Re: man.openbsd.org failure?

2023-12-21 Thread Daniel Jakots
On Thu, 21 Dec 2023 21:22:49 -0500, Dave Anderson  wrote:

> Safari isn’t providing much useful information, but starting today
> I’m consistently getting a “server stopped responding” error when
> trying to access the online man pages at man.openbsd.org.
> www.openbsd.org is working fine.

Yes, it's a maintenance:
https://marc.info/?l=openbsd-misc=170301839017559=2

Cheers,
Daniel



Re: non-hardware 2fa options for openssh

2023-08-29 Thread Daniel Jakots
On Tue, 29 Aug 2023 13:18:53 -0400, Dave Voutila  wrote:

> > You can also want to look at sysutils/login_oath (which I've been
> > using for years), but maybe for new setups, the login_totp from
> > base makes more sense.
> >  
> 
> login_totp is in base?

Wow, I was sure https://github.com/reyk/login_otp was imported, and the
man I was looking at actually comes from sysutils/login_oath lol

thanks for catching my mistake!



Re: non-hardware 2fa options for openssh

2023-08-29 Thread Daniel Jakots
On Tue, 29 Aug 2023 10:07:18 -0500, "myml...@gmx.com" 
wrote:

> Hi All,
> 
> I want to secure an openssh server with two factor authentication and
> have seen the hardware token methods, most recently I've been seeing
> yubi/FIDO methods.
> 
> Ideally I would like to avoid having to depend on a usb size device
> that could easily be lost.

Using something based on TOTP (Cf. rfc6238) is probably your best bet
then.

> I looked around and found mention of google authenticator as an
> option, phones aren't much bigger than usb sticks but people protect
> their phone as if it was their soul, but the newest mention I can
> find is many years old.

AFAIK, google authenticator is simply an app doing the math for TOTP.
There are multiple basic opensource apps (on both Android and iphones)
which can provide you with the right TOTP based on the seed/secret.

And if you don't want to use a phone, you can use oathtool(1) from
security/oath-toolkit.
I think some password managers also are able to generate the TOTP.

> My question is there any recent documentation / information on setting
> up an openssh server with non-hardware based two factor
> authentication? This does NOT have to be google authenticator, any
> similar service will suffice.

login_totp(8), login.conf(5), sshd_config(5), and maybe a couple of
others.

You can also want to look at sysutils/login_oath (which I've been using
for years), but maybe for new setups, the login_totp from base makes
more sense.

Have fun,
Daniel 
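
To make the "app doing the math for TOTP" concrete, here is an added example (not from the thread, nor code from login_totp, login_oath, oathtool or any phone app) of the RFC 6238 computation all of them perform from the same base32 seed. The seed is the RFC's own 20-byte test secret, and the one-step acceptance window in the verifier is my choice, not a setting taken from any of those tools.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). A real seed is
# a random secret shared once between the server and the authenticator.
RFC6238_SECRET = b"12345678901234567890"


def decode_seed(b32: str) -> bytes:
    """Decode a base32 seed as printed for authenticator apps.

    Tools often omit the '=' padding and insert spaces for readability, so
    both are tolerated before handing the string to base64.b32decode.
    """
    cleaned = b32.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 4 bytes at an offset taken from the
    last nibble of the digest and reduces them modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).

    `at` is a Unix timestamp; it defaults to now. 30 s and 6 digits are the
    values the common apps use.
    """
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1, algo=hashlib.sha1) -> bool:
    """Accept a code from the current step or up to `window` steps either
    side, to absorb clock skew between server and phone.

    Every candidate is compared with hmac.compare_digest and the loop never
    short-circuits, so a wrong guess takes the same time as a near miss.
    """
    if at is None:
        at = time.time()
    base = int(at) // step
    ok = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, base + delta, digits, algo)
        ok |= hmac.compare_digest(candidate, code)
    return ok


if __name__ == "__main__":
    seed = decode_seed("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(totp(seed, at=59, digits=8))  # 94287082 (RFC 6238 Appendix B)
```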



Re: Recommended place to store static arp entries

2023-03-02 Thread Daniel Jakots
On Tue, 28 Feb 2023 14:35:18 +0100, Claudio Jeker
 wrote:

> To be honest I never had the need to store static arp entries. So for
> me the best place is /dev/null.

Not op, but I have such a need: I own a wifi AP which tends not to be
able to let arp pass in one direction. All the rest is fine, as long as
the router can reach the hosts in the LANs.

I ended up having in my router:

$ cat /etc/rc.local
arp -Fs 192.0.2.1 00:11:22:33:44:55
[...]

for the required devices using wifi.

Of course I'm not happy about the situation, but it's a good workaround
for this shitty device.

Cheers,
Daniel



Re: hostnames in syslogd

2022-04-25 Thread Daniel Jakots
On Mon, 25 Apr 2022 14:27:19 -0400, "Sven F." 
wrote:

> Moreover, just like -h sends the hostname, in a SSL setup it would be
> useful to log the CN of the client certificate, with -i maybe,
> since it is a strong ID; sorting logs with that feels more reliable
> than IP or modified hostnames.
> 
> I may miss some important legacy behavior but a `-i` option that logs
> the CN after the hostname in a similar manner looks non breaking and
> useful.

Ah, that reminds me of an issue I have. On my central logging machine, I
filter logs by hostname. However, it appears sometimes my DNS fails, so
it doesn't get a hostname and the logs with the IP address escape the
filter. If I could filter based on the client's certificate
hostname, that would be much more reliable!

Cheers,
Daniel



Re: time drift in OpenBSD in proxmox (qemu-kvm) guest

2022-04-14 Thread Daniel Jakots
On Thu, 14 Apr 2022 23:47:42 +0200, Stefan Sperling 
wrote:

> > $ sysctl kern.timecounter
> > kern.timecounter.tick=1
> > kern.timecounter.timestepwarnings=0
> > kern.timecounter.hardware=pvclock0
> > kern.timecounter.choice=i8254(0) pvclock0(1500) acpihpet0(1000)
> > acpitimer0(1000)
> > 
> > Anyone have ideas of things I could try that are less wrong than
> > running rdate from cron? Thanks.  
> 
> I have a -current built-a-week-ago guest on stock Debian KVM, no
> problems with time-keeping. It picks acpihpet as timecounter instead
> of pvclock:
> 
> $ sysctl kern.timecounter 
> kern.timecounter.tick=1
> kern.timecounter.timestepwarnings=0
> kern.timecounter.hardware=acpihpet0
> kern.timecounter.choice=i8254(0) pvclock0(500) acpihpet0(1000)
> acpitimer0(1000)

I've some VMs using
$ sysctl kern.timecounter
kern.timecounter.tick=1
kern.timecounter.timestepwarnings=0
kern.timecounter.hardware=pvclock0
kern.timecounter.choice=i8254(0) pvclock0(1500) acpitimer0(1000)

for two months on this particular host and no issue. That said I'm
using an Intel CPU and I force kvm to virtualize some "recent" hardware
(because I hated seeing a floppy disk c* in my dmesg) so I run

> QEMU Standard PC (Q35 + ICH9, 2009)

full dmesg for the curious:

Re: Must interface unit numbers start with 0?

2021-10-22 Thread Daniel Jakots
On Fri, 22 Oct 2021 19:13:18 -0400, "Allan Streib"
 wrote:

> can I name the interface vlan101

Yes you can. I've a machine where there's only vlan206.

Cheers,
Daniel



Re: 7.0 upgrade dmesg confusion

2021-10-15 Thread Daniel Jakots
On Fri, 15 Oct 2021 20:09:16 -0400, Jon Fineman  wrote:

> I was preparing the dmesg to send off and I noticed it looks like the
> old message from 6.9. How could that occur? What did I miss?

From dmesg(8):

   On some systems the message buffer can survive reboot and be
   retained (in the hope of exposing information from a crash).

   FILES
/var/run/dmesg.boot  copy of dmesg saved by rc(8) at boot time



Cheers,
Daniel



Re: IPv6: how to trigger script when address prefix changes?

2021-10-06 Thread Daniel Jakots
On Thu, 7 Oct 2021 02:52:13 +0200, Mike Fischer
 wrote:

> Would a IPv6 address prefix change be something the hotplug(4) /
> hotplugd(8) mechanism would see?

It would rather be ifstated(8), but I don't think so. I've never looked
into this, but if I were, I would check the route(8) monitor command:
https://man.openbsd.org/route#monitor



Re: ssh authlog: Failed none for invalid user

2021-08-09 Thread Daniel Jakots
On Mon, 9 Aug 2021 14:52:40 -0700, Jordan Geoghegan
 wrote:

> Hello,
> 
> I was hoping somebody could set me straight here. On one of my
> machines I have a number of entries in my /var/log/authlog file that
> look like this:
> 
>     Failed none for invalid user admin from 14.239.50.255 port 51796
> 
> The machine has been being hammered with SSH bruteforce attempts and
> I noticed that "Failed none" entry popping up frequently.
> 
> What exactly does "Failed none" mean here in this in this context?
> 
> Any insight would be greatly appreciated as my Google-fu has failed
> me in my search for an answer.

I don't have any experience with ssh's code but after a quick grep, it
seems to come from
https://github.com/openbsd/src/blob/73b5c081a08ab8132aaab716c8f4da9aebb020e7/usr.bin/ssh/auth.c#L272-L282

I guess the "none" is the auth method selected by the client. Someone
with more knowledge on the ssh protocol can surely give you a more
detailed answer.

Cheers,
Daniel
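
An added illustration, not part of the thread: the "none" in these lines is the method the client names in its opening USERAUTH_REQUEST (RFC 4252 section 5.2) to learn which methods sshd accepts, so authlog can be split into bare probes and actual credential guessing per source address. The log lines below are constructed in sshd's authlog format with documentation-range addresses; the grouping functions are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape sshd writes to /var/log/authlog; the
# addresses come from the 192.0.2.0/24 documentation range, not from the thread.
SAMPLE_AUTHLOG = """\
Aug  9 14:52:40 gw sshd[18420]: Invalid user admin from 192.0.2.10 port 51796
Aug  9 14:52:40 gw sshd[18420]: Failed none for invalid user admin from 192.0.2.10 port 51796 ssh2
Aug  9 14:52:43 gw sshd[18420]: Failed password for invalid user admin from 192.0.2.10 port 51796 ssh2
Aug  9 14:53:01 gw sshd[18455]: Failed none for invalid user oracle from 192.0.2.11 port 40222 ssh2
Aug  9 14:53:02 gw sshd[18455]: Connection closed by invalid user oracle 192.0.2.11 port 40222 [preauth]
Aug  9 14:55:10 gw sshd[18490]: Accepted publickey for daniel from 192.0.2.20 port 50001 ssh2: ED25519 SHA256:PLACEHOLDER
"""

# "Failed <method> for [invalid user ]<user> from <ip> port <port>" and the
# matching "Accepted ..." line. The method field is whatever the client asked
# for; "none" is its opening request to discover the accepted methods.
AUTH_RE = re.compile(
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_authlog(text: str):
    """Return one dict per Failed/Accepted line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m is None:
            continue
        events.append({
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "invalid_user": m["invalid"] is not None,
            "ip": m["ip"],
            "port": int(m["port"]),
        })
    return events


def failures_by_ip(events):
    """Map source address -> Counter of failed methods."""
    per_ip = defaultdict(Counter)
    for e in events:
        if e["result"] == "Failed":
            per_ip[e["ip"]][e["method"]] += 1
    return dict(per_ip)


def probe_only_ips(events):
    """Addresses whose only failures are 'none': the client asked which
    methods sshd accepts for a user that does not exist and never sent a
    credential at all."""
    return {ip for ip, c in failures_by_ip(events).items() if set(c) == {"none"}}


def guessing_ips(events, threshold: int = 1):
    """Addresses that went on to fail at least `threshold` real methods
    (password, keyboard-interactive, publickey); these are the ones worth
    rate limiting or feeding into a pf table, the bare probes are just noise."""
    return {
        ip for ip, c in failures_by_ip(events).items()
        if sum(n for method, n in c.items() if method != "none") >= threshold
    }


if __name__ == "__main__":
    ev = parse_authlog(SAMPLE_AUTHLOG)
    print("probes only:", sorted(probe_only_ips(ev)))
    print("guessing:", sorted(guessing_ips(ev)))
```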



Re: SSL issue on 6.8 arm64 when upgrading to 6.9

2021-06-18 Thread Daniel Jakots
On Fri, 18 Jun 2021 23:21:40 -0300, "Nenhum_de_Nos"
 wrote:

> TLS handshake failure: handshake failed: error:1404B410:SSL
> routines:ST_CONNECT:sslv3 alert handshake failure
> 
> is also present when I try to install any package on 6.8. I looked
> for it over google and found no clues, just one patch that looks like
> to issue this, but a full recompile would last longer than a fresh
> 6.9 install.

There was a problem a few days ago with cloudflare:
https://marc.info/?l=openbsd-bugs=162336101708589=2

It seems it's still the case for me:
$ nc -zvc cloudflare.cdn.openbsd.org 443
Connection to cloudflare.cdn.openbsd.org (104.17.249.92) 443 port [tcp/https] 
succeeded!
nc: tls handshake failed (handshake failed: error:1404B42E:SSL 
routines:ST_CONNECT:tlsv1 alert protocol version)

https://www.ssllabs.com/ssltest/analyze.html?d=cloudflare.cdn.openbsd.org
says Assessment failed: Failed to communicate with the secure server 

I would try another CDN/mirror if I were you:

$ nc -zvc fastly.cdn.openbsd.org 443 
Connection to fastly.cdn.openbsd.org (151.101.126.217) 443 port [tcp/https] 
succeeded!
TLS handshake negotiated TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 with host 
fastly.cdn.openbsd.org
Peer name: fastly.cdn.openbsd.org
Subject: /CN=fastly.cdn.openbsd.org
Issuer: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Atlas R3 DV TLS CA 2020
Valid From: Mon Feb 22 20:12:22 2021
Valid Until: Sat Mar 26 20:12:22 2022
Cert Hash: 
SHA256:ca2b5d20050ce1e32adb901ed2fdffc2613b6f1ecec2fa89efa2338d8e8e6a96
OCSP URL: http://ocsp.globalsign.com/ca/gsatlasr3dvtlsca2020


Cheers,
Daniel



Re: nc(1) fails the tls handshake when destination ends with a full stop

2021-05-30 Thread Daniel Jakots
On Sun, 30 May 2021 19:55:42 +0200, Theo Buehler 
wrote:

> On Sun, May 30, 2021 at 01:43:54PM -0400, Daniel Jakots wrote:
> > On Sun, 30 May 2021 17:45:22 +0200, Theo Buehler
> >  wrote:
> >   
> > > Unsure. If people really think this is useful and necessary, I
> > > can be convinced. It's easy enough to do. And you're right, curl
> > > strips the trailing dot after resolving a host name for SNI and
> > > HTTP host header.  
> > 
> > Given the current error message makes it hard to understand what the
> > problem is, I think it's nicer to fix the user error like curl(1)
> > does.  
> 
> What I do not quite see is why you would want or expect to be able to
> have a trailing dot there. None of nc's examples have it and in
> ftp/curl it seems even weirder.

I think what happened is I was fucking around with my certificates
file, and they're named like example.com.pem. I wanted to check
something so I double-clicked on the string and pasted it, and then
removed only "pem". I left the trailing dot both out of laziness and
because I didn't expect it to break things.

I recently learned that you can include the DNS name trailing dot in a
url even if it looks weird. But I just tested some more and for
instance:

https://datatracker.ietf.org./doc/html/rfc6066#section-3 # works
https://openbsd.org./ # doesn't work with Error code:
SSL_ERROR_ILLEGAL_PARAMETER_ALERT

$ nc -zvc datatracker.ietf.org. 443
Connection to datatracker.ietf.org. (4.31.198.44) 443 port [tcp/https] 
succeeded!
nc: tls handshake failed (name `datatracker.ietf.org.' not present in server 
certificate)
(and adding -Tnoname makes it work)

so I guess LibreSSL is stricter than OpenSSL?
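
As an added example (not code from nc, curl or LibreSSL), the normalization curl applies as Theo describes: the trailing dot is kept for the resolver but dropped before SNI (RFC 6066 section 3 defines HostName without it), before the Host header, and before certificate name matching, which is why a name compared verbatim with its dot is reported as not present in the server certificate. The SAN list and the wildcard rule are my assumptions for the demonstration.

```python
import ipaddress


def strip_fqdn_dot(name: str) -> str:
    """Drop the single trailing dot of an absolute DNS name.

    "openbsd.org." and "openbsd.org" are the same resolver name; the dot only
    stops search-domain expansion. TLS never sees it: RFC 6066 section 3
    defines the SNI HostName without a trailing dot and dNSName SANs are
    stored without one, so it must go before either comparison. A name
    ending in ".." is left alone so that it fails validation below.
    """
    if name.endswith(".") and not name.endswith(".."):
        return name[:-1]
    return name


def _is_ip_literal(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def sni_hostname(dest: str):
    """SNI HostName to send for `dest`, or None when SNI must be omitted.

    RFC 6066 forbids IP literals in SNI; malformed names (empty labels)
    also return None rather than being sent as-is.
    """
    host = strip_fqdn_dot(dest.strip("[]"))
    if _is_ip_literal(host):
        return None
    if not host or any(label == "" for label in host.split(".")):
        return None
    return host.lower()


def host_header(dest: str, port: int, default_port: int = 443) -> str:
    """Host header value: dot stripped, IPv6 literal bracketed, port
    appended only when it differs from the scheme default."""
    host = strip_fqdn_dot(dest)
    bare = host.strip("[]")
    if _is_ip_literal(bare) and ipaddress.ip_address(bare).version == 6:
        host = f"[{bare}]"
    return host if port == default_port else f"{host}:{port}"


def san_matches(san: str, host: str) -> bool:
    """Match one dNSName SAN against a host, RFC 6125 style.

    A wildcard is honoured only as the entire leftmost label and only for
    exactly one label: *.openbsd.org matches www.openbsd.org but neither
    openbsd.org nor a.b.openbsd.org.
    """
    san_labels = san.lower().split(".")
    host_labels = host.lower().split(".")
    if len(san_labels) != len(host_labels) or len(san_labels) < 2:
        return False
    if san_labels[0] == "*":
        return san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def cert_name_ok(sans, dest: str, normalize: bool = True) -> bool:
    """Check `dest` against the certificate's dNSName SANs.

    With normalize=False the trailing dot is compared verbatim and the
    dotted name is simply not in the certificate; with the default the
    dot is stripped first, which is what curl does.
    """
    host = strip_fqdn_dot(dest) if normalize else dest
    return any(san_matches(san, host) for san in sans)


if __name__ == "__main__":
    # Constructed SAN list standing in for a real openbsd.org certificate.
    sans = ["openbsd.org", "www.openbsd.org"]
    for dest in ("openbsd.org", "openbsd.org."):
        print(dest, "sni:", sni_hostname(dest),
              "verbatim:", cert_name_ok(sans, dest, normalize=False),
              "normalized:", cert_name_ok(sans, dest))
```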



Re: nc(1) fails the tls handshake when destination ends with a full stop

2021-05-30 Thread Daniel Jakots
On Sun, 30 May 2021 17:45:22 +0200, Theo Buehler 
wrote:

> Unsure. If people really think this is useful and necessary, I can be
> convinced. It's easy enough to do. And you're right, curl strips the
> trailing dot after resolving a host name for SNI and HTTP host header.

Given the current error message makes it hard to understand what the
problem is, I think it's nicer to fix the user error like curl(1) does.

Thanks,
Daniel



nc(1) fails the tls handshake when destination ends with a full stop

2021-05-29 Thread Daniel Jakots
Hi,

$ nc -zvc openbsd.org 443 # works as expected
Connection to openbsd.org (129.128.5.194) 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.3/AEAD-AES256-GCM-SHA384 with host openbsd.org
[...]

$ nc -zvc openbsd.org. 443 # fails
Connection to openbsd.org. (129.128.5.194) 443 port [tcp/https] succeeded!
nc: tls handshake failed (handshake failed: error:1404B42E:SSL 
routines:ST_CONNECT:tlsv1 alert protocol version)


And FWIW I get a different error when the destination runs nginx:

$ nc -zvc px.chown.me. 443 
Connection to px.chown.me. (198.48.202.221) 443 port [tcp/https] succeeded!
nc: tls handshake failed (handshake failed: error:1404B417:SSL 
routines:ST_CONNECT:sslv3 alert illegal parameter)

I checked with -Tnoname to be sure, and it didn't change anything.

Is that normal?

Cheers,
Daniel



Re: Openbsd 6.9 Default gateway

2021-05-07 Thread Daniel Jakots
On Sat, 8 May 2021 02:37:41 +0300, Irshad Sulaiman
 wrote:

> Thank you for the reply 
> 
> 
> I could do it by deleting and adding the route with the route command
> manually, but is there any better way to do this?

If you used the same network both on wired and wireless, you could use
a trunk(4) in failover mode for a transparent transition. Check
"Trunking Your Wireless Adapter" in
https://www.openbsd.org/faq/faq6.html

Cheers,
Daniel



Re: blacklistd analogue

2021-03-25 Thread Daniel Jakots
On Thu, 25 Mar 2021 19:00:52 +0200, Kapetanakis Giannis
 wrote:

> How about a distributed setup?
> 
> Has anyone thought of a way getting IPs from various servers (say
> linux & fail2ban) to the central OpenBSD (pf) firewall?
> 
> Ideally with history in order to punish more the frequent abusers.
> 
> I had plans on looking to bgp to distribute the IPs around but maybe 
> there is already a better way doing this.
> 
> thanks and sorry for hijacking but I believe it's quite relevant.

I did this for my machines: https://chown.me/blog/acacia

It's not clever enough to punish more the frequent abusers though.

Cheers,
Daniel



Re: Protecting entire LAN subnet with Wiregaurd

2021-03-21 Thread Daniel Jakots
On Sun, 21 Mar 2021 23:49:37 -0400, Daniel Jakots  wrote:

> On Mon, 22 Mar 2021 14:34:00 +1100, Antonino Sidoti
>  wrote:
> 
> > I am confused on how to force all lan clients in my home network to
> > use wireguard tunnel via local firewall. Do I need to add routes and
> > if so how do I do this on my local firewall if the public IP is
> > dynamic and the default gateway changes regularly.   
> 
> To make all the traffic go through Wireguard®, you can do
> # route add default -link -iface wg0
> 
> Having a dynamic IP at home means that if the IP changes, the server
> won't be able to initiate the tunnel but AFAIK, that's the only
> problem.

After thinking more about it, I see what the problem is.

So maybe using some rdomains/rtables as described in
https://codimd.laas.fr/s/NMc3qt5PQ#



Re: Protecting entire LAN subnet with Wiregaurd

2021-03-21 Thread Daniel Jakots
On Mon, 22 Mar 2021 14:34:00 +1100, Antonino Sidoti 
wrote:

> I am confused on how to force all lan clients in my home network to
> use wireguard tunnel via local firewall. Do I need to add routes and
> if so how do I do this on my local firewall if the public IP is
> dynamic and the default gateway changes regularly. 

To make all the traffic go through Wireguard®, you can do
# route add default -link -iface wg0

Having a dynamic IP at home means that if the IP changes, the server
won't be able to initiate the tunnel but AFAIK, that's the only problem.

Cheers,
Daniel



Re: What determines source IP of traffic from OpenBSD box ?

2021-02-26 Thread Daniel Jakots
On Fri, 26 Feb 2021 11:53:40 +0100 (CET), Rachel Roch
 wrote:

> Let's say I'm running "pkg_add -u" on a OpenBSD-based router with
> multiple interfaces.
> 
> What determines the source IP ?

On -current there is
 route [-T rtable] sourceaddr [-inet|-inet6] [address]
 route [-T rtable] sourceaddr [-inet|-inet6] -ifp interface

Cheers,
Daniel



Re: rdsetroot and gzip'd bsd.rd

2021-02-06 Thread Daniel Jakots
On Tue, 2 Feb 2021 15:29:12 +0100, Sebastien Marie 
wrote:

> On Mon, Feb 01, 2021 at 08:30:17PM -0500, Daniel Jakots wrote:
> > On Mon, 01 Feb 2021 18:18:43 -0700, "Theo de Raadt"
> >  wrote:
> >   
> > > Should rdsetroot be able to edit gzip'd files?  I am not sure
> > > about that.  
> > 
> > Yeah, I don't think so either. gzip(1) can be easily used to
> > uncompress it beforehand. 
> > 
> > But the result is still that rdsetroot on -current is not able to
> > extract a bsd.rd even when given an uncompressed bsd.rd (i.e. a "ELF
> > 64-bit LSB executable, x86-64, version 1" bsd.rd).
> >   
> 
> I looked at what it is done for amd64/ramdisk_cd
> 
> bsd.rd target is made from bsd (kernel) + mr.fs (rdboot filesystem)
> with rdsetroot(8) bsd.gz target is made from bsd.rd with strip(1) +
> gzip(1).
> 
> with current method, it is bsd.gz which is installed in RELEASEDIR as
> bsd.rd file.
> 
> 
> the problem is rdsetroot(8) doesn't support extracting the mr.fs part
> from image when the image is stripped: it expects to find
> "rd_root_size" and "rd_root_image" symbols to locate the size and the
> offset of the mr.fs part inside the image.
> 
> It is possible to use strip with -K rd_root_size -K rd_root_image
> option to preserve these specifics symbols (and make rdsetroot -x to
> work again). I tested it successfully on i386.
> 
> diff a6394f126ec0ed0606e8aac07a82ab1a4c4f2988
> /home/semarie/repos/openbsd/src blob -
> 77fdc3e10fc525e725a40528b728c06976eefc06 file +
> distrib/i386/ramdisk_cd/Makefile --- distrib/i386/ramdisk_cd/Makefile
> +++ distrib/i386/ramdisk_cd/Makefile
> @@ -56,8 +56,8 @@ MRMAKEFSARGS=   -o
> disklabel=${MRDISKTYPE},minfree=0,den 
>  bsd.gz: bsd.rd
>   cp bsd.rd bsd.strip
> - strip bsd.strip
> - strip -R .comment -R .SUNW_ctf bsd.strip
> + strip -K rd_root_size -K rd_root_image bsd.strip
> + strip -K rd_root_size -K rd_root_image -R .comment -R
> .SUNW_ctf bsd.strip gzip -9cn bsd.strip > bsd.gz
>  
>  bsd.rd: mr.fs bsd
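Review bot: the second `+` line is mail-wrapped: `.SUNW_ctf bsd.strip` has been run together with the following unchanged context line `gzip -9cn bsd.strip > bsd.gz`, so the hunk as quoted will not apply with patch(1) until that line break is restored. Beyond that, the same `-K rd_root_size -K rd_root_image` list now appears on both strip calls, and as the note below says the second call silently drops the symtab without it; a single make variable (a hypothetical `STRIPKEEP`, for instance) used by both lines would keep them from drifting apart.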
>
> Please note that the second strip call need -K option too, else the
> symtab is removed. I am a bit surprised by this behaviour.
> 
> I am unsure I will be able to provide a patch for all
> architectures. Please comment if the direction is right or not.
> 
> Thanks.

Thanks for looking at it!

I built a release (without the xenocara part) to test a similar diff to
yours for amd64 (I didn't know which bsd.rd was which, so I did both):

Index: ramdiskA/Makefile
===
RCS file: /cvs/src/distrib/amd64/ramdiskA/Makefile,v
retrieving revision 1.10
diff -u -p -r1.10 Makefile
--- ramdiskA/Makefile   18 May 2020 06:20:43 -  1.10
+++ ramdiskA/Makefile   5 Feb 2021 19:01:06 -
@@ -36,8 +36,8 @@ MRMAKEFSARGS= -o disklabel=${MRDISKTYPE}
 
 bsd.gz: bsd.rd
cp bsd.rd bsd.strip
-   strip bsd.strip
-   strip -R .comment -R .SUNW_ctf bsd.strip
+   strip -K rd_root_size -K rd_root_image bsd.strip
+   strip -K rd_root_size -K rd_root_image -R .comment -R .SUNW_ctf 
bsd.strip
gzip -9cn bsd.strip > bsd.gz
 
 bsd.rd: mr.fs bsd
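Review bot: the second `+` line is wrapped by the mailer after `-R .SUNW_ctf`, with `bsd.strip` continuing on the next line, so as posted the hunk won't apply cleanly; rejoin that line before anyone tries it. The `-K rd_root_size -K rd_root_image` options are also repeated verbatim on both strip invocations; a shared make variable would keep the two in sync, since the symbol table is lost if either call omits them.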
cvs server: Diffing ramdisk_cd
Index: ramdisk_cd/Makefile
===
RCS file: /cvs/src/distrib/amd64/ramdisk_cd/Makefile,v
retrieving revision 1.24
diff -u -p -r1.24 Makefile
--- ramdisk_cd/Makefile 5 Jan 2021 15:10:42 -   1.24
+++ ramdisk_cd/Makefile 5 Feb 2021 19:01:06 -
@@ -59,8 +59,8 @@ MRMAKEFSARGS= -o disklabel=${MRDISKTYPE}
 
 bsd.gz: bsd.rd
cp bsd.rd bsd.strip
-   strip bsd.strip
-   strip -R .comment -R .SUNW_ctf bsd.strip
+   strip -K rd_root_size -K rd_root_image bsd.strip
+   strip -K rd_root_size -K rd_root_image -R .comment -R .SUNW_ctf 
bsd.strip
gzip -9cn bsd.strip > bsd.gz
 
 bsd.rd: mr.fs bsd
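Review bot: this hunk is line for line the same change as the ramdiskA one, including the wrapped second `+` line, and semarie's i386 diff makes a third copy. With identical strip invocations now in several ramdisk Makefiles, consider hoisting the `-K rd_root_size -K rd_root_image` flags into a common variable so a future edit to one Makefile cannot silently break `rdsetroot -x` on another; the `rdsetroot -x bsd.rd disk.fs` run shown below is a good check to repeat for each image.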


And it works:
$ doas cp /home/RELEASEDIR/bsd.rd .
$ mv bsd.rd bsd.rd.gz
$ gunzip bsd.rd.gz
$ doas rdsetroot -x bsd.rd disk.fs
$ file disk.fs
disk.fs: Unix Fast File system [v1] (little-endian), last mounted on , last 
written at Fri Feb  5 18:06:46 2021, clean flag 1, number of blocks 7360, 
number of data blocks 7071, number of cylinder groups 1, block size 4096, 
fragment size 512, minimum percentage of free blocks 0, rotational delay 0ms, 
disk rotational speed 60rps, SPACE optimization


Thanks,
Daniel



Re: rdsetroot and gzip'd bsd.rd

2021-02-01 Thread Daniel Jakots
On Mon, 01 Feb 2021 18:18:43 -0700, "Theo de Raadt"
 wrote:

> Should rdsetroot be able to edit gzip'd files?  I am not sure about
> that.

Yeah, I don't think so either. gzip(1) can be easily used to uncompress
it beforehand. 

But the result is still that rdsetroot on -current is not able to
extract a bsd.rd even when given an uncompressed bsd.rd (i.e. a "ELF
64-bit LSB executable, x86-64, version 1" bsd.rd).



rdsetroot and gzip'd bsd.rd

2021-02-01 Thread Daniel Jakots
Hi,

Running -current amd64, I fetched a -current amd64 bsd.rd, then ran
$ rdsetroot -x bsd.rd ramdisk
rdsetroot: bsd.rd: not an elf

I didn't expect that, so I ran file on it, which said
bsd.rd: gzip compressed data, max compression, from Unix

I naively tried to gunzip it:
$ mv bsd.rd bsd.rd.gz && gunzip bsd.rd.gz
$ file bsd.rd
bsd.rd: ELF 64-bit LSB executable, x86-64, version 1

so I ran rdsetroot again
$ rdsetroot -x bsd.rd ramdisk
rdsetroot: symbol table not found


I guess it's because of
https://github.com/openbsd/src/commit/aa6c3ec2488169493ed4877eea65efb00c967050


Is it because now bsd.rd is stripped and rdsetroot needs to be updated
to not expect a symbol table? Or am I missing something?


Cheers,
Daniel



SIOCSIFPARENT SIOCAIFADDR SIOCSIFFLAGS in bsd.rd

2021-01-29 Thread Daniel Jakots
Hi,

I upgraded my APU2 on 2021-01-16 and I have this in the upgrade log
email:

Terminal type? [vt220] vt220
Available disks are: sd0.
Which disk is the root disk? ('?' for details) [sd0] sd0
Checking root filesystem (fsck -fp /dev/sd0a)... OK.
Mounting root filesystem (mount -o ro /dev/sd0a /mnt)... OK.
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFFLAGS: Device not configured
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFFLAGS: Device not configured
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFFLAGS: Device not configured
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFFLAGS: Device not configured
ifconfig: SIOCSIFPARENT: Invalid argument
ifconfig: SIOCAIFADDR: Device not configured
ifconfig: SIOCSIFFLAGS: Device not configured
Force checking of clean non-root filesystems? [no] no
[...]

The upgrade log before (2020-12-10) was just
Terminal type? [vt220] vt220
Available disks are: sd0.
Which disk is the root disk? ('?' for details) [sd0] sd0
Checking root filesystem (fsck -fp /dev/sd0a)... OK.
Mounting root filesystem (mount -o ro /dev/sd0a /mnt)... OK.
Force checking of clean non-root filesystems? [no] no
[...]


I guess this comes from me switching from trunk(4) to aggr(4).

Is it normal/expected?

It doesn't cause me any trouble but I would have expected the same
'behavior' from trunk(4) and aggr(4) in this regard. Or is it to keep
bsd.rd on a diet?

Cheers,
Daniel



Re: Managed to mess up the system encrypted disk. I can no longer boot.

2021-01-27 Thread Daniel Jakots
On Wed, 27 Jan 2021 11:31:13 -0500, Ashton Fagg 
wrote:

> Do you want "rm -rf /" to hold your hand also?

As a matter of fact, it does :)
https://github.com/openbsd/src/commit/c11d908c7069eb03d103482ce1d0227f3d47b349



Re: Website - Missing kstat man page

2021-01-02 Thread Daniel Jakots
On Sat, 2 Jan 2021 22:57:06 -0500, tiredtech 
wrote:

> I came across a broken link during some pre-install research.
> 
> While browsing URL https://www.openbsd.org/68.html,
> I noticed URL link on the webpage for kstat(1) generates
> a "No results found." message when pointing to its man page:
> 
> https://man.openbsd.org/kstat
> 
> Flagged as new, so I was curious about its general function.
> 
> Regards
> 

It looks like kstat isn't linked to the build so it's not built by
default, therefore it's not present on the man.o.o server.

The source is in src/usr.bin/kstat. If you don't have any src tree
around, you can either read it on github [1] or you can fetch the raw
version [2] and give it to mandoc(1)

[1]: 
https://github.com/openbsd/src/blob/a09091e54b85e8cd86ccf4763998e3800065d5dc/usr.bin/kstat/kstat.1
[2]: 
https://raw.githubusercontent.com/openbsd/src/a09091e54b85e8cd86ccf4763998e3800065d5dc/usr.bin/kstat/kstat.1

(I could copy paste the resulting man page in this email, but you'd lose
all the fancy markup :))

Actually, mandoc(1) supports html output, here's what it gives
https://static.chown.me/private/misc/kstat.html

Cheers,
Daniel



Re: Wireguard

2020-12-28 Thread Daniel Jakots
On Mon, 28 Dec 2020 21:17:42 +, Peter Fraser 
wrote:

> This is my first attempt to set up wireguard, and of course I can't
> get it to work.
> 
> The wg man page shows "ifconfig wgN debug" as an option to help
> debugging. The man page for ifconfig does document the option.
> Nor does the man page tell how to turn the option off.

As with any other ifconfig option, with a leading -, i.e. ifconfig wg0 -debug

> I hoped it might show me my problem, I don't know where the messages
> are going,

dmesg(8) or /var/log/messages


Cheers,
Daniel



Re: Enhancing Privacy in 2020 attached screenshot

2020-12-16 Thread Daniel Jakots
On Wed, 16 Dec 2020 22:55:17 +, pipus  wrote:

> haha Stuart.
> Always there to make a low IQ entrance :)
> Would you be more receptive if it was made by Linus and used Linux I
> wonder... ? Try not to be to childish was just a bit of excitement
> over something we have been waiting for for many decades.

While you were "waiting for many decades" (because I assume you were
not able to do the work), Stuart has done more than 17000 commits in
OpenBSD. It could be funny to see how clueless you are, if it wasn't
appalling because of your lack of respect.

Cheers,
Daniel



Re: Switching from trunk(4) to aggr(4)

2020-12-16 Thread Daniel Jakots
On Wed, 16 Dec 2020 15:04:36 +1000, David Gwynne 
wrote:

> By default LACP only sends packets every 30 seconds. Did you run
> tcpdump for long enough to make sure you saw at least one? If you get
> rid of "-D in" do you see the LACP packets that OpenBSD is
> transmitting?

You were right, I didn't wait long enough. (I didn't know about the
"every 30 seconds"). But I tried again and I never saw them with -D in,
and with -D out I saw the one from OpenBSD.

> Alternatively your switch is configured with a static aggregation,
> ie, what the "loadbalance" in trunk(4) does.

You were right again. As I didn't see the LACP packets, I looked more
carefully and yeah it appeared it was not configured as a LACP trunk. I
deleted the trunk and recreated it (it was immutable) and now aggr0 is
active. Yay!

I thought that since trunk0 in lacp mode was working, it meant the
switch was correctly configured.


Out of curiosity, I tried the commands from sthen, and indeed now they
show something:

TL-SG3216#show lacp internal
Flags:  S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in active mode   P - Device is in passive mode

Channel group 1
LACP port Admin OperPortPort
Port  Flags   State Priority  Key   Key Number  State
Gi1/0/2   SA  Up32768 0x1   0x345   0x2 0x4d
Gi1/0/4   SA  Up32768 0x1   0x345   0x4 0x4d
Gi1/0/6   SA  Up32768 0x1   0x345   0x6 0x4d

TL-SG3216#show lacp neighbor
Flags:  S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in active mode   P - Device is in passive mode

Channel group 1
  LACP port  Admin  Oper   PortPort
Port  Flags   Priority   Dev ID  KeyKeyNumber  State
Gi1/0/2   SP  0  ..  0  0  0   0
Gi1/0/4   SP  0  ..  0  0  0   0
Gi1/0/6   SP  0  ..  0  0  0   0


Thank you very much!
Daniel



Re: Switching from trunk(4) to aggr(4)

2020-12-15 Thread Daniel Jakots
On Tue, 15 Dec 2020 14:30:16 +1000, David Gwynne 
wrote:

> Can you try tcpdump -p -veni em0 -D in and see if any LACP packets
> appear to come in on the port? If not, can you remove the -p and see
> if em0 starts to work?
> 
> There are two main differences between how aggr(4) and trunk(4)
> works. The first you've already found, which is that trunk(4) uses
> the address from one of the ports it's given, while aggr(4) generates
> one when it's created. The second difference is that trunk(4) makes
> member ports promisc, while aggr(4) tries to be a lot more precise
> and takes care to program the ports properly. This means that in your
> environment em(4) has to support changing it's MAC address to the one
> provided by aggr(4), and it has to support joining multicast groups
> properly, including the one that LACP packets are sent to.
> 
> tcpdump with -p means that it won't make the interface promiscuous.
> If you don't see LACP packets come in while the port is promisc, that
> means the multicast filter isn't working properly. It should start
> working if you're running tcpdump without -p on the em(4) ports, or
> on aggr(4) itself.


Thanks for your reply!

Here's what I did (spoiler alert, I couldn't get aggr0 to work):

I switched back the hostname files, and rebooted.

During boot:

starting network
aggr0 em0 trunkport: creating port
aggr0 em0 mux: BEGIN (BEGIN) -> DETACHED
aggr0 em0 rxm: BEGIN (BEGIN) -> INITIALIZE
aggr0 em0 rxm: INITIALIZE (UCT) -> PORT_DISABLED
aggr0 em1 trunkport: creating port
aggr0 em1 mux: BEGIN (BEGIN) -> DETACHED
aggr0 em1 rxm: BEGIN (BEGIN) -> INITIALIZE
aggr0 em1 rxm: INITIALIZE (UCT) -> PORT_DISABLED
aggr0 em2 trunkport: creating port
aggr0 em2 mux: BEGIN (BEGIN) -> DETACHED
aggr0 em2 rxm: BEGIN (BEGIN) -> INITIALIZE
aggr0 em2 rxm: INITIALIZE (UCT) -> PORT_DISABLED
vlan10: no linkaggr0 em0 rxm: PORT_DISABLED (port_enabled) ->
EXPIRED .aggr0 em2 rxm: PORT_DISABLED (port_enabled) -> EXPIRED
aggr0 em1 rxm: PORT_DISABLED (port_enabled) -> EXPIRED
..aggr0 em0 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED
aggr0 em2 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED
aggr0 em1 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED
... sleeping

root@pancake:~# tcpdump -p -veni em0 -D in
tcpdump: listening on em0, link-type EN10MB
18:04:03.996369 80:56:f2:b7:9c:09 ff:ff:ff:ff:ff:ff 8100 60: 802.1Q vid 70 pri 
1 arp who-has 10.70.70.254 tell 10.70.70.101
18:04:04.016123 00:17:10:8e:44:a5 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 10 pri 
1 arp who-has 24.48.69.20 tell 24.48.69.1
18:04:04.034874 00:17:10:8e:44:a5 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 10 pri 
1 arp who-has 24.48.69.109 tell 24.48.69.1

(vlan10 is my uplink to my isp's modem), I didn't have anything but
those arp who-has.

root@pancake:~# ifconfig aggr0 -> still no carrier

root@pancake:~# tcpdump -veni em0 -D in
tcpdump: listening on em0, link-type EN10MB
18:05:11.247455 52:54:00:06:aa:01 00:0d:b9:43:9f:fc 8100 1423: 802.1Q vid 20 
pri 1 10.10.10.44.5638 > 198.48.202.251.25826: udp 1377 (ttl 64, id 2495, len 
1405)
18:05:11.248427 52:54:00:06:aa:01 00:0d:b9:43:9f:fc 8100 1390: 802.1Q vid 20 
pri 1 10.10.10.44.5638 > 198.48.202.251.25826: udp 1344 (ttl 64, id 47470, len 
1372)
18:05:11.249478 52:54:00:06:aa:01 00:0d:b9:43:9f:fc 8100 1424: 802.1Q vid 20 
pri 1 10.10.10.44.5638 > 198.48.202.251.25826: udp 1378 (ttl 64, id 57431, len 
1406)
18:05:11.570690 00:17:10:8e:44:a5 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 10 pri 
1 arp who-has 184.161.78.225 tell 184.161.78.1
18:05:11.586920 00:17:10:8e:44:a5 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 10 pri 
1 arp who-has 192.222.131.28 tell 192.222.131.1
18:05:12.050180 00:17:10:8e:44:a5 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 10 pri 
1 arp who-has 24.48.76.202 tell 24.48.76.1

nothing else than those udp packets (my collectd setup) and the
arp who-has

root@pancake:~# ifconfig aggr0 -> still no carrier

At that point I thought "sthen asked me to try to reboot the switch,
let's do it now" and shortly after I got in my console
aggr0 em0 rxm: DEFAULTED (!port_enabled) -> PORT_DISABLED
aggr0 em1 rxm: DEFAULTED (!port_enabled) -> PORT_DISABLED   
aggr0 em2 rxm: DEFAULTED (!port_enabled) -> PORT_DISABLED
aggr0 em2 rxm: PORT_DISABLED (port_enabled) -> EXPIRED   
aggr0 em1 rxm: PORT_DISABLED (port_enabled) -> EXPIRED
aggr0 em0 rxm: PORT_DISABLED (port_enabled) -> EXPIRED
aggr0 em2 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED
aggr0 em1 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED
aggr0 em0 rxm: EXPIRED (current_while_timer expired) -> DEFAULTED

I tried again putting in promiscuous mode. I thought also let's do it
on all physical interface as well to be safe :D

# tcpdump -veni aggr0 -D in
# tcpdump -veni em0 -D in
# tcpdump -veni em1 -D in
# tcpdump -veni em2 -D in

root@pancake:~# ifconfig aggr0 -> still no carrier


Cheers,
Daniel



Re: Switching from trunk(4) to aggr(4)

2020-12-15 Thread Daniel Jakots
On Mon, 14 Dec 2020 09:26:36 - (UTC), Stuart Henderson
 wrote:

> >> What does the lacp status look like on the switch? (or does it just
> >> say 'up' or something and not really have any status?)  
> >
> > It doesn't say anything about the lacp, it just says the individual
> > ports are going up or down (which is normal since I'm rebooting the
> > apu to apply the network config change).  
> 
> Looking at the switch docs you should get something from "show lacp
> internal", "show lacp neighbor" - maybe compare them between trunk
> and aggr?

I had never connected through serial/cli since I'm a baby who doesn't
know what he's doing so the web interface was nice :3

After the whole adventure of configuring a serial account (which meant
finding the serial cable with an rj45 connector, finding the port baud
rate and so on):

TL-SG3216#show lacp 
 <1-8>- Channel group number
 internal - Actor Lacp Information
 neighbor - Partner Lacp Information
 sys-id   - Display Lacp Global System Priority.

TL-SG3216#show lacp 1 
Error: Bad command

TL-SG3216#show lacp internal

TL-SG3216#show lacp neighbor

TL-SG3216#show lacp sys-id
32768, 8416.f99e.a094


how disappointing :-)
(I tried these, both under trunk0 and aggr0: same result).

I'll reply to your other points in my reply to dlg to centralize all
the info.


Cheers,
Daniel



Re: Switching from trunk(4) to aggr(4)

2020-12-15 Thread Daniel Jakots
On Mon, 14 Dec 2020 08:23:15 +0100, Hrvoje Popovski 
wrote:

> maybe to put debug in hostname.aggr0 then destroy it and then sh
> netstart aggr0 ?

Indeed, making hostname.aggr0:

debug
trunkport em0 trunkport em1 trunkport em2
up

made the debug appear, thanks!

Daniel



Re: Switching from trunk(4) to aggr(4)

2020-12-13 Thread Daniel Jakots
On Sun, 13 Dec 2020 20:34:35 - (UTC), Stuart Henderson
 wrote:

> On 2020-12-12, Daniel Jakots  wrote:
> > I've been using a LACP trunk on my apu (with the three em(4)). On
> > top of which I have some vlans. I've been doing that for years and
> > it's working fine.  
> 
> I used load-balancing trunk on APU before but stopped when I came to
> the conclusion that APU running OpenBSD wasn't going to push more
> than 1Gbps anyway.. (I use failover way more than any type of load
> balancing)

Yes but:
- the three cables between the switch and the APU look beautiful
- I don't have to care which if is em0 and which if is em2. Just plug
  everything.
:)

> I don't see anything on the switch side I could change, and the log I
> have is merely the ports going up or down when I reboot.
>
> > Any idea why aggr(4) stays in no carrier status?  
> 
> Do you get any clues from "ifconfig aggr0 debug"?

I just tried
# ifconfig aggr0 debug
# dmesg

# ifconfig aggr0 down
# ifconfig aggr0 up
# ifconfig aggr0 # checked the debug flag was still there
# dmesg


I also looked at /var/log/message to be safe, but nothing relevant.

> What does the lacp status look like on the switch? (or does it just
> say 'up' or something and not really have any status?)

It doesn't say anything about the lacp, it just says the individual
ports are going up or down (which is normal since I'm rebooting the apu
to apply the network config change).

Cheers,
Daniel



Re: Switching from trunk(4) to aggr(4)

2020-12-13 Thread Daniel Jakots
On Sun, 13 Dec 2020 11:00:32 +0100, livio  wrote:

> # cat /etc/hostname.aggr0
> trunkport em1 trunkport em2 trunkport em3 lacpmode active lacptimeout
> slow description "i_data"
> up

I just tried adding "lacpmode active lacptimeout slow" in case
ifconfig(8) was lying and they were not the default, but it didn't help.

> It works well for me and I never had issues. I currently use a HP
> switch, but it also works with Cisco.
> Maybe some leftovers from the LACP config? I never encountered the
> "no carrier status" issue though.

What do you mean "some leftovers from the LACP config"? I only removed
the trunk0 interface. There isn't anything to change on the switch (since
it works with trunk(4)), is there?

For the record, the switch is a TP-LINK TL-SG3216

Cheers,
Daniel



Switching from trunk(4) to aggr(4)

2020-12-12 Thread Daniel Jakots
Hi,

I've been using a LACP trunk on my apu (with the three em(4)). On
top of which I have some vlans. I've been doing that for years and it's
working fine.

I thought about using aggr(4) instead (for no real reason). But the
aggr interface stays in "status: no carrier".

What I did is, I replaced my hostname.trunk0

trunkproto lacp trunkport em0 trunkport em1 trunkport em2
up

with a hostname.aggr0

trunkport em0 trunkport em1 trunkport em2
up

(and changing the parent in my hostname.vlan*). To apply the new
configuration, I just reboot.

My trunk0 which works is
trunk0: flags=8843 mtu 1500
lladdr 00:0d:b9:43:9f:fc
index 7 priority 0 llprio 3
trunk: trunkproto lacp
trunk id: [(8000,00:0d:b9:43:9f:fc,403C,,),
 (0080,00:00:00:00:00:00,,,)]
em2 lacp actor system pri 0x8000 mac 00:0d:b9:43:9f:fc, key 0x403c, port pri 0x8000 number 0x3
em2 lacp actor state activity,aggregation,sync,collecting,distributing,defaulted
em2 lacp partner system pri 0x80 mac 00:00:00:00:00:00, key 0x0, port pri 0x80 number 0x0
em2 lacp partner state aggregation,sync,collecting,distributing
em2 port active,collecting,distributing
em1 lacp actor system pri 0x8000 mac 00:0d:b9:43:9f:fc, key 0x403c, port pri 0x8000 number 0x2
em1 lacp actor state activity,aggregation,sync,collecting,distributing,defaulted
em1 lacp partner system pri 0x80 mac 00:00:00:00:00:00, key 0x0, port pri 0x80 number 0x0
em1 lacp partner state aggregation,sync,collecting,distributing
em1 port active,collecting,distributing
em0 lacp actor system pri 0x8000 mac 00:0d:b9:43:9f:fc, key 0x403c, port pri 0x8000 number 0x1
em0 lacp actor state activity,aggregation,sync,collecting,distributing,defaulted
em0 lacp partner system pri 0x80 mac 00:00:00:00:00:00, key 0x0, port pri 0x80 number 0x0
em0 lacp partner state aggregation,sync,collecting,distributing
em0 port active,collecting,distributing
groups: trunk
media: Ethernet autoselect
status: active

And the aggr0 which doesn't come up is:
aggr0: flags=8843 mtu 1500
lladdr 00:0d:b9:43:9f:fc
index 6 priority 0 llprio 7
trunk: trunkproto lacp
trunk id: [(8000,00:0d:b9:43:9f:fc,0006,,),
 (,00:00:00:00:00:00,,,)]
em0 lacp actor system pri 0x8000 mac 00:0d:b9:43:9f:fc, key 0x6, port pri 0x8000 number 0x1
em0 lacp actor state activity,aggregation,defaulted
em0 lacp partner system pri 0x0 mac 00:00:00:00:00:00, key 0x0, port pri 0x0 number 0x0
em0 lacp partner state activity,aggregation,sync
em0 port
em1 lacp actor system pri 0x8000 mac 00:0d:b9:43:9f:fc, key 0x6, port pri 0x8000 number 0x2
em1 lacp actor state activity,aggregation,defaulted
em1 lacp partner system pri 0x0 mac 00:00:00:00:00:00, key 0x0, port pri 0x0 number 0x0
em1 lacp partner state activity,aggregation,sync
em1 port
em2 lacp actor system pri 0x8000 mac 00:0d:b9:43:9f:fc, key 0x6, port pri 0x8000 number 0x3
em2 lacp actor state activity,aggregation,defaulted
em2 lacp partner system pri 0x0 mac 00:00:00:00:00:00, key 0x0, port pri 0x0 number 0x0
em2 lacp partner state activity,aggregation,sync
em2 port
groups: aggr
media: Ethernet autoselect
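
The ifconfig(8) output in this thread already contains the answer that only came out later in the discussion: on every member port the actor state carries "defaulted" and the partner system MAC is all zeros, i.e. no LACPDU ever arrived from the switch. The following parser is an added example written for this page, not a tool from the thread or from OpenBSD; it reads the per-port LACP lines the way they appear above (excerpts of the trunk0 and aggr0 output, long lines rejoined) and classifies each port, so the difference between "trunk(4) forwards anyway" and "aggr(4) stays idle" is visible at a glance. The line layout it expects is assumed from the quoted output.

```python
"""Parse the per-port LACP lines of ifconfig(8) trunk(4)/aggr(4) output and
explain why an aggregate has no carrier (added example, not part of the thread)."""
import re
from dataclasses import dataclass, field

# Excerpts of the ifconfig output quoted above (wrapped lines rejoined).
AGGR0_OUTPUT = """\
aggr0: flags=8843 mtu 1500
lladdr 00:0d:b9:43:9f:fc
trunk: trunkproto lacp
em0 lacp actor system pri 0x8000 mac 00:0d:b9:43:9f:fc, key 0x6, port pri 0x8000 number 0x1
em0 lacp actor state activity,aggregation,defaulted
em0 lacp partner system pri 0x0 mac 00:00:00:00:00:00, key 0x0, port pri 0x0 number 0x0
em0 lacp partner state activity,aggregation,sync
em0 port
em1 lacp actor system pri 0x8000 mac 00:0d:b9:43:9f:fc, key 0x6, port pri 0x8000 number 0x2
em1 lacp actor state activity,aggregation,defaulted
em1 lacp partner system pri 0x0 mac 00:00:00:00:00:00, key 0x0, port pri 0x0 number 0x0
em1 lacp partner state activity,aggregation,sync
em1 port
groups: aggr
media: Ethernet autoselect
"""

TRUNK0_OUTPUT = """\
trunk0: flags=8843 mtu 1500
trunk: trunkproto lacp
em2 lacp actor system pri 0x8000 mac 00:0d:b9:43:9f:fc, key 0x403c, port pri 0x8000 number 0x3
em2 lacp actor state activity,aggregation,sync,collecting,distributing,defaulted
em2 lacp partner system pri 0x80 mac 00:00:00:00:00:00, key 0x0, port pri 0x80 number 0x0
em2 lacp partner state aggregation,sync,collecting,distributing
em2 port active,collecting,distributing
groups: trunk
media: Ethernet autoselect
status: active
"""

# Line shapes assumed from the quoted output.
SYSTEM_RE = re.compile(
    r"^(?P<port>\w+) lacp (?P<role>actor|partner) system pri (?P<syspri>0x[0-9a-f]+) "
    r"mac (?P<mac>[0-9a-f:]{17}), key (?P<key>0x[0-9a-f]+), "
    r"port pri (?P<portpri>0x[0-9a-f]+) number (?P<number>0x[0-9a-f]+)$")
STATE_RE = re.compile(r"^(?P<port>\w+) lacp (?P<role>actor|partner) state (?P<flags>\S*)$")
PORT_RE = re.compile(r"^(?P<port>\w+) port\s*(?P<flags>\S*)$")


@dataclass
class LacpPort:
    name: str
    actor_state: set = field(default_factory=set)
    partner_mac: str = ""
    partner_key: str = ""
    partner_state: set = field(default_factory=set)
    port_flags: set = field(default_factory=set)


def _flags(s: str) -> set:
    return {f for f in s.split(",") if f}


def parse_lacp(text: str) -> dict:
    """Return {port name: LacpPort} for every member port found in the output."""
    ports = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SYSTEM_RE.match(line)
        if m:
            p = ports.setdefault(m["port"], LacpPort(m["port"]))
            if m["role"] == "partner":
                p.partner_mac, p.partner_key = m["mac"], m["key"]
            continue
        m = STATE_RE.match(line)
        if m:
            p = ports.setdefault(m["port"], LacpPort(m["port"]))
            if m["role"] == "actor":
                p.actor_state = _flags(m["flags"])
            else:
                p.partner_state = _flags(m["flags"])
            continue
        m = PORT_RE.match(line)
        if m:
            ports.setdefault(m["port"], LacpPort(m["port"])).port_flags = _flags(m["flags"])
    return ports


def diagnose(port: LacpPort) -> str:
    """Classify one member port.

    "defaulted" in the actor state means no LACPDU arrived from the peer before
    current_while_timer expired, so the partner values are defaults (all-zero MAC).
    That is what a switch that is not speaking LACP on those ports looks like
    (static aggregation, as it turned out here), or LACPDUs being dropped on the
    way in (multicast filter, as dlg suggested in the thread).
    """
    if "defaulted" in port.actor_state or port.partner_mac == "00:00:00:00:00:00":
        if "distributing" in port.port_flags:
            return "defaulted-but-forwarding"   # trunk(4) keeps passing traffic
        return "defaulted"                       # aggr(4) leaves the port idle
    if {"collecting", "distributing"} <= port.port_flags:
        return "active"
    return "negotiating"


def report(text: str) -> dict:
    return {name: diagnose(p) for name, p in parse_lacp(text).items()}


if __name__ == "__main__":
    for label, out in (("trunk0", TRUNK0_OUTPUT), ("aggr0", AGGR0_OUTPUT)):
        print(label, report(out))
```

Run it against `ifconfig aggr0` output piped in and a port reported as "defaulted" tells you to look at the switch side (is LACP actually enabled on the channel group?) or at whether LACPDUs reach the port at all, before touching anything in hostname.aggr0.

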

Re: Following the upgrade to 6.8, sshguard is reporting that it fails to start

2020-10-28 Thread Daniel Jakots
On Wed, 28 Oct 2020 16:53:03 -0500, Todd  wrote:

> Following the upgrade to 6.8, rcctl is reporting that sshguard fails
> to start.
> 
>  rcctl check sshguard
>  sshguard(failed)
> 

[...]

>  apu$ rcctl get sshguard
> 
> 
>  sshguard_class=daemon
>  sshguard_flags=-l /var/log/authlog -a 5 -b
> 10:/var/db/sshguard/blacklist.db -w xxx.xxx.xxx.xxx

Yeah the pexp (from pkg/sshguard.rc) seems to be broken as it won't
match as soon as you set some custom daemon_flags.

The port has a maintainer so you should mail them (with or without a
Cc: ports@, as you like).

Or you can try to fix it yourself by playing with pgrep(1) (check what
exact command it runs in /etc/rc.d/rc.subr) and looking at what pexp
other ports' rc scripts define.


Cheers,
Daniel



Re: ssl/libssl certificate validation broken?

2020-10-22 Thread Daniel Jakots
On Thu, 22 Oct 2020 21:49:20 -0500, "Rafael Possamai"
 wrote:

> >Hi Bob, it was in the middle of the night and I got quite kinda
> >stressed because all services depending on our ldap proxy stopped
> >working after the upgrade and it took me a while to figure the
> >problem out.  
> 
> Perhaps this is unsolicited advice, but maybe you can setup a test
> system first, perform major upgrade on it to make sure everything
> works. If so, then do it in production. 
> 

Even better, try -current a few weeks before release (a possible hint
is -beta). This way you can get any encountered bug fixed in time for
-release. Your prod but also everyone else will benefit from it.

Cheers,
Daniel



Re: Approved way to update installed ports after system upgrade?

2020-10-20 Thread Daniel Jakots
On Tue, 20 Oct 2020 17:32:48 -0700, Andrew Robertson
 wrote:

> What's the standard way to upgrade installed ports after a system
> upgrade?
> 
> 
> I've been trying to figure out how to do this properly, and it
> doesn't seem to
> 
> have any mention in the FAQ. Thanks in advance.
> 

"Finish up by upgrading the packages using pkg_add -u." from
https://www.openbsd.org/faq/upgrade68.html

For the very few ports that have a restricted license, which means we
can't distribute packages, update the repository with cvs [1] and then
run `make update`.

[1]: https://www.openbsd.org/anoncvs.html

Cheers,
Daniel



Re: ideas needed for password management

2020-09-24 Thread Daniel Jakots
On Thu, 24 Sep 2020 09:29:37 -0400 (EDT), ben  wrote:

> You don't. Pass is a password manager. It stores passwords for later
> use.

Indeed. So how is pass relevant to OP's problem?



Re: ideas needed for password management

2020-09-24 Thread Daniel Jakots
On Thu, 24 Sep 2020 08:56:01 -0400 (EDT), ben  wrote:

> The pass program for most UNIX based operating systems
> should be available. I'm pretty sure on OpenBSD it's 
> under a different name, so query for package names
> with 'pass' in them.


Out of curiosity, how do you interface OpenSMTPD/Dovecot with pass?



Re: pf, send(2) and EACCES

2020-08-28 Thread Daniel Jakots
On Fri, 28 Aug 2020 22:33:30 +0200, Claudio Jeker
 wrote:

> Have a look at the pf(4) stats. especially check if the congestion
> counter increases when you see the error. If pf(4) detects a network
> congestion then ruleset evaluation is skipped and only state matching
> happens. In that case you can get EACCESS for connections that would
> normally be allowed by pf(4).

Thanks, I'll take a look at `systat pf` if it happens again.


Daniel
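
Claudio's suggestion above is to watch the pf(4) "congestion" counter: when it increments, ruleset evaluation was skipped and only state matching ran, so a new connection that the rules would normally pass can come back with EACCES. The snippet below is an added example for this page, not something from the thread or from OpenBSD; it diffs two `pfctl -si` snapshots and flags the counters that moved. The two snapshots are constructed text laid out like the Counters section of `pfctl -si`, with made-up numbers.

```python
"""Diff two `pfctl -si` snapshots and report pf counters that increased,
in particular "congestion" (added example, not part of the thread)."""
import re

# Constructed excerpts of `pfctl -si` output; the layout mirrors the real
# Counters section, the numbers are invented.
BEFORE = """\
Status: Enabled for 12 days 03:11:05           Debug: err

Counters
  match                             904321            0.9/s
  bad-offset                             0            0.0/s
  fragment                               2            0.0/s
  short                                  0            0.0/s
  memory                                 0            0.0/s
  congestion                             0            0.0/s
  state-mismatch                        17            0.0/s
  state-insert                           0            0.0/s
"""

AFTER = """\
Status: Enabled for 12 days 03:14:48           Debug: err

Counters
  match                             905002            1.1/s
  bad-offset                             0            0.0/s
  fragment                               2            0.0/s
  short                                  0            0.0/s
  memory                                 0            0.0/s
  congestion                             3            0.0/s
  state-mismatch                        17            0.0/s
  state-insert                           0            0.0/s
"""

# "  name   total   rate/s"; names are lowercase words with dashes.
COUNTER_RE = re.compile(r"^\s+(?P<name>[a-z-]+)\s+(?P<value>\d+)\s+[\d.]+/s\s*$")


def parse_counters(text: str) -> dict:
    """Return {counter name: total} from the Counters section only, so the
    similarly shaped State Table lines are not mixed in."""
    counters, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Counters"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == "":          # a blank line ends the section
            in_section = False
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m["name"]] = int(m["value"])
    return counters


def counter_deltas(before: dict, after: dict) -> dict:
    """Counters that increased between the two snapshots, with their deltas."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v - before.get(k, 0) > 0}


def congestion_seen(before_text: str, after_text: str) -> bool:
    """True when pf entered congestion mode between the two snapshots, i.e.
    the window in which rule evaluation is skipped and EACCES can appear."""
    return counter_deltas(parse_counters(before_text), parse_counters(after_text)).get("congestion", 0) > 0


if __name__ == "__main__":
    deltas = counter_deltas(parse_counters(BEFORE), parse_counters(AFTER))
    print("increased:", deltas)
    print("congestion seen:", congestion_seen(BEFORE, AFTER))
```

In practice you would save `pfctl -si` output from cron around the time the `pfctl -Treplace` job runs and again when a client logs the "Permission denied", then feed the two files to `congestion_seen`; `systat pf`, which Daniel mentions, shows the same counters live.

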



Re: pf, send(2) and EACCES

2020-08-28 Thread Daniel Jakots
On Fri, 28 Aug 2020 16:06:48 +0200, Sebastien Marie 
wrote:

> - generate lot of postgresql access. from postgresql thread, the
> statement seems to be a SELECT, so it would be fine to ran in loop
> (hopping no cache and real traffic generated).
> 
> - run pfctl -Treplace in a loop (with a set of different files as the
> kernel code takes care if host are added, changed, deleted)

I ran the select on one machine and the pfctl -Treplace on db1 both in
a `while :` for about two hours and it didn't happen.

I'll try again if the problem happens genuinely again.

Thanks,
Daniel



Re: pf, send(2) and EACCES

2020-08-28 Thread Daniel Jakots
On Fri, 28 Aug 2020 08:32:59 +0200, Sebastien Marie 
wrote:

> On Thu, Aug 27, 2020 at 03:27:58PM -0400, Daniel Jakots wrote:
> > Hi,
> > 
> > I'm chasing a weird behavior with postgresql. Sometimes (it's very
> > infrequent) a sql request fails with "could not send data to client:
> > Permission denied". I reported the problem on pgsql-general@ [0]
> > and if I understood correctly, this happens when pgsql uses send(2)
> > and gets EACCES.
> > 
> > According to send(2) this happens when "The connection was blocked
> > by pf(4)". I have a cron that modifies a table with 
> > `pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH`
> > 
> > The file is large so it's not exactly immediate. Could pf
> > temporarily block new connections while it loads the file? Or am I
> > looking at the wrong thing?
> >   
> 
> From your pf rules, does the postgresql connection could be blocked if
> TABLE_NAME is empty/inconsistent ?
> 
> Could you add (if you don't have already tested it), an explicit
> allow rule for postgresql to ensure the connection will success ?

They are distinct rules:
# grep -e api_bans -e 5432 /etc/pf.conf
table <api_bans> persist file "/etc/pf.api"
block drop in quick from <api_bans>
pass in on vio0 proto tcp from $docker3 to (self) port 5432
pass in on vio0 proto tcp from $web1 to (self) port 5432

The thing is that it happens very rarely, and I'm not sure how to
reproduce it.

> From my reading, pfctl -Treplace is using DIOCRSETADDRS ioctl. On
> userland side, it tries to do it in one step (see
> src/sbin/pfctl/pfctl_table.c line 228), but could iterate on
> pfr_set_addrs() (I am unsure if the change is atomic or if the
> iteration is to ensure the change will be atomic with large enough
> buffer for result).
> 
> The DIOCRSETADDRS ioctl on kernel side is done under PF_LOCK(). But I
> didn't check if the match rule would be done under PF_LOCK() or not
> (I am not familiar enough with pf(4) code to find the code which do
> the check).

Merci,
Daniel



Re: pf, send(2) and EACCES

2020-08-27 Thread Daniel Jakots
On Thu, 27 Aug 2020 16:16:17 -0400, "Sven F." 
wrote:

> pflog0 will tell you what is block if you log it, and can tell you if
> it is

I would have been surprised otherwise (since normally packets pass) but
I looked and there was no log about blocked packet at that time.



pf, send(2) and EACCES

2020-08-27 Thread Daniel Jakots
Hi,

I'm chasing a weird behavior with postgresql. Sometimes (it's very
infrequent) a sql request fails with "could not send data to client:
Permission denied". I reported the problem on pgsql-general@ [0] and if
I understood correctly, this happens when pgsql uses send(2) and gets
EACCES.

According to send(2) this happens when "The connection was blocked by
pf(4)". I have a cron that modifies a table with 
`pfctl -t TABLE_NAME -Tr -f TABLE_FILE_PATH`

The file is large so it's not exactly immediate. Could pf temporarily
block new connections while it loads the file? Or am I looking at the
wrong thing?


[0]: https://www.postgresql.org/message-id/20200827111031.5ee46257%40anegada


Cheers,
Daniel



Re: gcc not on new OpenBSD 6.7 machine, clang problems

2020-08-17 Thread Daniel Jakots
On Mon, 17 Aug 2020 12:05:05 -0700, "Whiskey T."
 wrote:

> Incidentally, I need it to compile opendkim. I couldn't make clang 
> compile it:

Why don't you use the port/package?



Re: pf.conf set state-defaults pflow seemingly not exporting traffic

2020-07-21 Thread Daniel Jakots
On Tue, 21 Jul 2020 19:35:17 +0200, Peter Nicolai Mathias Hansteen
 wrote:

> pfctl -vnf pf.conf

oh indeed it says
pass out log on vlan10 proto tcp all flags S/SA modulate state
(if-bound)

but I understood why my pflow setup still works: it takes the flow from
the internal interfaces :)



Re: pf.conf set state-defaults pflow seemingly not exporting traffic

2020-07-21 Thread Daniel Jakots
On Tue, 21 Jul 2020 18:52:40 +0200, Peter Nicolai Mathias Hansteen
 wrote:

> > 21. jul. 2020 kl. 17:42 skrev marfabastewart
> > :
> > 
> > pf.conf set state-defaults pflow seemingly not exporting traffic
> > 
> > My money is on state-defaults working and I just am doing something
> > wrong, but I can't figure out what it is.
> > 
> > The sensor's information:
> > OpenBSD 6.7 (GENERIC.MP) #4: Wed Jul 15 11:16:20 MDT 2020
> > r...@syspatch-67-amd64.openbsd.org:/usr/src/sys/arch/amd64
> > /compile/GENERIC.MP
> > bios0: PC Engines APU2
> > 
> > On the sensor in /etc/pf.conf each pass rule has modulate state.  I
> > add (pflow) to each of these rules, flows export correctly.  If I
> > don't explicitly add (pflow), I don't see netflow traffic.  
> 
> That is indeed the expected behavior.
> 
> set state-defaults only sets the default so any rule without
> explicitly set state options will evaluate as having ‘keep state
> (pflow)’.
> 
> Your ‘modulate state’ overrides the default. As you have seen, on
> non-default rules you need to add any options explicitly.

Are you sure?
I have a working (AFAIK) pflow setup and I also have 
pass out log on $ext_if proto { tcp, udp } all modulate state

(I checked the rule is used because if I comment it the outgoing
traffic doesn't go anymore)

Cheers,
Daniel



Re: Unbound Configuration

2020-07-10 Thread Daniel Jakots
On Fri, 10 Jul 2020 21:21:00 +, 
wrote:

> Can anybody help me out with the *simplest possible* unbound.conf
> file, just to get it working???

The default config should be fine.

Also posting to multiple mailing lists at the same time is considered a
bad practice.

Cheers,
Daniel



Re: Hardware Random Number Generators (RNG)

2020-07-09 Thread Daniel Jakots
On Thu, 09 Jul 2020 16:35:13 -0600, "Theo de Raadt"
 wrote:

> > PS  I think the USB devices are probably a pretty good source of
> > true entropy.  
> 
> Why do I bother explaining?  I'm the maintainer of the openbsd
> kernel's randomness code.  I say I don't see the point in 1 line of
> code to support these devices.

But don't we have urng(4)? Or is there some subtlety between the cards
it supports and OP's card I'm missing?



Re: SSL error wth dovecot + roundcube

2020-07-08 Thread Daniel Jakots
On Wed, 8 Jul 2020 23:02:40 -0400, Aisha Tammy 
wrote:

> I can send a diff later but hopefully the maintainer can just add a
> small note?

Then mailing the maintainer (with or without cc'ing ports@) will
increase your chance (vs just mailing misc@) ;)



Re: Relayd with TLS and non-TLS backends - bug

2020-07-03 Thread Daniel Jakots
On Fri, 3 Jul 2020 20:25:12 -0400, Brian Brombacher
 wrote:

> My subjective net gain is simplicity, security, performance, and
> flexibility.

I don't think adding ipsec (or a mesh vpn) into the mix achieves that but
ymmv.



Re: Relayd with TLS and non-TLS backends - bug

2020-07-03 Thread Daniel Jakots
On Fri, 3 Jul 2020 19:14:17 -0400, Henry Bonath 
wrote:

> Daniel,
> 
> Thanks for taking the time to test this out.
> I just reloaded a test machine from scratch with -current and
> installed the HAProxy 2.0.15-4f39279 package.
> I loaded a very basic config file, and am also seeing the same exact
> issue on this one as well.
> Very strange that you are not -
> Would you mind sharing any additional details of your config file?
> Is there anything special about the certificate you have on the
> backend server?
> 
> I would love to understand what is going on here and what the
> difference is with my experience.

What is your backend running? Can you connect from the haproxy host with
nc(1) and/or openssl(1)?

I try to do my stuff as vanilla as possible so it's an RSA key signed
by LE.



Re: Relayd with TLS and non-TLS backends - bug

2020-07-02 Thread Daniel Jakots
On Thu, 2 Jul 2020 14:00:48 -0400, Henry Bonath 
wrote:

> Note the missing Client Hello on the 6.7 machine as it jumps to
> Application Data straight away.
> Configuration files for HAProxy are identical on both systems.
> 
> I'm currently spinning up a machine on -CURRENT just to see if there
> is any difference,
> as there is a newer version of HAProxy in packages under Snapshots.
> 
> I was initially going to try to reach out to the package maintainer
> for HAProxy but if this is happening in Relayd, then this "feels
> like" a de-facto bug. I wonder if NGINX would exhibit the same
> behavior.
> 
> Has anyone else experienced such behavior with Load-Balancing TLS
> Backends since upgrading to 6.7?

I don't use TLS for my backend (the only backend I use nowadays is on
localhost) so I can't speak for 6.7 (I only use -current, and when
-current was 6.7, I didn't test that).

I just tested my -current haproxy using another -current host of mine
running nginx as a backend with TLS and it worked fine.

backend https
   option forwardfor
   server web1 ln.chown.me:443 check ssl verify none

and also with "verify required ca-file /etc/ssl/cert.pem"


Maybe some libressl fix that happened on -current was not deemed critical
enough to be backported to 6.7?

Cheers,
Daniel



Re: New tool to (quickly) check for available package upgrades

2020-06-16 Thread Daniel Jakots
On Tue, 16 Jun 2020 16:59:07 -0400, "Jeremy O'Brien"
 wrote:

> I wrote a quick little tool here:
> https://github.com/neutralinsomniac/obsdpkgup in Go to show available
> package upgrades from your configured mirror.
> 
> It takes no more than a few seconds (the time it takes to download
> index.txt from the package repo) to show you all packages that have
> received a version bump. This tool *won't* show same-version
> package-rebuild upgrades, so it shouldn't be used as a complete
> replacement to running 'pkg_add -u', but rather as a companion to
> show when actual newer versions of packages are released. I just
> noticed that in my 99% case, I was waiting anywhere from 5-10 minutes
> for 'pkg_add -u' to complete checking all ~400 of my installed
> packages, and it uses a considerable amount of bandwidth while doing
> so.
> 
> As I understand it, the pkgtools detect same-version rebuilds by
> downloading enough of every installed package tgz to check the
> metadata contained within to determine if an upgrade is needed. If
> anyone knows of an alternative way to determine when a same-version
> package install is required, I would love to know of it. In the
> meantime, I hope someone else can make use of this tool as well.

I think if I wanted to compare packages between a machine of mine and a
mirror, I would compare the quirks package signature timestamps. On
your machine you can find it with
$ grep digital-signature /var/db/pkg/quirks*/+CONTENTS
and on the mirror, you need to fetch the quirks-XXX.tgz (I guess you
can find the XXX with the index.txt) and then look for the +CONTENTS
file.

Cheers,
Daniel



Re: OpenBSD alternatives to Pi-Hole

2020-06-12 Thread Daniel Jakots
On Fri, 12 Jun 2020 17:00:56 -0400, George 
wrote:

> On 2020-06-12 3:57 p.m., Daniel Jakots wrote:
> >
> > I have only one file and it's 4.6M/111246 lines. It takes a while to
> > It runs on a APU2C2 (iirc, but it has for sure 2G of ram).  
> 
> Wow that seems kind of hungry... :)

While it is definitely hungry, "2G of ram" referred to my router
hardware. ;)

> I was planning on running this as a service in VM so I can move it
> when I am upgrading etc.. anyway will give this a shot. @Daniel:
> Would you care sharing a link to your script or is it not BSD
> licensed?

Sure. It's actually two scripts, because some things are easier to do
in shell and others in python.

https://chown.me/indigo/89acc189bc1d0fab752454fb15932a888fbbf3e3e363e592fa738a226df97f64

I have OTHER_DOMAINS to block domains that are not in the blocks list.

In my unbound.conf I have

include: /var/unbound/etc/adblock.conf

Cheers,
Daniel



Re: OpenBSD alternatives to Pi-Hole

2020-06-12 Thread Daniel Jakots
On Fri, 12 Jun 2020 21:51:50 +0200, fRANz
 wrote:

> On Fri, Jun 12, 2020 at 9:35 PM Daniel Jakots  wrote:
> 
> > I have a script that fetches the block list and put it in a unbound
> > format. It's in a special unbound config file that I include in my
> > unbound.conf. This has way fewer features than pihole though so it
> > depends on what you want/need.  
> 
> May I ask the average file size of your unbound zones?
> I do the same on my APU4 (4GB version, OpenBSD v6.7) but for huge file
> zones I got unbound timeout during zone loading.

I have only one file and it's 4.6M/111246 lines. It takes a while to
start: I just timed it and it took 12s. It runs on a APU2C2 (iirc, but
it has for sure 2G of ram).



Re: OpenBSD alternatives to Pi-Hole

2020-06-12 Thread Daniel Jakots
On Fri, 12 Jun 2020 15:24:46 -0400, George 
wrote:

> Hi guys,
> 
> I am trying to setup a Pi-Hole service, i.e. add blocking based on
> empty DNS records zones files, for my local LAN and would like to ask
> what people are using on OpenBSD in this role?

I have a script that fetches the block list and puts it in an unbound
format. It's in a special unbound config file that I include in my
unbound.conf. This has way fewer features than pihole though so it
depends on what you want/need.

Cheers,
Daniel
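
Both of Daniel's replies in this thread describe the same approach: fetch a block list, rewrite it as unbound local-zone entries in a separate file, pull that file in with `include:` from unbound.conf, and keep a hand-maintained extra list (his OTHER_DOMAINS) for domains the fetched list lacks. The script below is an added example written for this page, not Daniel's script from the link above; the hosts-format input is a constructed sample, the `always_nxdomain` zone type is this example's choice, and the hostname validation is there because anything that ends up unquoted or malformed in an included file is a config-parse failure for unbound at the next restart. It also collapses names that already fall under a blocked parent, which trims the file size that the APU2 took 12s to load.

```python
"""Turn a hosts-style block list plus a hand-maintained extra list into an
unbound(8) local-zone include file (added example, not the script from the thread)."""
import re

# Constructed sample of a hosts-format block list: "<ip> <hostname>", comments,
# blank lines, mixed case, one malformed entry.
SAMPLE_HOSTS = """\
# constructed sample, not a real list
127.0.0.1 localhost
0.0.0.0 ads.example.invalid
0.0.0.0 tracker.example.invalid   # inline comment
0.0.0.0 ADS.EXAMPLE.INVALID
::1 localhost
0.0.0.0 sub.example.invalid
0.0.0.0 evil.sub.example.invalid
0.0.0.0 bad_host.example.invalid
"""

# Extra domains not in the fetched list (the role OTHER_DOMAINS plays above).
OTHER_DOMAINS = ["telemetry.example.invalid", "tracker.example.invalid"]

# Names every hosts file carries that must never be blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Strict hostname shape: LDH labels, at least one dot, 253 chars max.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$")


def parse_hosts(text: str) -> set:
    """Hostnames from a hosts-format list, lowercased, validated, deduplicated."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        fields = line.split()
        if len(fields) < 2:                       # blank or "<ip>" only
            continue
        for name in fields[1:]:                   # a line may list several names
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue                          # never emit garbage into the config
            names.add(name)
    return names


def collapse(names: set) -> set:
    """Drop names already covered by a blocked parent: a local-zone applies to
    the whole subtree, so "evil.sub.example" is redundant next to "sub.example"."""
    keep = set()
    for name in sorted(names, key=lambda n: n.count(".")):   # parents first
        labels = name.split(".")
        if any(".".join(labels[i:]) in keep for i in range(1, len(labels))):
            continue
        keep.add(name)
    return keep


def render(names: set) -> str:
    """One local-zone line per name; NXDOMAIN is the quietest answer for clients."""
    return "".join(f'local-zone: "{n}" always_nxdomain\n' for n in sorted(names))


def build(hosts_text: str, extra: list) -> str:
    extra_ok = {n.lower() for n in extra if HOSTNAME_RE.match(n.lower())}
    return render(collapse(parse_hosts(hosts_text) | extra_ok))


if __name__ == "__main__":
    print(build(SAMPLE_HOSTS, OTHER_DOMAINS), end="")
```

Write the output to the file named in your `include:` line (here /var/unbound/etc/adblock.conf), run `unbound-checkconf` before `rcctl reload unbound`, and keep the fetch step separate so a failed download leaves the previous file in place rather than an empty one.

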



Re: How do I get a list of the files of only installed packages?

2020-06-07 Thread Daniel Jakots
On Sun, 7 Jun 2020 21:11:57 +0100, Ottavio Caruso
 wrote:

> Hi,
> 
> "pkg_info -L PACKAGE-NAME"
> 
> will give me a list of all the files within each package, regardless
> of whether the package is installed or not.
> 
> How can I restrict the output to only installed packages, making it
> fail if the package is not installed?
> 
> I could do:
> 
> "pkg_info -f PACKAGE-NAME "
> 
> but that would not give me full pathnames.
> 
> I've looked at the pkg_info man page but I couldn't find a clue.
> 
> Thanks.
> 

A "creative" solution:
$ cat -- /var/db/pkg/*/+CONTENTS

for free, you get for each file its size, its timestamp, and
its checksum! ;)

Cheers,
Daniel
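
Two of Daniel's replies above lean on the packing-list files under /var/db/pkg: reading +CONTENTS directly gives the installed files with their checksums (this thread), and the `@digital-signature` line in the quirks package's +CONTENTS carries the timestamp he suggests comparing against the mirror (the obsdpkgup thread). The parser below is an added example for this page, not OpenBSD's pkg_info(1) code; it walks one +CONTENTS, tracks `@cwd` so paths come out absolute, attaches `@sha`/`@size`/`@ts` to the file they follow, and extracts the signature timestamp. The packing-list is a constructed sample shaped like a real one (package name, paths and checksums are invented), and the exact layout of the `@digital-signature` argument is an assumption, so the timestamp is pulled with a tolerant regex.

```python
"""Read an OpenBSD packing-list (+CONTENTS): installed files with full paths
and checksums, plus the package signature timestamp (added example, not pkg_info code)."""
import re
from datetime import datetime, timezone

# Constructed packing-list; layout follows a real +CONTENTS, values are invented.
SAMPLE_CONTENTS = """\
@name example-pkg-1.2.3
@version 13
@comment pkgpath=misc/example-pkg cdrom=yes ftp=yes
@arch amd64
@digital-signature signify2:2020-06-07T18:40:11Z:external
@cwd /usr/local
@bin bin/example
@sha abc123=
@size 40960
@ts 1591554000
share/doc/example/README
@sha def456=
@size 1234
@ts 1591554000
@dir share/doc/example
@man man/man1/example.1
@sha 789abc=
@size 2048
@ts 1591554000
@cwd /etc
example.conf
@sha ffee00=
@size 100
@ts 1591554000
"""

# Keywords whose argument is an installed file (assumption: the common ones).
FILE_KEYWORDS = {"@bin", "@man", "@info", "@shell"}
SIG_TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")


def parse_contents(text: str) -> dict:
    """Return {"name", "signature_ts", "files": [{path, sha, size, ts}, ...]}."""
    meta = {"name": None, "signature_ts": None, "files": []}
    cwd = "/"

    def add_file(rel: str) -> None:
        meta["files"].append({"path": cwd.rstrip("/") + "/" + rel,
                              "sha": None, "size": None, "ts": None})

    for line in text.splitlines():
        if not line or line.startswith("@comment"):
            continue
        if not line.startswith("@"):              # plain line: a file relative to @cwd
            add_file(line)
            continue
        keyword, _, arg = line.partition(" ")
        if keyword == "@name":
            meta["name"] = arg
        elif keyword == "@cwd":
            cwd = arg                              # later entries are relative to it
        elif keyword in FILE_KEYWORDS:
            add_file(arg)
        elif keyword == "@digital-signature":
            m = SIG_TS_RE.search(arg)
            if m:
                meta["signature_ts"] = m.group(1)
        elif keyword in ("@sha", "@size", "@ts") and meta["files"]:
            key = keyword[1:]                      # annotations describe the file before them
            meta["files"][-1][key] = int(arg) if key in ("size", "ts") else arg
        # @dir, @version, @arch, @depend, @wantlib ... carry no file of their own
    return meta


def installed_paths(text: str) -> list:
    """What `pkg_info -L` prints for an installed package: absolute paths."""
    return [f["path"] for f in parse_contents(text)["files"]]


def signature_time(text: str):
    ts = parse_contents(text)["signature_ts"]
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def mirror_is_newer(local_contents: str, mirror_contents: str) -> bool:
    """The quirks check from the other thread: was the mirror's copy signed
    after the locally installed one?"""
    return signature_time(mirror_contents) > signature_time(local_contents)


if __name__ == "__main__":
    info = parse_contents(SAMPLE_CONTENTS)
    print(info["name"], "signed", info["signature_ts"])
    for f in info["files"]:
        print(f["path"], f["sha"], f["size"])
```

Point `installed_paths` at the +CONTENTS of an installed package and you get exactly the restricted-to-installed listing the question asks for, with a KeyError-free failure mode for absent packages (no directory, no file); for the quirks comparison, fetch the mirror's quirks tarball, extract its +CONTENTS and hand both texts to `mirror_is_newer`.

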



Re: Filling a 4TB Disk with Random Data

2020-06-01 Thread Daniel Jakots
On Mon, 1 Jun 2020 14:33:44 - (UTC), Christian Weisgerber
 wrote:

> Take care to pick the proper device corresponding to the drive you
> want to overwrite.

Don't make people miss a good opportunity to test their backups!



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Daniel Jakots
On Mon, 11 May 2020 17:27:24 +, slackwaree
 wrote:

> I wish if the someone who took the time to make this page at least
> would make an antisystemD page instead.

I doubt anyone asked you how they should spend their time.

>  Let's face it how much time that old fart linus has, maybe
> COVID takes him too.

Are you really saying you hope he dies?
What the fuck is wrong with you?

> I couldn't care less either, all I care is my
> BSD servers uptime 600+ days and not 1 day I worry about their
> security.

You are clearly clueless.


Please refrain from posting again such shitty emails.

Thanks,
Daniel



Re: @OpenBSD_CVS Twitter 140char limit?

2020-05-10 Thread Daniel Jakots
On Sat, 09 May 2020 19:17:29 +0200, Tommy Nevtelen 
wrote:

> Hi there!
> 
> Does anybody on this list manage @OpenBSD_CVS? Would be nice to lift
> the message truncation from the old 140char limit to the new 280char
> limit. Super annoying when I can't read an interesting commit message
> that is just a little longer  :)

afresh1@ is pretty busy so your best luck is probably to submit a pull
request at https://github.com/afresh1/openbsd-commits-to-twitter

Cheers,
Daniel



Re: pf rules vs late pppoe0 setup

2020-04-26 Thread Daniel Jakots
On Sun, 26 Apr 2020 13:54:27 +0200, Jan Stary  wrote:

> Is there a recommended way to deal with this?

If I correctly understood your problem, the solution:
(from pf.conf(5))

> Host name resolution and interface to address translation are
> done at ruleset load-time.  When the address of an interface (or
> host name) changes (under DHCP or PPP, for instance), the ruleset
> must be reloaded for the change to be reflected in the kernel.
> Surrounding the interface name (and optional modifiers) in
> parentheses changes this behaviour.  When the interface name is
> surrounded by parentheses, the rule is automatically updated
> whenever the interface changes its address.  The ruleset does not
> need to be reloaded.  This is especially useful with NAT.

Cheers,
Daniel



Re: Porting Jitsi to OpenBSD

2020-04-24 Thread Daniel Jakots
On Fri, 24 Apr 2020 08:25:51 -0400, Aisha Tammy 
wrote:

> Hey all,
> I'm hoping to port jitsi and wanted to know if anyone else is already
> working on a port so that I don't do work that might be unnecessary.


This kind of email should go on ports@.
Since misc@ has a very low SNR [1] don't assume anyone seriously
working on OpenBSD is actually reading this particular mailing-list.

[1]: https://en.wikipedia.org/wiki/Signal-to-noise_ratio

Cheers,
Daniel



Re: GNU+Linux corporate takeover, was: Wine for OpenBSD?

2020-04-14 Thread Daniel Jakots
On Tue, 14 Apr 2020 16:05:56 -0400, Raul Miller 
wrote:

> Got any good docs on how to debug (or monitor) D-Bus issues?

You're asking for help to debug D-Bus on an OpenBSD mailing list? Why don't
you bring this sooo interesting discussion off-list?



Re: openbsd.org down?

2020-04-13 Thread Daniel Jakots
On Sun, 12 Apr 2020 11:28:21 +0200, Salvatore Cuzzilla
 wrote:

> Can’t reach openbsd.org  - planned maintenance?

Until the problem is solved (which is known and being worked on), I just
forked openbsd/www on github and enabled github pages. You can reach the
website at https://danieljakots.github.io/openbsd-www/
Of course as there is my name there, you can guess it's not something
official.


Cheers,
Daniel



Re: opensmtpd updates not in OPENBSD_6_6 branch?

2020-04-08 Thread Daniel Jakots
On Wed, 08 Apr 2020 20:29:27 + (UTC), Chris Ross
 wrote:

> I updated usr.sbin/smtpd to HEAD, and now get 6.6.4.

You're lagging, it's been bumped to 6.7.0 13 hours ago :)
https://github.com/openbsd/src/commit/3b6172845ca039729e3ac02040d787f83f9c7250

> If I diff that
> dir against the same in OPENBSD_6_6, there are a few thousand lines of
> unified diffs, clearly showing many changes. I don't know for sure
> that it means what's in OPENBSD_6_6 is the same smtpd 6.6.0 that
> shipped with OpenBSD 6.6.0, but it's clearly not the smtpd 6.6.4
> that's in HEAD.

I think your approach is wrong. You're assuming the version number
matters but it doesn't. What matters is that you have the fixes.

Each errata contains the diff, check the code you have to see if it has
the patches.

> I'm not sure how the syspatch creation process is involved, but I saw
> the note from Gilles a month and a half ago[1] suggesting using
> syspatch to update the system.  It looks like that didn't update the
> stable branch.

I don't understand your "it looks like". The whole code is free. Look at
the commits instead of guessing.


Cheers,
Daniel



Re: Ports: how to install dependencies from binaries?

2020-04-07 Thread Daniel Jakots
On Wed, 8 Apr 2020 13:12:54 +1000, Stuart Longland
 wrote:

> Silly question… how do you install the dependencies of a port from
> binaries automatically?

https://man.openbsd.org/bsd.port.mk#FETCH_PACKAGES but it doesn't work
very reliably, sadly.

Cheers,
Daniel



Re: opensmtpd updates not in OPENBSD_6_6 branch?

2020-04-07 Thread Daniel Jakots
On Tue, 07 Apr 2020 19:05:31 + (UTC), Chris Ross
 wrote:

> Hello all.  I am running a OpenBSD 6.6 that I installed late last
> year.  I was recently trying to make sure I'd updated my smtpd to
> 6.6.4, based on earlier security announcement.  As I'm running on a
> sparc64, syspatch doesn't work.  While I'd love to talk about
> rectifying that, that's a bigger issue.
>
> For now, I figured I would get the -stable branch (OPENBSD_6_6) and
> that would have an updated smtpd I could install.  But, I find that
> that branch only have smtpd 6.6.0 in it.  I was of the impression
> that was the stable branch, and as such it should get updates,
> especially including security updates.
> 
> Let me know how I should track important updates for my system,
> without syspatch support for my arch.

The syspatch creation process includes committing to the
(old)stable branch. AFAIK, what happened here is that the fixes were
backported but the version wasn't bumped.
But if you want to be sure, check the code you're going to compile.

Cheers,
Daniel



Re: error on xfce4 ports build

2020-02-16 Thread Daniel Jakots
On Sun, 16 Feb 2020 15:55:51 -0800, Justin Muir 
wrote:

> Any ideas for this error??

It looks like upstream deleted the project. You can still fetch the
source code there:
https://ftp.osuosl.org/pub/blfs/conglomeration/gtk-xfce-engine/gtk-xfce-engine-3.2.0.tar.bz2
if you put it in /home/jkm/ports/distfiles/xfce4/ it should just work.

There's a sha256 to check the integrity, so as long as you don't change
distinfo, you don't have to worry.


I'm glad I'm not the only missing gtk-xfce-engine BTW :)

Cheers,
Daniel



Re: perl popularity inside openbsd community? (Re: Suggestion: Replace Perl ...)

2020-01-02 Thread Daniel Jakots
On Thu, 2 Jan 2020 19:49:28 +0100, Marc Chantreux 
wrote:

> some endless sterile debates

Like this thread, or worse?



sysmerge at scale

2019-10-06 Thread Daniel Jakots
Hi,

I run a bunch of -current VM and I manage them with ansible. When
there's a file that gets updated in src/etc, I check if it matters for
me and if it doesn't, I ignore it. Then, eventually I sync the file in
my ansible repo with upstream's one. But even then sysmerge keeps
nagging me with:
Subject: example.com rc.sysmerge output

 /etc/login.conf unhandled, re-run sysmerge to merge the new version

and I usually end up running sysmerge manually with 'd'.

Any advice on how to deal with that? How do you do it?

Cheers,
Daniel



Re: s.th. strange happening?

2019-08-09 Thread Daniel Jakots
On Fri, 9 Aug 2019 17:01:13 +0200, Stefan Wollny 
wrote:

> As I never did any changes to 'www/squid/Makefile' the following
> irritates me:
> 
> /usr/ports $ doas cvs -q up -Pd -A

don't use doas

> cvs server: conflict: INDEX is modified but no longer in the
> repository 
> C INDEX

rm INDEX

> M www/squid/Makefile

cvs diff www/squid/Makefile
if the change is useless, rm it and re run cvs up.

In doubt, rm the whole tree and fetch a new one ;)


Cheers,
Daniel



Re: Host Header Redirection on openbsd.org

2019-08-05 Thread Daniel Jakots
On Mon, 5 Aug 2019 05:38:46 -0700, Claus Assmann
 wrote:

> On Mon, Aug 05, 2019, Marc Espie wrote:
> > [[...]] the same useless mp4 video.  
> 
> Maybe it is/contains an (attempt of an) exploit?
> 

Unlikely since their signature says "Certified Ethical Hacker"



Re: [www] faq/ports/testing.html - adding link for portslogger(1)'s man

2019-07-30 Thread Daniel Jakots
On Mon, 29 Jul 2019 22:22:01 +0200, Alex Naumov
 wrote:

> just a small update for the port testing guide ;-)

Thanks committed!

Daniel



Re: Ansible install Re: Reboot and re-link

2019-06-21 Thread Daniel Jakots
On Fri, 21 Jun 2019 20:02:48 +0200, Frank Beuth 
wrote:

> On Wed, Jun 19, 2019 at 11:29:32PM +0200, Maxim Bourmistrov wrote:
> >Installing via NOT RECOMMENDED WAY(following upgrade65.html) -
> >scripting on steroides (ansible).  
> 
> I don't want to re-open the hostilities, but installing OpenBSD via
> Ansible is very relevant to my interests. Previously discussed on
> this list was a very roundabout approach using Qemu -- is there a
> better way now?
> 

You can automate installation with autoinstall(8). You can also
automate upgrades with autoinstall(8) and from 6.6 you'll be able to
use sysupgrade(8) as well.

Cheers,
Daniel



Re: When will be created a great desktop experience for OpenBSD?

2019-05-23 Thread Daniel Jakots
On Thu, 23 May 2019 19:51:45 +, "Patrick Harper"
 wrote:

> Our ideas of the setup process aren't equal so I disagree.

Can you please stop answering to this useless thread?



Re: influxdb goes "panic:runtime error: index out of range"

2019-04-08 Thread Daniel Jakots
On Mon, 8 Apr 2019 13:58:27 +0200, Joel Carnat  wrote:

> On a fresh influxdb instance in an OpenBSD VM: same issue. On a
> fresh influxdb instance in a Linux Ubuntu VM: the error disappears and
> the query gets the correct answers.

Did you install the exact same influxdb version on Linux?

I deleted some series or something else and then
if I do now show series it says the same
> show series
ERR: SHOW SERIES [panic:runtime error: index out of range]

I thought it was probably an influx's bug so I asked the hidden
maintainer to update but he politely said no :)

> Find attached the complete log.

It's quite unreadable as is :p

Cheers,
Daniel



Re: authentication methods: how do they work?

2019-03-27 Thread Daniel Jakots
On Wed, 27 Mar 2019 12:31:51 -0400, Boris Epstein
 wrote:

> This is a nice piece of code indeed:
> 
> https://github.com/WIZARDISHUNGRY/totp-util
> 
> But I don't see the login_ code there - which would be
> helpful if I were to write a login plugin. Do you know where that
> code would be?

Not sure how you relate totp-util and login_oauth but you can fetch
the source at that url:
/usr/ports/sysutils/login_oath$ echo $(make show=MASTER_SITES)$(make show=DISTFILES)
https://spacehopper.org/mirrors/login_oath-0.8.tar.gz



Re: authentication methods: how do they work?

2019-03-27 Thread Daniel Jakots
On Wed, 27 Mar 2019 05:34:49 -0400, Boris Epstein
 wrote:

> It is interesting because some people mention combined methods - like
> SSL hostkey + some second factor being used just in that fashion:
> 
> https://chown.me/blog/2FA-with-ssh-on-OpenBSD.html
> 
> But based on my experience thus far it looks like Ted is right. So I
> may have to write a utility for combined login. What should that
> utility do - call the two methods in question and return true or
> false depending on whether they succeed?

You can actually look at the auth plugin this (brilliantly written btw,
*cough* ;)) blog article mentions. login_oauth allows you to use totp
and a password:

> DESCRIPTION
>  The login_totp-and-pwd program attempts to authenticate the user
> via a combination of password authentication and an OATH time-based
> one-time password

(quote from login_totp-and-pwd.8).

Cheers,
Daniel 



Re: authentication methods: how do they work?

2019-03-26 Thread Daniel Jakots
On Tue, 26 Mar 2019 10:01:59 -0400, Boris Epstein
 wrote:

> Hello listmates,
> 
> Let's say I have the following configured in my /etc/login.conf
> 
> auth-defaults:auth=password,skey,yubikey
> 
> Would that mean either password, or skey, or Yubikey, or should they
> all be satisfied?

Either. Then you can pick which is used when you run the software, for
instance with sudo it's the -a flag.

> Also, is there a way to specify that different
> users have different requirements as far as authentication methods.

I would use different login classes.

Cheers,
Daniel



Re: I am sorry

2019-02-04 Thread Daniel Jakots
On Mon, 4 Feb 2019 12:52:48 -0800, Chris Cappuccio 
wrote:

> Leonid Bobrov [mazoc...@disroot.org] wrote:
> > Hi, dear OpenBSD community.
> > 
> > Please forgive me for drama I made earlier at mailing list and
> > IRC channel. I am not a troll, I promise, I want to contribute to
> > OpenBSD in any way I can, please give me a chance.
> >   
> 
> This is the internet. Nobody remembers or cares.

Maybe you don't, but some of us do. I was glad to see Leonid's email
(assuming it's genuine).

> > All this time I had a depression and recently I've visited a doctor
> > and now I am taking tranquilizer and antidepressant pills and feel
> > myself much better, tomorrow I am going to visit a doctor once more.
> >   
> 
> Throw 'em away. Wear your flag proud. 

Really? :|



Re: Keepassx without gtk

2019-02-04 Thread Daniel Jakots
On Mon, 4 Feb 2019 14:39:28 +0300, Isimsiz  wrote:

> Good day, sirs
> Is it possible to install keepassx without gtk+?
> For some reason keepassx depends on qt4 and gtk+3
> I use packages. Maybe i need to compile to exclude gtk support or its
> impossible at all?

I'm not sure what problem you're trying to solve but do you know about
kpcli?

Cheers,
Daniel



Re: does this affect acme-client?

2019-01-21 Thread Daniel Jakots
On Mon, 21 Jan 2019 15:18:04 +0100, "Peter J. Philipp"
 wrote:

> Does this affect the acme-client?
> 
> https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209
> 
> Regards,
> -peter
> 

To quote the man page "acme-client only implements the “http-01”
challenge" so LE stopping sni-01 shouldn't change anything for
acme-client(1)

Cheers,
Daniel



Re: Blocking "shodan.io" - What are my options?

2019-01-08 Thread Daniel Jakots
On Tue, 8 Jan 2019 16:07:43 -0800, Misc User
 wrote:

> Doing some work on it the other day, I noticed it opens a pretty big 
> command injection hole if pfctl doesn't kill the connection before
> the connecting source gets a chance to send data.  An attacker could
> connect to the port and send the string "Ncat: Connection from
> 172.16.11.152.\ && " and whatever it uses for 
> will be done by a privileged account (At least one with permissions
> to add entries to pf's tables)
> 
> I tested it using a telnet client connecting to one of the arbitrary 
> ports I set up.  So I've been trying to figure out a better way to do 
> this.  There has to be, maybe something with tcpdump.
> 
> I'm looking into patching ncat to have a flag where the -v option 
> doesn't output packet content, and only outputs packet metadata. 
> Probably also clean up what it outputs to produce a 'honeypot' mode
> or something friendly to chaining to a firewall control program.

I'm truly amazed that you just realized you enabled people to run code
on your machine with a privileged user, and instead of dropping the
gun, you're like "maybe if I hold it with two hands, I won't shoot
myself in the foot again".

People say "don't roll your own crypto" but it seems it applies to
honeypot software too.
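The safe shape of that pipeline, as an added example in Python (not the poster's script and not ncat's code): the peer address is parsed and validated out of the ncat line and handed to pfctl as an argument vector, never spliced into a shell string. The pf table name and the exact ncat output format are assumptions.

```python
import ipaddress
import re
import subprocess

# Added example. Assumptions: the pf table name, and ncat -v reporting a
# peer as "Ncat: Connection from <address>." on a line of its own.
TABLE = "honeypot"

# Anchored and strict: exactly one non-space token between the fixed
# prefix and the trailing dot. Anything else on the line (including
# injected shell text) makes the match fail.
CONNECT_RE = re.compile(r"^Ncat: Connection from (\S+)\.$")


def unsafe_command(line: str) -> str:
    """The pattern the thread warns about: untrusted log text spliced into
    a shell command line, so whatever the peer got ncat to print becomes
    part of the command. Kept only for contrast; never execute this."""
    addr = line.split("Connection from ", 1)[1].rstrip(".")
    return f"pfctl -t {TABLE} -T add {addr}"


def extract_source(line: str):
    """Return the validated peer address from one ncat line, or None.
    Validation is by parsing as an IP address, not by matching 'things
    that look like an address'."""
    m = CONNECT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    if addr.is_loopback or addr.is_unspecified:
        return None  # never let the honeypot block the host itself
    return str(addr)


def pfctl_argv(addr: str) -> list:
    """Argument vector for pfctl(8): one address per call, no shell."""
    return ["pfctl", "-t", TABLE, "-T", "add", addr]


def process(lines, run=subprocess.run):
    """Feed every validated address to pfctl; return what was added.
    `run` is injectable so the logic can be exercised without pf."""
    added = []
    for line in lines:
        addr = extract_source(line)
        if addr is None:
            continue  # unparseable or unexpected line: ignore it
        run(pfctl_argv(addr), check=False)  # argv list: no shell parsing
        added.append(addr)
    return added


# Constructed sample of what the log pipe might carry, including one line
# shaped like the injection the thread describes and one IPv6 peer.
SAMPLE_LINES = [
    "Ncat: Connection from 172.16.11.152.",
    "Ncat: Connection from 172.16.11.152.\\ && echo injected.",
    "Ncat: Connection from 2001:db8::10.",
    "some unrelated chatter",
]

if __name__ == "__main__":
    # Print the argv instead of calling pfctl when trying this by hand.
    print(process(SAMPLE_LINES, run=lambda argv, **kw: print(" ".join(argv))))
```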



Re: install portslist?

2018-12-14 Thread Daniel Jakots
On Fri, 14 Dec 2018 15:40:05 +0100, Rudolf Sykora 
wrote:

> Is this expected? What am I doing wrong?

You probably have a recent ports tree with old packages. Does
`cd /usr/ports/databases/sqlports && make update`
help?

Cheers,
Daniel



Re: cloudflare.cdn.openbsd.org Certificate expired.

2018-10-20 Thread Daniel Jakots
If you're not able to refrain from giving your judgment on a situation
you don't know the details, please go open a blog or something. misc@ is
not the place for it.

Thanks,
Daniel

On Sat, 20 Oct 2018 12:56:21 -0600, "Constantine A. Murenin"
 wrote:

> This is pretty hilarious!
> 
> Apparently, even the CDNs cannot keep the HTTPS certificates
> up-to-date.  Yet your blog with cat photos MUST have HTTPS, and the
> cost of having HTTPS is estimated at zero by the leading industry
> experts at Google Chrome, Mozilla and Cloudflare (isn't it ironic
> now?!).
> 
> Clearly it's zero.  Every major browser vendor confirms administrative
> costs are zero and/or negligible; and HTTP/2 (as implemented in the
> browsers) requires HTTPS, because why would you NOT use HTTPS?!  And
> if it's not zero, folks wouldn't use HTTPS everywhere, now would
> they?!
> 
> Hurray to HTTPS Everywhere!  Let's Encrypt!
> 
> /sarcasm
> 
> On Sat, 20 Oct 2018 at 11:49, Paco Esteban  wrote:
> >
> > Hi misc@
> >
> > You're probably aware of this but just in case:
> >
> > https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.4/packages-stable/i386/:
> > ftp: SSL write error: certificate verification failed: certificate
> > has expired
> > https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.4/packages/i386/:
> > ftp: SSL write error: certificate verification failed: certificate
> > has expired
> > https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.4/packages/i386/:
> > empty
> >
> > Cheers,
> > Paco.
> >
> > p.s.: Big thanks for 6.4 to all the people involved !
> >
> > --
> > Paco Esteban
> > https://onna.be/gpgkey.asc  
> 



Re: Rate limiting on UDP with PF

2018-10-17 Thread Daniel Jakots
On Wed, 17 Oct 2018 17:59:08 +0200, cont...@jdubois.me wrote:

> I am trying to rate limit UDP with Packet Filter. I know there are
> rules to rate limit on TCP such as "max number" or "max-src-conn-rate
> number / interval" but I did not find anything for UDP.
> 
> I still tried the options with these rules, but once the number of
> states was reached, the NTP server kept answering the requests :
> 
> pass in on $ext_if proto udp to 192.0.2.1 port 123 keep state (max 10)

I think the closest to your goal is max-pkt-rate, see:
https://man.openbsd.org/pf.conf.5#max-pkt-rate

Note it won't block the IP like it does for TCP, the rule simply stops
matching packets.

This parameter was added to OpenBSD recently, but if you run a
supported OpenBSD version, it should be fine ;)

Cheers,
Daniel



Re: CVE-2018-15473 ssh user enumeration vulnerability in OpenBSD 6.3

2018-09-04 Thread Daniel Jakots
On Tue, 4 Sep 2018 12:05:01 -0500, "Karl O. Pinc"  wrote:

> Ssh in OpenBSD 6.3 (stable), and I presume 6.2, is vulnerable
> to username existence checking by remote systems.

It was already discussed on the list:
https://marc.info/?l=openbsd-misc=153512055014488=2

Cheers,
Daniel



Re: network connectivity problem (ifconfig, arp, ...)

2018-09-03 Thread Daniel Jakots
On Mon, 03 Sep 2018 22:58:49 +0200, Vincent 
wrote:

> I've found an article

It's always better to rely on the FAQ rather than on a third party
article who may have not kept the information up to date. It's not
always possible because not everything is in the FAQ but in this case,
it is:

https://www.openbsd.org/faq/faq6.html#Wireless

(scroll down a bit until "Trunking your wireless adapter")

Cheers,
Daniel



Re: Cloud-Storage & OpenBSD

2018-09-02 Thread Daniel Jakots
On Sun, 02 Sep 2018 15:38:40 -0400, Predrag Punosevac
 wrote:

> Dain Bentley wrote:
> 
> > Rclone and a storage provider of choice  
> 
> I don't see it in ports. 
> 
> https://rclone.org/downloads/
> 
> seems to be the link to binary blob. Could you give me the link to
> source code?

It's available on current and will be in 6.4+

https://github.com/openbsd/ports/commit/450fdb4b62b110c027a53143523e13baf7caabc3

Cheers,
Daniel



Re: Cannot make update on updated ports on a fresh install

2018-08-16 Thread Daniel Jakots
On Thu, 16 Aug 2018 23:41:52 +0200 (CEST), 
wrote:

Probably not helping much but

> lea@openbsd:/usr/ports/net/curl $ doas make update

You shouldn't run this as root if you don't have PORTS_PRIVSEP

> On my /etc/mk.conf i have:
> SUDO=/usr/bin/doas
> WRKOBJDIR=/usr/ports/build/wrkobjdir
> DISTDIR=/usr/ports/build/distdir
> PLIST_DB=/usr/ports/build/plist
> BULK_COOKIES_DIR=/usr/ports/build/bulk_cookies
> UPDATE_COOKIES_DIR=/usr/ports/build/update_cookies
> PACKAGE_REPOSITORY=/usr/ports/build/pkgrepo
> FETCH_PACKAGES=Yes

Do you really need to configure all these variables and not use the defaults?

Cheers,
Daniel



Re: xconsole keeps dieing

2018-07-17 Thread Daniel Jakots
On Tue, 17 Jul 2018 17:53:14 -0500, Edgar Pettijohn III
 wrote:

> For some reason xconsole has decided to start seg faulting regularly.
> I can't remember how to build X with debugging symbols. Could anyone
> give me a quick rundown so I can provide more information.

/usr/xenocara/README should help you I think.

Cheers,
Daniel



Re: Employers, Jobs and OpenBSD

2018-07-13 Thread Daniel Jakots
On Fri, 13 Jul 2018 23:05:09 -0300, Man Hobby 
wrote:

> Hi,
> 
> What is the opinion of employers about OpenBSD?

Best Operating System.

> There is reason for to learn use OpenBSD to find job?
> 
> If not, why?

Learning OpenBSD will make you learn many many many things about Unix
systems.

> If there is not reason for to learn use OpenBSD to find job, why use
> OpenBSD?

Just a side note, it's funny you're so much focused on 'job' while you
have 'hobby' in your name.

HTH,
Daniel



Re: /etc/services for MQTT protocol

2018-06-18 Thread Daniel Jakots
On Sun, 17 Jun 2018 17:59:56 +0200, gro...@grompf.net wrote:

> Hello,
> 
> Here's a tiny diff i used during my MQTT exploration while coupling
> some Dyson(tm) stuff with my openbsd homeserver.
> 
> a203 1
> mqtt1883/tcp# MQTT protocol
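Review bot: in the `a203 1` hunk the service name and the port have run together (`mqtt1883/tcp`); services(5) fields are whitespace-separated, so as shown the line would be read as a service named `mqtt1883/tcp` with no port and a lookup for `mqtt` would never match. Separate them like the surrounding entries, e.g. `mqtt 1883/tcp # MQTT protocol` with the file's usual tab layout.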
> a285 1
> secure-mqtt 8883/tcp# Secure MQTT
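Review bot: style point on the `a285 1` hunk: there is no whitespace between `8883/tcp` and the `#` comment. The parser truncates at `#` so it still works, but it is inconsistent with the neighbouring entries; also worth saying in the submission whether 1883 and 8883 should go into the baddynamic list, since that is the question the reply raises.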

https://marc.info/?l=openbsd-tech=151520867321072=2

and I think there was also another argument about the ports being added
to the baddynamic sysctls but I can't find it.

Cheers,
Daniel



Re: OpenBSD logo on my private hompage. It is allowed?

2018-06-07 Thread Daniel Jakots
On Thu, 07 Jun 2018 15:51:24 -0800, justina colmena
 wrote:

> The no-profit clause is new.

That's not true. It was added with
revision 1.8
date: 2005/03/24 01:31:13;  author: deraadt;  state: Exp;  lines: +4 -3;
note do not sell

(on github: 
https://github.com/openbsd/www/commit/46f3713db1ab0fa2183699928305b8b0a29f8683)



Re: py3-qt5

2018-03-01 Thread Daniel Jakots
On Thu, 1 Mar 2018 21:40:57 -0500, Z Ero 
wrote:

> Not showing in pip3 --list after installed with pkg_add. Not available
> module. Why?
> 

pip and pkg_add are two different package managers. If you run pkg_info,
you should see the package list which would mean it's installed.
You should probably read the FAQ: https://www.openbsd.org/faq/faq15.html

Cheers,
Daniel



Re: 5-button wheeled mouse and X

2017-10-29 Thread Daniel Jakots
On Sun, 29 Oct 2017 11:37:45 -0400, gwes  wrote:

> On 10/25/17 07:20, Cág wrote:
> > Natasha Kerensikova wrote:
> >  
> >> it started as a bug report: I have a 5-button mouse with a wheel,
> >> even though I don't use much the buttons 4 and 5 (I think only for
> >> previous and next in firefox history). I recently switched to
> >> OpenBSD, and I was surprised to find these buttons cause
> >> scrolling, like the wheel. If this behavior is intended, the rest
> >> of this e-mail is moot.  
> >
> > This isn't a bug apparently. Are the extra buttons recognised by
> > xev? If they are, remap them with xmodmap(1). If they aren't, well,
> > then it should be done by xf86-input-evdev or libinput. There's
> > been some work in FreeBSD, and the drivers are in ports, but
> > OpenBSD doesn't have them. 
> I use a 4-button Logitech trackball mouse. It required remapping in
> xmodmap to make it work.
> Yes, xev showed enough information to see "button up" and "button
> down" events to use as input to xmodmap.

Do you mind sharing your configuration?

Cheers,
Daniel



Re: Running OpenVPN as a client breaks SSH access into same box? Is it a problem with default route being changed?

2017-10-24 Thread Daniel Jakots
On Tue, 24 Oct 2017 16:25:08 -0400, "tec...@protonmail.com"
 wrote:

> It's currently a bit tricky for me getting into the box physically.
> If only I had SSH access ha!
> 
> I'm almost 100% certain that returning packets are being routed over
> the tun0 (new default route) interface instead of em0.

http://man.openbsd.org/pf.conf#reply-to should help you

> 
> >  Original Message 
> > Subject: Re: Running OpenVPN as a client breaks SSH access into
> > same box? Is it a problem with default route being changed? Local
> > Time: 24 October 2017 10:13 PM UTC Time: 24 October 2017 20:13
> > From: kgo...@gmail.com
> > To: tec...@protonmail.com 
> >
> > you are more likely to receive help if you post the output of
> > "ifconfig -a" and "netstat -nr" commands.
> >
> > On Tue, Oct 24, 2017 at 4:06 PM, tec...@protonmail.com
> > tec...@protonmail.com wrote:
> >  
> >> Hi,
> >> I have a very very basic setup. Not using any other pf rules other
> >> than what comes default with 6.2-Release and almost every other
> >> release. Running OpenVPN works without a problem - able to connect
> >> as a client to a remote OpenVPN server. Everything is properly
> >> routing, verified by checking my IP. Problem is that as soon as
> >> OpenVPN is running, I cannot SSH in to my OpenBSD machine from any
> >> other machine on the Lan. Now, I'm guessing this has something to
> >> do with the default route being changed automatically by OpenVPN
> >> but I am still a total newbie with routing and pf so I have not a
> >> clue how to fix this, especially in any sort of manner which I can
> >> safely assume it to be the correct way. Can someone tell me how to
> >> resolve this? Thank  



Re: regarding the default path for pkg_add in -current

2017-09-27 Thread Daniel Jakots
On Wed, 27 Sep 2017 20:57:10 -0600, and...@quickstick.net wrote:

> Also, after login, pkg_add is very determined to use to the same 
> ../6.2/.. directory path. For the benefit of others who might find 
> themselves in the same spot, the workaround is to use the full path 
> while using pkg_add. 

A better solution is to use pkg_add -Dsnap

Cheers,
Daniel



Re: Packages security updates in -stable

2017-09-09 Thread Daniel Jakots
On Sat, 9 Sep 2017 21:16:36 +0200, Lukasz Jendrysik 
wrote:

> Similar situation with Chromium etc. All of those packages exists in 
> newer versions in -current, but it's not an option in my case.
> 
> I understand that -stable is not place for the latest packages
> available and it's expected to be rock solid, but also secure.
> So I wonder what is the policy in situation when updating to the
> newer upstream version is more than recommended due the security
> reasons.

On -stable, we backport only security (or reliability) fixes, we don't
do updates, because as Theo said, new code means new bugs. Sometimes
though, upstream are kind enough to tag a release which contains only
the patch (the latest one that comes to my mind is weechat 1.7.1), so it
can look like an update but it's not an update.

The problem is the same as everywhere, the people who can do it, don't
care (because priorities) and people who care, won't do it. If you want
to help, please send patches. About that I will just quote what sthen@
said in another thread:

> - get the ports in great shape before sending them. [...]. portcheck
> and lib-depends-check etc should either be clear or you should
> explain why not. if you're already known for sending good clean
> ports, people with a few minutes to spare will be more likely
> to look at yours rather than someone else's...

On Sat, 9 Sep 2017 23:24:38 +0200, Lukasz Jendrysik 
wrote:

> > Well the options are: Get involved and do the work, or watch.  
> How can I help in case when updated package is already in -current?

I would suggest that you begin by looking at how previous irssi
security problems were dealt with on -stable and try to do the same.

Cheers,
Daniel


