Re: Firewall setup

2024-04-14 Thread Michael Lambert
There is a typo on the second line of the martians definition (spurious comma 
and space).

Michael

> On Apr 14, 2024, at 11:09, Karel Lucas  wrote:
> 
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help is 
> appreciated. So let's start simple and then proceed step by step. I want to 
> continue with ping so that I can test the connection to the internet. This 
> works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10 
> www.apple.com. As others have stated, I have a problem with using DNS servers 
> on the internet. The PF ruleset needs to be adjusted for this, but it is 
> still not clear to me how to do that. What else do I need to get ping to work 
> correctly? To get started simply, I created a new pf.conf file, see below.
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0   # The interface to the outside world
> int_if = "{ igc1, igc2 }"   # The interfaces to the private hosts
> localnet = "192.168.2.0/24"  # Hosts on the screened LAN
> 
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>   446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8, 240.0.0.0/4 }"
> 
> # Options:
> set block-policy return
> 
> set skip on lo
> 
> block log all   # block stateless traffic
> 
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> 
> pass out all
> 
> 
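An added check, not part of the thread or of pf: a small linter that reads a macro like `martians` from a pf.conf-style text and reports entries that are not valid networks, which catches the stray ", " in "169.254, 0.0/16" before `pfctl -nf` is ever run. The sample config below is constructed from the quoted ruleset.

```python
"""Lint the network list in a pf.conf macro such as ``martians``.

Added example, not code from the original thread or from pf: it reads a
pf.conf-style macro definition (honouring backslash line continuations),
splits the ``{ ... }`` list on commas and whitespace as pf does, and
reports every entry that is not a valid IPv4/IPv6 network.
"""
import ipaddress
import re

# Constructed sample: the martians macro from the quoted pf.conf, typo included.
SAMPLE_PF_CONF = '''\
ext_if = igc0
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \\
10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \\
0.0.0.0/8, 240.0.0.0/4 }"
'''


def macro_value(conf, name):
    """Return the value of ``name = "..."`` with continuation lines joined,
    or None if the macro is not defined."""
    lines = conf.splitlines()
    pattern = re.compile(r'^\s*' + re.escape(name) + r'\s*=\s*(.*)$')
    i = 0
    while i < len(lines):
        m = pattern.match(lines[i])
        if m:
            value = m.group(1)
            # A trailing backslash continues the value on the next line.
            while value.rstrip().endswith('\\') and i + 1 < len(lines):
                i += 1
                value = value.rstrip()[:-1] + ' ' + lines[i]
            return value.strip().strip('"')
        i += 1
    return None


def lint_network_list(value):
    """Split a pf ``{ a, b c }`` list and return (valid, invalid) entries.

    pf accepts commas and/or whitespace as separators, so a stray ", "
    inside one address silently turns it into two bogus entries.
    """
    inner = value.strip()
    if inner.startswith('{') and inner.endswith('}'):
        inner = inner[1:-1]
    entries = [e for e in re.split(r'[,\s]+', inner) if e]
    valid, invalid = [], []
    for entry in entries:
        try:
            # strict=False: pf masks host bits itself, so 10.1.2.3/8 is legal.
            ipaddress.ip_network(entry, strict=False)
            valid.append(entry)
        except ValueError:
            invalid.append(entry)
    return valid, invalid


def lint_macro(conf, name):
    """Lint one macro; returns the list of invalid entries ([] if clean)."""
    value = macro_value(conf, name)
    if value is None:
        raise KeyError(f"macro {name!r} not found")
    _, invalid = lint_network_list(value)
    return invalid


if __name__ == "__main__":
    for entry in lint_macro(SAMPLE_PF_CONF, "martians"):
        print(f"martians: {entry!r} is not a valid network")
    # prints:
    #   martians: '169.254' is not a valid network
    #   martians: '0.0/16' is not a valid network
```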



Re: mailman on OpenBSD - linking problem

2024-03-13 Thread Michael Hekeler
> Anything else I should pay attention to?

Make sure that your TLS setup is okay.
Read mailman's docs and also the pkg-readme (e.g. setting up cronjobs)
- and pay attention to configuration of your mailserver


> It's a basic mailing list for few gaming discussions really,
> so escaping from chroot was not really that scary, at least in that case.
 
I wouldn't deploy old python scripts outside chroot (python 2.7 has been
end-of-life since 01.01.2020!)
...but I also think I wouldn't set up any huge software just to deploy
"a basic mailing list for few gaming discussions"



Re: files are going missing

2024-03-12 Thread Michael Hekeler
On 11.03.24 19:04 beecdadd...@danwin1210.de wrote:
> I'm not stupid, of course I know about -o

On 11.03.24 18:37 beecdadd...@danwin1210.de wrote:
> ...why still ask redundant question?


isn't this a rather strange way of communicating for someone who is
looking for help ;-) ??



Re: mailman on OpenBSD - linking problem

2024-03-12 Thread Michael Hekeler
> What does "request strip 1" actually do in that case?

From the manpage:
Strip strips path components from the beginning of the request path
before looking up the stripped-down path at the document root.

So in your case:
location "/admin/*" {
	fastcgi socket "/var/www/run/slowcgi.sock"
	root "/usr/local/lib/mailman/cgi-bin/admin"
	request strip 1
}
if request is "admin/" then "admin" is stripped and "/" is sent to
document_root.


> The cgi files are in /usr/local/lib/mailman/cgi-bin/
> chroot setting in httpd.conf: chroot "/"
> Slowcgi starts with: slowcgi_flags="-p /" and it's socket path is:
> /var/www/run/slowcgi.sock
> 
> Slowcgi and httpd works fine. However two things I'd like to know;
> 
> As I asked, what does "request strip 1" do and if I really need that?
> 
> Secondly; how to combine two locations into one? So that;
> "/admin" and "/admin/" would get captured both.

So you expect the location to be triggered if the request is "admin"
but you configured the location to listen on "admin/"?
See the difference?

Next:
There is another misconfiguration in your httpd.conf: you use the root
directive with a filename? Why? The manpage says: The directory is a
pathname within the chroot(2) root directory of httpd.
If you set root to a filename then you have to create multiple locations
for every request:
location "/admin"--> root "/usr/local/lib/mailman/cgi-bin/admin"
location "/list" --> root "/usr/local/lib/mailman/cgi-bin/list"
location "/foo"  --> root "/usr/local/lib/mailman/cgi-bin/foo"
...
this could be quite tedious, that's why I would suggest:
location "/*" --> root "/usr/local/lib/mailman/cgi-bin"


If you want mailman to act on something like http://localhost/mailman/admin
then you can do:
location "/mailman/*" {
	fastcgi
	root "/usr/local/lib/mailman/cgi-bin"
	request strip 1
}

But please keep in mind that you have disabled chroot and this is not
recommended.
Maybe you want to consider copying the needed files inside the chroot?
Or perhaps deploy mailman with something like gunicorn or uwsgi?



Re: httpd location question

2024-03-11 Thread Michael Hekeler
> Is there any directive or regex for the 'location' directive,

httpd doesn't support regular expressions.
httpd includes lua pattern support.
see patterns(7)



Re: mailman on OpenBSD - linking problem

2024-03-11 Thread Michael Hekeler
> I set up a mailman on OpenBSD, and it seems I have managed to do it.
> 
> A single problem left, that I'd like to share with you and get your idea;
> 
> On mailman homepage, there is a link "you can visit the list admin overview
> page"
> and when I click, redirects me: mysite.com/admin and it gives error 404.
> 
> However if I add "/" at the end, making mysite.com/admin/, it works.
> 
> Also the same happens on the linked-text;
> "Overview of all list.mysite.com mailing lists" linking to;
> mysite.com/listinfo, which gives 404 not found when clicking on it.
> 
> But with an extra '/'; mysite.com/listinfo/ works.
> 
> Where's my mistake?
> 
> Related httpd.conf lines;
> 
> location "/admin/*" {
> fastcgi socket "/var/www/run/slowcgi.sock"
> root "/usr/local/lib/mailman/cgi-bin/admin"
> request strip 1
> }

I don't know this mailman script but...
Why did you strip the first component from the request?
Are these CGIs in /usr/local/lib/mailman/cgi-bin/admin or in
/var/www/usr/local/lib/mailman/cgi-bin/admin?
What is your chroot setting in httpd.conf?
And IF you changed the httpd chroot, how do you start slowcgi(8)?
What/where is the socket? Where is the path?



Re: certbot in cron - best way?

2024-02-24 Thread Michael Hekeler
> 
> On 2/21/24 10:07, Stuart Henderson wrote:
> > You might like to investigate ~ in crontab(5), e.g. "~ 0,12" and lose
> > the "sleep".
> > 
> > Wouldn't it be better to have certbot write files into a directory
> > served by httpd so you don't need the "rcctl stop" though?
> > 
> Yes, it would be better. Today had a problem in which rcctl stop worked, but 
> rcctl start didn't.
> Seems like --webroot from certbot can do the trick. Will test in a few days 
> with an expiring certificate.

Another option is to use acme-client(1). Provided that you are happy
with Let's Encrypt or Buypass this could be really easy:

* It is in base so it will work out-of-the-box and you don't need to
  install any packages for this task.
* It has a super easy config.
* Its typical usage is to work with httpd and it uses the correct
  directories by default.
* It is not Python.



Re: relayd fallback when using tag/tagged

2024-02-19 Thread Michael Hekeler
> > > Using such a configuration:
> > > #-8<---
> > > table   { 192.0.2.4 }
> > > table  { 192.0.2.7}
> > > http protocol www {
> > >block
> > >match request header "Host" value "www.example" tag "example"
> > >pass request tagged "example" forward to 
   
Wouldn't it be wrong if relayd sends the requests to  even though
you told him quite clearly to send them to ?
If  is down then relayd must error out, or not (because this is
what you told him to do: sending to )


I think you need an additional step between which decides where to send the
request.
Then in next step you can tag and modify...

Maybe I'm wrong but to me it sounds more consistent when doing the
layer 3 redirection on 192.0.2.30 :

table  { 192.0.2.4 }
table  { 192.0.2.7 }
redirect www {
 listen on 192.0.2.30 port 80
 forward to  check http "/" code 200
 forward to  check icmp
}

And then do all the layer 7 filtering on 192.0.2.4

But as I said before: maybe I'm wrong ;-)



Re: httpd generating: read_errdoc entries in syslog

2024-02-15 Thread Michael Hekeler
> Hi,
> 
> I have a custom error template that I use for the error documents for
> httpd, as described in: man httpd.conf
> 
> In /var/www I have created:
> 
> /err  root:daemon chmod 0755
> 
> Within /var/www/err I have created:
> 
> err.html  www:www chmod 0444
> 
> In my httpd.conf I have a global configuration that points to this:
> 
> /etc/httpd.conf
> . . .
> errdocs "/err"
> 
> When I cause an error with httpd, the error document template I have
> created gets rendered to the client, but I get entries in syslog like
> the following:
> 
> serv1 httpd[23368]: read_errdoc: open: No such file or directory
> 

If you have err.html and trigger a 404 status then httpd:
(1) tries to serve 404.html -> this causes the above log entry
and then (2) tries to serve err.html -> this is fine

if you rename err.html to 404.html then httpd serves 404.html in step 1

Are you sure you caused 404?
Maybe you caused any other status code in your tests?



Re: Installing shellinabox on OpenBSD

2024-02-15 Thread Michael Hekeler
> Use a UBS drive and run it from that...
> 
> You don't need to install it on the window machine.
> 
> Anyway in 2024 still not have a decent native ssh client on Window say how
> interested Microsoft are in making a secure OS really...


Microsoft has had built-in OpenSSH since 2018.
No need for putty or powershell or whatever.

Just open cmd:

Microsoft Windows [Version 10.0.19045.4046]
(c) Microsoft Corporation. Alle Rechte vorbehalten.

U:\>ssh -V
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2   

 



Re: relayd fallback when using tag/tagged

2024-02-15 Thread Michael Hekeler
> Hello,
> 
> I'm trying to configure relayd(8) to use tags, to allow legit host names
> only and modify HTTP headers, and fallback. But I can't have it working
> properly.

I don't understand exactly what you want to achieve. Do you want:

A. Requests with http header "www.example" going to primary.
   And going to fallback if primary is down.
   And block all other requests.
or:

B. Request with http header "www.example" going to primary.
   And all other going to fallback.
   And block nothing (=all requests are served either by primary or
   by fallback)


If A) then put both servers in the table and let HCE decide which host
is up. Something like that (header check ignored in example):

table  {192.0.2.4 192.0.2.7}
redirect www {
	listen on 192.0.2.30 port 80
	forward to  check http "/" code 200
}


If B) then you need an additional pass rule in your protocol.
Something like that (to be honest I don't know why you need the tag here
so I ignored that in that example):

http protocol www {
	pass request quick header "Host" value "www.example" \
		forward to 
	pass request forward to 
	block
}




> 
> Using such a configuration:
> #-8<---
> table   { 192.0.2.4 }
> table  { 192.0.2.7}
> http protocol www {
>   block
>   match request header "Host" value "www.example" tag "example"
>   pass request tagged "example" forward to 
> }
> relay www {
>   listen on 192.0.2.30 port 80
>   protocol www
>   forward to   port 80 check http "/" code 200
>   forward to  port 80
> }
> #-8<---
> forwards all tagged HTTP traffic to the primary server. But if it is turned
> off, relayd(8) only replies with error rather than sending the traffic to
> the fallback server.
> 
> Removing tags and using a simple "pass" directive in protocol (as described
> in the man page) does work as expected regarding the fallback server.
> 
> Is there a way to use both tags and fallback with relayd(8) to mimic
> Apache's Failover[1] configuration with "ProxyPass" and "BalancerMember
> (...) status=+H" ?
> 
> Thank you,
> Joel C.
> 
> [1] https://httpd.apache.org/docs/trunk/howto/reverse_proxy.html#failover
> 



Re: relayd forward with tls

2024-01-24 Thread Michael Hekeler
> Where can I read about the meaning of each field in relayd log? Like you
> said, that 0 is related to the tag one set on the protocol.

I can't tell where to find documentation for relayd's log.
But - to be honest - I found it was not too hard to work with.

For playing with relayd and httpd I suggest Michael W Lucas's
book "Relayd and Httpd Mastery".  Mr. Lucas has a way of
writing that is easy to read!
https://mwl.io/nonfiction/tools#relayd

...and of course the excellent manpages relayd(8), relayd.conf(5)



Re: Freshrss configuration httpd.conf and fastcgi

2024-01-16 Thread Michael Hekeler
> I'd like to setup Freshrss to work under httpd and FastCGI.
> Freshrss uses Php.
^^^
You need to deploy that script with php-fpm NOT via slowcgi(8)
See the file php-XX in /usr/local/share/doc/pkg-readmes/ for doing this
(where XX is your installed version).


> As per the documentation, only the freshrss/p directory should be
> exposed.
> https://github.com/FreshRSS/FreshRSS#installation
> 
> I'd like Freshrss to be access like:
> http://myserver.tld/freshrss
> 

Then you need something like: ..
> server "myserver.tld" {
> listen on * port 80
> listen on * tls port 443 
> tls {
> certificate "/etc/ssl/myserver.tld.crt"
> key "/etc/ssl/private/myserver.tld.key"
> }
> root "/htdocs"

location "/freshrss/*"   { root "/freshrss/p" }


> But at http://myserver.tld/freshrss/p/i/  it shows a 403 Forbidden
> status.

Because there is no index.html in /freshrss/p/i/

Please read manpages httpd.conf(5) for setting directory index other
than index.html.

Test your setup with something like curl(1) or nc(1) not in a browser
like chrome or firefox so that you can see the response clearly and no
cache comes in the way.

And only open your install to the internet when all is set up well.
Also test if access to configfiles is denied.



Re: relayd forward with tls

2024-01-12 Thread Michael Hekeler
> On Thu., Jan 11, 2024 at 13:35, Michael Hekeler
>  wrote:
> >
> > > Jan  9 07:10:24 stable relayd[29792]: relay wwwtls, session 1 (1 active), 
> > > fqdn1, 127.0.0.1 -> 127.0.0.1:8080, done, GET -> 127.0.0.1:8080;
> > > Jan  9 07:10:25 stable relayd[28442]: relay wwwtls, session 1 (1 active), 
> > > fqdn2, 127.0.0.1 -> 127.0.0.1:8081, done, GET -> 127.0.0.1:8081;
> > > Jan  9 07:10:31 stable relayd[29792]: relay wwwtls2, session 2 (1 
> > > active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET
> > > Jan  9 07:10:35 stable relayd[28442]: relay wwwtls2, session 2 (1 
> > > active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET
> >
> > Please examine your log:
> > The first and the second request are processed by "relay wwwtls"
> > The first is tagged "fqdn1" and the second request is tagged "fqdn2"
> > The first is relayed to 127.0.0.1:8080
> > The second is relayed to 127.0.0.1:8081
> > All is fine here :-)
> >
> > Now look at the third and fourth requests.
> > They are both processed by wwwtls2.
> > But they are not tagged (see tag 0) and that's the problem!
> > Because the request stays untagged in the protocol, the relay wwwtls2
> > simply chooses the first forward rule found: 127.0.0.1:8080
> >
> > So examine your requests:
> > This is fine: 'curl https://fqdn1'
> > But this is not: 'curl https://fqdn1:4430'
> >
> > See the difference?
> >
> > The second sets "[HTTP_HOST] => fqdn1:4430" in the HTTP header.
> > That's why you should match "fqdn1:4430" in relayd.conf:
> >
> > match request header "Host" value "fqdn1:4430" tag "fqdn1"
> > - or -
> > match request header "Host" value "fqdn1*" tag "fqdn1"
> >
> 
> That was exactly the problem.
> I didn't know how to read the logs nor the definition of HTTP_HOST.

Most browsers can show the HTTP-Header.
E.g. in firefox -> developer tools -> network -> just click on any
object and it will show headers (and much more)

Or you can place a simple script in httpd that dumps the header.
In PHP for example you can do: print_r($_SERVER);


What I do is place a simple C program in /cgi-bin:

#include <stdio.h>

int
main(int argc, char *argv[])
{
	/* environ holds the CGI environment the web server passes in */
	extern char **environ;

	/* CGI response: header, blank line, then one NAME=value per line */
	printf("Content-Type: text/plain\n\n");
	for (int i = 0; environ[i] != NULL; i++) {
		printf("%s\n", environ[i]);
	}
	return 0;
}



Re: relayd forward with tls

2024-01-11 Thread Michael Hekeler
> Take a look at the example in man relayd.conf. You have to set the X-header 
> like:
> 
> match header set "X-Forwarded-For" \  value "$REMOTE_ADDR"
> match header set "X-Forwarded-By" \   value 
> "$SERVER_ADDR:$SERVER_PORT"


This has nothing to do with relayd's forwarding rules in this topic.

Setting these headers is for logging in httpd.
Because if X-Forwarded-For is not set then httpd logs the IP of the relayd
host as source for ALL requests and the original IP of the request would
be lost.
To overcome this httpd comes with a log format called "forwarded" which
appends X-Forwarded-{For,Port} to the existing log format.



Re: netcup.eu arm64 (kvm, Ampere Altra), bsd.rd hangup

2024-01-11 Thread Michael Hekeler
> 
> 
> On 12/28/23 12:30, Michael Hekeler wrote:
> > 
> > I try to install OpenBSD on netcup ARM, too...
> > 
> > > I disabled the pluart driver in the ramdisk kernel (on a other machine 
> > > with
> > > config -e -f /bsd.rd and copied the ramdisk kernel over to the nectup
> > > server) and got access the the installation script.
> > 
> > How did you disable pluart driver?
> I installed OpenBSD on a Hetzner ARM64 system (CAX11) and modified the
> ramdisk with
> config -e -f /bsd.rd
>   disable pluart
>   quit

Thanks :-)


> 
> The modification should also be possible on any other ARM64 system (e.g.
> Raspberry Pi 4).
> 
> Then I copied the modified bsd.rd and
> https://cdn.openbsd.org/pub/OpenBSD/snapshots/arm64/BOOTAA64.EFI to the EFI
> partition (directly under /boot/efi) on the Netcup server.
> After that I started the OpenBSD BOOTAA64.EFI directly from the TianoCore
> UEFI.
> 
> > Could you provide more info, or share the bsd.rd?
> You'll find my modified bsd.rd here: https://download.fusion-zone.net/

thanks again :-)



Re: relayd forward with tls

2024-01-11 Thread Michael Hekeler
> Jan  9 07:10:24 stable relayd[29792]: relay wwwtls, session 1 (1 active), 
> fqdn1, 127.0.0.1 -> 127.0.0.1:8080, done, GET -> 127.0.0.1:8080;
> Jan  9 07:10:25 stable relayd[28442]: relay wwwtls, session 1 (1 active), 
> fqdn2, 127.0.0.1 -> 127.0.0.1:8081, done, GET -> 127.0.0.1:8081;
> Jan  9 07:10:31 stable relayd[29792]: relay wwwtls2, session 2 (1 active), 0, 
> 127.0.0.1 -> 127.0.0.1:8080, done, GET
> Jan  9 07:10:35 stable relayd[28442]: relay wwwtls2, session 2 (1 active), 0, 
> 127.0.0.1 -> 127.0.0.1:8080, done, GET

Please examine your log:
The first and the second request are processed by "relay wwwtls".
The first is tagged "fqdn1" and the second request is tagged "fqdn2".
The first is relayed to 127.0.0.1:8080.
The second is relayed to 127.0.0.1:8081.
All is fine here :-)

Now look at the third and fourth requests.
They are both processed by wwwtls2.
But they are not tagged (see tag 0) and that's the problem!
Because the request stays untagged in the protocol, the relay wwwtls2
simply chooses the first forward rule found: 127.0.0.1:8080

So examine your requests:
This is fine: 'curl https://fqdn1'
But this is not: 'curl https://fqdn1:4430'

See the difference?

The second sets "[HTTP_HOST] => fqdn1:4430" in the HTTP header.
That's why you should match "fqdn1:4430" in relayd.conf:

match request header "Host" value "fqdn1:4430" tag "fqdn1"
- or -
match request header "Host" value "fqdn1*" tag "fqdn1"
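An added example, not code from the thread or from relayd(8), covering both this reply and the follow-up about reading the logs: it parses the four quoted relayd session lines (field layout inferred from those lines, not from relayd documentation), reports sessions whose tag is "0", and shows why a Host header carrying a port does not match `value "fqdn1"` but does match `value "fqdn1*"`. Glob matching uses Python's fnmatch as an approximation of relayd's "*" patterns.

```python
"""Find relayd sessions that reached a relay untagged, and check why.

Added example, not code from the thread or from relayd(8). A tag field of
"0" means no `match ... tag` rule fired, so the relay fell back to its
first `forward to` rule, exactly the symptom described in the thread.
"""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample: the four syslog lines quoted in the thread.
SAMPLE_LOG = """\
Jan  9 07:10:24 stable relayd[29792]: relay wwwtls, session 1 (1 active), fqdn1, 127.0.0.1 -> 127.0.0.1:8080, done, GET -> 127.0.0.1:8080;
Jan  9 07:10:25 stable relayd[28442]: relay wwwtls, session 1 (1 active), fqdn2, 127.0.0.1 -> 127.0.0.1:8081, done, GET -> 127.0.0.1:8081;
Jan  9 07:10:31 stable relayd[29792]: relay wwwtls2, session 2 (1 active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET
Jan  9 07:10:35 stable relayd[28442]: relay wwwtls2, session 2 (1 active), 0, 127.0.0.1 -> 127.0.0.1:8080, done, GET
"""

# Layout inferred from the lines above: relay, session, tag, src -> dst, state, message.
LINE_RE = re.compile(
    r'relayd\[(?P<pid>\d+)\]: relay (?P<relay>\S+), '
    r'session (?P<session>\d+) \((?P<active>\d+) active\), '
    r'(?P<tag>[^,]+), (?P<src>\S+) -> (?P<dst>\S+), '
    r'(?P<state>[^,]+), (?P<msg>.*)$'
)


@dataclass
class Session:
    relay: str
    session: int
    tag: str      # tag name, or "0" when no match rule tagged the request
    src: str
    dst: str      # backend the relay chose
    state: str

    @property
    def untagged(self):
        return self.tag == "0"


def parse_relayd_log(text):
    """Parse relayd session lines; lines that do not fit the layout are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sessions.append(Session(m["relay"], int(m["session"]), m["tag"],
                                    m["src"], m["dst"], m["state"]))
    return sessions


def untagged_by_relay(sessions):
    """Map relay name -> destinations that untagged sessions fell through to."""
    result = {}
    for s in sessions:
        if s.untagged:
            result.setdefault(s.relay, []).append(s.dst)
    return result


def host_matches(pattern, host_header):
    """Approximate relayd's `match request header "Host" value <pattern>`.

    The whole header value is compared, and a client that connects to a
    non-default port sends "name:port", so "fqdn1" does not match
    "fqdn1:4430" while "fqdn1*" or "fqdn1:4430" does.
    """
    return fnmatchcase(host_header, pattern)


if __name__ == "__main__":
    sessions = parse_relayd_log(SAMPLE_LOG)
    for relay, dsts in untagged_by_relay(sessions).items():
        print(f"{relay}: {len(dsts)} untagged session(s) fell through to "
              f"{sorted(set(dsts))}")
    for pat in ("fqdn1", "fqdn1*", "fqdn1:4430"):
        print(f'value "{pat}" vs Host fqdn1:4430 -> '
              f'{host_matches(pat, "fqdn1:4430")}')
```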



Re: netcup.eu arm64 (kvm, Ampere Altra), bsd.rd hangup

2023-12-28 Thread Michael Hekeler


I'm trying to install OpenBSD on netcup ARM, too...

> I disabled the pluart driver in the ramdisk kernel (on a other machine with
> config -e -f /bsd.rd and copied the ramdisk kernel over to the nectup
> server) and got access the the installation script.

How did you disable the pluart driver?
Could you provide more info, or share the bsd.rd?



Re: Relayd - block bad bots

2023-12-12 Thread Michael Hekeler
> Hey
> 
> I'm running a small VM on OpenBSD where my site resides. My stack is
> pf/relayd/httpd.
> 
> I see a significant traffic coming from bad bots, like mj12. I'd love
> to completely block them and Relayd seems like the best place. I tried to
> block by "User-Agent" header, however there is no support for globs
> there.




> Has anyone had any success with achieving something similiar?

block request header "User-Agent" value "curl*"



Re: FAT names exceeding spec length

2023-12-04 Thread Michael Hekeler
> > To be honest I don't understand the problem you described.
> 
> It is simple, when you come from Android (tested Android 11 tablet) with file 
> names exceeding the FAT spec
> these are cut to 8.3 format in OpenBSD.


You mean Android allows creating filenames >255 on FAT32?
Then you should report this non-compliance to Android
(https://learn.microsoft.com/en-us/windows/win32/fileio/filesystem-functionality-comparison#limits)



Re: wired rdiff-backup doc

2023-12-04 Thread Michael Hekeler
> Hello,
> 
> 7.4, rdiff-backup
> 
> After the upgrade to 7.4 I have been invited to update my
> outdated command line to *the new one* by rdiff-backup.
> 
> The puzzle was not so easy to solve as "rdiff-backup --new --help"
> suggested a good mix of options; "man rdiff-backup" gave out an other
> set of options and two examples, one with the [kind of operation]
> declared just after rdiff-backup, the other one with the 
> [kind of operation] declared just after the option lists; a little
> overwhelming: when you make a mistake the shell show off the *good
> options* suggesting among the others --new, --nonew, etc (not
> recognized) and missing to list all the various --except options among
> the others. I save you from quoting the options listed by 
> "rdiff-backup backup --help". 
> 
> In the end after 10min of tries I was able to launch my
> backup..

maybe to help other users of rdiff-backup you want to post your
experiences on their mailing list?
Or you can open an issue on github because that's what the devs
suggested.



Re: FAT names exceeding spec length

2023-11-30 Thread Michael Hekeler
> 
> There is also some ironic stuff behind these happenings: if you have
> the possibility to check your lost long file names you will discover
> that the most significant information are contained in the first 99 chars.
> 
> 
> Nowarez Market  wrote:
> 
> > 
> > Clearly the problem is that from the user prospective in these kind
> > of events all the information contained in the longer file names are
> > lost. 
> > 
> > A file copy from Android is always completely transparent to the user,
> > anyhow. Android open behavior "doesn't help" copping with these long
> > names: if I copy files from an Android tablet and only after some
> > days I retrieve them..information are lost in OpenBSD.
> > 
> > 
> > Nowarez Market  wrote:
> > 
> > > I have a fat32 usb stick that I use to transfer files
> > > from/to my Android tablet since years.
> > > 
> > > I just want to drop the hint that Android manage
> > > to render the file names exceeding 255 chars offering
> > > the user the long form anyway while OpenBSD strictly
> > > apply the FAT specs rendering these file names
> > > in the 8 chars format.
> >  
> > 

To be honest I don't understand the problem you described.
(Maybe because english is not my native language?)

But I can say that I've never had any problems with the long filenames
on all of my devices whether these are usb-sticks or anything else.

Maybe your android device did something so that another OS can't detect
the long filenames and maybe you can fix this by enforcing -l which should
be set by default but who knows...



Re: cumbersome mtree

2023-11-27 Thread Michael Hekeler
> Hello,
> 
> I was enthusiastic to write down a tool that permitted everyone
> to check and print the default file permissions of a given path
> but when I knocked my eyes against mtree behavior I remained
> frightened. 
> 
> Given for example:
> 
> mtree -c -f /etc/mtree/4.4BSD.dist -K uid,guid,mode -p /usr/games -e

what is your intention when using these flags? What do you want to do?


> I was expecting that:
> -p let me pass the path to check to mtree like /usr/games

Yes, you are right: p uses path instead of the current directory.


> -K uid,guid,mode let me suggest the output for each file entry
>   specified together with -c command option 

on 7.4: 
$ man mtree | grep -A 57 "supported keywords"
it also gives a hint about the specified 'guid' keyword


> But indeed mtree behavior is really different. 

Yes, you are right.


> Please point me in the right direction with mtre

'man mtree' is a good start.
or check security(8). On 7.4 you can do:
$ grep -B 12 -A 27 "sub check_mtree" /usr/libexec/security



Re: Reptar aka CVE-2023-23583

2023-11-21 Thread Michael Hekeler
On 15.11.23 13:41 Christian Weisgerber wrote:
> not jacinda ardern:
> 
> > I saw something about a new intel microcode coming out (subject line) for a 
> > goofy new bug somebody found. Do you guys package that up into the 
> > fw_update (firmware.openbsd.org) magic or does it only come via the oem's 
> > bios updates?
> 
> Whatever Intel releases.
> 
> Yesterday they published a microcode update that should address this.
> The updated firmware package is already on the mirrors.
> 
> 
> CVSROOT:/cvs
> Module name:ports
> Changes by: j...@cvs.openbsd.org 2023/11/14 16:34:51
> 
> Modified files:
> sysutils/firmware/intel: Makefile distinfo 
> 
> Log message:
> update intel microcode to 20231114
> 
> release notes:
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20231114
> 
> mitigates:
> https://lock.cmpxchg8b.com/reptar.html
> https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/redundant-prefix-issue.html

How can I find the cpuid of my cpu to see if my CPU is on Intel's list
of affected CPUs?

On my proxmox systems I can do something like dmidecode
But on OpenBSD - ... I don't know...



Re: Font size and character encoding.

2023-11-20 Thread Michael Hekeler
> How to increase font size in console?
> 
> How to set non-UTF character encoding for tty session on OpenBSD 7.4?
> 

apropos font -a cons



Re: Porting shell scripts from Tiny Tools

2023-11-17 Thread Michael Dinon
On Tuesday, November 14, 2023, Daniele B.  wrote:

> Hello,
>
> I got inspired by the Tiny Tools article, by Gerald J. Holzmann, with some
> useful shell tools code for coding on Unix-like systems.
>
> The article is several years old (jan 2016) and code should be adapted to
> OpenBSD. But I'm trying to convert them anyway.
>
> You can find the first of these shell tools, "nana" (my daughter's Chinese
> name that in Italian means 'short female') resembling and
> enhancing the original tool "num". It is here on https://bsdload.com
>
> Let me get the time to browse the article more and I will keep you posted.
>
>
>
>
> -- Daniele Bonini
>
>

-- 
Kind regards,
Mike


Re: relayd and large POST requests

2023-10-24 Thread Michael Hekeler
> Hi,
> 
> I'm running a setup on OpenBSD 7.3 (amd64, 16GB RAM) with relayd,
> varnish, httpd and php-fpm. When uploading a large >2GB file through
> ...
> 
> 
> /etc/relayd.conf:
> 
> table  { 127.0.0.1 }
> 
> log connection
> 
> http protocol "https" {
> tls keypair "server"
> return error
> pass
> }
> 
> relay "mysite4" {
> listen on xxx port 443 tls
> protocol "https"
> forward to  port 8443 check tcp
> }
> 

before going any deeper in investigating the behaviour I would suggest
configuring this setup using redirection.
I think you are better off just forwarding on layer 3.

Or did I miss something? Why did you choose relay here? 



Re: tmux server recent snapshot amd64 100% CPU freeze

2023-07-17 Thread Michael Dinon
On Monday, July 17, 2023, Jacqueline Jolicoeur  wrote:

> Hi,
>
> I thought I would mention I seem to be able to reproduce a tmux lock up
> where the tmux server component runs at 100% CPU. I am unable to attach
> to it at that point.
>
> The command I run in order to reproduce this is:
>
> Enter the tmux command prompt.
>
> C-b and :
>
> Run this command.
>
> movew -r
>
> It stays locked with the movew command still on screen. I end up having
> to kill the server process.
>
> This started to occur in OpenBSD amd64 snapshots around July 13.
>
> I am running my OpenBSD amd64 with sysctl vm.malloc_conf=S
>
> ~/.tmux.conf
>
> set -g status-keys vi
> set -g status-right "%F %R"
> set -g status-style "bg=black,fg=white"
> setw -g mode-keys vi
>
> Thanks.
>
>

-- 
Kind regards,
Mike


Re: iked server/client OBSD/OBSD

2023-07-12 Thread Michael Hekeler
On 09.07.23 11:38 Tobias Heider wrote:
> On Sat, Jul 08, 2023 at 11:08:31PM -0700, latin...@vcn.bc.ca wrote:
> (...)
> > ikev2 'roadwarrior' active esp \
> > from dynamic to any \
> > peer server_ip \
> > srcid roadwarrior \
> > dstid server_domain \
> > request address any \
> > iface lo1
> > 
> > Questions:
> > should i add  the \?
> 
> Yes, because each policy is one line which isn't very convenient but it is 
> what
   ~~~
> it is for historical reasons.


I just wanted to add one thing: To me this IS very convenient!

If I want to disable/comment out this policy then I have to insert
only one single '#' in front of 'ike'.
If the policy were multiple lines then you would need multiple #'s - one
on each row.



Re: APCI on old Thinkpad

2023-07-04 Thread Michael Hekeler
Am 03.07.23 22:45 schrieb Claudio Jeker:
> Also keep in mind that laptops that old most often had bad or broken early
> ACPI implementations and it was better to not enable ACPI on those.
> Normally there was some BIOS knob to just use apm(4) which often worked
> much better.

Ah - very interesting. I will have a look...



Re: APCI on old Thinkpad

2023-07-04 Thread Michael Hekeler
> Jul 3, 2023 14:47:57 Peter N. M. Hansteen :
> 
> 
> I had to look this up, since I had forgotten that Thinkpads used to come
> with model numbers not prefixed and/or postfixed with letters.
> 
> I think one of several issues you will bump into is that the machine is
> almost a quarter century old (released April 1999 if Wikipedia is to be 
> trusted),
> and you may be one of fairly few people who have kept one around this long.

indeed this device is very old 
...and I am aware that it has many issues ;-)

I did run OpenBSD on that thing for a very long time and I was always happy
with it but that was starting maybe 5.x or something (I think there was
a ghostbusters like CD Box).

A while ago my small Netbook broke and I had to buy a new Thinkpad. But
this new one is so heavy that I desperately remembered my old slim and
low weight Thinkpad 570.


> > This means in practice that in all likelihood, recent versions of any 
> > now-useful
> > software has been only lightly tested (if at all) on that vintage hardware.

I thought about reading emails with mutt(1).



Re: APCI on old Thinkpad

2023-07-03 Thread Michael Hekeler
Am 03.07.23 03:45 schrieb Anders Andersson:
> On Fri, Jun 30, 2023 at 11:44 PM Michael Hekeler  wrote:
> >
> > I have an old thinkpad - really old
> 
> Old enough not to have a model number?

oh dear I have forgotten the model number - Sorry!

It is Thinkpad 570



APCI on old Thinkpad

2023-06-30 Thread Michael Hekeler
I have an old thinkpad - really old

On booting it stops when listing the acpi sleep states and does nothing
more. This is dmesg:

OpenBSD 7.3 (GENERIC) #660: Sat Mar 25 11:17:44 MDT 2023
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
real mem  = 200753152 (191MB)
avail mem = 179949568 (171MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 11/01/99, BIOS32 rev. 0 @ 0xfd840, SMBIOS rev. 2.2 @ 
0xe0010 (35 entries)
bios0: vendor IBM version "IMET56WW" date 11/01/99
bios0: IBM 26443AG
acpi at bios0: ACPI 1.0
acpi0: sleep states S0 S1 S3 S4 S5


It can boot when disabling acpi (see dmesg below).
But then I can't zzz/ZZZ.
Is there something else I can do other than disabling acpi?
Or is this old device simply not supported any more?


OpenBSD 7.3 (GENERIC) #660: Sat Mar 25 11:17:44 MDT 2023
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
real mem  = 200753152 (191MB)
avail mem = 179949568 (171MB)
User Kernel Config
UKC> disable acpi
526 acpi0 disabled
UKC> quit
Continuing...
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 11/01/99, BIOS32 rev. 0 @ 0xfd840, SMBIOS rev. 2.2 @ 
0xe0010 (35 entries)
bios0: vendor IBM version "IMET56WW" date 11/01/99
bios0: IBM 26443AG
acpi at bios0 function 0x0 not configured
apm0 at bios0: Power Management spec V1.2
pcibios0 at bios0: rev 2.1 @ 0xfd7d0/0x830
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdef0/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:06:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #9 is the last bus
bios0: ROM list: 0xc/0xc000
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel Celeron ("GenuineIntel" 686-class, 256KB L2 cache) 366 MHz, 06-06-0a
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,PERF,MELTDOWN
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xf800, size 0x400
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Neomagic Magicgraph NM2200" rev 0x20
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
cbb0 at pci0 dev 2 function 0 "TI PCI1450 CardBus" rev 0x03: irq 11
cbb1 at pci0 dev 2 function 1 "TI PCI1450 CardBus" rev 0x03: irq 11
clcs0 at pci0 dev 5 function 0 "Cirrus Logic CS4280/46xx CrystalClear" rev 
0x01: irq 11
ac97: codec id 0x43525903 (Cirrus Logic CS4297 rev 3)
ac97: codec features headphone, 18 bit DAC, 18 bit ADC, No 3D Stereo
pcib0 at pci0 dev 6 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 6 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 3909MB, 8007552 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 6 function 2 "Intel 82371AB USB" rev 0x01: irq 11
piixpm0 at pci0 dev 6 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
"AT/Lucent LTMODEM" rev 0x01 at pci0 dev 7 function 0 not configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 7 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
cbb1: bad Vcc request. sock_ctrl 0x0, sock_status 0x3b20
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 9 device 0 cacheline 0x8, lattimer 0xb0
pcmcia1 at cardslot1
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt2 at isa0 port 0x3bc/4: polled
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
cbb1: bad Vcc request. sock_ctrl 0x30, sock_status 0x3b20
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on wd0a (bdf7ab95ec79e5e9.a) swap on wd0b dump on wd0b
rl0 at cardbus1 dev 0 function 0 "D-Link DFE-690TXD" rev 0x10: irq 11, address 
00:11:95:5a:f8:7a
rlphy0 at rl0 phy 0: RTL internal PHY
clcs0: firmware loaded
audio0 at clcs0
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec



Re: Running Bugzilla in httpd - 'Pg' is not a valid choice for $db_driver in localconfig

2023-03-19 Thread Michael Hekeler
On 17.03.23 23:02 Stuart Henderson wrote:
> On 2023-03-17, Michael Hekeler  wrote:
> > If you really want to run bugzilla as cgi application with slowcgi(8)
> > then you have to copy the required perl modules in your chroot.
> 
> Or use slowcgi -p / to disable chroot.
> 
> > However since bugzilla is ultimately a cgi application you can deploy it
> > via fastcgi which is supported by httpd(8) natively.
> 
> afaik it doesn't support fastcgi, upstream suggestion is to use
> fcgiwrap which does basically the same as slowcgi.

Uuh - didn't know that. I was sure that bugzilla is a fastcgi app :-/
Anyway thanks for clarification.



Re: Running Bugzilla in httpd - 'Pg' is not a valid choice for $db_driver in localconfig

2023-03-17 Thread Michael Hekeler
On 12.03.23 00:46 Werner Boninsegna wrote:
> Hello,
> 
> I wonder if anybody is running Bugzilla in httpd?
> 
> I have completed the setup and run the test scripts successfully, however
> when trying to access it from the browser, I get below error:
> 
> 'Pg' is not a valid choice for $db_driver in  localconfig: 
> Can't load 
> '/usr/local/libdata/perl5/site_perl/amd64-openbsd/auto/DBD/Pg/Pg.so' for 
> module DBD::Pg: 
> Cannot load specified object 
> at /usr/libdata/perl5/amd64-openbsd/DynaLoader.pm line 193.
> at Bugzilla/DB/Pg.pm line 30.
> Compilation failed in require at Bugzilla/DB/Pg.pm line 30.
> BEGIN failed--compilation aborted at Bugzilla/DB/Pg.pm line 30.
> Compilation failed in require at (eval 201) line 1.If I run the Bugzilla 
> index.cgi scripts manually with Perl, everything works fine and I get the 
> initial HTML code generated.
> 
> I think the problem might be related to the chroot, and I am probably missing 
> some dependency, any hints would be appreciated.


If you really want to run bugzilla as a cgi application with slowcgi(8)
then you have to copy the required perl modules into your chroot.

I could imagine that this could become a time-consuming and cumbersome
process.
Personally I think it negates the logic of chrooted httpd(8) if you copy a
large amount of stuff inside chroot.

However since bugzilla is ultimately a cgi application you can deploy it
via fastcgi which is supported by httpd(8) natively.
I think this would be a better solution than mimicking your perl
installation inside the chroot.



Re: OpenBSD, PHP lifecycle and PHP 8.1 broken compatibility

2023-02-15 Thread Michael Hekeler
> It is all about the dev environment: more precisely I
> need to be able to choose the moment when to switch to PHP[N] and do
> entering in the update process of all my web apps, thats it.

You can have multiple vm's with old versions.
E.g. you can keep an OpenBSD 6.0 vm with PHP 5.5.37.



Re: OpenBSD, PHP lifecycle and PHP 8.1 broken compatibility

2023-02-15 Thread Michael Hekeler
On 15.02.23 10:41 Crystal Kolipe wrote:
> On Wed, Feb 15, 2023 at 02:10:17PM +0100, Michael Hekeler wrote:
> > It is pointless to send to the list and in addition to individuals.
> 
> If you don't want to receive individual replies to list mail, then consider
> setting the
> 
> Mail-Followup-To:
> 
> header in your mail client.

Thank you very much - I didn't know that before.

 
> Some subscribers to the lists _do_ prefer to be cc'ed on threads that they are
> involved in for various reasons, and although setting this header is not a
> guarantee that your preference will be respected, it increases the chances of
> it and also that other posters to that particular thread will be maintained in
> the CC list as per their preference.

Oh - I didn't know this too.
I always do  on a mailinglist so that the reply will go to
the list only. I always thought that some subscribers here cc'ed the
original sender accidentally. But if some subscribers prefer it to be
cc'ed then this makes sense now. Thanks for the clarification :)



Re: OpenBSD, PHP lifecycle and PHP 8.1 broken compatibility

2023-02-15 Thread Michael Hekeler
On 15.02.23 10:12 Daniele Bonini wrote:
> 
> Michael Hekeler  wrote:
> 
> > You can run any PHP version you like.
> > You can run more than just single version.
> 
> ls http://ftp.openbsd.org/pub/OpenBSD/7.2/packages/amd64/ | grep
> 
> php-7.4.30p0.tgz   8197515 
> php-8.0.23p0.tgz   8771969 
> php-8.1.10p0.tgz   9017614
> 
> 
> Ok, let's support OpenBSD project by compile whatever PHP version,
> right? It's not that easy (c lib and diff dependencies), but it is
> nice..
> 
> I was waiting for an honest answer against my problematic dev and
> testing environment..

Actually this WAS an honest answer for your dev environment.

Anyway... please learn how to use mailinglists.
It is pointless to send to the list and in addition to individuals.



Re: OpenBSD, PHP lifecycle and PHP 8.1 broken compatibility

2023-02-14 Thread Michael Hekeler
 
> I'm wondering what are your thoughs on the subject of PHP different versions, 
> in respect to OpenBSD lifecycle. And, indeed, what is going to happen in 
> OpenBSD facing this broken compatibility with the past, starting from 8.1.
> Are you going to support PHP 7.4 and 8.0 longer or what?

What do you mean by "Are you going to support"?
PHP is not an OpenBSD project. The PHP devs release their stuff
completely independently of OpenBSD's lifecycle. You can find their
roadmap on PHP's homepage.

OpenBSD doesn't force you to use specific PHP version.

Some time ago I was deploying PHP 5.x along with PHP 7.x on one of my
webstuff machines for compatibility reasons with a very outdated PHP
script.


> Worrysome this stuff from my side.. I personally have "tons" of  webapps to 
> mantain and there is not a "Docker solution".
> Is it plausible to come to arrange a "sustainable solution" by the ports, 
> chroot or whatever?

You can run any PHP version you like.
You can run more than just single version.



Re: Live stick / cd from official sources

2023-02-09 Thread Michael Hekeler
On 08.02.23 13:06 Stuart Henderson wrote:
> On 2023-02-08, Michael Hekeler  wrote:
> > On 04.02.23 17:48 Daniele B. wrote:
> >> Sorry if I bother you again with the thread.
> >> 
> >> The minipc will be on business from tomorrow and I will use it
> >> together with a little student of mine: it is enough critical that the
> >> "not configured" hello! doesn't reppresent anything "risky".
> >> Eg: I tried to tweak the custom bios of Fujitsu for a more perfomant
> >> fan/cpu but the machine started litterally to fly while booting. 
> >> Precautially
> >> I hanged manually the booting process.
> >> 
> >> The part of dmesg I'm wondering about is the following:
> >> 
> >> "FUJ02E3" at acpi0 not configured
> >> 
> >> "PNP0C14" at acpi0 not configured
> >> "PNP0C32" at acpi0 not configured
> >> "PNP0C14" at acpi0 not configured
> >> 
> >> "PNP0C0B" at acpi0 not configured
> >> "PNP0C0B" at acpi0 not configured
> >> "PNP0C0B" at acpi0 not configured
> >> "PNP0C0B" at acpi0 not configured
> >> "PNP0C0B" at acpi0 not configured
> >> 
> >> acpicpu0 at acpi0: C1(@1 halt!), PSS
> >> acpicpu1 at acpi0: C1(@1 halt!), PSS
> >> acpicpu2 at acpi0: C1(@1 halt!), PSS
> >> acpicpu3 at acpi0: C1(@1 halt!), PSS
> >
> > If you just want to stop these messages from filling your logs you can
> > boot into UKC mode by entering -c at the boot prompt:
> > UKC> disable acpi
> > UKC> quit
> >
> >
> > ...(not a real solution but more a quick fix)
> >
> >
> 
> This is bad advice. ACPI may be needed for thermal management,interrupt 
> routing, and maybe other things. These "not configured"
> devices are unlikely to be a problem.

indeed this is NOT good advice of mine.
@Daniele B. please ignore my last message.



Re: Live stick / cd from official sources

2023-02-08 Thread Michael Hekeler
On 04.02.23 17:48 Daniele B. wrote:
> Sorry if I bother you again with the thread.
> 
> The minipc will be on business from tomorrow and I will use it
> together with a little student of mine: it is enough critical that the
> "not configured" hello! doesn't reppresent anything "risky".
> Eg: I tried to tweak the custom bios of Fujitsu for a more perfomant
> fan/cpu but the machine started litterally to fly while booting. Precautially
> I hanged manually the booting process.
> 
> The part of dmesg I'm wondering about is the following:
> 
> "FUJ02E3" at acpi0 not configured
> 
> "PNP0C14" at acpi0 not configured
> "PNP0C32" at acpi0 not configured
> "PNP0C14" at acpi0 not configured
> 
> "PNP0C0B" at acpi0 not configured
> "PNP0C0B" at acpi0 not configured
> "PNP0C0B" at acpi0 not configured
> "PNP0C0B" at acpi0 not configured
> "PNP0C0B" at acpi0 not configured
> 
> acpicpu0 at acpi0: C1(@1 halt!), PSS
> acpicpu1 at acpi0: C1(@1 halt!), PSS
> acpicpu2 at acpi0: C1(@1 halt!), PSS
> acpicpu3 at acpi0: C1(@1 halt!), PSS

If you just want to stop these messages from filling your logs you can
boot into UKC mode by entering -c at the boot prompt:
UKC> disable acpi
UKC> quit


...(not a real solution but more a quick fix)



Re: DBeaver or similar db tool

2023-02-08 Thread Michael Hekeler
On 07.02.23 15:27 Daniele B. wrote:
> Hello,
> 
> I'm looking around a new "work environment" offering what in terms
> of software and I came across a list of appealing software
> suggested in the category 'db tools' to manage my
> databases.
> 
> Among those I notice DBeaver (https://dbeaver.io/).
> 
> Any chance to have a rich db tool like DBeaver ported to
> OpenBSD soon or later?


As others said before, DBeaver is written using Java 17 and maybe you can
compile it with OpenJDK 17 and Maven.
DBeaver is based on Eclipse and it is also available as an eclipse plugin.

Many of these database GUIs are based on java and so maybe you can find
something you like.

There is also HeidiSQL which is written in pascal. Many years ago I
compiled that beast with lazarus and it runs fine ;-)

There are PHP based database GUIs.
E.g. there is Adminer. Just one single php file to drop in your
webserver.

But in the end it all depends on what you expect from such a tool.

From my experience (which you can safely ignore for sure) I can suggest:
if you really want to use a database then you have to use the tools
provided by this database.
The time learning such all-purpose database management tools is better
invested in learning the quirks of the specific DBMS you want to use.
I find this is true for postgresql, oracle and sql-server.



Re: Issue with acpi0 on Intel NUC11TNHi3

2023-01-16 Thread Michael
On 1/15/23 21:01, Bradley Latus wrote:
> Hello Stuart,
> 
> I noticed that someone else had a similar issue on the openbsd-bugs list..
> https://marc.info/?l=openbsd-bugs=166497715729842=2
> 
> I was able to apply a patch I found from another user (Joe Miller)
> which masks out
> GPE_L6F messages and the problem was resolved.
> https://gist.github.com/joemiller/9f5698c5634d4a93d101985dc5238365
> https://news.ycombinator.com/item?id=33279037
> 
> After applying his patch (removing the additional printing parts)
> My system was restored to what should be expected.

This also fixed the issue for me on a 4 port celeron box I picked up
from Aliexpress in December. Running current from snapshots. Built a new
kernel with the patch as in step 2 in release.

Michael



Re: Hacked? Don't do what I did

2022-09-18 Thread Michael Stolovitzsky
New kernels are generated on every boot by relinking. Check your uptimes; 
they're likely to match kernel timestamps.

On Sep 18, 2022, 9:58 AM, Austin Hook  wrote:
>
>I noticed recently that some of my /bsd files are changing dates:
>
>First the data, then below, I note my guess as to what's happening...
>
>An Internet facing server:
>
>ls -lT /bsd*
>-rwx--  1 rootwheel   20956100 Aug 14 09:54:46 2022 bsd
>-rwx--  1 rootwheel   20954372 Jul 31 01:17:13 2022 bsd.booted
>-rw---  1 rootwheel   10393418 Nov  3 18:53:52 2020 bsd.rd
>
>
>Mailserver on a LAN
>
> ls -lT /bsd*
>-rwx--  1 root  wheel  20959252 Sep  4 09:01:26 2022 /bsd
>-rwx--  1 root  wheel  20953780 Sep  4 08:24:53 2022 /bsd.booted
>-rw---  1 root  wheel  10393418 Jan 18 21:32:51 2021 /bsd.rd
>
>
>
>Internet facing server
>
>-rwx--  1 root  wheel  20961836 Sep 17 11:29:23 2022 bsd
>-rwx--  1 root  wheel  20954668 Aug 28 15:21:24 2022 bsd.booted
>-rw---  1 root  wheel  10393418 Oct 21 08:02:57 2020 bsd.rd
>
>The above three are version 6.8
>
>In each case the sha256 checksums for /bsd do not seem to match the
>distributed versions.  Luckily those are still in the pub/openbsd
>mirrors.
>
>And I also have a laptop running a very old version of OpenBSD, for
>which
>the /bsd seemed to have been corrupted by the time I was signing in
>from a
>hotel recently.  It complained that it could not randomize the
>libraries
>on boot up.  So it would not boot, although I could boot it up from an
>external bootable hard drive containing a really old 5.3 image
>
>I also signed into one of my systems with "putty" which I loaded onto a
>
>friend's windows machine -- some time in August I think it was.
>
>I note:
>
>1) the /bsd.rd files were installed when I last updated the systems
>above,
>and the dates of these all correspond with other important files of the
>
>last upgrade or install.  So at least most of those, have apparently
>not
>been touched.
>
>2) There seems to be a progression of date changing events in the /bsd
>file images, in the different machines.
>
>Anyone know of another explanation other than someone sneakily hacking
>at
>my machines.
>
>Somehow, in some machine, I think my ssh sessions are being hacked.
>
>Looks like I have a lot of work to do.
>
>
>Austin
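
The reply above says to compare the kernel timestamps with the uptime. The script below is an added example, not code from this thread or from OpenBSD itself: it parses `ls -lT /bsd*` output and the `sysctl kern.boottime` value and classifies each kernel file the way a responder would. It relies on what KARL does on every boot (relink /bsd in a fresh order, which is why its SHA256 never matches the release file; keep the kernel that was actually booted as /bsd.booted; record the new kernel's checksum in /var/db/kernel.SHA256). The sample listing and boot time are constructed, and the 30-minute relink window is an assumption.

```python
"""Tell OpenBSD kernel relinking (KARL) apart from tampering.

Added example, not code from the thread.  Expected on an untampered host:
  /bsd         relinked shortly AFTER this boot by reorder_kernel
  /bsd.booted  the kernel that was booted, so its mtime predates boot
  /bsd.rd      the installer kernel, untouched except by an upgrade
A /bsd mtime well after boot is not a boot-time relink; syspatch(8)
relinks too, anything else deserves a look.
"""
import re
from datetime import datetime, timedelta

# One `ls -lT` line: mode links owner group size "Mon DD HH:MM:SS YYYY" name
LS_LT = re.compile(
    r"^(?P<mode>\S+)\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(?P<name>\S+)$"
)
TS_FMT = "%b %d %H:%M:%S %Y"
RELINK_WINDOW = timedelta(minutes=30)  # assumption: relink finishes within this


def parse_ls_lt(text):
    """Map basename -> mtime for every `ls -lT` line that parses."""
    files = {}
    for line in text.splitlines():
        m = LS_LT.match(line.strip())
        if m:
            files[m["name"].rsplit("/", 1)[-1]] = datetime.strptime(m["ts"], TS_FMT)
    return files


def parse_boottime(text):
    """Parse `sysctl kern.boottime`, e.g. 'kern.boottime=Sat Sep 17 11:27:50 2022'."""
    value = text.strip().split("=", 1)[-1]
    return datetime.strptime(value, "%a " + TS_FMT)


def classify(files, boot):
    """Return {name: (status, reason)} with status 'ok' or 'investigate'."""
    out = {}
    if "bsd" in files:
        mt = files["bsd"]
        if boot <= mt <= boot + RELINK_WINDOW:
            out["bsd"] = ("ok", "relinked right after this boot, as KARL does")
        elif mt < boot:
            out["bsd"] = ("investigate", "older than boot: relink did not run, check relink.log")
        else:
            out["bsd"] = ("investigate", "modified long after boot: syspatch, or not KARL at all")
    if "bsd.booted" in files:
        out["bsd.booted"] = (("ok", "predates boot: it is the kernel that was booted")
                             if files["bsd.booted"] < boot else
                             ("investigate", "newer than boot: the booted copy should not change"))
    if "bsd.rd" in files:
        out["bsd.rd"] = (("ok", "untouched since boot; compare its SHA256 with the release file")
                         if files["bsd.rd"] < boot else
                         ("investigate", "modified after boot: bsd.rd is never relinked"))
    return out


# Constructed sample input, in the format `ls -lT /bsd*` and `sysctl kern.boottime` print.
SAMPLE_LS = """\
-rwx------  1 root  wheel  20961836 Sep 17 11:29:23 2022 /bsd
-rwx------  1 root  wheel  20954668 Aug 28 15:21:24 2022 /bsd.booted
-rw-------  1 root  wheel  10393418 Oct 21 08:02:57 2020 /bsd.rd
"""
SAMPLE_BOOTTIME = "kern.boottime=Sat Sep 17 11:27:50 2022"

if __name__ == "__main__":
    verdicts = classify(parse_ls_lt(SAMPLE_LS), parse_boottime(SAMPLE_BOOTTIME))
    for name, (status, why) in verdicts.items():
        print(f"/{name:<11} {status:<12} {why}")
    # On the host itself the authoritative check for the relinked kernel is:
    #   sha256 -C /var/db/kernel.SHA256 /bsd
```

On a real host, feed it the output of `ls -lT /bsd*` and `sysctl kern.boottime` from that machine; a /bsd that is "ok" here but fails `sha256 -C /var/db/kernel.SHA256 /bsd` is the case that actually warrants an incident response, because the checksum file is written by the same relink step that produced the kernel.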


Re: Wg-quick warns that unwind may leak DNS queries

2022-09-17 Thread Michael
On 09/15/22 04:18PM, Stuart Henderson wrote:
> On 2022-09-15, David A. Pocock  wrote:
> > From the unwind manpage:
> >
> >> unwind sends DNS queries to nameservers to answer queries and switches to
> >> resolvers learned from dhclient(8), dhcpleased(8) or slaacd(8) if it
> >> detects that DNS queries are blocked by the local network.
> >
> >
> > Perhaps the warning us to let you know that using unwind _may_ still result
> > in your queries going to a local network's DHCP-provided 
> > domain-name-servers?
> 
> It is exactly.
> 
> wg-quick's config file has a way to set the DNS resolver address
> (which modifies /etc/resolv.conf when bringing the vpn up).
> 
> The warning is that if you try and use that setting when you have
> unwind/resolvd running, resolvd will override it. (if unwind is
> running, resolvd adjusts the file to point at 127.0.0.1 and monitors
> it, rewriting it when it changes).
> 
> 
> -- 
> Please keep replies on the mailing list.
> 

Dear Stuart,

I appreciate these explanations and suggestions. Using routing
domains and routing tables is something I have heard of, but not delved
into yet. I will take this opportunity to learn more about them.

Thank you,

Michael



Wg-quick warns that unwind may leak DNS queries

2022-09-14 Thread Michael
Hello,

I was hoping to get some clarification on a warning I noticed today 
after running wg-quick (part of wireguard-tools) to connect to a 
commercial VPN provider. I run OpenBSD 7.1, with all the patches 
installed.

The notice was:

"[!] WARNING: unwind will leak DNS queries"

I was not able to find any discussion of this on the internet. My 
purpose in using unwind is to reduce the need for third-party DNS 
queries (primarily for privacy). Is wg-quick saying that unwind may leak 
the queries to the VPN provider? If that is the case I am not concerned.  
The VPN provider has a connection check that says "No DNS leaks". 

What I would want to know is if my DNS queries are visible to 
my ISP. I thought that they are not, with unwind + VPN, but this warning 
causes some doubt.

Any advice on how to clear this up would be appreciated.

Michael




mount_ntfs(8) -u/-g problem?

2022-08-17 Thread Michael W. Lucas
Hi,

I'm running:

OpenBSD victim.blackhelicopters.org 7.2 GENERIC.MP#640 amd64

According to mount_ntfs(8), -u and -g let you set UID and GID of
mounted filesystems. Took an NTFS USB drive, plugged it in, mounted
it, and checked ownership.

# mount_ntfs -u mwlucas -g mwlucas /dev/sd4i /mnt/
# ls -lai /mnt/
total 107
 4 -rwxr-xr-x   1 root  wheel   2560 Dec 31  1600 $AttrDef
 8 -rwxr-xr-x   1 root  wheel  0 Dec 31  1600 $BadClus
 6 -rwxr-xr-x   1 root  wheel  32768 Dec 31  1600 $Bitmap
 7 -rwxr-xr-x   1 root  wheel  0 Dec 31  1600 $Boot
11 drwxr-xr-x   1 root  wheel  0 Aug 17 15:05 $Extend
 2 -rwxr-xr-x   1 root  wheel  0 Dec 31  1600 $LogFile
 1 -rwxr-xr-x   1 root  wheel  0 Dec 31  1600 $MFTMirr
 9 -rwxr-xr-x   1 root  wheel  0 Aug 17 15:05 $Secure
10 -rwxr-xr-x   1 root  wheel 131072 Dec 31  1600 $UpCase
 3 -rwxr-xr-x   1 root  wheel  0 Dec 31  1600 $Volume
 5 drwxr-xr-x   1 root  wheel  0 Dec 31  1600 .
 2 drwxr-xr-x  15 root  wheel512 Aug 16 13:02 ..
36 drwxr-xr-x   1 root  wheel  0 Aug 17 15:05 System Volume Information
38 -rwxr-xr-x   1 root  wheel  111496224 Aug 17 13:35 
VirtualBox-6.1.36-152435-Win.exe

If I create /tmp/mnt owned by mwlucas:mwlucas and mount there,
ownership of the mount point is changed to root:wheel and the files
are owned by root.

# chown mwlucas:mwlucas /tmp/mnt
ls -lai /tmp/
total 1
 2 drwxrwxrwt   9 root wheel   512 Aug 17 15:42 .
 2 drwxr-xr-x  15 root wheel   512 Aug 16 13:02 ..
 25920 drwxrwxrwt   2 root wheel   512 Aug 16 13:02 .ICE-unix
388800 drwxrwxrwt   2 root wheel   512 Aug 16 13:02 .X11-unix
 77760 drwxr-xr-x   2 mwlucas  mwlucas 512 Aug 17 15:42 mnt
259200 drwxr-xr-x   2 root wheel   512 Aug 16 13:02 sndio
...

# mount_ntfs -u mwlucas -g mwlucas /dev/sd4i /tmp/mnt/

# ls -lai /tmp/mnt/
total 107
 4 -rwxr-xr-x  1 root  wheel   2560 Dec 31  1600 $AttrDef
 8 -rwxr-xr-x  1 root  wheel  0 Dec 31  1600 $BadClus
 6 -rwxr-xr-x  1 root  wheel  32768 Dec 31  1600 $Bitmap
 7 -rwxr-xr-x  1 root  wheel  0 Dec 31  1600 $Boot
11 drwxr-xr-x  1 root  wheel  0 Aug 17 15:05 $Extend
...

Am I doing something wrong here, or did I find a bug?

FWIW, mount_msdos -u and -g assigns ownership.

Thanks,
==ml



-- 
Michael W. Lucashttps://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
 Absolute FreeBSD, Immortal Clay, Prohibition Orcs, etc, etc, etc...
### New books: TLS Mastery, the Networknomicon, $ git sync murder ###



Questions about OpenBSD and IRC

2022-08-16 Thread Michael G Workman
Hello,

I started getting active with OpenBSD again.

I remember some years there was an IRC channel for openbsd, I think it was
on freenode.

I just installed hexchat and there is no freenode option anymore, is there
still an openbsd irc channel somewhere?

Thanks.

*Michael G. Workman*
(321) 432-9295
michael.g.work...@gmail.com


Re: Xterm copy-paste not happening on OpenBSD 7.1 i386.

2022-08-04 Thread Michael Hekeler
On 04.08.22 15:27 Brian Durant wrote:
> I have installed OpenBSD 7.1 i386 on my Lenovo T60 and am experiencing a
> couple of issues. The first is related to the following addition that I made
> to my .Xdefaults file, which works with OpenBSD 7.1 amd64 installs, but not
> with the OpenBSD 7.1 i386 install on my Lenovo T60:
> XTerm*VT100.Translations: #override\
>     Ctrl Shift  C: copy-selection(CLIPBOARD) \n\
>     Ctrl Shift  V: insert-selection(CLIPBOARD)
> Any ideas how to get copy and paste working in Xterm with an i386 install?
> 
I understand that you want to map these keys but just to mention: there
is support for PRIMARY in xterm(1) and this means selected text is in
PRIMARY without any explicit copy action taking place.
See the Inter-Client Communication Conventions Manual for X.



Kerberos

2022-07-29 Thread Michael Dinon
Is it normal to have a Local Kerberos Realm configured on a brand new
MacBook?



-- 
Kind regards,
Mike


Re: Firefox and stuttering USB audio

2022-05-09 Thread Michael Stolovitzsky



On 5/6/22 10:29, Courtney wrote:

Hello all,

[snip]

* Setting dom.ipc.processCount to a lower number in about:config
* Muddled with sndiod -b and -z flags
* Set softdep,noatime for my different partitions in fstab (NVMe drive)
* Tried with/without SMT (Intel 10700k)
* Set some sysctl flags:


[snip]

uaudio0: play xfer, err = 6

This may be a driver bug, but before anything else, check the output of 
apm(1) for your performance mode.




Re: rspamd and pyzor

2022-05-03 Thread Michael Hekeler
On 02.05.22 19:06 kasak wrote:
> Hello misc!
> 
> I have some information for rspamd users, and one question.
> 
> As you may know, rspamd not using pyzor by directly calling pyzor binary.
> 
> Instead, they say, you need to create special systemd socket, and call pyzor
> through it.
> 
> It is described on rspamd manuals:
> https://rspamd.com/doc/modules/external_services.html#pyzor-specific-details
> 
> OpenBSD does not has systemd, but it has inetd.
> 
> This is simple way to create socket similar to systemd:
> 
> 127.0.0.1:5953    stream    tcp    nowait    root /usr/local/bin/pyzor   
> pyzor check
> 
> It actually works, but you may notice, that i'm using "root" here.
> 
> I've tried to use _rspamd user, but for some reason it drops an error
> 
> rspamd[90054]: <9ef568>; lua; pyzor.lua:134: error parsing response: ERROR
> [Errno 13] Permission denied: '/root/.pyzor'.\\0a
> 
> Can somebody explain to me, what is happening here? Why socket, runned as
> _rspamd try to access root home instead of _rspamd home ?

I don't know what this pyzor is, so I became curious and took a look...
Their docs say clearly that the default homedir is ~/.pyzor
So if your instance of pyzor tries to access /root/.pyzor then it is a
strong indication that you are running pyzor as root, no?

To debug this I would suggest starting pyzor manually as the user you
want it to run as (see su(1)).
It's been ages since I used inetd; that's why I can't help with that.
But are you sure that you need it for pyzor?!?!?!?



Openbsd 7.1 installation - disk boot record

2022-04-27 Thread Michael Weis
Hello,

Today I tried to do a fresh install of openbsd 7.1. (from usb pendrive). I 
tried to do a very basic install (accepting the default - without network - 
with sets from disk) and when getting to the root disk question I used (W)hole 
disk MBR. Everything went through smoothly, however when rebooting the system 
the initial boot sequence goes into an endless loop (manufacturer logo appearing 
again and again) - also cannot enter bios setup anymore. Had to remove the ssd, 
connect via usb and dd with zero the first mb. Tried several things i.e. 
changing bios options, upgrading bios to latest version, using uefi etc nothing 
worked. Always same endless boot loop.  

After some time I found a work around by installing from the 7.0 installation 
image and then upgrading to 7.1. Everything works now. 

Does anyone know why this might be happening?  It would seem that changes to 
fdisk did change the MBR (or how it is written) which at least on my machine - 
old dell e7240 - is preventing it from booting. 

Any help is highly appreciated. 

Thanks, Michael 

P. S. Not sure if this is a bug and if it should be reported.



Re: OpenSMTPD + Dovecot + Dkimsign configuration?

2022-04-11 Thread Michael Hekeler
On 11.04.22 15:05 latin...@vcn.bc.ca wrote:
> > On 07.04.22 21:04 latin...@vcn.bc.ca wrote:
> >> Hello
> >>
> >> i have had 1 Personal server for years with httpd and OpenSMTPD  mail
> >> server working correctly; thanks OpenBSD Team.
> >>
> >> But now i have another server for 500 Colleagues with OSMTPD + Dovecot +
> >> Dkimsign working well; but i ask, if it were possible to use only OSMTPD
> >> with virtual users + Dkimsign?
> >>
> >> Please tell me what i might read.
> >
> > I don't know exactly what you want to do.
> > I think you ask if you can replace dovecot with smptd
> >
> > The answer is: smptd is MTA (=Mail Transport Agent)
> > while dovecot is MDA (=Mail Delivery Agent), dovecot-lda
> >
> > Also:
> > If you want your users accessing your mailserver via IMAP then you need
> > an imap server and that's what dovecot is.
> >
> > They have different purposes but if you don't need any of dovecot's
> > functions here then you can remove it. It's not required to send and
> > receive emails.
> >
> 
> Thanks to answer:
> 
> Yes, i understand the difference between MTA and MDA. But i remember
> Sendmail, at that moment it was as base system; receiving similar
> attention as the rest of the system.
> 
> Dovecot is not cover, it is not part of the base system; and i personally
> have had really bad experience with software that is not considered as
> part of the base system. As result, i use only base system! If it is
> possible.
> 
> In this case, i supossed that using a virtual-users file could work.
> 
> Thanks for your time Michael Hekeler
> 

Your 500 users need a way to read their emails.

If these 500 users are real users on the system (-> useradd(8)) then
they are able to read directly from the filesystem and smtpd is enough.

But if they are virtual users only on the mailserver then you need a
POP or IMAP server in addition to your smtpd server.
AFAIK this kind of software is not in base. But if you don't like
dovecot you can use any of the alternatives.



Re: OpenSMTPD + Dovecot + Dkimsign configuration?

2022-04-11 Thread Michael Hekeler
On 07.04.22 21:04 latin...@vcn.bc.ca wrote:
> Hello
> 
> i have had 1 Personal server for years with httpd and OpenSMTPD  mail
> server working correctly; thanks OpenBSD Team.
> 
> But now i have another server for 500 Colleagues with OSMTPD + Dovecot +
> Dkimsign working well; but i ask, if it were possible to use only OSMTPD
> with virtual users + Dkimsign?
> 
> Please tell me what i might read.

I don't know exactly what you want to do.
I think you ask if you can replace dovecot with smtpd

The answer is: smtpd is an MTA (=Mail Transport Agent)
while dovecot is an MDA (=Mail Delivery Agent), dovecot-lda

Also:
If you want your users accessing your mailserver via IMAP then you need
an imap server and that's what dovecot is.

They have different purposes but if you don't need any of dovecot's
functions here then you can remove it. It's not required to send and
receive emails.



Re: Internal Logging?

2022-04-04 Thread Michael Hekeler
On 04.04.22 08:22 Eric Thomas wrote:
> I'd like to understand more about how OpenBSD logs internal events such as:
> 
> - pkg_add/delete events
> - user logins
> - X session start/stops
> etc.
> 
> Is there "one big log" where all of these types of events are stored?
> Or are they logged in specific directories depending on log type?

Such things are to be configured in `/etc/syslog.conf`.
Please see `man syslogd` and `man syslog.conf`




Re: How to track system changes?

2022-04-04 Thread Michael Hekeler
On 04.04.22 08:32 Eric Thomas wrote:
> I want to have a high degree of confidence in my system's state
> (packages that have been added, configs that have changed, permissions
> changed, etc). I've read about "read only filesystems" and the
> pro's/con's [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).
> 
> Aside from that, is there a way to...
> 
> 1. ...hash the file system in some way and monitor for changes? OR
> 2. ...somehow review changes that have taken place (a log somewhere)?
> 
> The goal is to concretely know whether the state of the system has
> changed, then point to what EXACTLY has changed.
>

For many years I have used rcs(1) for that on hosts I have to admin.
In OpenBSD this fine tool is in base...
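
The question asks for a way to hash the filesystem and then point at EXACTLY what changed. The script below is an added example, not code from the thread or from OpenBSD: it records a manifest (sha256, mode, uid, gid, size) for every regular file under a root and diffs two manifests attribute by attribute, so a report names the file and the attribute that moved (content, permissions or owner). OpenBSD's mtree(8) and the rcs(1) approach in the reply cover the same ground; this is a portable stand-alone version of the idea. The file names used in the demo are constructed.

```python
"""What exactly changed under a directory tree: a small integrity manifest.

Added example, not code from the thread.  snapshot() builds the manifest,
compare() reports added, removed and per-attribute changes, save()/load()
persist it.  The weak point of any such check is the stored manifest:
keep it off the host or on read-only media, or an intruder who can change
/etc can also re-baseline it.
"""
import hashlib
import json
import os
import stat

ATTRS = ("sha256", "mode", "uid", "gid", "size")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative path: {attr: value}} for regular files under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                     # stable order; symlinked dirs are not followed
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                    # symlinks, sockets, devices are out of scope here
            manifest[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return manifest


def compare(old, new):
    """Diff two manifests: added/removed paths and per-attribute (old, new) pairs."""
    changed = {}
    for path in sorted(old.keys() & new.keys()):
        delta = {a: (old[path][a], new[path][a]) for a in ATTRS if old[path][a] != new[path][a]}
        if delta:
            changed[path] = delta
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": changed,
    }


def save(manifest, path):
    """Write the baseline; store this copy somewhere the monitored host cannot rewrite."""
    with open(path, "w") as f:
        json.dump(manifest, f, sort_keys=True, indent=1)


def load(path):
    with open(path) as f:
        return json.load(f)


def report(result):
    """One human-readable line per finding."""
    lines = [f"added    {p}" for p in result["added"]]
    lines += [f"removed  {p}" for p in result["removed"]]
    for path, delta in result["changed"].items():
        for attr, (before, after) in delta.items():
            lines.append(f"changed  {path}: {attr} {before} -> {after}")
    return lines


if __name__ == "__main__":
    import sys
    # usage: fim.py snapshot ROOT MANIFEST   |   fim.py check ROOT MANIFEST
    cmd, root, manifest_path = sys.argv[1:4]
    if cmd == "snapshot":
        save(snapshot(root), manifest_path)
    else:
        findings = report(compare(load(manifest_path), snapshot(root)))
        print("\n".join(findings) if findings else "no changes")
```

Run `snapshot` on /etc right after an install or upgrade and `check` from cron or after every `pkg_add`; the diff shows a changed mode on doas.conf or a new file in /etc/rc.d as its own line, which is the "point to what EXACTLY has changed" the question asks for.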



Re: OpenBSD as primary OS

2022-04-04 Thread Michael Hekeler
On 11.09.16 12:45 jean-francois wrote:
> Hi,
> 
> 
> I'm moving to OpenBSD for primary use, I'll have to keep a Windows OS for
> some specific purposes also.
> 
> Just thanks for the development of OpenBSD, it's very easy to use since
> logical and well documented, I've been enjoying it for the past years for
> what it deserved to do.
> 
> Also looked at the softraid development, just few words to thank the
> development of the OS and softwares.

Github didn't force you to use windows. Github offers just a hosted
version control using git(1).
You didn't even have to register an account at github if you want to use
git.
If you like to use git for version control then you can install it
with `pkg_add git` on openbsd and if you like to have a colorful and
clickable frontend then you are not forced to use this windows app from
github's homepage - there are many of them available for different
platforms.



Re: openbsd, softraid recovery (I have password)

2022-04-04 Thread Michael Hekeler
Am 02.04.22 18:56 schrieb harold:
> Hello,
> 
> Today I take a little breath to try to get some help about a little problem
> I have since weeks.
> I lost data due to misunderstanding of formatting rdsc1 softraid partition
> on openbsd.
> 
> I tell you my little story in  the attached document, because I lost data
> and would really like to recover it..
>
> could you help me please?

From my experience with this list I am sure you can get help on such a
topic if you respect https://www.openbsd.org/mail.html



Re: Dell G3 3590 audio and touchpad

2022-03-31 Thread Michael Stolovitzsky

On 3/31/22 17:54, Adriano Barbosa wrote:

Hi misc

I'm trying to make audio and touchpad work on a Dell laptop.
I've never played with this kind of stuff and I don't even know how to
properly start.
I have no hope on making NVIDIA hardware to work, but I believe
Realtek ALC295 audio could work as, from what I got, it is supported
by OpenBSD.


[snip]

The azalia driver doesn't detect your codecs correctly. On top of that, it 
may be a Dell-specific hardware ID issue.


Please post the output of pcidump -v



Re: chroot for go webserver with pledge and unveil

2022-03-17 Thread Michael Hekeler
Am 16.03.22 03:09 schrieb i...@tutanota.com:
> >> I was thinking that since Go by default doesn't run a webserver on
> >> port 80 or 443
> 
> > What does it even mean. Go is a programming language. If you want to
> > build and run a webserver with it and have it listen on whatever port
> > you want, you can. Go doesn't have any opinion as to what ports you
> > should or shouldn't use. And the default ports for an http/https
> > server ARE 80 and 443.
> 
> What I meant was that you cannot code the webserver to run on port 80
> or 443 unless it runs as root (for obvious reasons). What I wanted to
> avoid is a change in privileges, as in starting it as root and then
> change to www. The easy way it seems to be to just run on something
> like port  and then use PF to redirect.
> 
> >> I can run it like this: [...]
> >> But that wouldn't keep it running after a reboot.
> 
> > There you go:
> > https://man.openbsd.org/afterboot.8#System_command_scripts
> 
> Is there something to restart it if it crashes?

Just a one liner can do this: check if it's running. If not restart.

But why would it crash??? Most likely because something was going wrong?
So do you really want your system restart something that is going to be
wrong?

I must admit I have NO full 30 years experience of sysadmin stuff (like
you posted in another thread) but I would prefer to fix the problem and
restart it manually only when it's fixed.
...the other way sounds a little bit like systemd(1) to me ;-)



Re: Please put vi in base

2022-03-15 Thread Michael Hekeler
Am 13.03.22 03:38 schrieb i...@tutanota.com:
> (...)
> In my 30 years of doing sysadmin work, I have never - not even once - come 
> across a
> situation where a normal editor like vi or nano or something equally simple 
> didn't
> exist on the install media.

Maybe I am wrong, but I am thinking you like to use Linux-based OSes
because you expect something like nano on the install media.
If so, why don't you simply boot from one of those countless Linux live CDs?

You could even end up editing your files with a mouse-mandatory fancy KDE
whatever editor...

Besides that I want to thank the devs for including ed(1).
It was more than once a lifesaver to me in MY years of doing sysadmin
work.
...and I can remember at least one time exactly the same situation
with a broken fstab(5) ;-)



Re:

2022-02-15 Thread Michael Dinon
Hey

On Tuesday, February 15, 2022, a  wrote:

>
>

-- 
Kind regards,
Mike


Re: PHP 7.4: SSL routines:CONNECT_CR_CERT:certificate verify failed

2021-12-23 Thread Michael Hekeler
Am 23.12.21 00:51 schrieb Leo Unglaub:
> Hey friends,
> 
> i have a OpenBSD 7.0 server with all syspatches applied. On that server i
> have setup httpd and PHP 7.4 running via PHP-FPM. I followed the readme
> provided by the package and everything seams to be fine.
> 
> There is only one issue when i try to establish a secure connection from PHP
> to another server. (sending an email in this case via SMTP). I get the
> following error:
> 
> > PHP Warning: stream_socket_enable_crypto(): SSL operation failed with code 
> > 1. OpenSSL Error messages:
> > error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed

My first guess is that the chain is not correct and so the server's
certificate cannot be validated.

If you are sure that your PHP script connects to the right host then you
can remove temporarily validation just to see if this will work. If so
you should enable validation again and examine the chain on your
mailserver.


> (...)
> But PHP is still unable to connect to that server. I ssh'ed into that server
> and did the openssl s_client manually. Just to verify that everything works
> as expected and it does:
> 
> > openssl s_client -tls1_2 -connect mail.foobar.com:587
> > openssl s_client -tls1_3 -connect mail.foobar.com:587 (both 1.2 and 1.3 
> > work)

Use showcerts to see what is actually received:
  openssl s_client -showcerts -connect mail.foobar.com:587
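One practical caveat when doing the check above: port 587 (submission) starts in cleartext, so `openssl s_client -connect host:587` without `-starttls smtp` never negotiates TLS and shows you nothing about the certificate. The script below is an added example, not code from the thread or from PHP/OpenSSL: it fetches the chain the mail server actually presents with STARTTLS, splits the `-showcerts` output into one file per certificate, and validates the leaf against the received intermediates and the system trust store. The CA bundle path /etc/ssl/cert.pem is the OpenBSD default and an assumption for other systems; mail.foobar.com is the placeholder host from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pull the certificate chain a mail
# server actually presents over STARTTLS and verify it the way a client would.
# Assumes openssl(1) (OpenSSL or LibreSSL) and the CA bundle at
# /etc/ssl/cert.pem (OpenBSD default; override with CA_BUNDLE=... elsewhere).

CA_BUNDLE=${CA_BUNDLE:-/etc/ssl/cert.pem}

fetch_chain() {
    # fetch_chain HOST PORT > s_client.out
    # Submission on 587 starts in cleartext, so without -starttls smtp
    # s_client never negotiates TLS at all; -servername sends SNI so a
    # multi-host server returns the right certificate.
    openssl s_client -showcerts -starttls smtp -servername "$1" \
        -connect "$1:$2" </dev/null 2>/dev/null
}

split_chain() {
    # split_chain DIR < s_client.out
    # Write each PEM block to DIR/cert-N.pem (0 = leaf, 1.. = intermediates
    # in the order the server sent them) and print how many were found.
    awk -v dir="$1" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".pem"; n++; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
        END { print n }'
}

verify_chain() {
    # verify_chain DIR: validate cert-0 using the received intermediates as
    # untrusted extra certificates and the system trust store as the anchor.
    # A server that omits its intermediate fails here exactly as it does in PHP.
    dir=$1
    cat "$dir"/cert-[1-9]*.pem > "$dir/intermediates.pem" 2>/dev/null
    if [ -s "$dir/intermediates.pem" ]; then
        openssl verify -CAfile "$CA_BUNDLE" -untrusted "$dir/intermediates.pem" "$dir/cert-0.pem"
    else
        openssl verify -CAfile "$CA_BUNDLE" "$dir/cert-0.pem"
    fi
}

# Typical use:
#   d=$(mktemp -d)
#   fetch_chain mail.foobar.com 587 | split_chain "$d"     # prints the chain length
#   verify_chain "$d"                                       # "cert-0.pem: OK" or the reason
#   openssl x509 -in "$d/cert-0.pem" -noout -subject -issuer -dates
```

If `verify_chain` reports "unable to get local issuer certificate" while the browser is happy, the server is almost certainly not sending its intermediate: browsers fetch missing intermediates on their own, PHP's stream wrapper does not.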



Re: opensmtpd remove messages from/to specified mailbox?

2021-12-23 Thread Michael Hekeler
Whatever you do to filter out the id, I suggest NOT removing the
messages directly from what you've called "dark magic".

I think a better approach would be to echo out the command and then, if
you are happy with it, copy & paste...

Another suggestion is to reduce the spawning of subshells in the
pipeline and let awk(1) do the filtering:

doas mailq | awk -F\| /administrator/'{printf "smtpctl remove %s\n",$1}'



Re: mpv-0.33.1p2 SIGSEGV on exit (OpenBSD 7.0 amd64 GENERIC.MP)

2021-12-14 Thread Michael Lowery Wilson

Can you give this a try?

# Audio compatibility fix for OpenBSD (to fix pthread core dump issue)
vo=x11

in 


.config/mpv/mpv.conf

On 15/12/21 at 03:57P, zestypucker wrote:

Hello everyone,

Installed OpenBSD 7.0 (amd64 GENERIC.MP) and most things worked out of the box 
which is a very pleasant surprise ^_^

There is still a small issue with the mpv-0.33.1p2 package installed using 
pkg_add that I'm hoping to get some help on:

It always seg faults on exit, does not seem to matter what was played back (a 
single picture will do), as long as it's not a -h to print usage, mpv seg 
faults on exit.

Got the following stack trace by running it under gdb but there's no symbols:

Program received signal SIGSEGV, Segmentation fault.
[Switching to thread 592846]
0x05f84812db50 in ?? ()
(gdb) thread apply all backtrace

Thread 5 (thread 249681):
#0 futex () at /tmp/-:3
#1 0x05f899c62275 in _rthread_cond_timedwait (cond=0x5f8a64fcd80, 
mutexp=0x5f8a6502958, abs=0x0)
at /usr/src/lib/libc/thread/rthread_cond.c:102
#2 0x05f5da17b3dc in worker_thread () from /usr/local/bin/mpv
#3 0x05f81d43b1c1 in _rthread_start (v=Unhandled dwarf expression opcode 
0xa3
) at /usr/src/lib/librthread/rthread.c:96
#4 0x05f899bde18a in __tfork_thread () at 
/usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84
#5 0x05f899bde18a in __tfork_thread () at 
/usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84
Previous frame identical to this frame (corrupt stack?)
#0 0x05f84812db50 in ?? ()

Some more info:

1. Happens in a VM (AMD64 CPU, vmware GPU) as well
2. Happens without the X server as well, Running mpv directly in a vterm causes 
the same seg fault on exit
3. Sometimes a warning similar to "pthread_mutex_destroy() called while there are 
waiters on the mutex" is printed before the seg fault

Would appreciate any pointers on how to prevent this from happening or properly 
report the issue.

Also wondering would it be possible to downgrade to an earlier version of mpv 
just in case it 'fixes' the issue? Looked at the manual and FAQs for pkg_add 
but wasn't able to figure out how to list available versions of a package or 
pick a specific one.

Thanks in advance!
ZP


--
Michael



Re: route one port via a specific host (both directions)

2021-12-10 Thread Michael Hekeler
Am 10.12.21 08:49 schrieb Claus Assmann:
> I am trying to run an SMTP server on a dynamic IP address

Running an smtp server on a dynamic IP is just asking for trouble.



Re: Running redmine on OpenBSD

2021-12-06 Thread Michael Hekeler
> (...)
> I run the redmine app as a normal user so puma can't read the 
> /etc/ssl/private/redmine.MY.DOMAIN.COM.key (default perm 400).

Does your environment require keys in /etc/ssl/private? maybe some
corporate policies or such...
If not you can simply configure acme-client(1) to place cert and key into
locations where puma user can access them.


> (...)
> If I change perm /etc/ssl/private/redmine.MY.DOMAIN.COM.key to 555 website 
> loads on FF correctly (no errors on puma) but I still got an error on curl:
> (...)
> If I have ssl key permission set to 555 I also got an error from acme client:

I wouldn't change permissions of files/directories in base
(see security(8), mtree(8), ...)



Re: django-ldap-auth authentication lasts several minutes on OpenBSD

2021-12-06 Thread Michael Hekeler
> The only machine using another DNS server from my router is the Linux Mint 
> development machine
> which holds the copy of my code and also runs django development
> server on 127.0.0.1:8080 and from where everything works without delays.
   ^^^
Then remove the entry from /etc/hosts and clear dns cache.
Then try again on development machine and if you encounter same delays
then you have found the culprit...



Re: Support

2021-11-11 Thread Michael Hekeler
Am 10.11.21 03:57 schrieb Brian O'Loughlin:
> Hi
> 
> Further to my support request in September, (...)

You are referring to an email from x weeks ago?
I think you will get more helpful answers if you continue your old thread.



Re: Running redmine on OpenBSD

2021-11-10 Thread Michael Hekeler
Am 09.11.21 17:56 schrieb Radek:
> Hi @misc,
> Does anyone successfully run redmine[1] on OpenBSD?
> I'd like to install redmine on 7.0/amd64 with httpd and postgresql. I've 
> never done it before so any advices and hints would be appreciated.

The best way is to begin with your setup and then, when you encounter
problems, ask your questions giving details of what you have done,
what you expect, what is not working and so on.


> There isn't much up to date info in google about it[2][3].

Just begin to set up httpd (it's already in base) and see the manpages.
Don't try to find tutorials on google - most of them are outdated or
describe things that don't fit your own environment.

The next step is to install postgresql. It's in packages, so you can do it
with `pkg_add postgresql`. Here again read the manpage and pkg-readme.


> 
> 1. https://www.redmine.org/
> 2. https://www.redmine.org/boards/2/topics/496
> 3. 
> https://web.archive.org/web/20160406041905/http://www.iwebdev.it/blog/?p=229
> 
> Thank you!
> -- 
> Radek
> 



Re: httpd.conf Dokuwiki

2021-11-07 Thread Michael Hekeler
Am 07.11.21 05:58 schrieb latin...@vcn.bc.ca:
> Hello List:
> 
> Could somebody please tell me what is wrong in my httpd.conf?
> historia is a ln -s to dokuwiki.
> 
> (...)

Since you didn't say what isn't working as you expected, we can only
guess...
I can say that most of the problems I see when people have trouble
setting up httpd(8) are more or less related to the chroot.
To debug these kinds of problems you can temporarily set the chroot(2)
directory in httpd.conf to / and see if it works as expected. Then
you will know that a misunderstanding of chroot is the problem.
Then you can reset chroot in httpd.conf and modify your setup so that it
will work.

But you should make sure that your httpd is not accessible from the internet
while you tinker with your httpd.conf. 

As a shot in the dark I would guess that your symlink points to a
directory that is not inside chroot, maybe something like 
kb -> /home/user/dokuwiki


Here is mine:

server "xxx" {
  listen on lo port $httpd_port

  # Set max upload size to 513M (in bytes)
  connection max request body 537919488

  # deny access to the specified files
  location "/wiki/bin/*" { block }
  location "/wiki/conf/*" { block }
  location "/wiki/data/*" { block }
  location "/wiki/inc/*" { block }
  location "/wiki/*/.ht*" { block }
  location "/wiki/README" { block }
  location "/wiki/VERSION" { block }
  location "/wiki/COPYING" { block }

  location "/" {
 block return 301 "/wiki/doku.php"
  }
  location "*.php" {
fastcgi socket "/run/php-fpm.sock"
  }
}



Re: send help ( chroot php fpm refuse to exec/popen/procopen... on 7.0 )

2021-10-26 Thread Michael Hekeler
Am 26.10.21 09:18 schrieb Sven F.:
> }{ello,
> 
> I updated a device and use php fpm on openbsd 7.0
> everything works fine after putting a resolv file in the chroot
> but i can't send email from the chroot
> 
> I hope I didn't see something obvious.
> 
> to troubleshoot i drop the ksh inside the chroot
> 
> /var/www/usr/sbin/ksh:
> (...)

I am not entirely sure what to answer here because I don't know what
your question is, but maybe it helps to copy /bin/sh to ${CHROOT}/bin/sh



Re: copying id_ed25519_sk from USB-A yubikey to USB-C yubikey

2021-10-22 Thread Michael Steeves
I went through the instructions on this page when I set mine up:

https://github.com/drduh/YubiKey-Guide

Doing a quick scan, there’s some discussion on the page about having multiple 
Yubikeys, and I think that it also talked about restoring from backup, and it 
assumes you have a copy of the actual public and private keys offline that you 
can use for that.

-Mike

Sent from my iPhone

> On Oct 22, 2021, at 09:28, Paul de Weerd  wrote:
> 
> Hi all,
> 
> I've been happily using a yubikey together with an id_ed25519 SSH key
> when logging in over SSH:
> 
> uhidev7 at uhub3 port 2 configuration 1 interface 1 "Yubico YubiKey 
> OTP+FIDO+CCID" rev 2.00/5.27 addr 9
> 
> I would now like to migrate over to a new yubikey with a USB-C
> connector, as my new personal laptop has no USB-A ports.  Digging
> through the ssh-keygen manpage, I don't see an option to do this; it
> seems you can only create new keys.
> 
> Is this indeed impossible, or am I looking at the wrong manpage?
> 
> Thanks,
> 
> Paul
> 
> -- 
>> [<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
> http://www.weirdnet.nl/ 
> 


Re: traceroute losses

2021-10-21 Thread Michael Hekeler
Am 13.10.21 09:58 schrieb Peter J. Philipp:
> On Wed, Oct 13, 2021 at 08:02:35AM +0200, Michael Hekeler wrote:
> > Hello list,
> > 
> > I have a question regarding network/routing. Although it is not directly
> > OpenBSD related (I can see the same even on Windows machines), I decided
> > to ask here because I know that there are many experienced admins here
> > and there is a wealth of expertise on such things on this list.
> > 
> > On my site there are about 10 clients which connect to an internet
> > database host.
> > From time to time the connection gets lost and sometimes the clients
> > reconnect after a while but sometimes the database app breaks.
> > 
> > When doing network diagnostics with mtr(8) which combines the
> > functionality of traceroute(8) and ping(8) it shows the packets hopping
> > through 8 to 9 hosts to reach the destination.
> > When running this tool for a few hours it shows that two hosts in this
> > route produce packet loss (~20%).
> > 
> > My Question:
> > is there anything I can do about that by myself or is only option to
> > contact the admin of these hosts and hope that they are willing to fix
> > whatever problem there is?
> 
> If you have 9 hops and the packet loss is on hop 4 and 5 but does not carry
> over to the destination you can ignore it.  If it carries over to the
> destination ie. hops 6, 7, 8 and 9, then you should look further at reaching
> out.
> 
> The reason is as follows:  some routers pass packets through their ASIC's for
> forwarding and it doesn't touch their processor at all, it's like offloading
> the entire packet forwarding process.  Yet when you talk to the IP of the
> router directly, which is what ping does then the processor in the router
> processes the packet and this may cause packet loss becuase usually they don't
> have a fast cpu here.  And ICMP doesn't have much priority in this case 
> either.
> 
> Best regards,
> -peter
> 

That's very interesting. Thank you so much.
According to the DB hoster, the loss shown in traceroute's output on
hops 4 and 5 of 9 would provide reliable proof that the connection is the
culprit.
Now I understand that this conclusion is not automatically true.
Hops 6, 7, 8 and 9 showed no more than 1% loss.



traceroute losses

2021-10-13 Thread Michael Hekeler
Hello list,

I have a question regarding network/routing. Although it is not directly
OpenBSD related (I can see the same even on Windows machines), I decided
to ask here because I know that there are many experienced admins here
and there is a wealth of expertise on such things on this list.

On my site there are about 10 clients which connect to an internet
database host.
From time to time the connection gets lost and sometimes the clients
reconnect after a while but sometimes the database app breaks.

When doing network diagnostics with mtr(8) which combines the
functionality of traceroute(8) and ping(8) it shows the packets hopping
through 8 to 9 hosts to reach the destination.
When running this tool for a few hours it shows that two hosts in this
route produce packet loss (~20%).

My Question:
is there anything I can do about that by myself or is only option to
contact the admin of these hosts and hope that they are willing to fix
whatever problem there is?



Re: Some more humor, maybe?

2021-09-22 Thread Michael Monette
Yes

On Thu., Sep. 23, 2021, 12:11 a.m. flint pyrite, 
wrote:

> forget about host, it is plausible to self host
>
> What remains is the catalyst?
>
> Remember movement would not occur without involvement
>
>


Re: sed(1) and line number 0

2021-08-13 Thread Michael Hekeler
Am 13.08.21 23:19 schrieb Philippe Meunier:
> Hello,
> 
> While porting a shell script from Linux to OpenBSD I came across the
> following:
> 
> $ uname -a
> Linux foo.there.org 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 
> UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> $ cat > foo
> test
> hello
> world
> $ sed '0,1d' < foo
> sed: -e expression #1, char 4: invalid usage of line address 0
> $ sed '0,/^hello$/d' < foo
> world
> $ sed '1,/^hello$/d' < foo
> world
> $ sed '0,/^test$/d' < foo
> hello
> world
> $ sed '1,/^test$/d' < foo
> $
> 
> which makes sense since, according to 
> https://www.gnu.org/software/sed/manual/html_node/Addresses.html:
> 
> [...]
> 0,/regexp/
> A line number of 0 can be used in an address specification like 0,/regexp/
> so that sed will try to match regexp in the first input line too. In other
> words, 0,/regexp/ is similar to 1,/regexp/, except that if addr2 matches
> the very first line of input the 0,/regexp/ form will consider it to end
> the range, whereas the 1,/regexp/ form will match the beginning of its
> range and hence make the range span up to the second occurrence of the
> regular expression.
> Note that this is the only place where the 0 address makes sense; there is
> no 0-th line and commands which are given the 0 address in any other way
> will give an error.
> [...]
> 
> Now:
> 
> $ uname -a
> OpenBSD bar.here.org 6.8 GENERIC#0 i386
> $ cat > foo
> test
> hello
> world
> $ sed '0,1d' < foo
> test
> hello
> world
> $ sed '0,/^hello$/d' < foo
> test
> hello
> world
> $ sed '1,/^hello$/d' < foo
> world
> $ sed '0,/^test$/d' < foo
> test
> hello
> world
> $ sed '1,/^test$/d' < foo
> $
> 
> So:
> 
> 1) I'm surprised that '0,1d' and '0,/^hello$/d' and '0,/^test$/d' don't give
> an error.  Looking at the results, I'm not sure what they do, if anything.
> 
> 2) Out of curiosity, is there an OpenBSD equivalent to GNU's '0,/^test$/d' ?

Your first address is 0?
What do you expect from a line number 0?

You can do:
sed '/^test$/d' OR 
sed 1d OR 
grep -v 'test' OR
...



> 
> Thanks,
> 
> Philippe
> 
> 
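None of the alternatives above reproduces GNU's `0,/re/d` exactly: `sed '1,/re/d'` starts looking for the end of the range at line 2, so when line 1 is the match it deletes the whole file (that is why `sed '1,/^test$/d'` printed nothing on both systems). The function below is an added example, not from the thread: a portable awk equivalent that deletes everything up to and including the first matching line, whichever line that is.

```shell
#!/bin/sh
# Added example (not from the thread): portable equivalent of GNU sed's
# `0,/re/d`, which deletes everything up to and including the FIRST line
# matching re, even when that is line 1. OpenBSD's sed only offers `1,/re/d`,
# which cannot end the range on line 1 and therefore deletes too much there.

delete_through_first_match() {
    # delete_through_first_match RE < input
    # Print every line after the first line matching RE; print nothing
    # if no line matches (the same as GNU sed's behaviour for an open range).
    awk -v re="$1" 'f; !f && $0 ~ re { f = 1 }'
}

# e.g. printf 'test\nhello\nworld\n' | delete_through_first_match '^test$'   # hello, world
```

RE is an awk extended regular expression rather than a sed basic one, so escape `+`, `?`, `(` and `|` if you want them literally.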



Re: smtpd only Mail Server

2021-08-12 Thread Michael Hekeler
Am 10.08.21 13:29 schrieb latin...@vcn.bc.ca:
> > On Tue, 2021-08-10 at 04:32 -0700, latin...@vcn.bc.ca wrote:
> >> > On Aug 10 01:52:57, latin...@vcn.bc.ca wrote:
> >> > > > - smtpd had its first commit in 2008 and back then was far from
> >> > > >   production ready: So are you using base smtpd, or sendmail, or
> >> > > >   something else?
> >> > >
> >> > > Yes, 2000 it was sendmail, nginx, apache, smtpd if i remember
> >> correctly;
> >> > > but my question is:
> >> > >
> >> > > "Could someone please point me to specific openbsd place to look for
> >> > > it?"
> >> >
> >> > To look for what? smtpd documentation? man smtpd, man spmtpd.conf,
> >> > there's a dkim example right there.
> >>
> >> Jay in this case it looks out of context, because it is a question after
> >> the explanation! Look for understandable (my level) information related
> >> to
> >> dkim, dmarc, and spf! My field is agriculture!
> >>
> >> >
> >> > > > - I assume it's related to outbound mail, but even that is not
> >> > > >   completely clear to me.
> >> > >
> >> > > No, it is the complete behaviour of dkim, dmarc, and spf. i got 0/10
> >> at
> >> > > this page: https://www.mail-tester.com/ and yes, i can receive
> >> mail, but
> >> > > mine is considered spam!
> >> >
> >> > The fact that and arbitrary third site "tester" gives you this score
> >> > or another can mean a lot of things. Nobody has seen your DNS or a
> >> > single line of your conig yet, so it's hard to help you really.
> >> >
> >>
> >> Well, i never said that it is the last word! I am asking for clear
> >> information for dkim, dmarc, spf, and now dkimproxy and anything related
> >> to send mail correctly; where correctly means "NO qualify my mail as
> >> spam"
> >>
> >> > > > - Did you just put a dkim txt record in DNS without any additional
> >> > > >   configuration on your mailserver?
> >> > >
> >> > > ok: i have 2 servers: 1. managed by nsd, which obtained 9.7/10 at
> >> the
> >> > > same
> >> > > web page, not a problem; 2. vultr managed by their dns app, here i
> >> am
> >> > > not
> >> > > able to make it work correctly. What should be the additional
> >> > > configuration on the mail server please?
> >> >
> >> > What mail server?
> >> > What "additional" configuration?
> >>
> >> This server:
> >> > > > - Did you just put a dkim txt record in DNS without any additional
> >> > > >   configuration on your mailserver?
> >>
> >> >
> >> > If you want help with a mail config,
> >> > you need to show your mail config.
> >> >
> >>
> >> No problem:
> >> I am used to use only the base system.
> >>
> >> #       $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles
> >> Exp $
> >>
> >> # This is the smtpd server system-wide configuration file.
> >> # See smtpd.conf(5) for more information.
> >>
> >> table aliases file:/etc/mail/aliases
> >>
> >> listen on socket
> >>
> >> # To accept external mail, replace with: listen on all
> >> #
> >> listen on all filter "dkimsign"
> >>
> >> action "local_mail" mbox alias 
> >> action "outbound" relay
> >>
> >> # Uncomment the following to accept external mail for domain
> >> "example.org"
> >> #
> >> # match from any for domain "example.org" action "local_mail"
> >> match from any for domain "agroena.org" action "local_mail"
> >> match from local for local action "local_mail"
> >> match from local for any action "outbound"
> >>
> >> # dkim
> >> filter "dkimsign" proc-exec "filter-dkimsign -d agroena.org -s s1 -k
> >> /etc/mail/dkim/private.key" user _dkimsign group _dkimsign
> >>
> >>
> > So assuming that you actually installed opensmtpd-filter-dkimsign and
> > everything starts okay, you haven't put the public key in the DNS like
> > you claimed in your original e-mail.
> > $ dig +short txt s1._domainkey.agroena.org
> > $
> >
> 
> I am not sure if it is a problem, but the selector is: mail.
> 
> $ dig +short txt mail._domainkey.agroena.org
> "k=rsa; t=s; h=sha256;
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOGOPbZVPidt2KCGqb38+OOD/cIZZnkpMY67oUPAfjVzP7vjJnxeTUOYtuQPTYv3whE6dwRSDwdw96DELKTjbaJ8DMEDFxbeqZxFl4EivuxuIwRSJVZQ36ed+TnfrPxLQowcno3kIh9je3t2VQ7GfD4WJfPD2GzfVljcTmJP3gNQIDAQAB"
> 
> 
First you should make the selector names match.
Either tell the filter to use the key for selector "mail"
or change the selector name in DNS to "s1".
Then you can debug further (e.g. the public key in DNS should match
/etc/mail/dkim/private.key).
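The second step above, checking that the published key is the one the filter signs with, is easy to get wrong by eye because the p= value is a long base64 blob that dig prints in several quoted chunks. The script below is an added example, not code from the thread or from filter-dkimsign: it derives the public key from the private key, normalises the TXT record, and compares the two; the selector, domain and key path are the ones from the thread's smtpd.conf and are only placeholders. It assumes openssl(1) and dig(1).

```shell
#!/bin/sh
# Added example (not from the thread): check that the DKIM public key
# published under a selector matches the private key filter-dkimsign uses.
# Assumes openssl(1) and dig(1). Selector "s1", domain agroena.org and
# /etc/mail/dkim/private.key are placeholders taken from the thread.

dkim_pubkey_from_private() {
    # Print the base64 SubjectPublicKeyInfo of an RSA private key as one
    # line, which is exactly the form that belongs in the p= tag.
    openssl rsa -in "$1" -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n'
}

dkim_p_from_txt() {
    # Extract the p= value from a DKIM TXT record as printed by
    # `dig +short txt selector._domainkey.domain`. Long records come back
    # as several quoted chunks ("..." "..."), so strip quotes, spaces and
    # newlines first, then split the record on ';' into one tag per line.
    tr -d '" \n' | tr ';' '\n' | sed -n 's/^p=//p'
}

dkim_key_matches() {
    # dkim_key_matches PRIVATE_KEY TXT_RECORD_TEXT
    # Return 0 if the published key is the one derived from the private key.
    want=$(dkim_pubkey_from_private "$1")
    have=$(printf '%s' "$2" | dkim_p_from_txt)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

dkim_check_dns() {
    # dkim_check_dns SELECTOR DOMAIN PRIVATE_KEY: live check against DNS.
    # An empty answer usually means the selector in smtpd.conf (-s) and the
    # one in DNS differ, which is the first thing to fix.
    txt=$(dig +short txt "$1._domainkey.$2")
    if [ -z "$txt" ]; then
        echo "no TXT record at $1._domainkey.$2 (selector mismatch?)" >&2
        return 2
    fi
    if dkim_key_matches "$3" "$txt"; then
        echo "ok: DNS key for $1._domainkey.$2 matches $3"
    else
        echo "MISMATCH: DNS p= for $1._domainkey.$2 does not match $3" >&2
        return 1
    fi
}

# e.g. dkim_check_dns s1 agroena.org /etc/mail/dkim/private.key
```

Run it as root or as the _dkimsign user, since the private key should not be readable by anyone else; while you are there, confirm with `ls -l` that the key is owned by _dkimsign and mode 0400.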



Re: How to use macros in acme-client.conf?

2021-07-27 Thread Michael Hekeler
Am 25.07.21 18:54 schrieb Wolf:
> (...)
> api_url="https://acme-v02.api.letsencrypt.org/directory"
> authority letsencrypt {
>   api url $api_url
>   account key "/etc/acme/letsencrypt-privkey.pem"
> }

please check if you accidentally inserted some control characters when
copying the snippet from the manpage to test.conf.

To test you can remove all whitespace before the word "api" and after
"$api_url".
 

> It fails with a syntax error:
> 
> $ ./acme-client -vvv -f ../test.conf
> api_url = "https://acme-v02.api.letsencrypt.org/directory"
> ../test.conf:3: syntax error

What is "-vvv"? 
Manpage on my 6.9-STABLE mentions "Specify twice..."


> It looks like the macro is loaded correctly, but the expansion fail. Are
> the macros just bugged? If not, could someone please advice me on what I
> am doing wrong?
>

macro expansion works on all of my systems.
So they are not "just bugged" ;-)



Re: CWM+Xterm+Tmux+Vim & Copy/Paste

2021-07-13 Thread Michael Hekeler
Am 13.07.21 07:20 schrieb Michael Hekeler:
> Am 13.07.21 01:13 schrieb Samuel Banya:
> > My recommendation, tweak your tmux setup, and use vim keybindings for 
> > copying and pasting with the proper config options:
> > - https://www.youtube.com/playlist?list=PL5BE1545D8486D66D
> > 
> > On Mon, Jul 12, 2021, at 9:12 PM, David Anthony wrote:
> > > Hello,
> > > 
> > > Does anyone using the combination of CWM+Xterm+Tmux+Vim have any advice
> > > for dealing with Copy/Paste? To/From Browser?
> 
> you want to copy to/from clipboard or to/from the primary selection?
> I am asking because the primary selection was always working on all of
> my hosts out of the box.
> When in tmux you need to press Shift to set the selection.

Edit to make it clearer:
the selected text is in primary without the need of any explicit copy action
See: https://tronche.com/gui/x/icccm/sec-2.html#s-2.6.1

If you enable mouseprotocol then you will notice that the selection made
with the mouse is NOT recognized.
So you have to press `shift` while doing things with the mouse to
override the mouse protocol
https://man.openbsd.org/xterm#Mouse_Protocol



Re: CWM+Xterm+Tmux+Vim & Copy/Paste

2021-07-12 Thread Michael Hekeler
Am 13.07.21 01:13 schrieb Samuel Banya:
> My recommendation, tweak your tmux setup, and use vim keybindings for copying 
> and pasting with the proper config options:
> - https://www.youtube.com/playlist?list=PL5BE1545D8486D66D
> 
> On Mon, Jul 12, 2021, at 9:12 PM, David Anthony wrote:
> > Hello,
> > 
> > Does anyone using the combination of CWM+Xterm+Tmux+Vim have any advice
> > for dealing with Copy/Paste? To/From Browser?

you want to copy to/from clipboard or to/from the primary selection?
I am asking because the primary selection was always working on all of
my hosts out of the box.
When in tmux you need to press Shift to set the selection.



Re: An OpenBSD Consumer Gateway Launc

2021-06-17 Thread Michael Hekeler
Am 11.06.21 16:15 schrieb fern.tje...@aiyja.com:
> Hi,
> 
> I am Nan Mel, the marketing director of Aiyja and Etheria group of companies, 
> nice to meet you all. All of us in the company would like to say a big thank 
> you!
> 
> We have launched Ayos HCS, (...)


From the homepage:
"Ayos uses BSD as its base, so it is naturally hardened, but then we add
sprinkles on top to help harden it more."

Just out of curiosity: what are these sprinkles? 



Re: Color emojis

2021-06-17 Thread Michael Hekeler
Am 17.06.21 09:06 schrieb Michael Hekeler:
> Am 17.06.21 00:28 schrieb Francisco Fuentes:
> > (...)
> > I need to be able to see emojis across the system, 
> > (...)
> 
> Excuse me.
> But what are these color emojis that you "need to be able to see across
> the system"?
> 

Oh - ha ha...
A quick google'ing showed me the emoji. 

I was reading an article about monitoring some oracle stuff before and
so my mind was locked in thoughts of such... - Sorry for the noise!



Re: Color emojis

2021-06-17 Thread Michael Hekeler
Am 17.06.21 00:28 schrieb Francisco Fuentes:
> (...)
> I need to be able to see emojis across the system, 
> (...)

Excuse me.
But what are these color emojis that you "need to be able to see across
the system"?



Re: web server security

2021-06-10 Thread Michael Hekeler
Am 10.06.21 01:16 schrieb Gustavo Rios:
> Hi folks!
> 
> I am planning a web serve using openbsd as the os and using php. My
> question is: how to avoid any given user from implement an php script that
> will read some else file, since everything will run as the web server user
> and group ?

If your requirements are really to run everything as the same user
then it's not possible to forbid this user from reading files
created by someone else that has same uid.
Same uid means "same person". This means your webserver expects person A
to be the owner of files created by person B.

If you want to separate ownership of files then you have to create
different users and restrict php from reading directories that it shouldn't.

Another piece of advice for 'web server security' is not to give untrusted
users shell access or any write access to your system, so you won't have to deal
with someone "implementing a script that will read someone else's files"... ;-)
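The separation suggested above (different users, PHP restricted to its own directories) is what php-fpm pools are for: each pool runs its workers as its own unix user, and httpd talks to each pool over its own socket. The fragment below is an added example, not configuration from the thread or from the OpenBSD php package; the users alice and bob, the socket and document-root paths, and the pool file location /etc/php-fpm.d/ are assumptions to adapt to your layout.

```ini
; Added example (not from the thread): one php-fpm pool per site owner, so a
; script uploaded by alice runs as uid alice and cannot open bob's files.
; Users, paths and the /etc/php-fpm.d/ location are assumptions.

[alice]
user = alice
group = alice
; httpd is chrooted to /var/www, so it sees this socket as /run/php-fpm-alice.sock
listen = /var/www/run/php-fpm-alice.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = ondemand
pm.max_children = 5
; second line of defence inside PHP: refuse to open files outside this tree
php_admin_value[open_basedir] = /var/www/htdocs/alice:/tmp
php_admin_value[upload_tmp_dir] = /tmp

[bob]
user = bob
group = bob
listen = /var/www/run/php-fpm-bob.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = /var/www/htdocs/bob:/tmp
php_admin_value[upload_tmp_dir] = /tmp
```

The real boundary is the uid: make /var/www/htdocs/alice owned by alice with mode 0750 (group www so httpd can still serve static files) and the same for bob, then point each httpd server block at its pool with `fastcgi socket "/run/php-fpm-alice.sock"`. open_basedir is only a belt-and-braces measure, since it is enforced by PHP itself and not by the kernel.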



Best practices mirroring large file-system hierarchies?

2021-06-07 Thread Michael Lowery Wilson

--
Michael



6.9 hangs at reboot/halt -p on Supermicro H8SGL

2021-05-29 Thread Michael Lowery Wilson


--
Michael



Re: OpenBSD 6.9 and PHP version

2021-05-18 Thread Michael Hekeler
Am 17.05.21 18:20 schrieb Steve Williams:
> Hi,
> 
> When I upgraded to OpenBSD 6.9 then did the pkg_add -u, I got php-php-7.4.18
> installed.
> 
> How do I know if it's "safe" to delete the old php-7.3.28 and all the
> associated modules?

You will have to check the manual (readmes, manpages, homepage, whatever)
provided by the webapp developers to see whether the thing runs on php-7.4.

And if PHP 7.4 is supported by ALL of your webapps then it is safe to
remove PHP 7.3.

If PHP 7.4 is supported by all BUT ONE then you should run multiple
instances of php-fpm and configure 7.4 for the supported ones and
serve 7.3 only for the unsupported webapp.
Then you shouldn't remove php-7.3 ;-)



> 
> I know I'll have to migrate my ".ini" file changes to the new version for
> both php and php_fpm, but other than that, how do I figure out if anything
> is still calling 7.3?
> 
> I have a simple build, roundcubemail, piwigo, nextcloud and a few others.
> 
> Thanks,
> Steve W.
> 

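As an added example (not from this thread), a small shell check that lists which php-fpm socket each httpd.conf server block forwards `*.php` requests to, so you can see whether any vhost still relies on the 7.3 instance before removing it. The httpd.conf contents and the socket paths are constructed for the example, not OpenBSD defaults.

```shell
#!/bin/sh
# Added example, not from the thread: find out which php-fpm instance each
# httpd.conf server block hands "*.php" requests to, before removing php-7.3.
# The config and socket paths below are constructed for the example.

HTTPD_CONF_EXAMPLE=$(mktemp)
cat > "$HTTPD_CONF_EXAMPLE" <<'EOF'
# constructed httpd.conf: two vhosts, each pinned to its own php-fpm socket
server "roundcube.example.org" {
    listen on * port 80
    location "*.php" {
        fastcgi socket "/run/php-fpm74.sock"
    }
}
server "legacyapp.example.org" {
    listen on * port 80
    location "*.php" {
        fastcgi socket "/run/php-fpm73.sock"
    }
}
server "static.example.org" {
    listen on * port 80
}
EOF

# Print "<server name> <fastcgi socket>" for every server block that
# forwards to a fastcgi socket; blocks without fastcgi are skipped.
php_sockets_in_use() {
    awk '
        /^server[ \t]+"/      { name = $2; gsub(/"/, "", name) }
        /fastcgi[ \t]+socket/ { sock = $NF; gsub(/"/, "", sock); print name, sock }
    ' "$1"
}

# Print only the server names whose socket path matches the given pattern,
# e.g. "php-fpm73" to list what would break if the 7.3 instance went away.
servers_using_socket() {
    php_sockets_in_use "$1" | awk -v pat="$2" '$2 ~ pat { print $1 }'
}

php_sockets_in_use "$HTTPD_CONF_EXAMPLE"
echo "--- still on 7.3:"
servers_using_socket "$HTTPD_CONF_EXAMPLE" 'php-fpm73'
```

Run it against your real /etc/httpd.conf instead of the constructed file; an empty "still on 7.3" list is the point at which the reply above says removing php-7.3 is safe.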


u no response

2021-04-24 Thread Michael
Dear Olive,

could you please stop spamming this list? This is not a forum nor is it IRC. If you 
have a question or any other valid concern, feel free to pose them - I kindly 
ask you to abstain from anything else.

Regards
Michael



openssl/libressl s_client -crlf difference

2021-02-26 Thread Michael W. Lucas
Hi,

Should LibreSSL and OpenSSL be strictly command line compatible?

The reason I ask is: using OpenSSL, I can use openssl s_client to
connect to a site like so:

$ openssl s_client -crlf www:443

LibreSSL requires I add the -connect

$ openssl s_client -crlf -connect www:443

Thanks,
==ml

-- 
Michael W. Lucas    https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
  Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
### New books: SNMP Mastery, the Networknomicon, Drinking Heavy Water ###



Re: Enhancing Privacy in 2020 attached screenshot

2020-12-22 Thread Michael Hekeler
On 22.12.20 00:18, pipus wrote:
> (...)
> Interesting 28 public and private emails protecting Stuart and his parts  
> 2 really nice private emails on the product itself :)

Well, in fact the project sounds indeed to me in the beginning.

But reading this thread I must realize that you tried hard to create very bad
conditions for that project by stumbling through this list insulting
people and lecturing me in a top-down approach about what I have been
supposedly "waiting for ages" and such 

I am very happy that you are not in MY marketing team 
(and I mean *really* happy).

I can only speak for me, but the project you announced before is no
longer on my list (I don't know, but this project has had a negative
connotation since reading this thread).
Chapeau!



Re: No longer can change brightness

2020-10-14 Thread Michael Hekeler
On 13.10.20 13:07, james.lu...@keemail.me wrote:
> Hello,
> 
> The latest snapshots (maybe 1 week ago) have made wsconsctl(8) no longer 
> functional for changing display brightness on my MacBook Pro mid 2014.
> 
> The expected behavior would be to `wsconsctl display.brigthness=X` to change 
> the value for the desired percentage, but it always return 
> `display.brightness -> 0.00%` while keeping the brightness at the highest 
> possible.

using xrandr(1)?
xrandr --output ... --brightness 1.0



Re: OpenIKED: Authentication question

2020-07-22 Thread Scheibel, Michael
Hi, Tobias,

Thanks for your response!

I am pasting the contents of the iked.confs as well as the list of files in 
/etc/iked on both hosts below.

Kind regards,
Michael

--
/etc/iked.conf on initiator:

local_IP="192.168.5.10"
local_NW="192.168.5.10/32"
peer_IP="192.168.5.11"
peer_NW="192.168.5.11/32"
local_FQDN="openbsd.my.domain"
peer_FQDN="openbsd2.my.domain"
allowed_enc="enc aes-128 enc aes-256"
allowed_enc_esp="enc aes-128 enc aes-256 enc aes-128-ctr enc aes-256-ctr"
allowed_enc_auth_esp="enc aes-128-gcm enc aes-256-gcm"
allowed_prf="prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512"
allowed_group="group modp2048 group modp3072 group modp4096 group ecp256 group 
ecp384 group ecp521 group brainpool256 group brainpool384 group brainpool512"
allowed_auth="auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512"
ikev2 "initiator-ESP-tunnel" active tunnel esp \
from $local_NW to $peer_NW \
local $local_IP peer $peer_IP \
ikesa $allowed_auth $allowed_enc $allowed_prf $allowed_group \
childsa $allowed_auth $allowed_enc_esp $allowed_group \
childsa $allowed_enc_auth_esp $allowed_group \
srcid $local_FQDN dstid $peer_FQDN \
ikelifetime 0 \
lifetime 0 bytes 0 \
ecdsa384

--
/etc/iked.conf on responder:

local_IP="192.168.5.11"
local_NW="192.168.5.11/32"
peer_IP="192.168.5.10"
peer_NW="192.168.5.10/32"
local_FQDN="openbsd2.my.domain"
peer_FQDN="openbsd.my.domain"
allowed_enc="enc aes-128 enc aes-256"
allowed_enc_esp="enc aes-128 enc aes-256 enc aes-128-ctr enc aes-256-ctr"
allowed_enc_auth_esp="enc aes-128-gcm enc aes-256-gcm"
allowed_prf="prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512"
allowed_group="group modp2048 group modp3072 group modp4096 group ecp256 group 
ecp384 group ecp521 group brainpool256 group brainpool384 group brainpool512"
allowed_auth="auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512"
ikev2 "responder-ESP-tunnel" passive tunnel esp \
from $local_NW to $peer_NW \
local $local_IP peer $peer_IP \
ikesa $allowed_auth $allowed_enc $allowed_prf $allowed_group \
childsa $allowed_auth $allowed_enc_esp $allowed_group \
childsa $allowed_enc_auth_esp $allowed_group \
srcid $local_FQDN dstid $peer_FQDN \
ikelifetime 0 \
lifetime 0 bytes 0 \
ecdsa384

--
List of files in /etc/iked on initiator:

total 32
drwxr-xr-x   7 root  wheel   512 Jul  8 13:54 .
drwxr-xr-x  22 root  wheel  1536 Jul 10 15:33 ..
drwxr-xr-x   2 root  wheel   512 May  7 18:51 ca
drwxr-xr-x   2 root  wheel   512 Jul  9 15:09 certs
drwxr-xr-x   2 root  wheel   512 May  7 18:51 crls
-rw-r--r--   1 root  wheel   451 Jul  8 13:54 local.pub
drwx------   2 root  wheel   512 Jul  8 13:54 private
drwxr-xr-x   6 root  wheel   512 May  7 18:51 pubkeys

/etc/iked/ca:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..

/etc/iked/certs:
total 8
drwxr-xr-x  2 root  wheel  512 Jul  9 15:09 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..

/etc/iked/crls:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..

/etc/iked/private:
total 12
drwx------  2 root  wheel   512 Jul  8 13:54 .
drwxr-xr-x  7 root  wheel   512 Jul  8 13:54 ..
-rw-------  1 root  wheel  1675 Jul  8 13:54 local.key

/etc/iked/pubkeys:
total 24
drwxr-xr-x  6 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..
drwxr-xr-x  2 root  wheel  512 Jul 10 11:09 fqdn
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ipv4
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ipv6
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ufqdn

/etc/iked/pubkeys/fqdn:
total 16
drwxr-xr-x  2 root  wheel  512 Jul 10 11:09 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..
-rw-r--r--  1 root  wheel  215 Jul 10 11:07 openbsd2.my.domain
-rw-r--r--  1 root  wheel  215 Jul  9 15:11 openbsd2.my.domain.old

/etc/iked/pubkeys/ipv4:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

/etc/iked/pubkeys/ipv6:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

/etc/iked/pubkeys/ufqdn:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

--
List of files in /etc/iked on responder:

total 32
drwxr-xr-x   7 root  wheel   512 Jul  8 15:43 .
drwxr-xr-x  22 root  wheel  1536 Jul 22 17:08 ..
drwxr-xr-x   2 root  wheel   512 May  7 18:51 ca
drwxr-xr-x   2 root  wheel   512 May  7 18:51 certs
drwxr-xr-x   2 root  wheel   512 May  7 18:51 crls
-rw-r--r--   1 root  wheel   451 Jul  8 15:43 local.pub
drwx--   2 

OpenIKED: Authentication question

2020-07-22 Thread Scheibel, Michael
Hi, folks,

I have successfully set up an ESP tunnel between two OpenBSD 6.7 hosts using 
OpenIKED but I have not copied any key material (public keys) from one host to 
the other. Still, authentication succeeds.

This is how it looks like in the logs of the initiator:
ca_validate_pubkey: valid public key in file pubkeys/fqdn/openbsd2.my.domain
ikev2_getimsgdata: imsg 25 rspi 0x193c5f369533048e ispi 0xac6ce70df4e79168 
initiator 1 sa valid type 11 data length 0
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa 
(required 0x0032 certvalid,authvalid,sa)
sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
spi=0xac6ce70df4e79168: sa_state: AUTH_SUCCESS -> VALID

The public key “openbsd2.my.domain” and its corresponding private key have been 
generated on the initiator host itself. Therefore the initiator should not be 
able to authenticate the responder using the key “openbsd2.my.domain”.

Is anyone able to explain this behavior? I am probably just missing something 
here and would highly appreciate any hints.

Cheers,
Michael




Intel wireless issue after upgrading to 6.7

2020-05-28 Thread Michael Steeves
I've run into a problem on my Thinkpad T530 after upgrading to 6.7, where my
wireless no longer connects to my home wifi network. The system tries to bring
the interface up, but isn't able to pull an IP lease.

I tried giving it a static IP, to see if that would get it on the network, but
no luck there as well.

I've even gone to wiping the drive and doing a completely fresh install of
6.7, then running fw_update through the onboard ethernet, but that didn't even
resolve the issue.

Nothing shows up in dmesg or the system logs in terms of errors, so I'm
starting to see if I can get any info out of the wireless network to see if
it's even appearing on the network, and may try reinstalling 6.6 to verify
that this isn't the wireless card picking this particular moment to die on me,
but I'm wondering if there's some other way to get any more detail out of the
laptop about what's going on?

The laptop uses the Intel wireless drivers.


-Mike
-- 
Michael Steeves (stee...@raingods.net)



Re: Has anyone launched Steam for Linux on openbsd?

2020-04-21 Thread Michael Joy
Switching full-time to OpenBSD this week. As long as there's a functional
mupen64plus I'm happy.

On Wed, 22 Apr 2020, 00:40 ,  wrote:

> Hello,
>
> > Nikita Stepanov  wrote:
> > > Has anyone launched Steam for Linux on openbsd?
> You might want to checkout
>
>  Information for
> https://openbsd.mirror.netelligent.ca/pub/OpenBSD//snapshots/packages/amd64/depotdownloader-2.3.3.tgz
>
> Comment:
> Steam depot downloader utilizing the SteamKit2 library
>
> Description:
> Steam depot downloader utilizing the SteamKit2 library. Supports
> .NET Core 2.0. Client to download apps and Workshop items from
> Steam.
>
> Maintainer: Thomas Frohwein 
>
> WWW: https://github.com/SteamRE/DepotDownloader
>
> There's also the https://www.playonbsd.com/ website that has more
> information on gaming with BSD systems.
>
> Kevin Chadwick  wrote:
> > Not sure but there wouldn't be much incentive anyway as there
> > aren't many steam games that run on Linux!
>
> There's at least one, and that's enough to legitimize wanting access
> to a game you've paid for.
>
> Have a nice day,
>
> Patrick Marchand
>
>


Re: Smartphone Alternatives

2020-02-16 Thread Michael Joy
The Fairphone 3 will be supporting alternative Operating system soon. On my
Fairphone 2 I was running AOSP Android and it was great. All of the
sinister stuff included with Android was stripped out. The Pinephone is
supporting Linux implementations but it's kind of in beta at the moment. It
looks cool and has some hardware kill switches for WiFi and things. Not
sure if any BSD implementation is on the cards for either phone.

Regards,

Michael Joy

On Sun, 16 Feb 2020, 18:24 Predrag Punosevac,  wrote:

> Hi,
>
> I would firstly like to apologize to developers as the question I am
> about to ask has little to do with OpenBSD. However, in my experience
> the number of security conscious people lurking on this mailing list is
> such that I could not resist.
>
> Long story short one of my virtual servers (running Red Hat) got hacked
> by cryptomining folks. I noticed 100% load on CPUs coming out of a cron
> job and traced everything to a cryptomining scripts. Sure enough there
> was an ssh-key .ssh/authorized_keys which was not supposed to be there.
> Incidentally, I had to turn off Duo 2-factor authentication as one of my
> users insisted on having GUI access via X2go-client.
>
> I am not much of a security expert so my instinct is that account was
> compromised by scooping account information from a browser cache or my
> "smart" phone while reading email from Office 365. I have log files and
> I am going through them. Browser cache problem hopefully will be offset
> now when I have 2-factor enabled for Office 365 email and using only
> browser on my locked down OpenBSD desktop.
>
> However, that still leaves me with a damn Android smartphone. I already
> deleted/disabled email clients but the more I look the more I feel
> stupid for having that crap. I am looking now at purchasing something
> like Nokia 106. Note that I use one of USA T-Mobile plans and my current
> smartphone works well across the globe. It looks like Nokia 106 doesn't
> work in Europe.
>
> I would appreciate any advice, comments, suggestions on the choice of
> mobile device for basic phone calls and texting. It would be painful to
> carry around a small laptop for web browsing, maps, and few other
> useful things but it looks like I am heading there.
>
> Thanks for your help.
>
> Predrag Punosevac
>
>


Re: Dell Latitude e6400 OpenBSD Drive Issue

2020-02-10 Thread Michael G Workman
Ok, thanks for the info.

*Michael G. Workman*
(321) 432-9295
michael.g.work...@gmail.com



On Sun, Feb 9, 2020 at 4:47 PM Adam Thompson  wrote:

> On 2020-02-09 06:58, Michael G Workman wrote:
> > Hello,
> >
> > Shout out to the OpenBSD developers for making a great OS!
> >
> > I was able to install OpenBSD 6.6 on a Dell Latitude e6400 laptop, with
> > a
> > USB Install. Sent the dmesg in already.
> >
> > The installer would not recognize the hard drive, a brand new SSD
> > drive.
> > The solution to that, from stack exchange, was to change the SATA
> > settings
> > in BIOS from IRRTL to AHCI, that fixed the problem.
> >
> > However if my laptop is powered off for a while, the SATA setting
> > changes
> > back to IRRTL instead of AHCI, very annoying, not sure why the BIOS
> > would
> > not make my changes persistent. I think it may be a hardware issue, but
> > just wanted to know if anyone else has encountered this before?
> >
> > Thanks.
> >
> > *Michael G. Workman*
> > (321) 432-9295
> > michael.g.work...@gmail.com
>
> I have run several laptops from that series with OpenBSD.  The other
> replies are correct, your BIOS battery is dead.  Unfortunately, on many
> of the Latitudes, the BIOS battery is of the variety that's embedded in
> the RTC chip, and is not separately replaceable.
> Some, however, including - the 6430 for example - have a regular coin
> cell, albeit wrapped in a proprietary cover with a non-standard
> connector, but at least it *is* replaceable without insane amounts of
> work.
> I have the owner's manuals for many of the 6400 series, email me
> directly if you can't find the guide to replacing parts for your
> particular model.
> -Adam
>


Dell Latitude e6400 OpenBSD Drive Issue

2020-02-09 Thread Michael G Workman
Hello,

Shout out to the OpenBSD developers for making a great OS!

I was able to install OpenBSD 6.6 on a Dell Latitude e6400 laptop, with a
USB Install. Sent the dmesg in already.

The installer would not recognize the hard drive, a brand new SSD drive.
The solution to that, from stack exchange, was to change the SATA settings
in BIOS from IRRTL to AHCI, that fixed the problem.

However if my laptop is powered off for a while, the SATA setting changes
back to IRRTL instead of AHCI, very annoying, not sure why the BIOS would
not make my changes persistent. I think it may be a hardware issue, but
just wanted to know if anyone else has encountered this before?

Thanks.

*Michael G. Workman*
(321) 432-9295
michael.g.work...@gmail.com

