Re: APU2 fails to boot on OpenBSD 6.6-current #521

2019-12-18 Thread PJ
On 13.12.19 at 22:52, Alexander Pluhar wrote:
>> Just upgraded my APU2 to the latest -current and it seems to hang on the 
>> disk.
>> It was fine running on -current #512.
> I encountered this problem on 6.6 stable with the latest syspatches installed
> after updating the APU firmware[1] to 4.11.0.1.
>
> It worked again after downgrading to 4.10.0.3.
>
> [1] https://pcengines.github.io

Same behavior here trying to install 6.6 stable on a fresh apu4d4 unit.

The device was delivered with a rather old ("legacy") "coreboot build
20190402 / BIOS version v4.0.24". The console didn't work correctly,
different USB sticks were not read reliably, the installer
(install66.fs) kept crashing after boot, if the boot was reached at all.
Got it to work starting the apu2-tinycore6.4.img from SD-Card and
reflashing a recent firmware version.

Tried the most recent 4.11.0.1 first, unfortunately: with firmware
4.11.0.1 again all kinds of not correctly reading USB 3.0 devices or
detecting an internal mSATA, again not even the console was reliable.
Had to boot the apu2-tinycore6.4.img from SD-Card again to get to a
reliable root prompt and reflash the downgrade to firmware version 4.10.0.3.

After downgrading to 4.10.0.3 everything is normal. Installing on the
mSATA was easy as it should be, and now I'm happily running 6.6 on it.

Here
https://github.com/drduh/PC-Engines-APU-Router-Guide/blob/master/README.md
is a good howto for all this.




Re: umass device disklabel not detected properly in macppc

2019-12-18 Thread Theo de Raadt
The disklabel sector is not a machine-independent format, and it
moves between different sectors on some machines.

You'll find we make no promises about this type of disk-portability.
MBR or GPT label?  Yes.

Our own disklabels, unfortunately not.

rgci...@disroot.org wrote:

> dear all,
> 
> to transfer files between an amd64 Linux, amd64 OpenBSD-current, and macppc
> OpenBSD-current i have a USB drive. last night was the first time i tried to
> use the drive on the macppc.
> 
> Dec 19 06:09:06 apbg4 /bsd: umass0 at uhub0 port 2 configuration 1 interface 0 "BUFFALO SSD-PEU3" rev 2.10/1.10 addr 2
> Dec 19 06:09:06 apbg4 /bsd: umass0: using SCSI over Bulk-Only
> Dec 19 06:09:06 apbg4 /bsd: scsibus4 at umass0: 2 targets, initiator 0
> Dec 19 06:09:06 apbg4 /bsd: sd0 at scsibus4 targ 1 lun 0:  PMAP> serial.04110210357B1BD7B099
> Dec 19 06:09:06 apbg4 /bsd: sd0: 241216MB, 512 bytes/sector, 494010368 sectors
> 
> the disklabel was not detected properly. this is the disklabel on macppc
> OpenBSD-current (#638: Mon Dec 16):
> 
> # /dev/rsd0c:
> type: SCSI
> disk: SCSI disk
> label: SSD-PEU3
> duid: 
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 30750
> total sectors: 494010368
> boundstart: 0
> boundend: 494010368
> drivedata: 0
> 
> 16 partitions:
> #                size           offset  fstype [fsize bsize   cpg]
>   c:        494010368                0  unused
> 
> i tried both USB ports of the Powerbook5,8. same results.
> 
> this is the **correct** disklabel on amd64 OpenBSD-current (#637: Sun Dec 15):
> 
> # /dev/rsd1c:
> type: SCSI
> disk: SCSI disk
> label: SSD-PEU3
> duid: 
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 30750
> total sectors: 494010368
> boundstart: 0
> boundend: 494010368
> drivedata: 0
> 
> 16 partitions:
> #                size           offset  fstype [fsize bsize   cpg]
>   c:        494010368                0  unused
>   i:        494006272             2048  ext2fs
> 
> 
> partition can be mounted properly on amd64 Linux and OpenBSD.
> 
> 
> IIRC the drive was initialized / created on Linux.
> 
> 
> i have other USB drives (whole disk, msdos format) that work properly across
> all 3 machines.
> 
> 
> what am i missing here? looking forward to some pointers.
> 
> 
> yorosiku ~
> 



umass device disklabel not detected properly in macppc

2019-12-18 Thread rgcinjp
dear all,

to transfer files between an amd64 Linux, amd64 OpenBSD-current, and macppc
OpenBSD-current i have a USB drive. last night was the first time i tried to
use the drive on the macppc.

Dec 19 06:09:06 apbg4 /bsd: umass0 at uhub0 port 2 configuration 1 interface 0 "BUFFALO SSD-PEU3" rev 2.10/1.10 addr 2
Dec 19 06:09:06 apbg4 /bsd: umass0: using SCSI over Bulk-Only
Dec 19 06:09:06 apbg4 /bsd: scsibus4 at umass0: 2 targets, initiator 0
Dec 19 06:09:06 apbg4 /bsd: sd0 at scsibus4 targ 1 lun 0:  serial.04110210357B1BD7B099
Dec 19 06:09:06 apbg4 /bsd: sd0: 241216MB, 512 bytes/sector, 494010368 sectors

the disklabel was not detected properly. this is the disklabel on macppc
OpenBSD-current (#638: Mon Dec 16):

# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: SSD-PEU3
duid: 
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 30750
total sectors: 494010368
boundstart: 0
boundend: 494010368
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:        494010368                0  unused

i tried both USB ports of the Powerbook5,8. same results.

this is the **correct** disklabel on amd64 OpenBSD-current (#637: Sun Dec 15):

# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: SSD-PEU3
duid: 
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 30750
total sectors: 494010368
boundstart: 0
boundend: 494010368
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:        494010368                0  unused
  i:        494006272             2048  ext2fs


partition can be mounted properly on amd64 Linux and OpenBSD.


IIRC the drive was initialized / created on Linux.


i have other USB drives (whole disk, msdos format) that work properly across all
3 machines.


what am i missing here? looking forward to some pointers.


yorosiku ~



Fwd: dig(1) and nslookup(1) broken in -current

2019-12-18 Thread Chris Eidem



Sent from my iPad

Begin forwarded message:

> From: Dieter Rauschenberger 
> Date: December 18, 2019 at 11:09:34 AM CST
> To: misc@openbsd.org
> Subject: dig(1) and nslookup(1) broken in -current
> 
> Hi misc,
> 
> $ dig openbsd.org
> Abort trap (core dumped)
> 
> $ tail -f /var/www/messages
> Dec 18 17:57:07 ws /bsd: dig[96895]: pledge "dns", syscall 28
> 
> $ nslookup  openbsd.org
> Abort trap (core dumped)
> 
> $ tail -f /var/www/messages
> Dec 18 17:57:22 ws /bsd: nslookup[10037]: pledge "dns", syscall 28
> 
> host(1) is working fine. This happens on today's snapshot and via cvs
> checkout and compile.
> 
> Regards
> -Dieter
> 

I can confirm dig fails for me also, though tail appears to be working as 
expected.


Re: OpenBSD pf - redirect all DNS queries to local DNS server

2019-12-18 Thread Bodie




On 17.12.2019 21:55, lu hu wrote:
> Our little home network:
>
> ISP -> ROUTER -> SWITCH -> WIFI APs -> CLIENTS
>
> ROUTER: OpenBSD 6.5, giving DHCP+fwing internet to the WIFI APs. Based
> on https://www.openbsd.org/faq/pf/example1.html#pf and
> https://www.openbsd.org/faq/pf/example1.html#dhcp
>
> CLIENTS: laptops, smartphones.
>
> So everything is going through the ROUTER.
>
> We can see a https://www.openbsd.org/faq/pf/example1.html#dns DOC for
> how to setup a DNS server, ~ok.
>
> AD filtering. We would like to have one, but not a fancy one, just a
> working one.
>
> Based on "bad hosts", ex.: if a client queries iamAD.foo, then answer
> it back as 127.0.0.1, so the clients will try to connect to
> themselves, which will end up not showing the AD.
>
> The big question: Is there any DOC for OpenBSD about this? What pf
> rules needed to redirect any DNS server (ex.: 8.8.8.8 or 1.1.1.1)
> requests to the DNS server running on the ROUTER, coming from the
> CLIENTS?

https://man.openbsd.org/unwind
https://man.openbsd.org/unbound

and maybe something similar to http://openports.se/net/adsuck ?

> So ex.: if a smartphone CLIENT wants to query iamAD.foo domain to get
> ADs, it will only get back 127.0.0.1




Re: Why isn't ChallengeResponseAuthentication NO in sshd_config?

2019-12-18 Thread Bodie




On 18.12.2019 18:48, lu hu wrote:
> Hello,
>
> # what am I talking about?
>
> https://man.openbsd.org/sshd_config#ChallengeResponseAuthentication
>
> ChallengeResponseAuthentication
> Specifies whether challenge-response authentication is allowed. All
> authentication styles from login.conf(5) are supported. The default is
> yes.
>
> # what does linux distros use:
>
> If I ex.: read:
>
> https://access.redhat.com/solutions/336773
>
> then I can see ChallengeResponseAuthentication is NO for security
> reasons. Ubuntu too.
>
> # what else says ChallengeResponseAuthentication should be NO?
>
> https://www.openwall.com/lists/oss-security/2019/12/04/5
> ->

These issues were quickly fixed in OpenBSD as you can see in Security

> 1. CVE-2019-19521: Authentication bypass
>
> this attack should be more mitigated if
> ChallengeResponseAuthentication would be by default set to NO.
>
> # FIX:
>
> from this:
> cat /etc/ssh/sshd_config
> ...
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> ...
>
> to this:
> vi /etc/ssh/sshd_config
> cat /etc/ssh/sshd_config
> ...
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication no
> ...
>
> But of course by default, without fixing sshd_config it should be NO.
>
> Who the hell uses s/key with sshd nowadays?

And you are aware that this option is not there just for S/Key, right?
It's for example PAM Google authenticator too on Linux and others

I think you missed a couple of points. Eg.:

https://www.openbsd.org/faq/faq10.html#SKey

and the fact that login.conf(5) on OpenBSD by default enables S/Key.

> So please, can we make the default sshd_config more secure and set the
> "ChallengeResponseAuthentication to NO"?

Some practical examples at hand of the current vulnerability which will
make this change reasonable?

> Many thanks and wishing a peaceful xmas!




Re: dig(1) and nslookup(1) broken in -current

2019-12-18 Thread Chris Eidem
I can confirm dig fails, though tail -f works for me.  Using tail, when 
I try to use dig, I see the following in /var/log/messages:


Dec 18 14:28:03 fw /bsd: dig[33014]: pledge "dns", syscall 28


On 12/18/19 11:06 AM, Dieter Rauschenberger wrote:
> Hi misc,
>
> $ dig openbsd.org
> Abort trap (core dumped)
>
> $ tail -f /var/www/messages
> Dec 18 17:57:07 ws /bsd: dig[96895]: pledge "dns", syscall 28
>
> $ nslookup  openbsd.org
> Abort trap (core dumped)
>
> $ tail -f /var/www/messages
> Dec 18 17:57:22 ws /bsd: nslookup[10037]: pledge "dns", syscall 28
>
> host(1) is working fine. This happens on today's snapshot and via cvs
> checkout and compile.
>
> Regards
> -Dieter





Re: Third server now locked up after reboot due to no keyboard attached

2019-12-18 Thread Alfred Morgan
On 2019-12-15 18:25:33 Nick Holland wrote:
> If the boot loader echoed anything, it's behaving As Desired

Actually, one of my machines that hangs on boot> doesn't echo anything.

> a char at the command line means "STOP ALL BOOTING

I wonder if a filter can be applied to the input e.g. Ignore all
non-printable input. I am curious as to why the one server that doesn't
echo anything is stopping on boot> prompt. Can anyone give me pointers to
modifying the boot code to show what character code is stopping the boot?

> BIOS upgrade.  Long shot, but maybe?

The one server that is echoing is updated to the latest bios. The other one
that is not echoing is not and has an interesting BIOS update description
of "Improve USB compatibility" so I'm going to have to try that.

> BIOS config option

I've tried several bios config options. No change.

> a boot.conf file should fix -- simply putting "boot" in /etc/boot.conf

A great suggestion. I had "boot bsd" in my boot.conf from someone
recommending this to me but then I ran into trouble when I did a sysupgrade
and then it didn't come back since I think the reboot failed to get to boot
bsd.upgrade and bsd kernel wasn't ready to boot yet. "boot" in the
boot.conf sounds like this would fix my problem and sysupgrade problem.

On 2019-12-16 18:02:19 Andrew Daugherity wrote:
> If you have console redirection configured in the BIOS

I don't. I am using the standard terminal.

> Note that this is not yet implemented in the UEFI bootloader

Ctrl key would be nice. I am using UEFI boot.

-alfred


Re: cwm keybind menu-window

2019-12-18 Thread Okan Demirmen
On Wed 2019.12.18 at 18:56 +0100, s...@tutamail.com wrote:
> Hi guys,
> 
> is it possible to set up a keybind for menu-window + C-a (to list all 
> available items)? 
> 
> thxs!

No, not directly via cwm today.

Thanks.



cwm keybind menu-window

2019-12-18 Thread su-
Hi guys,

is it possible to set up a keybind for menu-window + C-a (to list all available 
items)? 

thxs!


Why isn't ChallengeResponseAuthentication NO in sshd_config?

2019-12-18 Thread lu hu
Hello,


# what am I talking about?

https://man.openbsd.org/sshd_config#ChallengeResponseAuthentication

ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed. All 
authentication styles from login.conf(5) are supported. The default is yes.


# what does linux distros use:

If I ex.: read:

https://access.redhat.com/solutions/336773

then I can see ChallengeResponseAuthentication is NO for security reasons. 
Ubuntu too.


# what else says ChallengeResponseAuthentication should be NO?

https://www.openwall.com/lists/oss-security/2019/12/04/5
->
1. CVE-2019-19521: Authentication bypass

this attack should be more mitigated if ChallengeResponseAuthentication would 
be by default set to NO.


# FIX:

from this:
cat /etc/ssh/sshd_config
...
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
...

to this:
vi /etc/ssh/sshd_config
cat /etc/ssh/sshd_config
...
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
...

But of course by default, without fixing sshd_config it should be NO.

Who the hell uses s/key with sshd nowadays?



So please, can we make the default sshd_config more secure and set the 
"ChallengeResponseAuthentication to NO"?

Many thanks and wishing a peaceful xmas!
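
An added example, not part of the original post and not OpenSSH's own code: a POSIX shell check for the global ChallengeResponseAuthentication value a given sshd_config file sets. It assumes sshd_config's rule that the first obtained value wins and the default of yes quoted in the post, and it ignores Include files; the function name `effective_cra` and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: print the global ChallengeResponseAuthentication value that a
# given sshd_config file sets.

# effective_cra FILE -> prints the value in effect, e.g. "yes" or "no"
effective_cra() {
    awk '
        # Blank lines and comments set nothing; "#ChallengeResponse... yes"
        # in the stock file only documents the default.
        /^[ \t]*(#|$)/ { next }
        {
            key = tolower($1)          # keywords are case-insensitive
            # Lines after the first Match apply conditionally, not globally.
            if (key == "match") exit
            # The first obtained value wins; later duplicates are ignored.
            if (key == "challengeresponseauthentication") {
                value = tolower($2)
                exit
            }
        }
        # Nothing set: fall back to the default quoted in the post (yes).
        END { print (value != "" ? value : "yes") }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample files (not taken from a real host).
# stock: the keyword is commented out, as shipped.
printf '%s\n' '# Change to no to disable s/key passwords' \
    '#ChallengeResponseAuthentication yes' > "$tmp/stock"
# fixed: the edit proposed in the post.
printf '%s\n' '# Change to no to disable s/key passwords' \
    'ChallengeResponseAuthentication no' > "$tmp/fixed"
# appended: "no" added at the end while an earlier "yes" is still active.
printf '%s\n' 'challengeresponseauthentication yes' 'PermitRootLogin no' \
    'ChallengeResponseAuthentication no' > "$tmp/appended"

for f in stock fixed appended; do
    printf '%-9s %s\n' "$f" "$(effective_cra "$tmp/$f")"
done
```

On a live host, `sshd -T` prints the configuration sshd itself resolves and is the authoritative check.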



Re: installation question

2019-12-18 Thread Mario Theodoridis



On 18.12.19 18:13, Stefan Sperling wrote:
> On Wed, Dec 18, 2019 at 05:05:26PM +0100, Mario Theodoridis wrote:
>> Hi everyone,
>>
>> this may sound silly but i'm trying to install 6.6 via serial console from
>> install66.fs which is described as you know:
>>
>>> A boot and installation image which contains
>>> the base and X sets.  An install or upgrade can be
>>> done with a USB key without network connectivity.
>>
>> However when i get to the distribution sets my install looks like this:
>>
>>> Let's install the sets!
>>> Location of sets? (disk http nfs or 'done') [http] disk
>>> Is the disk partition already mounted? [yes]
>
> Try answering 'no' here and then selecting the 'a' partition
> of the disk which contains install66.fs for mounting.

Thanks Stefan,
i'll try that on the next test install.

Mit freundlichen Grüßen/Best regards

Mario Theodoridis



Re: installation question

2019-12-18 Thread Stefan Sperling
On Wed, Dec 18, 2019 at 05:05:26PM +0100, Mario Theodoridis wrote:
> Hi everyone,
> 
> this may sound silly but i'm trying to install 6.6 via serial console from
> install66.fs which is described as you know:
> 
> > A boot and installation image which contains
> > the base and X sets.  An install or upgrade can be
> > done with a USB key without network connectivity.
> 
> However when i get to the distribution sets my install looks like this:
> 
> > Let's install the sets!
> > Location of sets? (disk http nfs or 'done') [http] disk
> > Is the disk partition already mounted? [yes]

Try answering 'no' here and then selecting the 'a' partition
of the disk which contains install66.fs for mounting.



Re: dig(1) and nslookup(1) broken in -current

2019-12-18 Thread Dieter Rauschenberger
Hi misc,

tested on i386.

On Wed, Dec 18, 2019 at 06:06:27PM +0100, Dieter Rauschenberger wrote:
> Hi misc,
> 
> $ dig openbsd.org
> Abort trap (core dumped)
> 
> $ tail -f /var/www/messages
> Dec 18 17:57:07 ws /bsd: dig[96895]: pledge "dns", syscall 28
> 
> $ nslookup  openbsd.org
> Abort trap (core dumped)
> 
> $ tail -f /var/www/messages
> Dec 18 17:57:22 ws /bsd: nslookup[10037]: pledge "dns", syscall 28
> 
> host(1) is working fine. This happens on today's snapshot and via cvs
> checkout and compile.
> 
> Regards
> -Dieter



dig(1) and nslookup(1) broken in -current

2019-12-18 Thread Dieter Rauschenberger
Hi misc,

$ dig openbsd.org
Abort trap (core dumped)

$ tail -f /var/www/messages
Dec 18 17:57:07 ws /bsd: dig[96895]: pledge "dns", syscall 28

$ nslookup  openbsd.org
Abort trap (core dumped)

$ tail -f /var/www/messages
Dec 18 17:57:22 ws /bsd: nslookup[10037]: pledge "dns", syscall 28

host(1) is working fine. This happens on today's snapshot and via cvs
checkout and compile.

Regards
-Dieter



installation question

2019-12-18 Thread Mario Theodoridis

Hi everyone,

this may sound silly but i'm trying to install 6.6 via serial console 
from install66.fs which is described as you know:



A boot and installation image which contains
the base and X sets.  An install or upgrade can be
done with a USB key without network connectivity.


However when i get to the distribution sets my install looks like this:


Let's install the sets!
Location of sets? (disk http nfs or 'done') [http] disk
Is the disk partition already mounted? [yes] 
Pathname to the sets? (or 'done') [6.6/amd64] 
The directory '6.6/amd64' does not exist.


I assume the sets are on install.fs which is mounted, but no dice.
Then i google and find https://www.openbsdhandbook.com/installation/
However, there the basic installation goes as mine, but then uses http 
instead. I already did that back when i installed 6.2, thinking it was a 
bug, or my fault.


So how exactly do i actually install distribution sets from disk.


--
Mit freundlichen Grüßen/Best regards

Mario Theodoridis