Re: weird ansible + doas behaviour
On 2020-06-21 23:55, Stuart Henderson wrote:
> On 2020-06-21, Gregory Edigarov wrote:
> > Trying to run ansible-playbook with localhost.
> > Playbook:
> >
> > ---
> > - hosts: localhost
> >   become: true
> >   become_method: doas
> >
> >   roles:
> >     - wrkstpkgs
> >
> > Expected behaviour - Ansible asks for the become pass only once, then
> > execution of tasks requires no intervention.
> > Observed behaviour:
> >
> > run ansible-playbook:
> >
> > ansible-playbook -K site.yml
> > BECOME password:
> > [WARNING]: provided hosts list is empty, only localhost is available.
> > Note that the implicit localhost does not match 'all'
> >
> > PLAY [localhost]
> > **
> >
> > TASK [Gathering Facts]
> >
> > doas (g...@lbld12.duckdns.org) password:
> > ok: [localhost]
> >
> > TASK [wrkstpkgs : ensure vital packages are present]
> > **
> > doas (g...@lbld12.duckdns.org) password:
> > ok: [localhost]
> >
> > TASK [wrkstpkgs : ensure versioned packages are present]
> > **
> > doas (g...@lbld12.duckdns.org) password:
> >
> > doas.conf only contains this line:
> > permit persist greg
> >
> > Am I missing anything? Thanks a lot in advance.
>
> I think it's like the problem with using doas in ports. "persist" uses
> the TIOCSETVERAUTH/TIOCCHKVERAUTH tty(4) ioctls which were added
> specifically for doas, the authentication can't be passed around very
> far:
>
>      TIOCCHKVERAUTH void
>              Check the verified auth status of this session. The calling
>              process must have the same real user ID and parent process
>              as the process which called TIOCSETVERAUTH. A zero return
>              indicates success.
>
> Chances are the second doas call does not have the same parent process.

Hello Stuart.

Yes, it's definitely the case. But are there any workarounds? Of course
I can install sudo from packages, but I'm always willing to stick with
the base as much as possible. And completely preventing the prompting
for password using permit nopass doesn't seem to me like a good solution
either.

--
With best regards,
Gregory Edigarov
Re: weird ansible + doas behaviour
Stuart Henderson wrote:
> On 2020-06-21, Gregory Edigarov wrote:
> > Yes, it's definitely the case. But are there any workarounds? Of course
> > I can install sudo from packages, but I'm always willing to stick with
> > the base as much as possible. And completely preventing the prompting
> > for password using permit nopass doesn't seem to me like a good solution
> > either.
>
> It isn't configurable, I think those (sudo or nopass) are the only
> workarounds.

Indeed, it is by design.

"persist" insists on very close ancestry, anything less than this
quickly becomes very wide open to many processes on the system, and
then where is the actual separation.

Kind of like it is in sudo, if you want an honest opinion
Re: weird ansible + doas behaviour
On 2020-06-21, Gregory Edigarov wrote:
> Yes, it's definitely the case. But are there any workarounds? Of course
> I can install sudo from packages, but I'm always willing to stick with
> the base as much as possible. And completely preventing the prompting
> for password using permit nopass doesn't seem to me like a good solution
> either.

It isn't configurable, I think those (sudo or nopass) are the only
workarounds.
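The thread's diagnosis is that every task's doas is started under a different parent process, so the TIOCCHKVERAUTH check (same real uid, same parent process, same tty session) cannot succeed after the first prompt. The following Python script is an added illustration, not code from the thread or from doas or Ansible, that makes the parent-process half of that rule observable without doas: it spawns /bin/sh as a stand-in for the doas process and reads the $PPID the child sees, first when every invocation is launched from one long-lived process (the way repeated `doas` commands at an interactive shell behave) and then when a fresh worker is forked for every task (a stand-in for a runner that executes each task in its own child). Only the parent-PID condition is modelled; the uid and tty conditions are assumed satisfied.

```python
import os
import subprocess


def ppid_seen_by_child() -> int:
    """Spawn /bin/sh as a direct child and return the parent PID it reports.

    The shell stands in for a doas invocation: $PPID is the value that the
    persist check (TIOCCHKVERAUTH) compares against the process that called
    TIOCSETVERAUTH when the password was first typed.  Only the parent-PID
    half of the check is modelled here; the same-real-uid and same-tty
    conditions are assumed to hold.
    """
    out = subprocess.run(
        ["/bin/sh", "-c", "echo $PPID"],
        capture_output=True, text=True, check=True,
    ).stdout
    return int(out.strip())


def _ppid_via_fresh_worker() -> int:
    """Fork a worker, let the worker spawn the child, hand the PPID back."""
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:                      # worker: the child's parent is now us
        os.close(rd)
        os.write(wr, str(ppid_seen_by_child()).encode())
        os._exit(0)
    os.close(wr)
    data = b""
    while True:
        chunk = os.read(rd, 64)
        if not chunk:
            break
        data += chunk
    os.close(rd)
    os.waitpid(pid, 0)
    return int(data)


def run_tasks(tasks: int, fork_per_task: bool) -> list:
    """Run `tasks` doas-like invocations and collect the parent PID each saw.

    fork_per_task=False mimics typing `doas ...` repeatedly at one shell:
    every invocation has the same parent.  fork_per_task=True mimics a
    runner that hands each task to a fresh worker process, so each doas
    sees a different parent.
    """
    return [
        _ppid_via_fresh_worker() if fork_per_task else ppid_seen_by_child()
        for _ in range(tasks)
    ]


def persist_would_match(ppids) -> bool:
    """True only if every invocation shares the first one's parent PID, i.e.
    the parent-process part of the persist check passes for all of them."""
    return len(set(ppids)) == 1


if __name__ == "__main__":
    one_shell = run_tasks(3, fork_per_task=False)
    per_task = run_tasks(3, fork_per_task=True)
    print("same parent each time:", one_shell, persist_would_match(one_shell))
    print("fresh worker per task:", per_task, persist_would_match(per_task))
```

Run as `python3 persist_demo.py`; the first list repeats one PID and the second holds a different PID per task, which is the shape of the failure in the playbook output above. Because the Ansible doas become plugin wraps each task in its own `/bin/sh -c` under a new worker, there is no doas.conf option that changes this; as the replies say, the choices are `permit nopass` (which can at least be narrowed with `as` and a `cmd`, though the command Ansible runs is the shell itself) or the sudo package.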
Keyboard on raspberry pi rpi3b not working
Dear Theo,

Hello, I would like that my keyboard G213 works, but unfortunately, it
doesn't. Please find my dmesg. I am looking forward to reading you.

Best regards
Openbsd user

OpenBSD 6.7 (GENERIC.MP) #602: Thu May 7 13:45:48 MDT 2020
    dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
real mem  = 958754816 (914MB)
avail mem = 899207168 (857MB)
mainbus0 at root: Raspberry Pi 3 Model B Rev 1.2
cpu0 at mainbus0 mpidr 0: ARM Cortex-A53 r0p4
cpu0: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu0: 512KB 64b/line 16-way L2 cache
efi0 at mainbus0: UEFI 2.8
efi0: Das U-Boot rev 0x20200100
apm0 at mainbus0
simplefb0 at mainbus0: 1824x984, 32bpp
wsdisplay0 at simplefb0 mux 1
wsdisplay0: screen 0-5 added (std, vt100 emulation)
"system" at mainbus0 not configured
"axi" at mainbus0 not configured
simplebus0 at mainbus0: "soc"
bcmdmac0 at simplebus0: DMA0 DMA2 DMA4 DMA5 DMA8 DMA9 DMA10
bcmclock0 at simplebus0
bcmmbox0 at simplebus0
bcmgpio0 at simplebus0
bcmaux0 at simplebus0
bcmintc0 at simplebus0
bcmdog0 at simplebus0
bcmrng0 at simplebus0
pluart0 at simplebus0: console
bcmsdhost0 at simplebus0: 250 MHz base clock
sdmmc0 at bcmsdhost0: 4-bit, sd high-speed, mmc high-speed, dma
"dsi" at simplebus0 not configured
dwctwo0 at simplebus0
bcmtemp0 at simplebus0
"local_intc" at simplebus0 not configured
sdhc0 at simplebus0
sdhc0: SDHC 3.0, 200 MHz base clock
sdmmc1 at sdhc0: 4-bit, sd high-speed, mmc high-speed
simplebus1 at simplebus0: "firmware"
"expgpio" at simplebus1 not configured
"power" at simplebus0 not configured
"mailbox" at simplebus0 not configured
"gpiomem" at simplebus0 not configured
"fb" at simplebus0 not configured
"vcsm" at simplebus0 not configured
"virtgpio" at simplebus0 not configured
simplebus2 at mainbus0: "clocks"
"clock" at simplebus2 not configured
"clock" at simplebus2 not configured
"phy" at mainbus0 not configured
"arm-pmu" at mainbus0 not configured
agtimer0 at mainbus0: tick rate 19200 KHz
"leds" at mainbus0 not configured
"fixedregulator_3v3" at mainbus0 not configured
"fixedregulator_5v0" at mainbus0 not configured
cpu1 at mainbus0 mpidr 1: ARM Cortex-A53 r0p4
cpu1: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu1: 512KB 64b/line 16-way L2 cache
cpu2 at mainbus0 mpidr 2: ARM Cortex-A53 r0p4
cpu2: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu2: 512KB 64b/line 16-way L2 cache
cpu3 at mainbus0 mpidr 3: ARM Cortex-A53 r0p4
cpu3: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu3: 512KB 64b/line 16-way L2 cache
usb0 at dwctwo0: USB revision 2.0
scsibus0 at sdmmc0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0: removable
sd0: 59MB, 512 bytes/sector, 122624 sectors
uhub0 at usb0 configuration 1 interface 0 "Broadcom DWC2 root hub" rev 2.00/1.00 addr 1
uhub1 at uhub0 port 1 configuration 1 interface 0 "Standard Microsystems product 0x9514" rev 2.00/2.00 addr 2
bwfm0 at sdmmc1 function 1
manufacturer 0x02d0, product 0xa9a6 at sdmmc1 function 2 not configured
smsc0 at uhub1 port 1 configuration 1 interface 0 "Standard Microsystems SMSC9512/14" rev 2.00/2.00 addr 3
smsc0: address b8:27:eb:3c:e5:55
ukphy0 at smsc0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x0001f0, model 0x000c
umass0 at uhub1 port 2 configuration 1 interface 0 "SanDisk Ultra Fit" rev 2.10/1.00 addr 4
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets, initiator 0
sd1 at scsibus1 targ 1 lun 0: removable serial.07815583520326110495
sd1: 14663MB, 512 bytes/sector, 30031250 sectors
uhidev0 at uhub1 port 4 configuration 1 interface 0 "Logitech Gaming Keyboard G213" rev 2.00/9.00 addr 5
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd0 at ukbd0 mux 1
wskbd0: connecting to wsdisplay0
uhidev1 at uhub1 port 4 configuration 1 interface 1 "Logitech Gaming Keyboard G213" rev 2.00/9.00 addr 5
uhidev1: iclass 3/0, 18 report ids
ukbd1 at uhidev1 reportid 1: 0 variable keys, 6 key codes
wskbd1 at ukbd1 mux 1
wskbd1: connecting to wsdisplay0
uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 17: input=19, output=19, feature=0
uhid2 at uhidev1 reportid 18: input=63, output=63, feature=0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
bootfile: sd0a:/bsd
boot device: sd0
root on sd1a (fced472af8a53105.a) swap on sd1b dump on sd1b
WARNING: CHECK AND RESET THE DATE!
gpio0 at bcmgpio0: 54 pins
bwfm0: address b8:27:eb:69:b0:00
wskbd0: disconnecting from wsdisplay0
wskbd0 detached
ukbd0 detached
uhidev0 detached
wskbd1: disconnecting from wsdisplay0
wskbd1 detached
ukbd1 detached
uhid0 detached
uhid1 detached
uhid2 detached
uhidev1 detached
uhidev0 at uhub1 port 4 configuration 1 interface 0 "Logitech Gaming Keyboard G213" rev 2.00/9.00 addr 5
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd0 at ukbd0 mux 1
wskbd0: connecting to wsdisplay0
uhidev1 at uhub1 port 4
Re: IKEDv2 and alias addresses
On 2020-06-21, Sonic wrote:
> On Sun, Jun 21, 2020 at 12:11 PM Patrick Wildt wrote:
>> If you want to use a specific address for a policy, you can use the
>> "local" keyword to specify it. This is part of the policy, not a global
>> option.
>>
>> Then iked(8) continues to listen on 0.0.0.0:500, but the policy will
>> only match if the IP address matches the one specified as "local".

IIRC "local" isn't enough, some packets are still sent on the bound
0.0.0.0, the kernel chooses the source address (based on the local
interface address in the route to the destination) and it can be the
wrong address for the other side. It's been a while since I tried and
I don't remember which packets were involved.

> My config is basically:
> Remote:
> ===
> local_gw="a.b.c.164"
> local_net="172.20.28.0/23"
> server_gw="x.y.z.45"
> server_net="172.26.62.0/23"
> state="active"
>
> ikev2 'remote_rsa' $state esp \
>         from $local_net to $server_net \
>         local $local_gw peer $server_gw \
>         dstid server.example.com
> ===
> Server:
> ===
> local_gw="x.y.z.45"
> local_net="172.26.62.0/23"
> remote_gw="a.b.c.164"
> remote_net="172.20.28.0/23"
> state="passive"
>
> ikev2 'server_rsa' $state esp \
>         from $local_net to $remote_net \
>         local $local_gw peer $remote_gw \
>         srcid server.example.com
> ===
>
> Both outside nets are /29's and the .164 and .45 are aliases, with
> .161 and .41 being the main address. However in troubleshooting I
> kept seeing information moving on the main addresses and my pf.conf
> rules were configured for the alias addresses.
>
> Being new to ikev2 setup I may have this all wrong.
>
> Thanks!

phessler ran into this as well. He was able to work around it by forcing
it to use the correct source address by adding an -ifa route.

I'm not sure exactly the order you'll need but try some things along
these lines:

route add -host x.y.z.45 $gateway -ifa a.b.c.164

This is one of various reasons why I stick with isakmpd/ikev1 for
lan-to-lan tunnels and just use ikev2 for single-host clients.
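The mechanism Stuart describes, a socket bound to 0.0.0.0 leaving the source address to the kernel's route lookup, can be observed directly. The Python below is an added example, not code from the thread or from iked(8): it uses a connected UDP socket, which sends nothing but does run the route lookup and pin the local address, and reads the result back with getsockname(). The loopback addresses are constructed stand-ins, 127.0.0.1 for the primary address (.161/.41 in Sonic's setup) and 127.0.0.2 for the alias (.164/.45); the alias bind relies on Linux treating all of 127/8 as local and returns None where that is not the case.

```python
import socket


def kernel_source_for(dest: str, bind_addr: str = "0.0.0.0", dest_port: int = 500):
    """Return the source address the kernel would put on UDP datagrams to dest.

    connect() on a UDP socket sends nothing; it only runs the route lookup and
    pins the local address, which getsockname() then reveals.  Bound to
    0.0.0.0, as iked binds its port-500 socket, the choice is left to the
    route's interface address; bound to a specific address, that address is
    used.  Returns None if bind_addr is not configured on this host.
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:
        return None
    try:
        s.bind((bind_addr, 0))          # port 0: unprivileged stand-in for 500
        s.connect((dest, dest_port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


def source_mismatch(dest: str, policy_local: str, bind_addr: str = "0.0.0.0") -> bool:
    """True when the address the kernel would send from differs from the
    policy's 'local' address, which is the situation described in the thread."""
    chosen = kernel_source_for(dest, bind_addr)
    return chosen is not None and chosen != policy_local


if __name__ == "__main__":
    # Constructed stand-ins: 127.0.0.1 plays the primary address, 127.0.0.2
    # the alias (Linux treats all of 127/8 as local, so the bind succeeds).
    print("wildcard bind  ->", kernel_source_for("127.0.0.1"))
    print("alias bind     ->", kernel_source_for("127.0.0.1", "127.0.0.2"))
    print("policy mismatch:", source_mismatch("127.0.0.1", "127.0.0.2"))
```

With the wildcard bind the kernel hands back the primary address, so `source_mismatch` is true for a policy whose `local` is the alias; binding to the alias itself is what isakmpd's Listen-on achieved. The `-ifa` route quoted above attacks the wildcard case from the other side, by changing which interface address the route to the peer carries, so on OpenBSD `route -n get x.y.z.45` should then show the alias as the "if address", and `tcpdump -ni <ext_if> udp port 500 or udp port 4500` is the check that IKE traffic actually leaves from it before the pf rules are tightened.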
weird ansible + doas behaviour
Trying to run ansible-playbook with localhost.
Playbook:

---
- hosts: localhost
  become: true
  become_method: doas

  roles:
    - wrkstpkgs

Expected behaviour - Ansible asks for the become pass only once, then
execution of tasks requires no intervention.
Observed behaviour:

run ansible-playbook:

ansible-playbook -K site.yml
BECOME password:
[WARNING]: provided hosts list is empty, only localhost is available.
Note that the implicit localhost does not match 'all'

PLAY [localhost]
**

TASK [Gathering Facts]

doas (g...@lbld12.duckdns.org) password:
ok: [localhost]

TASK [wrkstpkgs : ensure vital packages are present]
**
doas (g...@lbld12.duckdns.org) password:
ok: [localhost]

TASK [wrkstpkgs : ensure versioned packages are present]
**
doas (g...@lbld12.duckdns.org) password:

doas.conf only contains this line:
permit persist greg

Am I missing anything? Thanks a lot in advance.

--
With best regards,
Gregory Edigarov
Re: weird ansible + doas behaviour
On 2020-06-21, Gregory Edigarov wrote:
> Trying to run ansible-playbook with localhost.
> Playbook:
>
> ---
> - hosts: localhost
>   become: true
>   become_method: doas
>
>   roles:
>     - wrkstpkgs
>
> Expected behaviour - Ansible asks for the become pass only once, then
> execution of tasks requires no intervention.
> Observed behaviour:
>
> run ansible-playbook:
>
> ansible-playbook -K site.yml
> BECOME password:
> [WARNING]: provided hosts list is empty, only localhost is available.
> Note that the implicit localhost does not match 'all'
>
> PLAY [localhost]
> **
>
> TASK [Gathering Facts]
>
> doas (g...@lbld12.duckdns.org) password:
> ok: [localhost]
>
> TASK [wrkstpkgs : ensure vital packages are present]
> **
> doas (g...@lbld12.duckdns.org) password:
> ok: [localhost]
>
> TASK [wrkstpkgs : ensure versioned packages are present]
> **
> doas (g...@lbld12.duckdns.org) password:
>
> doas.conf only contains this line:
> permit persist greg
>
> Am I missing anything? Thanks a lot in advance.

I think it's like the problem with using doas in ports. "persist" uses
the TIOCSETVERAUTH/TIOCCHKVERAUTH tty(4) ioctls which were added
specifically for doas, the authentication can't be passed around very
far:

     TIOCCHKVERAUTH void
             Check the verified auth status of this session. The calling
             process must have the same real user ID and parent process
             as the process which called TIOCSETVERAUTH. A zero return
             indicates success.

Chances are the second doas call does not have the same parent process.
Re: IKEDv2 and alias addresses
On Sun, Jun 21, 2020 at 12:11 PM Patrick Wildt wrote:
> If you want to use a specific address for a policy, you can use the
> "local" keyword to specify it. This is part of the policy, not a global
> option.
>
> Then iked(8) continues to listen on 0.0.0.0:500, but the policy will
> only match if the IP address matches the one specified as "local".

My config is basically:
Remote:
===
local_gw="a.b.c.164"
local_net="172.20.28.0/23"
server_gw="x.y.z.45"
server_net="172.26.62.0/23"
state="active"

ikev2 'remote_rsa' $state esp \
        from $local_net to $server_net \
        local $local_gw peer $server_gw \
        dstid server.example.com
===
Server:
===
local_gw="x.y.z.45"
local_net="172.26.62.0/23"
remote_gw="a.b.c.164"
remote_net="172.20.28.0/23"
state="passive"

ikev2 'server_rsa' $state esp \
        from $local_net to $remote_net \
        local $local_gw peer $remote_gw \
        srcid server.example.com
===

Both outside nets are /29's and the .164 and .45 are aliases, with
.161 and .41 being the main address. However in troubleshooting I
kept seeing information moving on the main addresses and my pf.conf
rules were configured for the alias addresses.

Being new to ikev2 setup I may have this all wrong.

Thanks!
Re: Lenovo V130, boot failed with error "entry point at 0x1001000"
Hi,

the update of the loader didn't help. I've updated the bootx64.efi from
3.48 to 3.52. But the current kernel doesn't load. I'll try a
re-installation.
Maybe @Otto can explain why the start of bsd.rd is possible and the
start of bsd.sp/bsd.mp is not possible. Maybe I can build a custom
kernel.

Best regards,
Sven

On 6/21/20 8:33 PM, Sven Wolf wrote:
> Hi,
>
> I found the same issue in a thread some weeks ago.
> https://marc.info/?l=openbsd-misc&m=159039904132502&w=2
> I'll test a reinstall/older loader. Boot from mbr isn't an option :(
>
> Best regards,
> Sven
>
> On 6/21/20 8:20 PM, Sven Wolf wrote:
>> Hi,
>>
>> I've upgraded my Lenovo V130 from snapshot 6.6 (April 2020) to the
>> snapshot from 2020-06-20. The boot via boot.rd is always possible. But
>> when I load bsd.sp or bsd.rd the boot process stops with the error
>> "entry point 0x1001000".
>> Do you have an idea how I can fix this error? In the past I didn't have
>> any problem with openbsd on this machine. I'll try tomorrow the next
>> snapshot.
>>
>> Thanks and best regards,
>> Sven
Re: Lenovo V130, boot failed with error "entry point at 0x1001000"
Hi,

I found the same issue in a thread some weeks ago.
https://marc.info/?l=openbsd-misc&m=159039904132502&w=2
I'll test a reinstall/older loader. Boot from mbr isn't an option :(

Best regards,
Sven

On 6/21/20 8:20 PM, Sven Wolf wrote:
> Hi,
>
> I've upgraded my Lenovo V130 from snapshot 6.6 (April 2020) to the
> snapshot from 2020-06-20. The boot via boot.rd is always possible. But
> when I load bsd.sp or bsd.rd the boot process stops with the error
> "entry point 0x1001000".
> Do you have an idea how I can fix this error? In the past I didn't have
> any problem with openbsd on this machine. I'll try tomorrow the next
> snapshot.
>
> Thanks and best regards,
> Sven
Lenovo V130, boot failed with error "entry point at 0x1001000"
Hi,

I've upgraded my Lenovo V130 from snapshot 6.6 (April 2020) to the
snapshot from 2020-06-20. The boot via boot.rd is always possible. But
when I load bsd.sp or bsd.rd the boot process stops with the error
"entry point 0x1001000".
Do you have an idea how I can fix this error? In the past I didn't have
any problem with openbsd on this machine. I'll try tomorrow the next
snapshot.

Thanks and best regards,
Sven
Re: IKEDv2 and alias addresses
On Fri, Jun 19, 2020 at 11:19:11AM -0400, Sonic wrote:
> With IKEDv1 I was able to use alias addresses for the VPN tunnels with
> a Listen-on directive in isakmpd.conf:
> ==
> [General]
> Listen-on= 1.2.3.7
> ==
>
> So far my attempts with IKEDv2 have been unsuccessful at using alias
> addresses. Is it possible?
>
> Thanks!
>
> Chris

iked(8) listens on all addresses. It binds on 0.0.0.0:500 and receives
all IKE messages that arrive, unless there's an isakmpd(8) running on
the same address. Thus there's no need to specify an additional address,
because it's already listening on all addresses.

If you want to use a specific address for a policy, you can use the
"local" keyword to specify it. This is part of the policy, not a global
option.

Then iked(8) continues to listen on 0.0.0.0:500, but the policy will
only match if the IP address matches the one specified as "local".

Patrick