.0.128.100; and
 warns me of the inconsistency.  This is a completely expected issue,
 and I do verify that the 10.0.128.100 certificate is being presented
 from the 10.0.128.67 machine.

 There was NO other problem using pound.  With pound, as well as a
 https connection to the old machine with the new certificate, the
 browser opens the https connection with no problems.  Also, as I noted
 yesterday, the browser's hanging behavior stops the second after I kill
 the httpd process.

 I have also tried to connect with IE from a windows machine, and get
 the same results (http is ok, https hangs).

 I missed the -d -v flags for httpd (I feel a bit stupid, it's right
 there in the man page), and was going to fire up httpd and see what
 happens when the secure connection is initiated.  Hopefully, tomorrow.

 Thanks
 Ted



Re: Set PKG_PATH using Time Zone?

2015-03-26 Thread Sean Kamath
On Mar 26, 2015, at 1:39 PM, Dale Lindskog dale.linds...@gmail.com wrote:

 On Thu, 26 Mar 2015, L.R. D.S. wrote:
 
 Is really boring write the package repository everytime we install. 
 Why not set the repository using the Time Zone as a reference?
 For example, if you set Japan as your zone, then run
 export PKG_PATH=http://www.ftp.ne.jp/OpenBSD/`uname -r`/packages/`uname -m`/
 
 #!/usr/bin/perl -w
 use strict;
 
 chomp( my( $uname_r, $uname_m ) = ( `uname -r`, `uname -m` ) );
 chomp( my $zone = join( '/', ( split('/', `ls -l /etc/localtime`) )[-2,-1] ) );
 
 my %mirror = (
  'Canada/Mountain' => 'ftp://ftp.openbsd.org/pub/OpenBSD',
  # okay, I'm bored now... hopefully L.R. D.S. will help
 );
 
 # Stop instead of printing a broken URL when the zone has no entry.
 exists $mirror{$zone} or die "no mirror listed for zone $zone\n";
 
 print "$mirror{$zone}/$uname_r/packages/$uname_m/\n";
 

Why not go whole hog and traceroute -I everything and see which is faster? :-P

BTW: ftp5.usa.openbsd.org seems to not be responding on HTTP, so I dropped them 
a note.  But then I found sonic has a mirror, that, though geographically 
further, is about 1/2 a ms faster (and two fewer hops).  So, it's not just 
going to other countries where this happens.

Sean



Re: Fund raising

2015-03-26 Thread Eric Furman
I'm not going to give you any shit. I think you are well intentioned.
However the number of people who would pay for such a thing is
so small that it is not worth the time and effort to create it.
One of the worst side effects of Linux and the FSF is that now
there are millions of pricks who think *EVERYTHING* should
be free. This attitude screws projects like OpenBSD.
What is so much trouble and bother about buying a CD?
I have bought CD releases. Most of them, in fact.
Not once was it any trouble or bother.
If you don't want the CD just give it away.

On Thu, Mar 26, 2015, at 01:40 AM, worik wrote:
 I got a lot of shit on this list for suggesting that the OpenBSD project
 sell documentation collections (that are freely available elsewhere) as
 a method of raising funds for the project as CD rom sales dry up.
 
 A lot of shit on list and especially off list (one clown made up a gmail
 address especially to tell me to fuck off.  Way too much time some
 people have)
 
 Today I spent $US5 on an ebook containing tutorials for software  I am
 considering using.  By exercising my mouse I could have got it for free.
 
 I did not.
 
 So I am bringing this up again.  I do not want CDROMs.  I have been to
 the trouble of paying for one and insisting they do not post it, but it
 was a lot of bother.
 
 I would pay for a collection of release notes for each new release.
 
 I support this project and I would like to support Theo directly - as CD
 sales do.
 
 So once again (at the risk of infuriating idle clowns) I respectfully
 suggest that the project consider such a release beside and as well as
 CDROMs.
 
 I do realise that I am proposing a good idea for some one else to do.
  I cannot lead such a task as I am a OpenBSD newbie.
 
 W
 
 PS For those who might care I bought Backbone Tutorials by Thomas
 Davis.  https://leanpub.com/backbonetutorials
 
 -- 
 Why is the legal status of chardonnay different to that of cannabis?
worik.stan...@gmail.com 021-1680650, (03) 4821804
   Aotearoa (New Zealand)
  I voted for love



Re: httpd tls - what am i missing?

2015-03-26 Thread mxb
 On 25 mar 2015, at 23:44, Theodore Wynnychenko t...@uchicago.edu wrote:

 Thank you for the suggestion.  I was not aware of pound.

I’d rather go for relayd. Which is out of the box. No need to install “yet
another port and make sure it is up2date”.

//mxb



Re: Fund raising

2015-03-26 Thread Theo de Raadt
 I got a lot of shit on this list for suggesting that the OpenBSD project
 sell documentation collections (that are freely available elsewhere) as
 a method of raising funds for the project as CD rom sales dry up.
 
 A lot of shit on list and especially off list (one clown made up a gmail
 address especially to tell me to fuck off.  Way too much time some
 people have)
 
 Today I spent $US5 on an ebook containing tutorials for software  I am
 considering using.  By exercising my mouse I could have got it for free.
 
 I did not.
 
 So I am bringing this up again.  I do not want CDROMs.  I have been to
 the trouble of paying for one and insisting they do not post it, but it
 was a lot of bother.
 
 I would pay for a collection of release notes for each new release.
 
 I support this project and I would like to support Theo directly - as CD
 sales do.
 
 So once again (at the risk of infuriating idle clowns) I respectfully
 suggest that the project consider such a release beside and as well as
 CDROMs.
 
 I do realise that I am proposing a good idea for some one else to do.
  I cannot lead such a task as I am a OpenBSD newbie.
 
 W
 
 PS For those who might care I bought Backbone Tutorials by Thomas
 Davis.  https://leanpub.com/backbonetutorials

The release CDs contain documentation in a file called X.Y/*/manXY.tgz,
where X.X and XX are the release numbers.

So you can already buy the documentation, in a way which has been a
historical success for OpenBSD. (As opposed to your idea, which has no
track record anywhere).



Re: Getting errors during security(8) maintenance

2015-03-26 Thread Ingo Schwarze
Hi Andrew (or any other developer),

OK to commit the following fix?

Note that chomping after splitting is important because split
drops trailing empty fields.


Hi Denis,

Denis Lapshin wrote on Thu, Mar 26, 2015 at 11:33:16AM +0300:

 Some time ago start getting errors after nightly Security running:
 What problem can be?

Your file /etc/passwd contains two incomplete entries.
Never edit it by hand.  Always use vipw(8) to change
user account information.

Please apply the following patch to the file /usr/libexec/security,
run sh /etc/daily (both as root) and report back whether the
error messages you get then make more sense to you.

After that, to repair the damage, run vipw(8), do some trivial
change - like adding a letter to the full name field of some entry
- and try to save and exit vipw(8).  If it works, great (and if you
want, revert the trivial change, using vipw(8) again).  If it denies
saving, your master.passwd(5) file is corrupt, too.  In that case,
choose re-edit and fix whatever problems it reports.

Btw., Nick is right that in general, you should note in problem reports
which version of OpenBSD you are running, it's mere luck that it doesn't
matter in the case at hand.

Yours,
  Ingo

 Use of uninitialized value $home in concatenation (.) or string
 at /usr/libexec/security line 356.


Index: security
===
RCS file: /cvs/src/libexec/security/security,v
retrieving revision 1.32
diff -u -p -r1.32 security
--- security4 Dec 2014 00:07:21 -   1.32
+++ security26 Mar 2015 14:23:53 -
@@ -336,7 +336,16 @@ sub find_homes {
nag !(open my $fh, '', $filename),
open: $filename: $!
and return [];
-   my $homes = [ map [ @{[split /:/]}[0,2,5] ], $fh ];
+   my $homes = [];
+   while ($fh) {
+   my $entry = [ @{[split /:/]}[0,2,5] ];
+   chomp;
+   nag !defined $entry-[2],
+   Incomplete line \$_\ in $filename.
+   and next;
+   chomp $entry-[2];
+   push @$homes, $entry;
+   }
close $fh;
return $homes;
 }
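
Review bot: The new test only checks that the home field is defined, so a line whose home field is present but empty is still pushed onto @$homes with an empty string as its home. The warnings quoted in the report show the callers concatenating $home into paths, and with an empty home those paths land directly under /. If that is the intended result for the YP entry, a comment here should say so; otherwise skip empty homes in this loop or in the callers. The nag text also echoes the whole raw line via $_, where the line number and login name would be enough for the mailed report.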



Re: httpd tls - what am i missing?

2015-03-26 Thread Raf Czlonka
On Wed, Mar 25, 2015 at 05:40:11PM GMT, Theodore Wynnychenko wrote:

Hi Theodore,

 So, I checked the certificate:
 openssl x509 -text -noout -in /etc/ssl/server.crt
 
 and I get:
 Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 1 (0x1)
 Signature Algorithm: sha256WithRSAEncryption
 etc
 
 All seems fine.

It may seem fine to you but most likely it isn't.

 I took the server.key and server.crt files to an older machine
 (actually, the one I am trying to replace) that is running 4.9 (I
 think) and apache.  Put the new certificate and key in the proper
 places, and was able to open an https connection to that machine, and
 was able to confirm that the new certificate was the one being
 presented and works.

That's probably where the problem lies - the key and/or the certificate.

I've just tested your configuration with a new key and cert and it works
absolutely fine.

Have you run any tests using 's_client'?

Regards,

Raf



Re: httpd cgi (5.6-stable)

2015-03-26 Thread Carlin Bingham
On Fri, 27 Mar 2015, at 01:50 AM, Alexei Malinin wrote:
 Hello.
 
 I'm trying to get working cgi programs with OpenBSD-5.6 stable httpd on
 default /var/www but without success:
 
 [...]
 
 
 Please tell me what I'm doing wrong?
 
 [...]

 ./cgi-bin:
 total 1
 drwxr-xr-x  2 root  daemon 512 Aug  8  2014 .
 drwxr-xr-x  9 root  daemon 512 Mar 23 14:08 ..
 --  1 root  bin 144592 Aug  8  2014 bgplg
   

Check the man page for bgplg(8); you need to set the permissions to make
it executable.

--
Carlin

 
 [...]
 
 
 --
 Alexei Malinin