Re: Enhancing Privacy in 2020 attached screenshot

2020-12-20 Thread Aaron Mason
On Sat, Dec 19, 2020 at 2:01 PM Ashlen  wrote:
>
> On 20/12/16 22:55, pipus wrote:
> > haha Stuart.
> > Always there to make a low IQ entrance :)
> Ever hear of Dunning-Kruger, pipus?
>
> https://lsa.umich.edu/psych/news-events/all-news/faculty-news/the-dunning-kruger-effect-shows-why-some-people-think-they-re-gr.html
>

First rule of Dunning-Kruger club is you don't know you're in
Dunning-Kruger club.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Advice on using intrusion detection

2020-11-24 Thread Aaron Mason
On Sun, Nov 22, 2020 at 1:14 AM Nick Holland
 wrote:
>
> On 2020-11-20 17:15, Erik Lauritsen wrote:
> > Is it recommended to run some kind of intrusion detection on an
> > OpenBSD router/firewall?
> >
> > I suspect that any kind of system like Snort or Suricata will give a
> > lot of false positives?
>
> [SNIP]
>
> One thing I have been doing for a while is rsync --link-dest backups of
> systems, both in-house and at various workplaces.  FANTASTIC tool,
> giving incredibly "useful" backups, with relatively low impact and
> resource requirements.  My I use a -v on rsync to get verbose backups,
> and log it to a file.
>
> Just recently, I realized these logs are basically a "changed file"
> report, which is a starting point for a file alteration reporting
> tool.  Combine that with a carefully crafted "ignore" file (you
> can do that with a grep -vf ignorefile logfile), and you have an
> interesting file monitoring system.
>

This sounds similar to what I do with logs - something Marcus Ranum
called "artificial ignorance". Using grep, you fill a file with
patterns to remove things you know aren't interesting, and once you
apply it to your logs what remains will absolutely be interesting.  If
anything else uninteresting shows up, update the pattern file to
filter those entries out. I used this method on the logs of my
OpenBSD-based Request Tracker server and found that the reason a
commercial piece of software running on a Hyper-V virtual machine kept
needing to be reactivated was because the server's MAC address would
regularly change if you left it set to Dynamic.  Really, Microsoft?

> The painful part with any such system is crafting the list of what
> to ignore vs. what to panic over.  Everyone wants to tick the
> checkbox that says "We have an intrusion detection system", and
> everyone wants one of two results: "No problem" and "intruder
> detected".  So far, I don't think any tool does that.  An IDS
> without careful human monitoring is just for show (and it's a
> potential security risk of its own), and more likely to be the
> cause of a problem than a solution.  Careful monitoring takes
> time and resources.
>

Problems like "we're only getting 56Mbps from our 1000mbit fibre
connection". Yes, really. Bypassing the IDS/IPS actually led to better
performance - or at least better numbers on the speed test. You got
some 'splaining to do, Sophos.

> One nifty thing I have found in "rolling my own" is that I found
> a lot of little oddities, no security problems, but things that
> needed fixing.  I'd call that a win.
>

Exactly, it just takes effort.  Something that is in short supply
whether by overwork or laziness.

> Nick.
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: OBSD 6.8 vlan communication issues

2020-11-11 Thread Aaron Mason
0   26 - 1 aggr0
> > 10.10.70.3 e0:63:da:8e:78:d7  UHLc   0 7158 - 3 aggr0
> > 10.10.70.255   10.10.70.1 UHPb   00 - 1 aggr0
> > 10.10.70.255   10.10.70.0 UHPb   00 - 1 vlan70
> > 10.10.77/2410.10.77.1 UCPn   01 - 4 aggr0
> > 10.10.77/2410.10.77.0 UCPn   00 - 4 vlan77
> > 10.10.77.0 fe:e1:ba:d0:f4:8c  UHLl   00 - 1 vlan77
> > 10.10.77.1 fe:e1:ba:d0:f4:8c  UHLl   0   31 - 1 aggr0
> > 10.10.77.255   10.10.77.1 UHPb   00 - 1 aggr0
> > 10.10.77.255   10.10.77.0 UHPb   00 - 1 vlan77
> > 10.10.79/2410.10.79.1 UCPn   01 - 4 aggr0
> > 10.10.79/2410.10.79.0 UCPn   00 - 4 vlan79
> > 10.10.79.0 fe:e1:ba:d0:f4:8c  UHLl   0    0 -     1 vlan79
> > 10.10.79.1 fe:e1:ba:d0:f4:8c  UHLl   0   36 - 1 aggr0
> > 10.10.79.255   10.10.79.1 UHPb   00 - 1 aggr0
> > 10.10.79.255   10.10.79.0 UHPb   00 - 1 vlan79
> > 127/8  127.0.0.1  UGRS   00 32768 8 lo0
> > 127.0.0.1  127.0.0.1  UHhl   1   17 32768 1 lo0
> > 192.168.7/24   192.168.7.4UCn10 - 4 re0
> > 192.168.7.100:1b:21:18:88:72  UHLch  514796 - 3 re0
> > 192.168.7.48c:ec:4b:7a:04:dc  UHLl   0  184 - 1 re0
> > 192.168.7.255  192.168.7.4UHb00 - 1 re0
> >
> >
> > the pf rules when pf enabled
> >
> > pfctl -sr
> > block return all
> > pass all flags S/SA
> > block return in on ! lo0 proto tcp from any to any port 6000:6010
> > block return out log proto tcp all user = 55
> > block return out log proto udp all user = 55
> > pass out log on aggr0 inet proto icmp from 10.10.70.0/24 to any label
> > "pings"
> > pass out log on aggr0 inet proto icmp from 10.10.77.0/24 to any label
> > "pings"
> > pass out log on aggr0 inet proto icmp from 10.10.79.0/24 to any label
> > "pings"
> > pass in on vlan70 all flags S/SA label "vlan70" tag vlan70
> > pass out on vlan70 all flags S/SA label "vlan70o" tag vlan70o
> >
> > sysctl for ip forwarding is set
> >
> > net.inet.ip.forwarding=1
> >
> >
> >
>
> --
> Kindest regards,
> Tom Smyth.

Good catch, didn't notice the IPs on the aggr0 interface. I retract my advice.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: OBSD 6.8 vlan communication issues

2020-11-11 Thread Aaron Mason
1 re0
>
>
> the pf rules when pf enabled
>
> pfctl -sr
> block return all
> pass all flags S/SA
> block return in on ! lo0 proto tcp from any to any port 6000:6010
> block return out log proto tcp all user = 55
> block return out log proto udp all user = 55
> pass out log on aggr0 inet proto icmp from 10.10.70.0/24 to any label
> "pings"
> pass out log on aggr0 inet proto icmp from 10.10.77.0/24 to any label
> "pings"
> pass out log on aggr0 inet proto icmp from 10.10.79.0/24 to any label
> "pings"
> pass in on vlan70 all flags S/SA label "vlan70" tag vlan70
> pass out on vlan70 all flags S/SA label "vlan70o" tag vlan70o
>
> sysctl for ip forwarding is set
>
> net.inet.ip.forwarding=1
>
>

What is your management VLAN set to on the switch? Did you set up
those ports in a LAG as well as on those VLANs?

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: chromium has troubles showing videos from youtube

2020-11-10 Thread Aaron Mason
On Wed, Nov 11, 2020 at 7:42 AM Gregory Edigarov  wrote:
>
> Hello,
>
> chromium-86.0.4240.185, installed from packages
> is showing spinner and goes no further  after the first ad before video,
> and not.
> at first I thought  it is some extension, but with clean chromium the
> behavior is
> still the same.
>
> does anybody else observing this? or is it just me?
>
> --
> With best regards,
>Gregory Edigarov
>

Hi

If you open up the developer console and start a video, do you see any
requests that end in an error in the Network tab?

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Multiple USB NICs

2020-10-19 Thread Aaron Mason
On Tue, Oct 20, 2020 at 12:29 PM Lee Nelson  wrote:
>
>
>
> On Mon, 19 Oct 2020, Allan Streib wrote:
>
> > Lee Nelson  writes:
> >
> >> I had considered some late-running script that would query the MAC's of
> >> each NIC and then configure them accordingly or rewrite the hostname.*
> >> files and call netstart on them, but that just seems sloppy and
> >> unreliable.
> >
> > What about DHCP? It supports MAC-specific configurations.
> >
> > Allan
> >
> Very good point, except in my case, this machine would be the dhcp server.
>

You could run scripts to set the IP address based on the MAC with this
in each hostname.axenN file:

!/path/to/script axeN

And then write that script to pick the IP address based on the MAC.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Understanding download speed reduction by introducing an inline Ubiquity ERL device

2020-10-07 Thread Aaron Mason
 410.0/s
> >>  ip-option  261640.1/s
> >>  proto-cksum00.0/s
> >>  state-mismatch 107580.0/s
> >>  state-insert   00.0/s
> >>  state-limit00.0/s
> >>  src-limit  00.0/s
> >>  synproxy   00.0/s
> >>  translate  00.0/s
> >>  no-route   00.0/s
> >>
> >> pfctl -s memory:
> >>
> >> stateshard limit   10
> >> src-nodes hard limit1
> >> frags hard limit16384
> >> tableshard limit 1000
> >> table-entries hard limit   20
> >> pktdelay-pkts hard limit1
> >>
> >> The netlivlocks value keeps on increasing regularly:
> >> kern.netlivelocks=57911
> >>
> >> netstat -m:
> >>
> >> 1009 mbufs in use:
> >> 917 mbufs allocated to data
> >> 5 mbufs allocated to packet headers
> >> 87 mbufs allocated to socket names and addresses
> >> 801/7256 mbuf 2048 byte clusters in use (current/peak)
> >> 0/15 mbuf 2112 byte clusters in use (current/peak)
> >> 0/24 mbuf 4096 byte clusters in use (current/peak)
> >> 0/8 mbuf 8192 byte clusters in use (current/peak)
> >> 0/0 mbuf 9216 byte clusters in use (current/peak)
> >> 0/0 mbuf 12288 byte clusters in use (current/peak)
> >> 0/0 mbuf 16384 byte clusters in use (current/peak)
> >> 0/8 mbuf 65536 byte clusters in use (current/peak)
> >> 6512/17088/131072 Kbytes allocated to network (current/peak/max)
> >> 0 requests for memory denied
> >> 0 requests for memory delayed
> >> 0 calls to protocol drain routines
> >>
> >> netstat -i:
> >>
> >> NameMtu   Network Address  Ipkts IfailOpkts Ofail 
> >> Colls
> >> lo0 32768  198 0  198 0  
> >>0
> >> lo0 32768 localhost/1 localhost  198 0  198 0  
> >>0
> >> lo0 32768 fe80::%lo0/ fe80::1%lo0198 0  198 0  
> >>0
> >> lo0 32768 127/8   localhost  198 0  198 0  
> >>0
> >> cnmac0  1600a8:28:dc:cc:2e:6f 56088774 0 22283491  2688  
> >>0
> >> cnmac0  1600  73.231.60/2 c-73-231-60-128.h 56088774 0 22283491  2688  
> >>0
> >> cnmac1  160078:8a:20:46:a8:c1 23646497 4 5656985348  
> >>0
> >> cnmac2  160078:8a:20:46:a8:c214823 0   226198 226198 
> >> 0
> >> enc0*   00 00 0  
> >>0
> >> bridge0 1500  23187238 0 57022219 0  
> >>0
> >> vether0 32768   fe:e1:ba:d0:c8:a9 23056709 0 56795991 0  
> >>0
> >> vether0 32768 192.168.10/ 192.168.10.1  23056709 0 56795991 0  
> >>0
> >> pflog0  331360 026171 0  
> >>0
> >
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Bluetooth adapter that works with OpenBSD

2020-09-21 Thread Aaron Mason
On Tue, Sep 22, 2020 at 2:22 PM Tito Mari Francis Escaño
 wrote:
>
> Hi misc,
> I'm building an OpenBSD desktop PC and would like to use my Royal Kludge
> RK71 mechanical keyboard with it via USB Bluetooth dongle.
> Can somebody please point me to USB Bluetooth dongles tested working with
> OpenBSD?
> Hopefully you can guide me.
> Thanks so much.

No Bluetooth in OpenBSD, I'm afraid.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Creating a Partition for RAID Arrays

2020-09-16 Thread Aaron Mason
On Thu, Sep 17, 2020 at 1:51 PM Justin Noor  wrote:
>
> Hello Misc,
>

Hi!

> We need to create a partition on an OpenBSD server for the sole purpose of
> mounting RAID arrays.
>

> [LE SNIP]
> How big should this partition be?

As big as you need to store any actual data.  If you're not storing
anything on it, there's no reason to have one at all, just create the
directory in your root filesystem.  Is there a reason you can't just
do that?

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: How to split install.wim

2020-09-02 Thread Aaron Mason
On Wed, Sep 2, 2020 at 4:44 PM Peter Nicolai Mathias Hansteen
 wrote:
>
> Urgh. I’s probably due to the lack of a useful dd analogue that they make 
> users jump through hoops like that.
>
> Otherwise my initial reaction before reading the article was ‘just use dd’, 
> but that would be totally foreign territory to most Windows admins most 
> likely.
>

Sadly, this very sensible approach didn't occur to Microshaft, either.
As a consequence, the ISO isn't a hybrid one - "burning" the ISO to a
USB stick doesn't work.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: How to split install.wim

2020-09-01 Thread Aaron Mason
On Wed, Sep 2, 2020 at 3:35 PM Predrag Punosevac  wrote:
>
> Hi All,
>
> I am using my desktop
>
> predrag@oko$ uname -a
> OpenBSD oko.int.bagdala2.net 6.7 GENERIC.MP#5 amd64
>
> to create a bootable Windows 10 USB flash drive. It is a paid job
> although I would not be surprised that my consent to do it, is
> consistent with the early signs of dementia. I just wasted a few hours
> of my life to find out that install.wim is too large to be written on
> Fat32 file system as described in this article
>
> https://www.zdnet.com/article/windows-10-installer-files-too-big-for-usb-flash-drive-heres-the-fix/
>
> I need to split it in two before I can write it to a bootable USB.  Has
> anybody done this on an OpenBSD machine? It seems that the library for
> manipulation of Windows Imaging exists
>
> https://wimlib.net/
>
> but I can't find anything in the ports tree.
>
> https://openports.pl/
>
> And just for the curios you will not be able to mount Windows ISO image
> using mount_udf
>
> This thread is right on money
>
> https://marc.info/?l=openbsd-misc=139271029815043=2
>
> You will have to use
>
> 7z e Win10_2004_English_x64.iso
>
> command to extract the files from the iso image provided by Microsoft.
>
> Best,
> Predrag
>

You would be better to use NTFS than muck around with splitting the
installer file.  Pretty sure it needs to be NTFS to boot anyway, at
least for non-UEFI machines.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Microsoft's war on plain text email in open source

2020-08-26 Thread Aaron Mason
On Thu, Aug 27, 2020 at 7:27 AM Chris Bennett
 wrote:
>
> I was recently told by a youngster that I was a total idiot for working
> my way through the new CSS to understand it well. I needed to go
> straight over to some Framework that assumes I am stupid, which I
> would be if I didn't take the time to understand what I'm really
> accomplishing.
>

This.  So many projects I've picked up from others use jQuery like
it's somehow a requirement to do anything, when really it just makes
bashing out crappy code faster (something something premature
optimisation) - I refuse to use it partly for that reason, mostly
because I fail to see the benefit in lugging around a sizeable
framework when I intend to use a tiny part of it (never chop down a
tree when just the branch will do - old Aussie proverb) that can
easily be done in vanilla JS.

Someone posted on Quora about a nasty trick they cooked up for a
painful tester to essentially gaslight him (it would randomly resize
elements on the web page, and this guy would claim that everything was
fine on his end and then turn it off before he went over to look at
it) and it was jQuery all the way - with minimal effort I ported it to
vanilla JS.  It's not that hard.

Also, I use gmail with an old account that got overtaken by spam that
I use for mailing lists as well, and it handles patches just fine.
Never been an issue.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: aggr(4) not working with Intel XXV710 SFP28 on a Supermicro X11DPi-N(T)

2020-08-18 Thread Aaron Mason
On Wed, Aug 19, 2020 at 12:00 AM Winfred Harrelson
 wrote:
>
> On Tue, Aug 18, 2020 at 04:53:42PM +1000, Jonathan Matthew wrote:
> >
> > This sounds like multicast filters aren't working properly with your nic.
> > trunk(4) puts trunk ports in promisc mode, so multicast filters don't 
> > matter,
> > but aggr(4) doesn't.  Could you try running 'tcpdump -ni ixl0' for a while 
> > and
> > see if that side of the aggr starts working?
>
> I left the tcpdump running for a little over 5 minutes but that changed 
> nothing:
>

Did anything come up on the tcpdump while it was running?  Maybe
there's a clue there.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Tunefs(8)

2020-08-16 Thread Aaron Mason
On Tue, Aug 11, 2020 at 2:07 AM Rupert Gallagher  wrote:
>
> Omit the last line of the manual, because there is no need for it.
>

Well of course there's no need for it, but why on Earth should that
mean that it shouldn't be there?

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Bug? having no monitor plugged in causes a reboot in bsd.rd

2020-07-19 Thread Aaron Mason
On Sun, Jul 19, 2020 at 9:06 AM Alfred Morgan  wrote:
>
> OpenBSD upgrade.lan 6.7 GENERIC.MP#182 amd64
>
> If I set tty com0 then bsd.rd boots fine. If I have a monitor plugged in
> bsd.rd boots fine. If I don't have a monitor and I don't direct tty to com0
> then bsd.rd reboots my machine after a few seconds.
> Any tips on how I can inspect what is going on here?
>
> -alfred

It might help if we knew a bit more about your system.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Shell account service providers

2020-07-15 Thread Aaron Mason
On Thu, Jul 16, 2020 at 11:53 AM Ibsen S Ripsbusker
 wrote:
>
> Are there services that sell managed OpenBSD shell accounts?
> I mean a service similar to sdf.org.
>

What are you looking for in such a service?

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: OpenBSD master volume GUI TCL, how to contribute?

2020-07-01 Thread Aaron Mason
On Thu, Jul 2, 2020 at 4:50 AM wdaver  wrote:
>
> There are posts asking for a GUI to control volume for OpenBSD.
> I wanted the same and wrote an 85 line TCL (8.5) script.  It calls
> sndioctl, has a volume slider and mute button, sized for touch
> screen convenience.  I use it every day.
>
> I am ok with just posting here, for users to copy and paste.
>
> It could be a port (maybe the smallest port ever).  I know there is an
> introduction in the FAQ for ports and I have zero experience creating
> ports.  Seems like it would need a brief man page.
>
> The script may stop people from asking about it...
>
> Suggestions for the best way to contribute this tiny script to OpenBSD?
>

Putting it here is a good start.  Maybe put it in a publicly
accessible repository (maybe Gitlab? I'd suggest GitHub, but
Microsoft) so you can also push any changes needed, and anyone who
wants to can suggest improvements and report bugs.

>From there, if you (or anyone) wants to submit a port, they've got a
central place to pick up the latest version.  If you wanted to do this
yourself, your best bet is to look for any ports that have TCL as a
prerequisite, and go from there.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: OpenBSD Readonly File System

2020-06-24 Thread Aaron Mason
On Mon, Jun 22, 2020 at 4:24 PM Mogens Jensen
 wrote:
>
> Tuesday, June 9, 2020 7:59 AM, Vertigo Altair  
> wrote:
>
> > Hi Misc,
> > I have a firewall device and I'm using OpenBSD on it.
>
> Last year I had to configure an OpenBSD 6.5 firewall for use in a
> remote location, and was concerned about power loss corrupting the
> filesystem and making the system unbootable without manual
> intervention. As I did not want to modify OpenBSD in unsupported ways,
> I decided to test what kind of damage power loss could do, by
> randomly removing and applying power to the firewall, many many times.
>
> What I found was that 99% of the time, the system would just repair the
> filesystem and boot without problems, but if by chance the power was
> removed at a short time window during kernel relinking, the kernel
> would become corrupt and leave the system completely unbootable and
> not easy to repair. It was suggested to me that I tried to mount root
> partition with the sync option, so I arranged the partition layout in a
> way that would make it feasible and added the option to fstab.
>
> Only other problem I found, was that a few times after removing power
> when writing a large file, the system would require me to run fsck -y
> manually, this is by design, but I decided it was more important to me
> that the system could boot unattended, with a minuscule risk of
> completely ruining the filesystem, so I wrote a small unsupported patch
> for the rc script (sorry if the formatting gets messed up by posting):
>
> The patch has only been tested on OpenBSD 6.5.
>
> ---
> Index: src/etc/rc
> ===
> RCS file: /cvs/src/etc/rc,v
> retrieving revision 1.536
> diff -u -p -u -p -r1.536 rc
> --- src/etc/rc  1 Apr 2019 11:39:46 -   1.536
> +++ src/etc/rc  20 Aug 2019 22:47:49 -
> @@ -1,5 +1,8 @@
>  #  $OpenBSD: rc,v 1.536 2019/04/01 11:39:46 tedu Exp $
>
> +# NOTE: The do_fsck() function has been patched to run 'fsck -y' if an
> +#  automatic file system check fails with exit code 8.
> +
>  # System startup script run by init on autoboot or after single-user.
>  # Output and error are redirected to console by init, and the console is the
>  # controlling terminal.
> @@ -271,8 +274,14 @@ do_fsck() {
> echo "Reboot failed; help!"
> exit 1
> ;;
> -   8)  echo "Automatic file system check failed; help!"
> -   exit 1
> +   8)  echo "Automatic file system check failed; trying fsck -y"
> +   fsck -y
> +   case $? in
> +   0)  ;;
> +   *)  echo "Could not repair file system unattended; help!"
> +   exit 1
> +   ;;
> +   esac
> ;;
> 12) echo "Boot interrupted."
> exit 1
> ---
>
> After mounting root filesystem with sync option and applying the patch,
> I was no longer able to make the system unbootable by power loss in my
> test setup. It may be possible, but the risk is now so small that it is
> not a concern for me and the risk of something else breaking is
> probably bigger. During operation in remote location, the system has
> always been able to completely boot after a power loss so far.
>
> So while it was not possible for me to not make any unsupported
> modifications at all, I think it is a very small change compared to
> have read only filesystems. Anyone who knows OpenBSD, will be able to
> manage the firewall without special instructions.
>
>
> Regards,
> Mogens Jensen
>

Auto filesystem repair is bad juju.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Disabling OpenBSD Login Prompt

2020-06-10 Thread Aaron Mason
On Wed, Jun 10, 2020 at 5:57 PM Valdrin MUJA  wrote:
>
> Hi Misc,
>
>
>
> I want to disable OpenBSD Login prompt at startup -and also after logging 
> out-. Because I want to run my external program instead of ksh. There is an 
> login prompt also in my program and I want to use it.
>
>
>
> I updated the /etc/ttys ;
>
> valdrin# cat /etc/ttys
> #
> #   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
> #
> # name  getty   typestatus  comments
> #
> console "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC2   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC3   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC5   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC6   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC7   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC8   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC9   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyCa   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
> tty00   "/root/myprogram"   vt220on secure
> tty01   "/usr/libexec/getty std.9600"   unknown off
> tty02   "/usr/libexec/getty std.9600"   unknown off
> tty03   "/usr/libexec/getty std.9600"   unknown off
> tty04   "/usr/libexec/getty std.9600"   unknown off
> tty05   "/usr/libexec/getty std.9600"   unknown off
> tty06   "/usr/libexec/getty std.9600"   unknown off
> tty07   "/usr/libexec/getty std.9600"   unknown off
>
>
>
> I'm connected the device with com0 port so I updated the tty00 to run my 
> external program. However; system is stucking after date appears on startup.
>
>
>
> starting network
> reordering libraries: done.
> starting early daemons: syslogd ntpd.
> starting RPC daemons:.
> savecore: no core dump
> checking quotas: done.
> clearing /tmp
> kern.securelevel: 0 -> 1
> creating runtime link editor directory cache.
> preserving editor files.
> starting network daemons: sshd.
> starting local daemons: cron.
> Wed Jun 10 10:27:04 +03 2020
>
>
>
>
>
> Also, I tried "chsh" and "chpass" , but still OpenBSD login prompt appears.. 
> How can I overcome this issue?
>
>
>
> Thanks..

Are you able to access other terminals after boot (i.e. Ctrl+Alt+F2)?

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Article OpenBSD: Not Free Not Fuctional and Definetly Not Secure and BSD, the truth blog

2020-05-27 Thread Aaron Mason
On Thu, May 28, 2020 at 2:21 PM Aaron Mason  wrote:
>
> On Thu, May 28, 2020 at 2:20 PM Quantum Robin  
> wrote:
> >
> > Hi,
> >
> > While surfing on the Google to learn more about OpenBSD, I encountered this
> > one: "OpenBSD: Not Free Not Fuctional and Definetly Not Secure (
> > https://aboutthebsds.wordpress.com/2013/01/25/20/)
> >
> > Is the author telling the truth? Or just yet another anti-BSD thing?
>
> If it has to tell you it's "the truth" in its title, it probably isn't.
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse

It's also difficult to take someone seriously when they can't spell
the words they're using, like "functional" and "definitely"

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Article OpenBSD: Not Free Not Fuctional and Definetly Not Secure and BSD, the truth blog

2020-05-27 Thread Aaron Mason
On Thu, May 28, 2020 at 2:20 PM Quantum Robin  wrote:
>
> Hi,
>
> While surfing on the Google to learn more about OpenBSD, I encountered this
> one: "OpenBSD: Not Free Not Fuctional and Definetly Not Secure (
> https://aboutthebsds.wordpress.com/2013/01/25/20/)
>
> Is the author telling the truth? Or just yet another anti-BSD thing?

If it has to tell you it's "the truth" in its title, it probably isn't.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Help, i want to ask if my Asus Vivobook Ryzen 3 , Vega 3 can run openbsd

2020-05-24 Thread Aaron Mason
On Mon, May 25, 2020 at 1:49 PM Digital Crow  wrote:
>
> Help, i want to ask if my Asus Vivobook Ryzen 3 , Vega 3  can run openbsd
> I have problems with freebsd i can't run xorg it has a problem with efi
> framebuffer and amdgpu driver.
> It seems that this laptop can boot only efi partitions there's no setting
> on bios about csm or anything else related to it.
> Is it possible  openbsd would work ?
> Also is the process the same as freebsd ?
> I need to install drm-kmod and add kld_list amdgpu on rc.conf
> The openbsd installer create efi boot partition ?
> I think this laptop can boot only efi partitions

There's only one way to find out...

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: LDAP database choice

2020-05-20 Thread Aaron Mason
On Thu, May 21, 2020 at 2:31 AM Aisha Tammy  wrote:
>
> Hi all,
>   Is there any particular reason why ldapd has its own version of btree.c
> instead of using the db.h standard btree ?
>
> Aisha
>

Probably.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: freeze on startup

2020-05-16 Thread Aaron Mason
On Sun, May 17, 2020 at 4:32 AM Joseph A Borg  wrote:
>
> I can boot into bsd.rd, which I assume to be still at version 6.5
>

Don't assume, find out.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: fw_update verify firmware?

2020-05-14 Thread Aaron Mason
On Fri, May 15, 2020 at 3:39 AM Nick Holland
 wrote:
>
> On 2020-05-14 11:08, i...@aulix.com wrote:
>
> I actually had Adaptec give me a firmware update with a time bomb in
> it, and didn't bother to tell me that after X days, it would brick my
> adapter and prevent me from updating/downdating it.  If it had been
> stored in RAM, I might have been able to recover it, but since it was
> flashed into EEPROM and prevented the machine from booting, the card
> had to be replaced...and my customer had an outage.

Apropos of nothing, that saga is worth reading in full:

Episode 4: A New Flaw - http://marc.info/?l=openbsd-misc=125783114503531=2
Episode 5: The Firmware Strikes Back:
http://marc.info/?l=openbsd-misc=126775051500581=2
Episode 6: Return of the Vendor:
http://marc.info/?l=openbsd-misc=128779369427908=2

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Secure end points for Internet tunnel, the most secure hardware

2020-05-12 Thread Aaron Mason
On Tue, May 12, 2020 at 1:27 PM  wrote:
>
> Aaron, thank you for your suggestion.
>
> For now I prefer to try to use the oldest suitable hardware I can find, not 
> sure if it is a good idea.
>

YMMV. Don't fall into the sunk cost fallacy.

> Please someone let me know if AllWinner SoC backdoor described at:
>
> https://www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_nasty_root_backdoor/
>
> can be exploited in OpenBSD?
>

That is a kernel level issue, not an SOC level one.

https://github.com/friendlyarm/h3_lichee/blob/master/linux-3.4/arch/arm/mach-sunxi/sunxi-debug.c

Anyone who suggested this be put in OpenBSD's kernel would likely
receive a visit from Theo brandishing a flamethrower fuelled by
Substance N to melt their PC, house, land, self.

> Is it a bad idea to run a small communication server on a AllWinner A20 board 
> like a Cubitruck if it works with OpenBSD (it is not on the list though). 
> What about other compatible boards like AllWinner A10 Orange PI One?
>

If it isn't on the list, it either isn't supported or hasn't been
tested.  If you have the hardware on hand, it never hurts to try the
latest snap and send a dmesg to the the openbsd-arm mailing list so
they can update their docs or get an idea of what's missing.

> I just want my DNS (local) and postfix, dovecot (Internet)  and SSH (local 
> and Internet) work on it protected from hackers.

Running OpenBSD and spamd on your router and any non-internet facing
services on other systems behind it, and not making silly decisions
like password based root logins (or any login for that matter) and
employing a default permit policy on your firewall are a good start.
Anything else is service-specific.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Secure end points for Internet tunnel, the most secure hardware

2020-05-11 Thread Aaron Mason
On Mon, May 11, 2020 at 5:16 PM  wrote:
>
> Hi,

Hi!

>
> [SNIP]
>
> Can you offer anything better than Cortex A7 board which is immune to Spectre?
> What is the most secure Cortex A7 board on which OpenBSD can run? I guess it 
> shall have as little BLOBs as possible - only a small Boot ROM like 
> Beaglebone Black which unfortunately is not Cortex A7, but rather Cortex A8.
>

The Pine A64 (US$15 for the 512mb version or US$21 for the 1GB plus
version) and the Rock64 (US$24.95 for the 1GB version) that both use a
Cortex-A53 CPU that is immune to Spectre, can't speak to the
blobbiness, though.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-07 Thread Aaron Mason
On Fri, May 8, 2020 at 2:30 AM jeanfrancois  wrote:
>
> As long as there's no material published it's worth just any other word.
>

To quote Douglas Adams on whether you can trust people on the
internet, "of course not, it's just people talking".

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: More than 16 partitions

2020-04-28 Thread Aaron Mason
On Sat, Apr 25, 2020 at 2:41 PM Theo de Raadt  wrote:
>
> Amelia A Lewis  wrote:
>
> > So, and I recognize that the answer might reasonably be "go read more
> > code and figure it out yourself," a question for Theo and others if you
> > have a moment: why couldn't an arch expand past sixteen? It seems, both
> > from the math calculating struct size (which may be mistaken, in which
> > case I apologize) and in the comment for MAXMAXPARTITIONS that more
> > *are* possible.
>
> Because there is another reason.  Here are the device nodes for
> two sequentially-numbered disks.
>
> brw-r-  1 root  operator4,   0 Apr 17 11:50 sd0a
> brw-r-  1 root  operator4,   1 Apr 17 11:50 sd0b
> brw-r-  1 root  operator4,   2 Apr 17 11:50 sd0c
> brw-r-  1 root  operator4,   3 Apr 17 11:50 sd0d
> brw-r-  1 root  operator4,   4 Apr 17 11:50 sd0e
> brw-r-  1 root  operator4,   5 Apr 17 11:50 sd0f
> brw-r-  1 root  operator4,   6 Apr 17 11:50 sd0g
> brw-r-  1 root  operator4,   7 Apr 17 11:50 sd0h
> brw-r-  1 root  operator4,   8 Apr 17 11:50 sd0i
> brw-r-  1 root  operator4,   9 Apr 17 11:50 sd0j
> brw-r-  1 root  operator4,  10 Apr 17 11:50 sd0k
> brw-r-  1 root  operator4,  11 Apr 17 11:50 sd0l
> brw-r-  1 root  operator4,  12 Apr 17 11:50 sd0m
> brw-r-  1 root  operator4,  13 Apr 17 11:50 sd0n
> brw-r-  1 root  operator4,  14 Apr 17 11:50 sd0o
> brw-r-  1 root  operator4,  15 Apr 17 11:50 sd0p
> brw-r-  1 root  operator4,  16 Apr 17 11:50 sd1a
> brw-r-  1 root  operator4,  17 Apr 17 11:50 sd1b
> brw-r-  1 root  operator4,  18 Apr 17 11:50 sd1c
> brw-r-  1 root  operator4,  19 Apr 17 11:50 sd1d
> brw-r-  1 root  operator4,  20 Apr 17 11:50 sd1e
> brw-r-  1 root  operator4,  21 Apr 17 11:50 sd1f
> brw-r-  1 root  operator4,  22 Apr 17 11:50 sd1g
> brw-r-  1 root  operator4,  23 Apr 17 11:50 sd1h
> brw-r-  1 root  operator4,  24 Apr 17 11:50 sd1i
> brw-r-  1 root  operator4,  25 Apr 17 11:50 sd1j
> brw-r-  1 root  operator4,  26 Apr 17 11:50 sd1k
> brw-r-  1 root  operator4,  27 Apr 17 11:50 sd1l
> brw-r-  1 root  operator4,  28 Apr 17 11:50 sd1m
> brw-r-  1 root  operator4,  29 Apr 17 11:50 sd1n
> brw-r-  1 root  operator4,  30 Apr 17 11:50 sd1o
> brw-r-  1 root  operator4,  31 Apr 17 11:50 sd1p
>
> Look very carefully at this column  ^^
>

Are they allocated in the kernel in a linear fashion?  If not, you
could allocate additional nodes under a spare major for the extra
partitions.  If so, well I'm just talking out of my arse.

I'd see for myself if I could find where they're allocated.  I'll have
more of a deep dive later.


--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: MIdnight Commander won't run

2020-04-22 Thread Aaron Mason
On Wed, Apr 22, 2020 at 11:17 AM Jay Hart  wrote:
>
> Upgraded my router from 6.5 to 6.6.  Followed the upgrade guide and installed 
> most, not all, of
> the file sets.  I did not install the games set or several of the X sets.
>
> I ran pkg_add -u and also used sysclean to find and remove all unneeded files.
>
> Afterwards, trying to run 'mc' results in:
>
> tangerine# mc
> ld.so can't load library libpcre.so.3.0
> Killed
>
> libpcre.so.3.0 is in /usr/local/lib
>
> Not sure how to go about fixing this, google searches did not turn up 
> anything on this.
>
> Looking for a bit of help.
>
> Thanks,
>
> Jay
>

I find it rare that an upgrade ever goes smoothly for any OS.  Have
you tried running ldconfig(8)?

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: I see you guys are full of shit when it comes to one thing:

2020-04-15 Thread Aaron Mason
This isn't the airport, no need to announce your departure.

On Wed, Apr 15, 2020 at 3:27 PM zap  wrote:
>
> you  think proprietary softwatre is secure as much as linux loves being
> shit.
>
>
> I had hoped you guys had better self respect, and had some moral
> integrity within.
>
> And if you think i sound sad for dissing GNU, I was going to hold this
> back, but your fucking attitudes are shit as are your attempts to  block
> software that could be useful just because you get into an argument with
> people. (Palemoon) :P
>
> Same with wine!
>
> Please by all means get me off your damn list.  You guys are as bad as
> the linux organization.
>
> and while your all at it, since your unwilling to understand the truth
> that proprietary software sucks, just go wank yourselves somewhere.
>
> I really don't care about  being on this list anymore.  You guys are
> fucking heartless.  That's a fact.
>
> And Theo, if I said anything nice about you, please forget I said
> anything.  I don't take kindly to hostile assholes who refuse to be civil.
>
>
> Sigh... I guess trying to praise you for the good you guys do is just
> not constructive.  I see you guys live in a bubble of your own choosing.
>
> Wee proprietary software totally doesn't have any flaws or
> weaknesses!  GNU has the right to be shit, same with Linux! and BSD can
> refuse software that could otherwise benefit their users just because it
> has a license you hate! GOD damn
>
>
> Smell you later assholes.
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Failed to install bootblocks. You will not be able to boot OpenBSD

2020-04-06 Thread Aaron Mason
On Sat, Apr 4, 2020 at 1:14 AM Justin Noor  wrote:
>
> Hello OpenBSD Community,
>

Hi!


> [SNIP]
> had no data on them, other than the FreeBSD installation sets, I decided
> not to clean the boot code area with 'dd if=/dev/zero of=/dev/rsd0c bs=1
> count=1'.
>
>

That clears one byte.  You may have intended this:

dd if=/dev/zero of=/dev/rsd0c bs=1M count=1


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: mapserver httpd configuration

2020-04-05 Thread Aaron Mason
Hi Rashad

Is mapserv.sock in /var/www/run?  Also, does the web server have
access to the socket file?

I use a similar method to run RT:

# cat /etc/httpd.conf
[SNIP]
server $domain {
listen on egress tls port 443
fastcgi socket "/run/rt/rt-server.sock"
log syslog
tls {
key "/etc/ssl/private/server.key"
certificate "/etc/ssl/server.crt"
}
connection max request body 104857600
}
[SNIP]
# ls -l /var/www/run/rt/rt-server.sock
srwxrwxrwx  1 www  www  0 Apr  3 08:27 /var/www/run/rt/rt-server.sock

Also, yes I know 777 is a security risk.  I think RT did that, I don't
tell it to have any particular mode.  chmod o-rwx didn't break RT, so
I'll see about turning those off on startup and diving into the code
to see if I can fix that at the source.

Should be able to chown it after it starts, or you can just run it as
www and put it in its own directory under /run.

On Fri, Apr 3, 2020 at 9:03 PM Rashad Kanavath
 wrote:
>
> Hello all,
>
> Does anybody had tried to mapserver using httpd.
>
> I had latest mapserver 7.3 installed but cannot configure as it gives 500
> internal server error
> https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/geo/mapserver/pkg/README-main?rev=1.4=text/x-cvsweb-markup
>
> The above readme show information on ngix and supervisor.
> I tried to copy the ngix config into my httpd.conf and got that 500
> internel server error.
> See my httpd.conf below:
>
> server "mydomain.com" {
>   listen on * port 80
>   root "/htdocs/ mydomain.com"
>   location "*.php*" {
> fastcgi socket "/run/php-fpm.sock"
>   }
>   location "/cgi-bin/mapserv" {
> fastcgi socket  "/run/mapserv.sock"
> fastcgi param SCRIPT_FILENAME "/cgi-bin/mapserv"
> }
> }
>
> I had php script working correctly and /var/www/cgi-bin/mapserv -v is
> working correctly
>
> MapServer version 7.2.2 OUTPUT=PNG OUTPUT=JPEG OUTPUT=KML SUPPORTS=PROJ
> SUPPORTS=AGG SUPPORTS=FREETYPE SUPPORTS=CAIRO SUPPORTS=ICONV
> SUPPORTS=FRIBIDI SUPPORTS=WMS_SERVER SUPPORTS=WMS_CLIENT
> SUPPORTS=WFS_SERVER SUPPORTS=WFS_CLIENT SUPPORTS=WCS_SERVER
> SUPPORTS=SOS_SERVER SUPPORTS=FASTCGI SUPPORTS=GEOS SUPPORTS=PBF INPUT=JPEG
> INPUT=POSTGIS INPUT=OGR INPUT=GDAL INPUT=SHAPEFILE
>
>
> In the Readme on cvs give details on chroot, but I don't know it usage for
> using OpenBSD httpd
>
> thanks for your help.
> --
> Regards,
>Rashad



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Openbsd 6.6 amd64 stable bridge with 90 vlans does not forward packets after reboot

2020-03-19 Thread Aaron Mason
Hi Tom

Just looking at /etc/netstart (admittedly for 6.1) and by all rights
that shouldn't be happening - the VLAN interfaces should be starting
well before the bridges.  Maybe add !sleep 1 to the top of the
/etc/hostname.bridge101 file and see if it does better?

On Fri, Mar 20, 2020 at 12:22 PM Tom Smyth  wrote:
>
> Hello,
>
> I have a box that I use to aggregate a number of vlans which are
> isolated from each other(using port protection groups  and bridged
> onto a 10G interface ix0
> these are configured using a standard  hostname.bridgefile as follows,
> cat /etc/hostname.bridge101
> maxaddr 16384 timeout 300
> up
> add ix0 -stp ix0
> add vlan604 protected vlan604 1 -stp vlan604
> add vlan4069 protected vlan4069 1 -stp vlan4069
> .
> .
> .
> add vlan3982 protected vlan43982 1 -stp vlan3982
>
> when I reboot the box ... the system does not seem to forward frames )
>
> but if I run
> sh /etc/netstart bridge101
>
> then the bridge forwards the packets just fine.
>
> interface configs are as follows
> cat /etc/hostname.ix0
> mtu 1700 up
>
> cat /etc/hostname.ix1
> mtu 1708 up
>
> cat /etc/hostname.vlan3982
> parent ix1 vnetid 3982 mtu 1700 up
>
>
> ifconfig bridge101 yields similar results after reboot as opposed to
> ifconfig bridge101 after restarting the interface
>
> the only differences I saw was the index
>
> after reboot the index of bridge101 was 6
>
> but after restarting the bridge101 the index of bridge101 was 98
> (which sounds to me like perhaps the bridge was being started before
> the vlans on bootup)
>
>
> has anyone come across this issue before?
> Thanks
>
>
>
>
> --
> Kindest regards,
> Tom Smyth.
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Hosting a CDN question

2020-03-17 Thread Aaron Mason
In that case, relayd would be the most likely port of call.

On Wed, Mar 18, 2020 at 10:06 AM Flipchan  wrote:
>
> Yeah the point with a cdn is to lower the latency of it so therefor you what 
> is needed is just not only a fast http server but a traffic redirector 
> depending on the end users origin
>
> On March 17, 2020 3:44:27 AM GMT+01:00, Aaron Mason 
>  wrote:
>>
>> You can easily "write" one in Go with 9 lines of code.  And since Go
>> builds static binaries, you can chroot it for security.
>>
>> I just did a quick test between httpd and a web server written in Go
>> and on a simple text file with 20,000 requests from 10 threads I saw a
>> 2.3x improvement on a pair of tests.
>>
>> On Mon, Mar 16, 2020 at 9:28 PM Flipchan  wrote:
>>>
>>>
>>>  Hey all,
>>>
>>>  My company needs to put up a cdn for fast hosting of javascript, images 
>>> and css for websites, and then i would need something faster then httpd.
>>>
>>>
>>>  Does anyone here run a cdn for static website content?
>>>
>>>  If so what software did u use to set it up ?
>>>
>>>  have a good one
>>>  Sincerely
>>>  Filip
>>
>>
>>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Hosting a CDN question

2020-03-16 Thread Aaron Mason
It's worth noting that httpd didn't go over ~30% in the test, whereas
the Go web server absolutely slammed the system.

On Tue, Mar 17, 2020 at 1:44 PM Aaron Mason  wrote:
>
> You can easily "write" one in Go with 9 lines of code.  And since Go
> builds static binaries, you can chroot it for security.
>
> I just did a quick test between httpd and a web server written in Go
> and on a simple text file with 20,000 requests from 10 threads I saw a
> 2.3x improvement on a pair of tests.
>
> On Mon, Mar 16, 2020 at 9:28 PM Flipchan  wrote:
> >
> > Hey all,
> >
> > My company needs to put up a cdn for fast hosting of javascript, images and 
> > css for websites, and then i would need something faster then httpd.
> >
> >
> > Does anyone here run a cdn for static website content?
> >
> > If so what software did u use to set it up ?
> >
> > have a good one
> > Sincerely
> > Filip
>
>
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Hosting a CDN question

2020-03-16 Thread Aaron Mason
You can easily "write" one in Go with 9 lines of code.  And since Go
builds static binaries, you can chroot it for security.

I just did a quick test between httpd and a web server written in Go
and on a simple text file with 20,000 requests from 10 threads I saw a
2.3x improvement on a pair of tests.

On Mon, Mar 16, 2020 at 9:28 PM Flipchan  wrote:
>
> Hey all,
>
> My company needs to put up a cdn for fast hosting of javascript, images and 
> css for websites, and then i would need something faster then httpd.
>
>
> Does anyone here run a cdn for static website content?
>
> If so what software did u use to set it up ?
>
> have a good one
> Sincerely
> Filip



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: experience setting up a low memory machine

2020-03-11 Thread Aaron Mason
On Wed, Mar 11, 2020 at 6:47 PM Jordan Geoghegan  wrote:
>
>
>
> On 2020-03-11 00:13, Stuart Longland wrote:
> > On 15/2/20 6:43 pm, Dumitru Moldovan wrote:
> >> [SNIP]
> > [SNIP]
> >
> > Sometimes it's better to realise when something has past its prime.
>
> A year or two ago I had OpenBSD working on my iBook with 64MB of RAM,
> even got FVWM working on it. For fun and testing purposes, I ran some
> small OpenBSD virtual machines with 64MB RAM as well. A few years back I
> got OpenBSD to boot with 32MB, but it wasn't particularly usable. I've
> found 128MB to be usable for basic terminal work, but you're definitely
> correct about 256MB being the bare minimum for anything fancy or GUI
> related.
>
>

At work I run OpenBSD 6.1 in a VM for Request Tracker.  It has 512MB
RAM and it seems that may very well be overkill.  At previous jobs I
can ManageEngine ServiceDesk Plus and even in Linux you needed 2GB
minimum just for it to get out of bed.  I plan on rebuilding it with
6.6 (can't update RT because packages are too old in 6.1) and might
run it on 256MB for shits and giggles.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Dell Latitude e6400 OpenBSD Drive Issue

2020-02-10 Thread Aaron Mason
On Tue, Feb 11, 2020 at 3:04 AM Adam Thompson  wrote:
>
> [SNIP]
>
> The older the Latitude, the harder it is to open, but even an E6400 is
> pretty easy, even if you've never opened up a laptop before.

Yes.  The E6400 and E6410 were favourites of mine, with a single
spring-mounted screw and a slide clip holding the bottom in place.
The E6420 with its eleventy billion screws on the base (none held in
place with anything) was a major step backwards, but still easier than
many business-grade laptops I'd seen.

>
> Good luck,
> -Adam
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out

2020-02-05 Thread Aaron Mason
Hi Kris

On Thu, Feb 6, 2020 at 5:22 AM krishh61  wrote:
>
> HI,
>
> I can give mine:
>
>
>  cut --
> OpenBSD 6.6 (GENERIC.MP) #4: Wed Jan 15 08:56:09 MST 2020
>
> r...@syspatch-66-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> real mem  = 3210944512 (3062MB)
> avail mem = 3136659456 (2991MB)
> [SNIP]
> root on sd0a (d3d7274cd817feba.a) swap on sd0b dump on sd0b
> [drm] *ERROR* CPU pipe B FIFO underrun
> [drm] *ERROR* [CRTC:34:pipe ] flip_done timed out
> vblank wait timed out on crtc 0
> [drm] *ERROR* [CRTC:34:pipe ] flip_done timed out
> [drm] *ERROR* [CONNECTOR:54:SVIDEO-] flip_done timed out
> inteldrm0: 1024x768, 32bpp
> wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation), using wskbd0
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out
> vblank wait timed out on crtc 1
> [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out
> [drm] *ERROR* [CONNECTOR:54:SVIDEO-] flip_done timed out
>
> --- cut ---
>
> ThinkPad R61i
>
> regards
>
> Kris
>
>
>
> --
> Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html
>

Thanks, that's very helpful.  For shits and giggles, say we disable inteldrm:

boot> boot -c
[...]
UKC> disable inteldrm
UKC> quit

Can you give this a try and report back please.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out

2020-02-04 Thread Aaron Mason
Hi Jacek

On Tue, Feb 4, 2020 at 4:42 AM Jacek Kowalczyk  wrote:
>
> Hi,
>
> I am running Openbsd 6.6 at ThinkPad R61i with graphic card Intel GMA X3100. 
> I am getting errors like in the subject:
> [drm] *ERROR* [CRTC:41:pipe ] flip_done timed out
> [drm] *ERROR* [CONNECTOR:51:SVIDEO- ] flip_done timed out
> And my laptop is booting quite long time, around 5 minutes.
> What I need to set or install and where to solve it?
>
>
> BR
> Jacek Kowalczyk
> http://jacekkowakczyk82.github.ii
>
>
> -- Wysłane za pomocą K-9 Mail.
>

Can you reply with a full dmesg please.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: How to hide my server's IP?

2020-02-02 Thread Aaron Mason
Why would ifconfig be in your chroot?

On Mon, Feb 3, 2020 at 8:28 AM Arthur Wayside
 wrote:
>
> Hello.
>
> Say I run a websapp inside a chroot and someone manages to hack it and gain 
> shell access. Can I then somehow hide my server's IP from the likes of 
> ifconfig?
>
> Thanks!
>
> Artur.
>
> Sent with [ProtonMail](https://protonmail.com) Secure Email.



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Brand new server - bad adventures

2020-01-23 Thread Aaron Mason
After reviewing your dmesg and googling the model of your CPU, might I
suggest/recommend turning off hyperthreading if you can.  Bad security
juju.

On Thu, Jan 23, 2020 at 6:29 PM Andreas Kusalananda Kähäri
 wrote:
>
> On Wed, Jan 22, 2020 at 11:30:51PM +0300, Özgür Kazancci wrote:
> > Hello everyone! Greetings to misc people!
> >
> > Got a brand new dedicated server with a hardware: Intel Xeon-E 2274G - 64GB
> > DDR4 ECC 2666MHz - 2x SSD NVMe 960GB
> > and installed "brand new" OpenBSD 6.6 on it. (I'm managing it remotely via
> > KVM/IPMI)
> >
> > After the first boot, dmesg is outputting sequentally between few seconds
> > delays:
> > "wsdisplay0 at inteldrm0 mux 1
> > init: can't open /dev/console: Device not configured" and the system doesn't
> > boot at all.
>
> Is it possible that it does actually boot but that you just don't see the
> messages.  Did you try pinging the machine or accessing it through SSH?
>
>
> >
> > Please refer to the screenshot attached: https://ibb.co/sQbt7F7
> >
> > And after few hours of forums/IRC-logs readings, I tried to try the
> > suggestion of lots of similar-people: "disable inteldrm"
> >
> > To do that, during the boot I typed "boot -c", then got a brand new error
> > (IPMI/KVM freezes, no more keyboard input):
> > "kbc: cmd word write error" (with a weird cursor)
> > Please refer to the screenshot attached: https://ibb.co/QchqhtY
> >
> > Anyways, wanted to skip that -for now-, rebooted the server again, and
> > booted into bsd.rd, mounted the / and /usr on the harddisk, chrooted into
> > there and did;
> > "config -ef /bsd", then "disable inteldrm" and "quit" to save the changes.
> > Finally rebooted.
> >
> > The system booted up fine! Got the login prompt shell, logged in, well, with
> > -an another- brand new error :)
> >
> > "reorder_kernel: failed - see /usr/...GENERIC.MP/relink.log"
>
> This sometimes indicates that the previous boot got to the kernel
> re-linking stage but that it got interrupted there.  I see this on VMs
> if I forcefully reboot them as soon as the login prompt appears.
>
>
> >
> > I guess that was because I modified the kernel, anyway, wanted to skip that
> > too -for now-. Did what I always do the first: syspatch
> >
> > installed the patches, rebooted the system, aand...Tada! "inteldrm0 is back,
> > b1tch3z!" :)
> >
> > Dmesg has again: "init: can't open /dev/console: Device not configured" and
> > delays there. No boot, again.
> >
> > My questions are:
> >
> > How can I get the rid of the error "init: can't open /dev/console: Device
> > not configured" to be able to boot into the system?
> >
> > if that was the only way (disabling inteldrm), would I repeat it each time I
> > issue syspatch?
> >
> > And each time syspatch (re)installs the kernel, should I get the error
> > "reorder_kernel: failed", because I modified (disabled inteldrm) kernel?
> >
> > Any words on "kbc: cmd word write error" when I tried the 'boot -c'?
> >
> > I thank you for your time in reading all these,
> > And many thanks for your suggestions, in advance!
> >
> > Best,
> > Özgür Kazancci
>
> --
> Andreas (Kusalananda) Kähäri
> SciLifeLab, NBIS, ICM
> Uppsala University, Sweden
>
> .
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: install libreoffice OpenBSD 6.6

2020-01-22 Thread Aaron Mason
Hi

What command did you use to install libreoffice and what is your PKG_PATH?

On Thu, Jan 23, 2020 at 1:59 PM Jovany Leandro G.C  wrote:
>
>
> hello community,
>
> i recently install OpenBSD 6.6 and works great.
>
> now i try install libreoffice and throws:
>
>
> quirks-3.182 signed on 2020-01-22T10:10:52Z
> Can't install rasqal-0.9.33p2 because of libraries
> |library gmp.10.0 not found
> | not found anywhere
> Direct dependencies for rasqal-0.9.33p2 resolve to libgcrypt-1.8.5
> raptor-2.0.15p2 pcre-8.41p2 e2fsprogs-1.42.12p5 mpfr-3.1.5.2p1
> Full dependency tree is libxslt-1.1.33 e2fsprogs-1.42.12p5 libyajl-2.1.0
> curl-7.66.0 libgpg-error-1.36p0 pcre-8.41p2 xz-5.2.4 libiconv-1.16p0
> raptor-2.0.15p2 libgcrypt-1.8.5 libxml-2.9.9 gettext-runtime-0.20.1p0
> mpfr-3.1.5.2p1 nghttp2-1.39.2
> Can't install redland-1.0.17p6: can't resolve rasqal-0.9.33p2
> Can't install libreoffice-6.3.2.2v0: can't resolve redland-1.0.17p6
> Couldn't install libreoffice-6.3.2.2v0 rasqal-0.9.33p2 redland-1.0.17p6
>
>
> what can i do?
>
> thanks any help
>
>
> --
> Jovany Leandro G.C
> Desarrollador Software Libre
> Cel: (57) 3165387562
> Git: https://gitlab.com/bit4bit
> Fossil: https://efossils.somxslibres.net
> E-Sitio: https://www.somxslibres.net
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: What is you motivational to use OpenBSD

2020-01-12 Thread Aaron Mason
On Thu, Aug 29, 2019 at 12:40 AM Mohamed salah
 wrote:
>
> I wanna put something in discussion, what's your motivational to use
> OPENBSD what not other bsd's what not gnu/Linux, if something doesn't work
> fine on openbsd and you love this os so much what will do?

For most of my purposes, it Just Works(TM). The firewall rules are
user readable and easy to understand, most of the out of the box
software with configs follows the same easy-to-read scheme, and it
doesn't load anything out of the box that I don't need, it leaves that
decision to me and never insults my intelligence.  And those man
pages...

When I changed jobs and needed a service desk suite, I opted for
Request Tracker and rolled up a Hyper-V VM running OpenBSD 6.1.  Even
though no doco exists for this, I was able to make my way well enough
that I started to document my process as best I could on the httpd
GitHub repo wiki.

As a case study, at previous jobs I ran ManageEngine ServiceDesk Plus
on Windows Server, and the whole required 2GB of RAM minimum.  My
pokey little RT server has 512MB of RAM and it's all it has ever
needed.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Iked dead-peer-detection and DynDNS

2020-01-08 Thread Aaron Mason
On Thu, Jan 9, 2020 at 9:09 AM List  wrote:
>
> Hi,
> I am using Iked to tunnel to my home router from an openbsd machine.
> Everything works fine that far. Problems occur when my router reboots at
> night and gets a new IP assigned. (DSL)
> Afer receiving the new IP the tunnel is not rebuilt. Because the active
> part doesn't recognize that the IP has changed.
> How do you guys handle that ?  Is there a builtin mechanism?
> I've got the impression that once iked startup it reads the hostname of the 
> destination server
> (FQDN && DynDNS) and saves that permanently and doesn't recheck untils
> it is manually killed and restarted.
>
> And is second part of the problem. Is there a way to do
> Dead-peer-detection as part of ikeds builtin mechanism?
>
> How do you guys handle all of that ?
>
> Enlighten me !
>
>
> I'd greatly appreciate any help !
>
> Best regards,
> Stephan
>

Maybe try using ifstated(8) to ping a host on your home network and
restart iked to re-establish the tunnel when the tunnel falls over.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Leaving OpenBSD (with patch)

2020-01-08 Thread Aaron Mason
On Thu, Jan 9, 2020 at 3:54 AM Roderick  wrote:
>
>
> Theo, please, give him the travel blessing, before departure.
>
> Rod.
>
>
> On Wed, 8 Jan 2020, cho...@jtan.com wrote:
>
> > Some people have needs that OpenBSD doesn't meet. Of course the
> > logical thing to do is to adapt it to meet them or to use something
> > which does but to some -- in line with the general complexication
> > that's progressing nowadays -- this simple solution is not enough
> > and the need to announce one's inadequacy to the world in passive
> > aggressive tones arises.
> >
> > Indeed this happens so commonly that it has become something on the
> > order of a FAQ, and in order not to have to eat my own words from
> > the other day I've spent actual time in the other text editor doing
> > some actual hacking (I know, right?!?) and include this diff for
> > the developers' consideration.
> >
> > I have taken the liberty of assuming you want to be at least
> > moderately polite as you tell people to kindly fuck off. My apologies
> > if that's an oversight; I can re-do it if you wish.
> >
> > Matthew
> >
> >
> > cvs diff: Diffing .
> > Index: faq1.html
> > ===
> > RCS file: /home/flask/src/openbsd/cvsync/www/faq/faq1.html,v
> > retrieving revision 1.238
> > diff -u -p -r1.238 faq1.html
> > --- faq1.html   2 Oct 2019 15:40:06 -   1.238
> > +++ faq1.html   8 Jan 2020 16:12:30 -
> > [SNIP]
> >
> >
>

I'd probably add a note to say something along the lines of "this
isn't the airport, no need to announce your departure".

Though the Venn diagram of "people who loudly leave an open source
project's mailing list because said project didn't do 'X'" and "people
who don't RTFM" is probably a circle...

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Riello IPG 800 USB Driver and NUT

2020-01-07 Thread Aaron Mason
On Wed, Jan 8, 2020 at 10:52 AM Marcos Madeira | Secure Networks
 wrote:
>
> Hello again,
>
> I have a tried a few other things, but without much success.
>
> In regards to using to using ucycom0 or uhidev0 or ucom0 as the virtual
> devices, I was not able to do this, because of how NUT needs a device to
> connect to. None of those devices have a file like /dev/ucycom0 .
>
> In regards to using a serial driver, NUT mentions that the supported
> driver is riello_usb. I did try riello_ser, but it makes the system drop
> to ddb after service start. The nut driver port in this case is
> /dev/cuaU0. I actually reached a somewhat interesting state, where at
> every boot the system drops to ddb, because the upsd service is enabled.
> I am not sure if this is expected behavior as far as OpenBSD goes. I can
> gather more data, but need to get different hardware, because (I assume)
> that the problem is in the USB stack resulting in the keyboard not being
> available to even do 'show panic'. Should this error be pursued or is it
> expected? It can be replicated by using cu -l /dev/cuaU0. The error is
> as follows:
>
> (0, 0, 1) -> e
>
> kernel: page faut trap, code=0
>
> Stopped at usbd_is_dying+0xb:   cmpb   $0,0x8(%ecx)
>
> ddb{0}>
>
>
> Finally, when using the riello_usb driver, I get much different upsc
> output on Ubuntu as compared to OpenBSD. For example, the ups.status
> does not even change when unplugging the UPS. I will be checking this
> separately as it could be just a problem with the versions of the nut
> port. The following is the relevant output:
>
> $ upsc ups@127.0.0.1
>
> [SNIP]
>
> Thank you for your consideration,
>
> Marcos Madeira
> Secure Networks Lda
> Tel.: 911 881 590
> mmade...@securenetworks.pt
> https://www.securenetworks.pt
>
> On 03/01/20 11:58, Marcos Madeira | Secure Networks wrote:
> >
> > Hello misc,
> >
> > I am looking to use several Riello UPSs of model IPG 800 DE with
> > OpenBSD through the nut port. These UPSs also go by the name iPlug.
> > This is a compact UPS with only a single USB-B connector for
> > connectivity as is usual with low-end UPSs. However, I am facing an
> > obstacle due to how OpenBSD is discovering the UPS via the USB interface.
> >
>
> > Thank you for your consideration,
> >
> > --
> > Marcos Madeira
>

Just a thought... IIRC on laptops you can access battery info in
sysctl(8) - charge level, charge remaining, whether it has AC input,
etc.  Could you do the same here?

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: dmesg for Riverbed Steelhead 250/550

2019-11-24 Thread Aaron Mason
On Fri, Nov 22, 2019 at 6:57 PM Mik J  wrote:
>
> Hello,
>
> > The primary and AUX NICs work, the LAN0/0 and WAN0/0 ports do not,
> > likely because there's some GPIO magic required to switch back the
> > relays.
>
> It's strange because when the OS is switched off, the relays are closed (act 
> as a wire). I would have thought at least, you could plug cables on these 
> interfaces and a ping would go through.
>

You would think that, but it seems the Riverbed OS flicks those relays
on boot, and there are configuration commands to flick them back
manually.  There's clearly some magic going on but there doesn't seem
to be any GPIO available, at least not in OpenBSD.

> Which benefits do you find in recycling these hardwares ? What is your usage ?
>

I heard they make good pfSense firewalls, no reason we couldn't do PF
natively :)

They're cheap, low profile, rack mountable devices with ECC memory,
gigabit NICs and (at least for the 550 at the time of manufacture)
somewhat enterprise-grade CPUs.  Most "appliance" style systems one
finds tend to run mobile CPUs or the old Core 2s - or worse, first gen
Atoms.  There's no beating that level of bang for buck.

> Regards
>
>
>
> Le mardi 19 novembre 2019 à 03:45:11 UTC+1, Aaron Mason 
>  a écrit :
>
>
> Here's a quick rundown on how I got it installed - you will need an
> existing OpenBSD installation.
>
> 1. Download the FS install image.
> 2. Mount it in your existing OpenBSD system and edit etc/boot.conf to
> set the tty to com0.
> 3. Write the resulting image to a USB stick.
> 4. Plug in your USB stick, then plug in the power.
> 5. When it says to press any key, do so.  When the GRUB menu appears, hit 'c'.
> 6. Set the root device (which will likely be hd2): root (hd2)
> 7. Fire up the chainloader: chainloader +1
> 8. Boot: boot
> 9. ???
> 10. Profit!
>
> On Tue, Nov 19, 2019 at 1:31 PM Aaron Mason  wrote:
> >
> > All
> >
> > Fired up OpenBSD 6.6 on a Riverbed Steelhead 250 and a 550, purchased
> > from fleabay for about $30 ea (plus shipping) - the 250 runs a single
> > core Celeron M @ 1.66GHz and 1GB DDR2, the 550 runs a low power
> > dual-core Xeon at the same speed and 2GB DDR2 - both x86 only.  Both
> > have a 2GB USB DOM and a separate laptop HDD (120GB for the 250 and
> > 320GB for the 550) likely for caching (these being WAN accelerators).
> >
> > The primary and AUX NICs work, the LAN0/0 and WAN0/0 ports do not,
> > likely because there's some GPIO magic required to switch back the
> > relays.  The Xeon-powered 550 definitely seems to have a bit more
> > oompf than the 250's hamster whee-- err, Celeron M CPU.
> >
> > The output for dmesg for each is attached.
> >
> > --
> > Aaron Mason - Programmer, open source addict
> > I've taken my software vows - for beta or for worse
>
>
>
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: dmesg for Riverbed Steelhead 250/550

2019-11-18 Thread Aaron Mason
Here's a quick rundown on how I got it installed - you will need an
existing OpenBSD installation.

1. Download the FS install image.
2. Mount it in your existing OpenBSD system and edit etc/boot.conf to
set the tty to com0.
3. Write the resulting image to a USB stick.
4. Plug in your USB stick, then plug in the power.
5. When it says to press any key, do so.  When the GRUB menu appears, hit 'c'.
6. Set the root device (which will likely be hd2): root (hd2)
7. Fire up the chainloader: chainloader +1
8. Boot: boot
9. ???
10. Profit!

On Tue, Nov 19, 2019 at 1:31 PM Aaron Mason  wrote:
>
> All
>
> Fired up OpenBSD 6.6 on a Riverbed Steelhead 250 and a 550, purchased
> from fleabay for about $30 ea (plus shipping) - the 250 runs a single
> core Celeron M @ 1.66GHz and 1GB DDR2, the 550 runs a low power
> dual-core Xeon at the same speed and 2GB DDR2 - both x86 only.  Both
> have a 2GB USB DOM and a separate laptop HDD (120GB for the 250 and
> 320GB for the 550) likely for caching (these being WAN accelerators).
>
> The primary and AUX NICs work, the LAN0/0 and WAN0/0 ports do not,
> likely because there's some GPIO magic required to switch back the
> relays.  The Xeon-powered 550 definitely seems to have a bit more
> oompf than the 250's hamster whee-- err, Celeron M CPU.
>
> The output for dmesg for each is attached.
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



dmesg for Riverbed Steelhead 250/550

2019-11-18 Thread Aaron Mason
All

Fired up OpenBSD 6.6 on a Riverbed Steelhead 250 and a 550, purchased
from fleabay for about $30 ea (plus shipping) - the 250 runs a single
core Celeron M @ 1.66GHz and 1GB DDR2, the 550 runs a low power
dual-core Xeon at the same speed and 2GB DDR2 - both x86 only.  Both
have a 2GB USB DOM and a separate laptop HDD (120GB for the 250 and
320GB for the 550) likely for caching (these being WAN accelerators).

The primary and AUX NICs work, the LAN0/0 and WAN0/0 ports do not,
likely because there's some GPIO magic required to switch back the
relays.  The Xeon-powered 550 definitely seems to have a bit more
oompf than the 250's hamster whee-- err, Celeron M CPU.

The output for dmesg for each is attached.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
OpenBSD 6.6 (GENERIC) #298: Sat Oct 12 11:06:10 MDT 2019
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
real mem  = 1073037312 (1023MB)
avail mem = 1037803520 (989MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 10/22/13, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 
0x9f800 (40 entries)
bios0: vendor American Megatrends Inc. version "MINOW035" date 10/22/2013
bios0: Riverbed Technology, Inc. DTABA
acpi0 at bios0: ACPI 3.0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET
acpi0: wakeup devices P0P1(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) M CPU @ 1.66GHz ("GenuineIntel" 686-class) 1.67 GHz, 
06-0e-0c
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,PBE,SSE3,MWAIT,TM2,xTPR,PDCM,NXE,PERF,SENSOR,MELTDOWN
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 166MHz
cpu0: mwait min=64, max=64, C-substates=0.2, IBE
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins, remapped
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 7 (EPA0)
acpiprt2 at acpi0: bus 6 (EPA1)
acpiprt3 at acpi0: bus 5 (P0P4)
acpiprt4 at acpi0: bus 4 (P0P5)
acpiprt5 at acpi0: bus 3 (P0P6)
acpicpu0 at acpi0: C1(@1 halt!)
acpitz0 at acpi0: critical temperature is 99 degC
acpipwrres0 at acpi0: GFAN, resource for SBRG, FN00
"PNP0A08" at acpi0 not configured
acpicmos0 at acpi0
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
"PNP0C0B" at acpi0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 3100 Host" rev 0x00
"Intel 3100 Error Reporting" rev 0x00 at pci0 dev 0 function 1 not configured
vendor "Intel", unknown product 0x35b5 (class system subclass miscellaneous, 
rev 0x00) at pci0 dev 1 function 0 not configured
ppb0 at pci0 dev 2 function 0 "Intel 3100 EDMA" rev 0x00
pci1 at ppb0 bus 7
ppb1 at pci0 dev 3 function 0 "Intel 3100 PCIE" rev 0x00
pci2 at ppb1 bus 6
em0 at pci2 dev 0 function 0 "Intel 82571EB" rev 0x06: apic 1 int 16, address 
00:0e:b6:95:dc:0e
em1 at pci2 dev 0 function 1 "Intel 82571EB" rev 0x06: apic 1 int 17, address 
00:0e:b6:95:dc:0f
ppb2 at pci0 dev 28 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 5
em2 at pci3 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 
00:0e:b6:3e:23:08
ppb3 at pci0 dev 28 function 1 "Intel 6321ESB PCIE" rev 0x01
pci4 at ppb3 bus 4
em3 at pci4 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 
00:0e:b6:3e:23:09
ppb4 at pci0 dev 28 function 2 "Intel 6321ESB PCIE" rev 0x01: apic 1 int 18
pci5 at ppb4 bus 3
ppb5 at pci0 dev 28 function 3 "Intel 6321ESB PCIE" rev 0x01
pci6 at ppb5 bus 2
uhci0 at pci0 dev 29 function 0 "Intel 6321ESB USB" rev 0x01: apic 1 int 23
uhci1 at pci0 dev 29 function 1 "Intel 6321ESB USB" rev 0x01: apic 1 int 19
ehci0 at pci0 dev 29 function 7 "Intel 6321ESB USB" rev 0x01: apic 1 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
ppb6 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc9
pci7 at ppb6 bus 1
ichpcib0 at pci0 dev 31 function 0 "Intel 6321ESB LPC" rev 0x01: PM disabled
ahci0 at pci0 dev 31 function 2 "Intel 6321ESB AHCI" rev 0x01: apic 1 int 19, 
AHCI 1.1
ahci0: port 0: 1.5Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  naa.50e0448be8ca
sd0: 114473MB, 512 bytes/sector, 234441648 sectors
ichiic0 at pci0 dev 31 function 3 "Intel 6321ESB SMBus" rev 0x01: apic 1 int 19
iic0 at ichiic0
ichiic0: abort failed, status 0x41
iic0: addr 0x24 a1=ff a2=ff a3=ff a4=ff a5=ff a6=ff a7=ff e1=02 e3=02 words 
00=01aa 01=01aa 02=01aa 03=01aa 04

Re: Encrypting my keydisk

2019-10-27 Thread Aaron Mason
On Fri, Oct 25, 2019 at 12:20 PM Normen Wohner  wrote:
>
>
>
> > Am 24.10.2019 um 03:27 schrieb Aaron Mason :
> >
> > On Wed, Oct 23, 2019 at 7:45 PM Normen Wohner  wrote:
> >>
> >> To enable two factor encryption?
> >> One passcode is in his head the other on a key.
> >> If either is missing the data on drive is unreadable.
> >> I don’t know what is hard to understand about it.
> >> In an ideal world you’d use the manual passcode
> >> to decrypt the keydisk and then the keydisk
> >> to decrypt the fs.
> >> You should also not be able to tell
> >> whether the keydisk was in fact encrypted,
> >> the bootloader should try and on failure ask
> >> for a passcode, not expect there to be some
> >> 'RSA-2048' written at the end.
> >> It’s hard for me to understand why nobody asked for this sooner.
> >>
> >
> > You could just use a passphrase on the original disk to the same
> > effect.  No sense over-complicating things.
>
> No, you could not, that way whoever has the keydisk has access to the files 
> on disk, otherwise you still need a password. Not sure what is unclear about 
> this. Maybe you think this is about login? It is actually about obfuscating 
> the login process and enabling 2FA.
> Maybe you think live files are still encrypted when the OS runs but no user 
> is logged in. That is sadly not the case.

Or maybe I think the password is asked for on boot.  No access to
files until that passphrase is entered, regardless of whether someone
is logged in or not.  If you wanted the files hidden prior to login,
write two scripts - one to mount the encrypted volume, the other to
unmount - allow them to be run without password in doas.conf(5), then
run them from ~/.profile, using trap (see
https://www.cyberciti.biz/faq/linux-unix-run-commands-when-you-log-out/
for more details) to run the unmount script on logoff.

>
>
> Regarding your second question, whatever part or level of the "bootloader" 
> normally checks for keydisk already has access to the full range of supported 
> en- and decryption mechanisms as it uses the key to do just that to the disk. 
> This would simply add a second decrypt trial.
>
>

That doesn't answer the question of how it's going to access an
encrypted key without the key to decrypt it.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Encrypting my keydisk

2019-10-23 Thread Aaron Mason
On Thu, Oct 24, 2019 at 10:44 AM List  wrote:
>
> One would obviously NOT store the key on harddisk. That wouldn't make
> any sense and is not necessary.
>
> This could be similarly achieved as the normal FDE with passphrase. But
> instead of the actual harddisk as target, the target of the "yet to
> implement" encryption of the keydisk would be the key on the keydisk
> itself.
>

So how would the system access the key if it's encrypted?

> g
>
> On 2019-10-22 23:40, Aaron Mason wrote:
> > On Wed, Oct 23, 2019 at 5:11 AM List  wrote:
> >> I'm sorry I might have not been so clear about it. I meant a way to
> >> encrypt the actual keydisk with a passphrase.
> >>
> >> On 2019-10-18 13:34, Jan Stary wrote:
> >>>>> On Wednesday, October 16, 2019 11:06 PM, List  
> >>>>> wrote:
> >>>>>> I was wondering if there is a reason for the lack of keydisk 
> >>>>>> encryption.
> >>> $ man bioctl
> >>> # bioctl -h -v -c C ...
> >>>
> > To what end?  At some point you're going to have to store the
> > passphrase somewhere it can be easily read, and all you've really
> > achieved is a way to, at best, slow down a potential attacker.
> >
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Fwd: Encrypting my keydisk

2019-10-23 Thread Aaron Mason
On Wed, Oct 23, 2019 at 7:45 PM Normen Wohner  wrote:
>
> To enable two factor encryption?
> One passcode is in his head the other on a key.
> If either is missing the data on drive is unreadable.
> I don’t know what is hard to understand about it.
> In an ideal world you’d use the manual passcode
> to decrypt the keydisk and then the keydisk
> to decrypt the fs.
> You should also not be able to tell
> whether the keydisk was in fact encrypted,
> the bootloader should try and on failure ask
> for a passcode, not expect there to be some
> 'RSA-2048' written at the end.
> It’s hard for me to understand why nobody asked for this sooner.
>

You could just use a passphrase on the original disk to the same
effect.  No sense over-complicating things.

> > Am 22.10.2019 um 23:43 schrieb Aaron Mason :
> >
> > On Wed, Oct 23, 2019 at 5:11 AM List  wrote:
> >>
> >> I'm sorry I might have not been so clear about it. I meant a way to
> >> encrypt the actual keydisk with a passphrase.
> >>
> >> On 2019-10-18 13:34, Jan Stary wrote:
> >>>>>> On Wednesday, October 16, 2019 11:06 PM, List  
> >>>>>> wrote:
> >>>>>>> I was wondering if there is a reason for the lack of keydisk 
> >>>>>>> encryption.
> >>> $ man bioctl
> >>> # bioctl -h -v -c C ...
> >>>
> >>
> >
> > To what end?  At some point you're going to have to store the
> > passphrase somewhere it can be easily read, and all you've really
> > achieved is a way to, at best, slow down a potential attacker.
> >
> > --
> > Aaron Mason - Programmer, open source addict
> > I've taken my software vows - for beta or for worse
> >
>

(NOTE: Just realised I sent this directly to Normen rather than the
list.  Sorry for the noise, Normen.)

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: On blindly running code

2019-10-22 Thread Aaron Mason
On Fri, Oct 18, 2019 at 11:23 PM  wrote:
>
> Frank Beuth writes:
> > On Fri, Oct 18, 2019 at 11:54:18AM +0100, cho...@jtan.com wrote:
> > >Virtualisation is not a panacea. I have managed to achieve data loss 
> > >through destructi
> > ve actions taken within a "safe" virtualised sandbox.
> >
> > How did you manage that feat?
>
> Basically assuming "safe" then taking actions to subvert that, namely 
> mounting an SMB share within the VM. rm(1) does not discriminate. My own 
> fault obviously but it's notable that the "virtual environment == safe" 
> assumption was shattered so effectively, so easily, and by actions which in 
> most circumstances would be benign.
>

Been there, done that, got the t-shirt.  Only in my case it was a
mounted VFAT volume in my home directory.  Oops.  Praise the
programmer for undelete.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Encrypting my keydisk

2019-10-22 Thread Aaron Mason
On Wed, Oct 23, 2019 at 5:11 AM List  wrote:
>
> I'm sorry I might have not been so clear about it. I meant a way to
> encrypt the actual keydisk with a passphrase.
>
> On 2019-10-18 13:34, Jan Stary wrote:
> >>> On Wednesday, October 16, 2019 11:06 PM, List  
> >>> wrote:
> >>>> I was wondering if there is a reason for the lack of keydisk encryption.
> > $ man bioctl
> > # bioctl -h -v -c C ...
> >
>

To what end?  At some point you're going to have to store the
passphrase somewhere it can be easily read, and all you've really
achieved is a way to, at best, slow down a potential attacker.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Companies using openbsd

2019-10-20 Thread Aaron Mason
Not our own product, but we run Request Tracker on OpenBSD - after
using ManageEngine ServiceDesk Plus on Windaz, requiring 2GB RAM
minimum.  Our RT server has 512mb RAM and it's all it has ever needed.

On Mon, Oct 21, 2019 at 8:10 AM List  wrote:
>
> Hi,
>
> are there companies known to you who use openbsd for their products ?
>
> For building let's say their own OS based upon OpenBSD ?
>
> Thanks for your time.
>
> Regards,
>
> Stephan
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Strong Host Model in OpenBSD network stack

2019-10-17 Thread Aaron Mason
Bastian

Did you perform this same test in FreeBSD/NetBSD?  What were your results?

Seems to me that the results you got in test 2 are entirely consistent
with normal behaviour - you are routing packets to the 10.0.0.0/24
network via 192.168.100.1, so it will return a ping from 10.0.0.97 -
the other interface on VM1 - as the packet was passed from em0 to em1,
from which the reply was initiated.

Of course, I could be wrong.  if you haven't already done so, try the
same tests in (Free|Net)BSD with net.inet.ip.check_interface set to 1
and see what you get.

On Fri, Oct 18, 2019 at 6:53 AM Bastian Kanbach  wrote:
>
> Hello,
>
> recently I was performing some checks that relate to the "Strong Host
> Model" and "Weak Host Model", and I noticed that OpenBSD was behaving
> different than I expected. I always assumed that the network stack of
> OpenBSD was following the "Strong Host Model", but I might be wrong with
> that:
>
> Basically the Strong Host Model means that the network stack "accepts
> locally destined packets if the destination IP address in the packet
> matches an IP address assigned to the network interface on which the
> packet was received."
>
> FreeBSD and NetBSD have a sysctl property for this, called
> "net.inet.ip.check_interface", which defaults to 0 (Weak Host Model).
> However for OpenBSD I haven't seen such a property at all.
>
>
> Basically my setup consisted of the following virtual machines and
> network interfaces (IP-Forwarding disabled):
>
>
> VM 1 (OpenBSD 6.5):
>
> em0: 192.168.100.1/24 ("Internal Network")
>
> em1: 10.0.0.97/24 ("NAT")
>
>
> VM 2 (Ubuntu Server 18.10):
>
> ens33: 192.168.100.2/24 ("Internal Network")
>
>
> 
>
>
> As expected, ens33 of VM2 can communicate with em0 of VM1, since both
> interfaces are associated with the same Virtualbox network, and both IP
> addresses are part of the same /24 subnet.
>
> ens33 of VM2 can't directly communicate with em1 of VM1, since the IP
> addresses are part of different subnets and no routes were configured.
>
>
> Then I performed 2 tests:
>
>
> Test 1:
>
> Perform an arping from ens33/VM2 (192.168.100.2) to 10.0.0.97 (VM1). The
> packet was NOT answered by VM1.
>
>
> Test 2:
>
> Set the following route on VM2: ip r add 10.0.0.0/24 via 192.168.100.1.
> Then send an ICMP echo request to 10.0.0.97 (VM1), originating from
> 192.168.100.2 (VM2). VM1 replied with an ICMP echo reply (with a source
> MAC address of interface em0).
>
>
> While the behaviour of Test 1 indicates that the Strong Host Model is
> followed, Test 2 shows the behaviour of a "Weak Host Model".
>
>
> What of both is actually supposed to be the default for OpenBSD? Is
> there any kernel parameter to control these behaviours, like
> net.inet.ip.check_interface for FreeBSD or NetBSD?
>
>
> Thanks,
>
> Bastian
>
>
>
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Softraid data recovery

2019-10-14 Thread Aaron Mason
On Tue, Oct 15, 2019 at 7:34 AM Steven Surdock
 wrote:
>
> I have a simple RAID1 configuration on wd0, wd1.  I was in the process of 
> performing a rebuild on wd1, as it failed during some heavy reads.  During 
> the rebuild wd0 went into a failure state.  After some troubleshooting I 
> decided to reboot and now my RAID disk, sd1, is unavailable.  Disks wd0 and 
> wd1 don't show any errors, but I have a replacement disk.  I have backups for 
> the critical data and I'd like to try and recover as much recent data as 
> possible.  My thought was to create a disk image of the "/home/public" data 
> and mount it using vnconfig, but I seem to be having issues with the 
> appropriate 'dd' command to do that.
>
> How can I recover as much data as possible off the failed RAID array.
> If I recreate the array, "bioctl -c 1 -l /dev/wd0d,/dev/wd1d softraid0", will 
> the existing data be preserved?
>
> root@host# disklabel wd0
> # /dev/rwd0c:
> type: ESDI
> disk: ESDI/IDE disk
> label: WDC WD4001FAEX-0
> duid: acce36f25df51c8c
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 486401
> total sectors: 7814037168
> boundstart: 64
> boundend: 4294961685
> drivedata: 0
>
> 16 partitions:
> #size   offset  fstype [fsize bsize   cpg]
>   c:   78140371680  unused
>   d:   7814037104   64RAID
>
> root@host# more /var/backups/disklabel.sd1.backup
> # /dev/rsd1c:
> type: SCSI
> disk: SCSI disk
> label: SR RAID 1
> duid: 8ec2330eabf7cd26
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 486401
> total sectors: 7814036576
> boundstart: 64
> boundend: 7814036576
> drivedata: 0
>
> 16 partitions:
> #size   offset  fstype [fsize bsize   cpg]
>   a:   2147488704   64  4.2BSD   8192 65536 1 # 
> /home/public/
>   c:   78140365760  unused
>   d:   5666547712   2147488768  4.2BSD   8192 65536 1 # 
> /home/Backups/
>

I think at this point you're far better off restoring from backup.
You do have a backup, right?

As for the disks, ddrescue would be a better option than dd - it'll
keep trying if it encounters another URE whereas dd will up and quit.
Expect it to take several days on disks that big - it's designed to be
gentle to dying disks.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: A sad raid/fsck story

2019-10-03 Thread Aaron Mason
Thanks for the cautionary tale.  Will definitely keep this in mind for
any RAID arrays I manage.

On Fri, Oct 4, 2019 at 2:04 AM sven falempin  wrote:
>
> Dear readers,
>
> I was running a OpenBSD (6.4) device, with a raid mirror array.
> One of the disk failed, so the system ask me to fsck,
> which I did before checking the raid status manually ( :'( ) ,
> THEN I rebooted and softraid told me: one of the hard drive is dead.
>
> But fsck already destroyed a few file on the mirror.
>
> Probably a user error, nevertheless, In openbsd 'simply work' mindset,
> maybe the /etc/rc could warn or even perform some bioctl check on raid
> array when first fsck / mount
> fails.
>
> Cheers.
>
> ( Lost data recovered from backup )



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Alix 2d13 and OpenBSD 6.5 Problems

2019-10-02 Thread Aaron Mason
Hi Sean

Maybe plug in a spare USB drive and format it for swap?  Swap on CF is
rarely a good idea, especially if you swap often.

On Thu, Oct 3, 2019 at 2:01 PM Sean Kamath  wrote:
>
> Just wanted to say a thank you for everyone’s comments.  I’ve combined all my 
> replies into one mostly to sum everything up.
>
> > On Oct 2, 2019, at 02:16, Stefan Sperling  wrote:
> > Try adding swap space.
> > I have added 2GB of swap space on my alix and it has been running fine ever 
> > since.
>
> My “disk” is 2GB. I don’t even have any X sets loaded as they won’t fit.
>
> > On Oct 2, 2019, at 09:03, Olivier Cherrier  wrote:
> > On mine (only 32 MB of swap), I had to disable kernel relinking.
> > Otherwise, the system more or less collapses at boot time.
>
>
> Yeah, I believe I only have 32MB of swap (I chose the default disk layout oh 
> so long ago).
>
>
> > On Oct 2, 2019, at 08:34, Joe Barnett  wrote:
> > I cannot comment on the upgrade process, but I have had zero fatal issues 
> > running 6.5 on my alix2d13 boards.  That said, memory has been getting 
> > tighter with more recent OpenBSD versions, and swap (as someone else 
> > suggested) should help.  I love these reliable boards, but they are 
> > starting to show their age (at least relative to how I use them with 
> > OpenBSD).
>
> Yeah, so I’m wondering if I want to get a larger CompactFlash card and 
> reinstall, try and be clever and go off the reservation, or just pack in the 
> 9 of these things I have and get an APU.
>
> > On Oct 2, 2019, at 09:15, Stuart Henderson  wrote:
> > After boot, the kernel is relinked in a random order in the background
> > ("/usr/libexec/reorder_kernel &" in /etc/rc).
>
> Yes, I’m familiar with why it’s done.  I was mostly wondering if I broke 
> something because I’ve not had this problem since I got these things (I don’t 
> even know how long ago), and 6.5 just killed it.
>
> > Unfortunately the Alix doesn't have much RAM and if you have pretty
> > much anything other than a minimal set of daemons running it won't
> > cope well.
>
> I’m running nsd and unbound.  I can turn off smtpd. . . What I would be nice 
> to do is delay starting daemons until relinking is done.  Regardless, I think 
> I have my answer about why it’s falling over.
>
> > You can disable the reordering by removing /var/db/kernel.SHA256
> > but be aware that syspatch relies on the reorder_kernel mechanism in
> > order to apply kernel patches.
>
> Good to know.  I’m going to do everything I can to avoid turning off 
> relinking, because I want to go on the big boy rides! :-)
>
> Sean
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Recommended web and database server specification

2019-08-14 Thread Aaron Mason
Hi Tito

Can you tell us more about the database?  How often will its data be
changed, added to, etc? How much data do you have?  How complex are
your DB queries?  These answers will help determine the RAM and
processor requirements for the database.

As for the web server daemon itself, I think Reyk Floeter would be the
best placed to answer that question - also paging Nick Holland for
more hardware expertise.

On Thu, Aug 15, 2019 at 12:57 PM Tito Mari Francis Escano
 wrote:
>
> Hi to everyone at misc,
>
> I'm recently working on an OpenBSD-based PHP7 web application with
> PostgreSQL-backend for a local government agency and was wondering what
> would you recommend as the acceptable server specification. This web
> application won't reach the Google or Facebook level of visits per day,
> but I was hoping to prepare this be deployed and run for quite a long
> time and ready for about 60,000 visits per day at most.
>
> Your advise and recommendation would be greatly appreciated. Thanks so much.
>
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Boot NVME device on sparc64

2019-07-30 Thread Aaron Mason
Could you boot from another bootable device and use boot.conf(8) to
tell it to boot the kernel on the SSD?  Bit of a round-about way of
doing it but it could work if boot(8) can see the SSD.

If the CD boot loader can see the SSD, you could burn it to a CD-R
along with your boot.conf and use it to boot - just make sure you put
it back if you use the drive to install software.

Just spitballing here, I don't have a sparc64 device readily available
for testing.

On Fri, Jul 26, 2019 at 8:31 AM John Gould  wrote:
>
> Hi there, Does anyone have a way of booting a pcie nvme device on sparc64.
> I can install OBSD on the device but of course there is no way OBP can see
> it
> as a boot device. I can also use it for storage under OpenBSD which works
> fine.
>
> But! Is there any way to boot OpenBSD 6.5 installed on this drive on
> sparc64.
>
> I'm using a Sun t5120.
>
> Kind regards John.



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: SCM

2019-07-28 Thread Aaron Mason
On Mon, Jul 29, 2019 at 3:25 AM Nathan Hartman  wrote:
(snip)
> * Hg does not mean Au.

I see what you did there :)


> 9. Apache license. Not BSD but much closer than any GPL revision.

Yeah, hard pass.  The Apache license is full of encumbering legalese.
They stopped including Apache in base (after supporting a 1.x tree for
years) for this very reason.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: wsmouse: disable touch-panel

2019-06-10 Thread Aaron Mason
Found an approach that might be worth considering:

https://marc.info/?l=openbsd-misc=155751021025538=2

On Tue, Jun 11, 2019 at 1:07 PM Aaron Mason  wrote:
>
> I had a similar issue with a Surface Pro 3 with a faulty touch screen
> running Windaz, the solution was to disable the USB input device for
> the touch screen.
>
> On OpenBSD, you could try using "boot -c" at boot to remove
> wsmouse[123] device from the kernel (see
> https://man.openbsd.org/config for details).  If that works, it's a
> matter of working out how to get the kernel relink to carry that
> change into the relinked kernel.  Someone on list worked it out, can't
> remember how long ago though.



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: wsmouse: disable touch-panel

2019-06-10 Thread Aaron Mason
I had a similar issue with a Surface Pro 3 with a faulty touch screen
running Windaz, the solution was to disable the USB input device for
the touch screen.

On OpenBSD, you could try using "boot -c" at boot to remove
wsmouse[123] device from the kernel (see
https://man.openbsd.org/config for details).  If that works, it's a
matter of working out how to get the kernel relink to carry that
change into the relinked kernel.  Someone on list worked it out, can't
remember how long ago though.



Re: hw.ncpu=1, hw.ncpuonline=1, hw.ncpufound=4

2019-04-09 Thread Aaron Mason
Looks to me like you're not running bsd.mp.  A dmesg would clear this up.

On Mon, Apr 8, 2019 at 2:19 AM Otto Moerbeek  wrote:
>
> On Sun, Apr 07, 2019 at 01:54:35PM +, Ipsen S Ripsbusker wrote:
>
> > My hw.ncpu and hw.ncpuonline are less than my hw.ncpufound.
> > I tried setting hw.smt, but that alone was apparently not enough.
> > What should I do if I want to use all 4 CPUs?
> >
> > Also, now that I have realized this, I have a theory about a related
> > issue, and I would like to know how I can debug it. I am using softraid
> > CRYPTO, and I have found that accessing the disk with one process will
> > interrupt the other processes accessing the disk. Now I wonder this
> > happens because the sole core must switch encryption/decription
> > processes for the different files. How could I determine whether this is
> > indeed happening?
> >
> > More hardware information follows. It is a ThinkPad T530 with
> > two SSDs and two corresponding softraid CRYPTO disks.
>
> This type of question *requires* a dmesg.
>
> -Otto
>
> >
> > $ sysctl hw
> > hw.machine=amd64
> > hw.model=Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz
> > hw.ncpu=1
> > hw.byteorder=1234
> > hw.pagesize=4096
> > hw.disknames=sd0:c4ae9aa6707fe6a0,sd1:10319ae393cc594d,sd2:72b7961f3a883f2a,sd3:9067e68ce463822c
> > hw.diskcount=4
> > hw.sensors.cpu0.temp0=44.00 degC
> > hw.sensors.acpitz0.temp0=47.00 degC (zone temperature)
> > hw.sensors.acpibtn0.indicator0=On (lid open)
> > hw.sensors.acpibat0.volt0=11.10 VDC (voltage)
> > hw.sensors.acpibat0.volt1=12.11 VDC (current voltage)
> > hw.sensors.acpibat0.power0=0.00 W (rate)
> > hw.sensors.acpibat0.watthour0=28.20 Wh (last full capacity)
> > hw.sensors.acpibat0.watthour1=1.41 Wh (warning capacity)
> > hw.sensors.acpibat0.watthour2=0.20 Wh (low capacity)
> > hw.sensors.acpibat0.watthour3=28.20 Wh (remaining capacity), OK
> > hw.sensors.acpibat0.watthour4=73.26 Wh (design capacity)
> > hw.sensors.acpibat0.raw0=0 (battery full), OK
> > hw.sensors.acpiac0.indicator0=On (power supply)
> > hw.sensors.acpithinkpad0.temp0=47.00 degC
> > hw.sensors.acpithinkpad0.temp1=47.00 degC
> > hw.sensors.acpithinkpad0.temp2=47.00 degC
> > hw.sensors.acpithinkpad0.temp3=47.00 degC
> > hw.sensors.acpithinkpad0.temp4=47.00 degC
> > hw.sensors.acpithinkpad0.temp5=47.00 degC
> > hw.sensors.acpithinkpad0.temp6=47.00 degC
> > hw.sensors.acpithinkpad0.temp7=47.00 degC
> > hw.sensors.acpithinkpad0.fan0=2121 RPM
> > hw.sensors.acpithinkpad0.indicator0=Off (port replicator), UNKNOWN
> > hw.sensors.softraid0.drive0=online (sd3), OK
> > hw.cpuspeed=2901
> > hw.setperf=100
> > hw.vendor=LENOVO
> > hw.product=2392ASU
> > hw.version=ThinkPad T530
> > hw.serialno=PK2X772
> > hw.uuid=81c1c6e7-7653-cb11-b4d1-97bd37f8963e
> > hw.physmem=16845565952
> > hw.usermem=16811044864
> > hw.ncpufound=4
> > hw.allowpowerdown=1
> > hw.perfpolicy=auto
> > hw.smt=1
> > hw.ncpuonline=1
> >
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: RS-232 serial to ethernet

2019-04-08 Thread Aaron Mason
On Tue, Apr 9, 2019 at 2:34 AM Tom Smyth  wrote:
>
> Hello LÉVAI Dániel,
> If I understand you correctly you want a serial server
>
> you could use something like a PCengines apuc2. running OpenBSD
> that would work ok, as a serial console box  thjat would liekly set you
> back about 150 euro ... which is good value considering what you get
>

Heck, even the outmoded ALIX1 will do this job.  And it has more than
one port, plus PCI expansion to add more serial ports.  Some vendors
sell cases with a PCI slot, but it's mini ITX so you could even put it
in a standard PC case if you have one laying around. US$59.50 +
shipping for a board and I/O bracket (unless you're in the EU and
can't order directly) and you're laughing.  SSH for a serial server,
plus there's still plenty of capacity in its 500MHz Geode for other
things - I use mine for booting remote installers and DBAN, and it
barely breaks a sweat.

> or if security is not a big deal for you mikrotik does have a pretty flexible
> suite of options for a serial -->TCPIP (serial server)/ virtual serial ports)
> and you can get a solution for sub 100 euro ... for that soemthing
> like an rb450G or RB411 would do...
>
> Hope this helps
>
> On Mon, 8 Apr 2019 at 17:16, Joseph Mayer  wrote:
> >
> > Daniel,
> >
> > Ethernet to serial is normally done using ppp [1].
> >
> > Why add unneeded hardware.
> >
> > Do you have RJ45 or RS232 on the OpenBSD machine already?
> >
> > Joseph
> >
> > [1] http://man.openbsd.org/ppp
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Tuesday, April 9, 2019 12:04 AM, LÉVAI Dániel  wrote:
> >
> > > Hi misc@!
> > >
> > > I was wondering if I could use some budget solution to access my OpenBSD
> > > machine via its serial console over the network, and I stumbled upon
> > > this piece of hardware: [1] [2] [3] (the same device "USR-TCP232-302",
> > > I'm just not sure which one will be up at the time someone looks at
> > > them)
> > >
> > > It basically should be able convert the serial port to TCP/IP
> > > networking. Is this something anyone else has used before -- or if you
> > > know something similar, I'm really interested!
> > >
> > > Thanks,
> > > Dani
> > >
> > > [1] - 
> > > https://www.aliexpress.com/item/Q18041-USR-TCP232-302-Tiny-Size-Serial-RS232-to-Ethernet-TCP-IP-Server-Module-Ethernet-Converter/32683105763.html
> > > [2] - 
> > > https://www.aliexpress.com/item/USR-TCP232-302-Tiny-Size-Serial-RS232-to-Ethernet-TCP-IP-Server-Module-Ethernet-Converter-Support/32899179930.html
> > > [3] - 
> > > https://www.aliexpress.com/item/Q18041-USR-TCP232-302-Tiny-Size-Serial-RS232-to-Ethernet-TCP-IP-Server-Module-Ethernet-Converter/32685599659.html
> > >
> > > ---
> > >
> > > LÉVAI Dániel
> > > PGP key ID = 0x83B63A8F
> > > Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
> >
> >
>
>
> --
> Kindest regards,
> Tom Smyth
>
> The information contained in this E-mail is intended only for the
> confidential use of the named recipient. If the reader of this message
> is not the intended recipient or the person responsible for
> delivering it to the recipient, you are hereby notified that you have
> received this communication in error and that any review,
> dissemination or copying of this communication is strictly prohibited.
> If you have received this in error, please notify the sender
> immediately by telephone at the number above and erase the message
> You are requested to carry out your own virus check before
> opening any attachment.
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: ~OT, ARM64 becoming more useful: RK3399 laptop w M2 slot & A64 phone coming

2019-03-13 Thread Aaron Mason
I like the look of the Rock64 Pro - quad core A53 + dual core A72,
gigabit NIC, PCIe slot that can be used with a SATA card in the
Rock64Pro NAS enclosure.  Seems OpenBSD supports the Rock64Pro, it's
not clear if the NIC is supported (as some rumblings on the OpenBSD
subreddit suggest).  That said, someone posted a NetBSD dmesg[1] that
shows the NIC appearing (two PHYs appear for some reason) though I'll
keep my unlimitless credit card tucked away until I know for sure.

That said, the thought that you could have a low power NAS with the
capability of encrypted softraid is a nice one...

[1] http://www.netbsd.org/~jmcneill/rockpro64.txt

On Wed, Mar 13, 2019 at 7:17 PM Tinker  wrote:
>
> This is bordering on off-topic to this list, but, the ARM64 architecture
> is becoming more useful:
>
> An RK3399 laptop with
>  * magnesium chassi,
>  * M.2 PCIe NVMe SSD slot (four-lane PCIe v3) and
>  * 4K@60hz displayport output,
>  * full HD IPS display,
> for 200 USD is coming to market.
>
> Keyboard layout may be UK/ISO.
>
> Its hardest functionality limit then should be the CPU/SoC's 4GB RAM
> cap.
>
> https://liliputing.com/2019/01/pinebook-pro-linux-laptop-coming-this-year-for-199-and-up.html
>
> https://www.omgubuntu.co.uk/2019/01/pinebook-pro-linux-laptop-coming-soon
>
> https://www.forbes.com/sites/jasonevangelho/2019/01/30/the-new-pinebook-pro-will-challenge-google-chromebooks-for-199/
>
> And they're making an Allwinner A64 smartphone.
>
> Both these SoC:s are supported by OpenBSD.
>
> Some day these devices will break through their 4GB RAM cap, and some
> day they'll become faster.
>
> And some day RISCV will take the steps ARM64 is taking now.
>
> This is great heterogenicity progress.
>
> Tinker
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: _XSERVTransSocketUNIXAccept: accept() failed

2019-02-13 Thread Aaron Mason
What were you trying to do when you got these messages?

On Thu, Feb 14, 2019 at 1:27 PM Joe M  wrote:
>
> Hello,
>
> I see these messages in /var/log/Xorg.0.log
>
> joe:10424$ tail Xorg.0.log
> [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed
> [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed
> [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed
> [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed
> [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed
> [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed
> [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed
> [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed
> [2616181.044] _XSERVTransSocketUNIXAccept: accept() failed
> [2616181.045] _XSERVTransSocketUNIXAccept: accept() failed
>
>
> joe:10425$ tail /var/log/xenodm.log
> _XSERVTransSocketUNIXAccept: accept() failed
> _XSERVTransSocketUNIXAccept: accept() failed
> _XSERVTransSocketUNIXAccept: accept() failed
> _XSERVTransSocketUNIXAccept: accept() failed
> _XSERVTransSocketUNIXAccept: accept() failed
> _XSERVTransSocketUNIXAccept: accept() failed
> _XSERVTransSocketUNIXAccept: accept() failed
> _XSERVTransSocketUNIXAccept: accept() failed
> _XSERVTransSocketUNIXAccept: accept() failed
> _XSERVTransSocketUNIXAccept: accept() failed
>
>
> Any suggestions on how to figure out why this is happening.
>
> Thanks
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: SSH disconnects right after accepting

2019-02-07 Thread Aaron Mason
Can you share your sshd_config file, and ~user/.ssh/rc  and
~user/.ssh/config files (if they exist) please.

On Fri, Feb 8, 2019 at 12:07 PM Lars Bonnesen  wrote:
>
> No, clear text login also does not work. Only when I log on through the 
> console, not say.
>
> Regards, Lars.
>
> On Fri, Feb 8, 2019, 02:03 Aaron Mason >
>> Hi
>>
>> Does it work fine if you log in with the user's password?
>>
>> On Fri, Feb 8, 2019 at 11:25 AM Lars Bonnesen  
>> wrote:
>> >
>> > OpenBSD 6.4
>> >
>> > Putty just reports "Authenticating with public key "XXX" from agent" and
>> > then I am disconnected. If I run sshd with -ddd, I get the following
>> > output. I can't seem to get any error, and therefor I can't tell what is
>> > wrong. Anyone has any idea? Thanks
>> >
>> >
>> > debug2: load_server_config: filename /etc/ssh/sshd_config
>> > debug2: load_server_config: done config len = 204
>> > debug2: parse_server_config: config /etc/ssh/sshd_config len 204
>> > debug3: /etc/ssh/sshd_config:25 setting LogLevel DEBUG
>> > debug3: /etc/ssh/sshd_config:30 setting PermitRootLogin no
>> > debug3: /etc/ssh/sshd_config:39 setting AuthorizedKeysFile
>> > .ssh/authorized_keys
>> > debug3: /etc/ssh/sshd_config:86 setting Subsystem sftp
>> > /usr/libexec/sftp-server
>> > debug1: sshd version OpenSSH_7.9, LibreSSL 2.8.2
>> > debug1: private host key #0: ssh-rsa SHA256:XXX
>> > debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:XXX
>> > debug1: private host key #2: ssh-ed25519 SHA256:XXX
>> > debug1: rexec_argv[0]='/usr/sbin/sshd'
>> > debug1: rexec_argv[1]='-ddd'
>> > debug2: fd 3 setting O_NONBLOCK
>> > debug1: Bind to port 22 on 0.0.0.0.
>> > Server listening on 0.0.0.0 port 22.
>> > debug2: fd 4 setting O_NONBLOCK
>> > debug1: Bind to port 22 on ::.
>> > Server listening on :: port 22.
>> > debug1: fd 5 clearing O_NONBLOCK
>> > debug1: Server will not fork when running in debugging mode.
>> > debug3: send_rexec_state: entering fd = 8 config len 204
>> > debug3: ssh_msg_send: type 0
>> > debug3: send_rexec_state: done
>> > debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
>> > debug1: inetd sockets after dupping: 3, 3
>> > Connection from 172.17.4.3 port 63721 on 172.17.1.2 port 22 rdomain "0"
>> > debug1: Client protocol version 2.0; client software version
>> > PuTTY_Release_0.70
>> > debug1: no match: PuTTY_Release_0.70
>> > debug1: Local version string SSH-2.0-OpenSSH_7.9
>> > debug2: fd 3 setting O_NONBLOCK
>> > debug3: ssh_sandbox_init: preparing pledge sandbox
>> > debug2: Network child is on pid 89382
>> > debug3: preauth child monitor started
>> > debug3: privsep user:group 27:27 [preauth]
>> > debug1: permanently_set_uid: 27/27 [preauth]
>> > debug1: list_hostkey_types:
>> > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
>> > debug3: send packet: type 20 [preauth]
>> > debug1: SSH2_MSG_KEXINIT sent [preauth]
>> > debug3: receive packet: type 20 [preauth]
>> > debug1: SSH2_MSG_KEXINIT received [preauth]
>> > debug2: local server KEXINIT proposal [preauth]
>> > debug2: KEX algorithms:
>> > curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
>> > [preauth]
>> > debug2: host key algorithms:
>> > rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
>> > debug2: ciphers ctos: chacha20-poly1...@openssh.com
>> > ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,
>> > aes256-...@openssh.com [preauth]
>> > debug2: ciphers stoc: chacha20-poly1...@openssh.com
>> > ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,
>> > aes256-...@openssh.com [preauth]
>> > debug2: MACs ctos: umac-64-...@openssh.com,umac-128-...@openssh.com,
>> > hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,
>> > hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
>> > [preauth]
>> > debug2: MACs stoc: umac-64-...@openssh.com,umac-128-...@openssh.com,
>> > hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,
>> > hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hma

Re: SSH disconnects right after accepting

2019-02-07 Thread Aaron Mason
se_uid: 1000/1000 (e=0/0)
> debug1: trying public key file /home/user/.ssh/authorized_keys
> debug1: fd 4 clearing O_NONBLOCK
> debug1: /home/user/.ssh/authorized_keys:5: matching key found: RSA
> SHA256:XXX
> debug1: /home/user/.ssh/authorized_keys:5: key options: agent-forwarding
> port-forwarding pty user-rc x11-forwarding
> Accepted key RSA SHA256:XXX found at /home/user/.ssh/authorized_keys:5
> debug1: restore_uid: 0/0
> debug3: mm_answer_keyallowed: publickey authentication test: RSA key is
> allowed
> debug3: mm_request_send entering: type 23
> debug3: send packet: type 60 [preauth]
> debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
> debug3: user_specific_delay: user specific delay 0.000ms [preauth]
> debug3: ensure_minimum_time_since: elapsed 84.236ms, delaying 6.470ms
> (requested 5.669ms) [preauth]
> Postponed publickey for user from 172.17.4.3 port 63721 ssh2 [preauth]
> debug3: receive packet: type 50 [preauth]
> debug1: userauth-request for user user service ssh-connection method
> publickey [preauth]
> debug1: attempt 2 failures 0 [preauth]
> debug2: input_userauth_request: try method publickey [preauth]
> debug3: userauth_pubkey: have ssh-rsa signature for RSA SHA256:XXX [preauth]
> debug3: mm_key_allowed entering [preauth]
> debug3: mm_request_send entering: type 22 [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 22
> debug3: mm_answer_keyallowed entering
> debug3: mm_answer_keyallowed: key_from_blob: 0x5c404dc0
> debug1: temporarily_use_uid: 1000/1000 (e=0/0)
> debug1: trying public key file /home/user/.ssh/authorized_keys
> debug1: fd 4 clearing O_NONBLOCK
> debug1: /home/user/.ssh/authorized_keys:5: matching key found: RSA
> SHA256:XXX
> debug1: /home/user/.ssh/authorized_keys:5: key options: agent-forwarding
> port-forwarding pty user-rc x11-forwarding
> Accepted key RSA SHA256:XXX found at /home/user/.ssh/authorized_keys:5
> debug1: restore_uid: 0/0
> debug3: mm_answer_keyallowed: publickey authentication: RSA key is allowed
> debug3: mm_request_send entering: type 23
> debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
> debug3: mm_request_receive_expect entering: type 23 [preauth]
> debug3: mm_request_receive entering [preauth]
> debug3: mm_sshkey_verify entering [preauth]
> debug3: mm_request_send entering: type 24 [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 24
> debug3: mm_answer_keyverify: publickey 0x5f9500c0 signature verified
> debug1: auth_activate_options: setting new authentication options
> debug3: mm_request_send entering: type 25
> Accepted publickey for user from 172.17.4.3 port 63721 ssh2: RSA SHA256:XXX
> debug1: monitor_child_preauth: user has been authenticated by privileged
> process
> debug3: mm_get_keystate: Waiting for new keys
> debug3: mm_request_receive_expect entering: type 26
> debug3: mm_request_receive entering
> debug3: mm_get_keystate: GOT new keys
> debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
> debug3: mm_request_receive_expect entering: type 25 [preauth]
> debug3: mm_request_receive entering [preauth]
> debug1: auth_activate_options: setting new authentication options [preauth]
> debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa [preauth]
> debug3: user_specific_delay: user specific delay 0.000ms [preauth]
> debug3: ensure_minimum_time_since: elapsed 68.769ms, delaying 21.937ms
> (requested 5.669ms) [preauth]
> debug3: send packet: type 52 [preauth]
> debug3: mm_request_send entering: type 26 [preauth]
> debug3: mm_send_keystate: Finished sending state [preauth]
> debug1: monitor_read_log: child log fd closed
> debug3: ssh_sandbox_parent_finish: finished
> User child is on pid 24651
> debug3: monitor_apply_keystate: packet_set_state
> debug2: set_newkeys: mode 0
> debug1: rekey after 4294967296 blocks
> debug2: set_newkeys: mode 1
> debug1: rekey after 4294967296 blocks
> debug1: ssh_packet_set_postauth: called
> debug3: ssh_packet_set_state: done
> debug3: notify_hostkeys: key 0: ssh-rsa SHA256:XXX
> debug3: notify_hostkeys: key 1: ecdsa-sha2-nistp256 SHA256:XXX
> debug3: notify_hostkeys: key 2: ssh-ed25519 SHA256:XXX
> debug3: notify_hostkeys: sent 3 hostkeys
> debug3: send packet: type 80
> debug1: active: key options: agent-forwarding port-forwarding pty user-rc
> x11-forwarding
> debug3: sending debug message: /home/user/.ssh/authorized_keys:5: key
> options: agent-forwarding port-forwarding pty user-rc x11-forwarding
> debug3: send packet: type 4
> debug3: sending debug message: /home/user/.ssh/authorized_keys:5: key
> options: agent-forwarding port-forwarding pty user-rc x11-forwarding
> debug3: send packet: type 4
> debug1: Entering interactive session for SSH2.
> debug2: fd 6 setting O_NONBLOCK
> debug2: fd 7 setting O_NONBLOCK
> debug1: server_init_dispatch
> debug3: receive packet: type 90
> debug1: server_input_channel_open: ctype session rchan 256 win 16384 max
> 16384
> debug1: input_session_request
> debug1: channel 0: new [server-session]
> debug2: session_new: allocate (allocated 0 max 10)
> debug3: session_unused: session id 0 unused
> debug3: mm_request_receive entering
> debug1: do_cleanup



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: i386 release build machines

2019-01-24 Thread Aaron Mason
There's an image in the bottom left of the OpenBSD website that shows
the server rack where all releases and ports are built.  It was taken
in 2009, so it's probably changed a bit since then, but you'll get a
good idea of what is used.

I've toyed with the idea of using an old, heat-belching computer to
build snapshots over and over again, and use a fan to push out the
resulting heat.  Not sure how it would go with heating a room, but it
would certainly use less energy than a standard space heater, albeit
probably a bit noisier. If it weren't for the fact that it sounds like
a 747 on take off, that's what I'd do with my SunFire V210.

Also, you might want to check your SPF records - GMail is complaining
about not being able to verify its authenticity.

On Fri, Jan 25, 2019 at 6:45 AM Luis Coronado  wrote:
>
> What machines (brand/model/specs) do you guys
> use to create the releases/snapshots for i386? I am curious to find out if
> possible as I would think that the bigger boxes out there even though could
> have more than 4G of RAM the extra would go unused.
>
> I recently got a few old 32 bit servers and thought about building my own
> snapshots just because is cool to do that. Not that matters exactly what
> the project uses but I am sure you guys expect to have a build ready in a
> reasonable time.
>
> Thanks
>
> -luis



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Blocking "shodan.io" - What are my options?

2019-01-10 Thread Aaron Mason
I knew it wouldn't trigger on the first attempt, but I had a sneaking
suspicion that you'd need something to listen on that port.  Is there
a way to achieve what we seek, in that case, without userland tools?

On Thu, Jan 10, 2019 at 9:18 PM Stuart Henderson  wrote:
>
> On 2019-01-09, Aaron Mason  wrote:
> > Hi Jordan
> >
> > I've set it up to try it, but I'm not having much luck.  Even when I
> > trigger more than one, it still doesn't populate the bad_hosts table,
> > even again when I extend the rate period to 86400 seconds.  I've added
> > logging so I know the rule is triggering.  See below.
>
> max-src-conn-rate is only triggered when a TCP connection is
> established, you need to have something listening (and it will only
> trigger on the *second* connection).
>
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Blocking "shodan.io" - What are my options?

2019-01-09 Thread Aaron Mason
Hi Jordan

I've set it up to try it, but I'm not having much luck.  Even when I
trigger more than one, it still doesn't populate the bad_hosts table,
even again when I extend the rate period to 86400 seconds.  I've added
logging so I know the rule is triggering.  See below.

git# tcpdump -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
08:50:41.100611 111-222-33-45.dyn.isp.net.au.49643 >
git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192  (DF)
08:50:41.630593 111-222-33-45.dyn.isp.net.au.49643 >
git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192  (DF)
08:50:42.155612 111-222-33-45.dyn.isp.net.au.49643 >
git.mydomain.com.telnet: S 3935794887:3935794887(0) win 8192  (DF)
08:50:43.496590 111-222-33-45.dyn.isp.net.au.49649 >
git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192  (DF)
08:50:44.038541 111-222-33-45.dyn.isp.net.au.49649 >
git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192  (DF)
08:50:44.571563 111-222-33-45.dyn.isp.net.au.49649 >
git.mydomain.com.telnet: S 2579184023:2579184023(0) win 8192  (DF)
08:50:46.879666 111-222-33-45.dyn.isp.net.au.49660 >
git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192  (DF)
08:50:47.408720 111-222-33-45.dyn.isp.net.au.49660 >
git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192  (DF)
08:50:47.938650 111-222-33-45.dyn.isp.net.au.49660 >
git.mydomain.com.telnet: S 1029456025:1029456025(0) win 8192  (DF)
^C
9 packets received by filter
0 packets dropped by kernel
git# cat /etc/pf.conf
#   $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

ext_if=vio0
ext_ip=111.222.33.44

set skip on lo

block return# block stateless traffic
pass# establish keep-state

block quick from 
pass in log on $ext_if proto tcp to $ext_ip port telnet keep state
(max-src-conn-rate 1/86400, overload  flush global)

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
git#

On Wed, Jan 9, 2019 at 1:30 PM Jordan Geoghegan  wrote:
>
>
>
> On 01/08/19 18:08, tomr wrote:
> >
> > On 1/9/19 12:42 PM, Jordan Geoghegan wrote:
> >> Yikes. Everything you are (erroneously) trying to do here can be done
> >> without leaving your pf.conf.
> >>
> >> Remember, KISS.
> >>
> > Is there a way to add an address to a table from within a rule, or
> > something to that effect? I can't see such an option. A la...
> >
> > block in quick on $ext_if to any port ! { $allowed_ports } add-to 
> >
> >
> > (Otherwise I don't see how the whole show could be completed without
> > logging, monitoring the log, then running pfctl, ie with leaving your
> > pf.conf)
>
> Without wasting too much time on this, the "overload" example from the
> pf.conf man page could be pretty easily adapted to meet the specified needs:
>
> pass in on egress proto tcp to egress port 22 keep state
> (max-src-conn-rate 1/10, overload  flush global)
>
> or to copy basically verbatim from the man page, (with only the
> src-conn-rate and port number adjusted):
>
> block quick from 
> pass in on $ext_if proto tcp to $webserver port ssh keep state \
>(max-src-conn-rate 1/10, overload  flush global)
>
>
> I havent tested this personally, but it should be adequate.
>
>
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Blocking "shodan.io" - What are my options?

2019-01-08 Thread Aaron Mason
On Sat, Jan 5, 2019 at 5:46 AM Misc User  wrote:
>
> On 1/3/2019 11:20 PM, Radek wrote:
> >> A little ncat, sed, pfctl, and a dash of cron are able to do
> >> the job just fine.  cron is just there to start the ncat processes at
> >> boot and run an hourly script to do a pfctl -T expire  86400 to
> >> keep the table clean of old attackers.
> > Sounds good. Could you share your script here?
> >
>
> I don't have access to my systems right now, but the script is pretty
> much a couple of one-liners in crontab, somethings similar to:
>
> ncat -l -k 23 -vv | sed s/// | xargs -R 1 -I % pfctl -t honeypot
> -T add %
>
> I'll have to look up the exact command when I get get home tonight,
> especially the sed I used.  Running on my local system, the ncat command
> echoes out lines like:
>
> Ncat: Connection from 172.16.11.152.
> Ncat: Connection from 172.16.11.152:57562.
>
> If I get the time today, I'll work on re-creating the regex, if not,
> I'll share the one I've been using on my systems.
>

Hi

Any news on this? I've tried building my own and while I can get a
list of IP addresses, nothing gets sent through to xargs.  They appear
if I leave off the xargs bit:

git# nc -vnkl 21 2>&1 | sed -E 's/^Connection from
([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) [0-9]*
received!$/\1/'
111.222.33.44
^C
git#

But if I include the pipe to xargs, nothing happens,  I still get
nothing happening if I change it to a while loop, using read to pull
in the IP address.

This works, though, though it assumes that the output for nc(1) will
stay the same forever - it's also IPv6 ready unlike my example above:

nc -vnkl 21 2>&1 | while read dummy dummy ipaddr dummy dummy; do pfctl
-t honeypot -T add $ipaddr; done

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: [OpenBSD 6.4][OpenIKED] Route to IPSec tunnel?

2018-12-12 Thread Aaron Mason
Hi Siegfried

(Maintainers of the IPSec stack and ISAKMPD are welcome to tear my answer apart)

IPSec tunnels are, for want of a better term, entirely transparent -
the underlying OS and its clients have no idea that it exists.  In
order to route across an IPSec tunnel, use gif(4) to create an
IP-to-IP tunnel between the endpoints.  IPSec will encrypt all traffic
that goes across it - from there it's a matter of setting up the
static routes on either side.
On Wed, Dec 12, 2018 at 7:40 AM Zhi-Qiang Lei  wrote:
>
> I’m building a gateway to encrypt some traffics:
>
>  Client —> Gateway —> VPN Server —> Internet
> (192.168.1.16) (10.0.0.2)
>
>
> [Gateway] /etc/iked.conf:
>
> ikev2 quick active ipcomp esp \
> from 10.0.0.2 to 0.0.0.0/0 \
> local egress peer $vpn_server_ip \
> ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group 
> curve25519 \
> childsa enc chacha20-poly130 group curve25519 \
> dstid "asgard.local"
>
> [VPN Server] /etc/iked.conf:
>
> ikev2 quick passive ipcomp esp \
> from 0.0.0.0/0 to 10.0.0.2 \
> local egress \
> ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group 
> curve25519 \
> childsa enc chacha20-poly130 group curve25519 \
> dstid "blackjack.local"
>
> The SA has been established. When I ping 10.0.0.2 on VPN Server and tcpdump 
> on gateway enc0 I got:
>
> # tcpdump -envps 1500 -i enc0 -l
> tcpdump: listening on enc0, link-type ENC
> 03:48:20.778584 (authentic,confidential): SPI 0x7f27bd3b: $vpn_server_ip > 
> $gateway_ip: $vpn_server_ip > 10.0.0.2: icmp: echo request (id:4656 seq:0) 
> [icmp cksum ok] (ttl 255, id 60419, len 84) (ttl 50, id 59144, len 104)
> 03:48:21.788330 (authentic,confidential): SPI 0x7f27bd3b: $vpn_server_ip > 
> $gateway_ip: $vpn_server_ip > 10.0.0.2: icmp: echo request (id:4656 seq:1) 
> [icmp cksum ok] (ttl 255, id 1688, len 84) (ttl 50, id 31496, len 104)
>
> How can I route the packets from the client to the VPN server on the gateway? 
> When I was using OpenVPN, I did the routing in pf.conf:
>
> pass in quick from 192.168.1.0/24 to !192.168.1.0/24 route-to tun0
> pass out quick on tun0 from 192.168.1.0/24 to any nat-to tun0
>
> However, there is no tunnel device created after the SA is established on 
> OpenBSD. Did I miss something to create it?
>
> Best regards,
> Siegfried
>
>
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: [OpenIKED] Is it impossible to differentiate the policies by dstid?

2018-11-04 Thread Aaron Mason
What happens when you remove quick from both policies?
On Mon, Nov 5, 2018 at 7:00 AM 雷致强  wrote:
>
> OpenIKED is so great when I use one policy for all users. However, I’m having 
> trouble when I try to apply different policies to different users.
> With iked.conf followed, iked seems to applies “blackjack” policy to incoming 
> connections only, which keeps the users of “redheart” out.
>
> ikev2 "blackjack" quick passive ipcomp esp \
> from 0.0.0.0/0 to 10.0.0.2 \
> local egress \
> ikesa enc aes-256 prf hmac-sha2-256 group curve25519 \
> childsa enc chacha20-poly1305 group curve25519 \
> dstid "blackjack.local" \
> psk "testpsk1" \
>
> ikev2 "redheart" quick passive ipcomp esp \
> from 0.0.0.0/0 to 172.16.0.0/24 \
> local egress \
> dstid "redheart.local" \
> psk "testpsk2" \
> config protected-subnet 0.0.0.0/0 \
> config address 172.16.0.0/24 \
> config netmask 255.255.255.0 \
> config name-server 8.8.8.8
>
> This is what happens when redheart.local connects to the responder. (I 
> replaced the IPs to redheart.local and asgard.local)
>
> # iked -dv
> set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/blackjack.local
> ikev2 "blackjack" quick passive esp inet from 0.0.0.0/0 to 10.0.0.2 local 
> asgard.local peer any ikesa enc aes-256 prf hmac-sha2-256 auth 
> hmac-sha2-256,hmac-sha1 group curve25519 childsa enc chacha20-poly1305 group 
> curve25519 dstid blackjack.local lifetime 10800 bytes 536870912 psk 
> 0x7465737470736b31
> set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/redheart.local
> ikev2 "redheart" quick passive esp inet from 0.0.0.0/0 to 172.16.0.0/24 local 
> asgard.local peer any ikesa enc aes-256,aes-192,aes-128,3des prf 
> hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
> modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
> hmac-sha2-256,hmac-sha1 dstid redheart.local lifetime 10800 bytes 536870912 
> psk 0x7465737470736b32 config protected-subnet 0.0.0.0 config address 
> 172.16.0.0 config netmask 255.255.255.0 config name-server 8.8.8.8
> ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to 
> asgard.local:500 policy 'blackjack' id 0, 604 bytes
> ikev2_sa_responder: no proposal chosen
> ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to 
> redheart.local:60970 msgid 0, 36 bytes
> sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
> ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to 
> asgard.local:500 policy 'blackjack' id 0, 604 bytes
> ikev2_sa_responder: no proposal chosen
> ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to 
> redheart.local:60970 msgid 0, 36 bytes
> sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
>
> If I remove the “quick” option of “blackjack” policy, all incoming connection 
> goes to “redheart” policy, which blocks “blackjack” users.
>
> Regarding to all the examples I saw, I guess dstid is not a condition to 
> match the policies? Only “peer” matters?
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: OpenBSD site

2018-11-01 Thread Aaron Mason
Even more amazing - if you see an error on the website, you can fix it
and send a patch.  If they like it, they'll include the change.  I put
in a patch a quite a few years ago to replace some broken links with
archived counterparts[1] which Theo himself accepted [2].  Not tooting
my own horn here, just saying that it can be done, and it's one of the
things that's kept me coming back all these years.

[1] https://marc.info/?l=openbsd-www=129340910201453=2
[2] https://marc.info/?l=openbsd-cvs=129355971818793=2
On Sun, Oct 28, 2018 at 10:01 AM Henry Bonath  wrote:
>
> This is amazing to know, thank you!
>
> On Sat, Oct 27, 2018 at 3:11 PM  wrote:
>
> > Knowing OpenBSD philosophy, you should probably NOT expect a CMS :).
> >
> > But you don't need to guess when you can check for yourself - all the
> > sources are available for an anonymous CVS as described in [1].
> >
> > You can easily have an up-to-date local copy on your machine by first
> > reading manual pages on cvs(1), httpd(8) and httpd.conf(5) and then doing
> > something like (as root):
> >
> > # mkdir -p /var/www/htdocs/openbsd
> > # cd /var/www/htdocs/openbsd
> > # cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs checkout -P www
> >
> > and adding the following section to /etc/httpd.conf:
> >
> > server "openbsd-doc" {
> > listen on * port 81
> > root "/htdocs/openbsd/www"
> > }
> >
> > and enabling httpd:
> >
> > # rcctl enable httpd
> >
> > After that, navigate to http://localhost:81 and enjoy browsing an offline
> > copy of OpenBSD website.
> >
> > [1] https://www.openbsd.org/anoncvs.html
> >
> >
> > On Sat, Oct 27, 2018, at 4:24 AM, Janne Johansson wrote:
> > > Manual edits, no hurry to jump on this weeks fashionable web
> > > framework, testing with lynx goes a long way to keep it simple and
> > > readable.
> > >
> > > Den lör 27 okt. 2018 kl 11:14 skrev misc nick :
> > > >
> > > > I was wondering how you maintain and update such high quality content
> > in OpenBSD's site.
> > > > Do you manually edit html files, use a cms, or something else? I am
> > asking to shamelessly
> > > > copy your best practices. ;-)
> > > >
> > > > Thanks,
> > > > Nick
> > > >
> > >
> > >
> > > --
> > > May the most significant bit of your life be positive.
> > >
> >
> >



--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Problems with a quad Realtek NIC

2018-10-11 Thread Aaron Mason
Wow, never seen a multi-port Realtek NIC before.

Based on your dmesg and the excerpt above, it looks like the issue
starts at ppb1 - a PCI-PCI bridge likely on the quad-port NIC based on
the vendor being the same as each one below it and the one above it
being an Intel ppb(4) - and then cascades through.  Looking at the
dmesg excerpt below, looks like your card has four separate Realtek
RTL8168 NICs each on a separate PCI-PCI bridge, each of which connects
to another PCI-PCI bridge, then another before connecting to the one
on the mainboard:

pci0 at mainbus0 bus 0
[...]
ppb0 at pci0 dev 28 function 0 "Intel Bay Trail PCIE" rev 0x0e: msi
<-- MAINBOARD
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 vendor "ASMedia", unknown product 0x1184
rev 0x00 <-- PCIe card
pci2 at ppb1 bus 2
ppb2 at pci2 dev 1 function 0 vendor "ASMedia", unknown product 0x1184
rev 0x00: msi
pci3 at ppb2 bus 3
re0 at pci3 dev 0 function 0 "Realtek 8168" rev 0x06:
RTL8168E/8111E-VL (0x2c80), msi, address 00:e0:4c:68:1a:ea
rgephy0 at re0 phy 7: RTL8169S/8110S/8211 PHY, rev. 5
ppb3 at pci2 dev 3 function 0 vendor "ASMedia", unknown product 0x1184
rev 0x00: msi
pci4 at ppb3 bus 4
re1 at pci4 dev 0 function 0 "Realtek 8168" rev 0x06:
RTL8168E/8111E-VL (0x2c80), msi, address 00:e0:4c:68:1a:eb
rgephy1 at re1 phy 7: RTL8169S/8110S/8211 PHY, rev. 5
ppb4 at pci2 dev 5 function 0 vendor "ASMedia", unknown product 0x1184
rev 0x00: msi
pci5 at ppb4 bus 5
re2 at pci5 dev 0 function 0 "Realtek 8168" rev 0x06:
RTL8168E/8111E-VL (0x2c80), msi, address 00:e0:4c:68:1a:ec
rgephy2 at re2 phy 7: RTL8169S/8110S/8211 PHY, rev. 5
ppb5 at pci2 dev 7 function 0 vendor "ASMedia", unknown product 0x1184
rev 0x00: msi
pci6 at ppb5 bus 6
re3 at pci6 dev 0 function 0 "Realtek 8168" rev 0x06:
RTL8168E/8111E-VL (0x2c80), msi, address 00:e0:4c:68:1a:ed
rgephy3 at re3 phy 7: RTL8169S/8110S/8211 PHY, rev. 5

Here's a diagram of the logical layout based on the above:
https://imgur.com/AM1sGr8

Maybe try the card on another motherboard and see if you get the same symptoms.

In any case, it's my understanding (and the maintainers of re(4) are
free to correct me on this) that Realtek NICs are usually a bad idea
for non-desktop applications, since they offload pretty much (if not
entirely) all of its functions to the OS - every time something
sneezes on the connected network, it raises an interrupt to the CPU.
This can lead to pretty craptacular performance and high CPU use under
heavy load.  I can only imagine the hailstorm that would ensue if all
four of your NIC ports were running at full tilt.

Your best bet for this would be a used quad-port Intel NIC, which can
be had for similar money (but not too much more) and is rather more
self-sufficient than the Realtek cards (and the maintainers of em(4)
are free to correct me there as well).  You'll get better line
performance with less CPU stress.
On Thu, Oct 11, 2018 at 11:49 AM Martin Hanson
 wrote:
>
> Hi, I have one of these 4-port Realtek NIC cards:
> https://www.ebay.co.uk/itm/PCIe-PCI-Express-to-4x-Gigabit-Card-4-Port-Ethernet-Network-Adapter-10-100-1000M/252484240577?epid=505371101Â
>  I
> am running OpenBSD 6.3 stable. During boot the card is seen, but it only
> works occasionally. When it works I can see all the 4 ports using
> "ifconfig" and I can assign IP addresses etc. When it doesn't work
> nothing is shown using "ifconfig". As far as I understand from the "re"
> manpage RTL8168E/8111E is supported. This is my dmesg: 
> http://paste.debian.net/1046756/Â When
> the card isn't working I also get this:Â +ppb1 at pci1 dev 0 function 0
> vendor "ASMedia", unknown product 0x1184 rev 0x00
> +pci2 at ppb1 bus 2
> +ppb2 at pci2 dev 1 function 0 vendor "ASMedia", unknown product 0x1184
> rev 0x00: not configured by system firmware
> +ppb3 at pci2 dev 3 function 0 vendor "ASMedia", unknown product 0x1184
> rev 0x00: not configured by system firmware
> +ppb4 at pci2 dev 5 function 0 vendor "ASMedia", unknown product 0x1184
> rev 0x00: not configured by system firmware
> +ppb5 at pci2 dev 7 function 0 vendor "ASMedia", unknown product 0x1184
> rev 0x00: not configured by system firmware
>  Is this a driver issue or something else perhaps? Kindest regards



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: checking source with pvs-studio

2018-10-02 Thread Aaron Mason
On Sun, Sep 30, 2018 at 3:42 AM Theo de Raadt  wrote:
>
> Sergey Bronnikov  wrote:
>
> > Hello!
> >
> > openbsd source code was checked by various static analyzers (coverity,
> > cppcheck, clang analyzer etc). Have someone tried PVS-Studio?
> > It became free to use for opensource projects [1].
> >
> > [1] https://www.viva64.com/en/b/0457/
>
> which means you can roll up your sleeves and be that someone
>

Apparently you've got to go through your source code and plug the
product in every single non-header file.  Basically it's either give
them free advertising or give them ~$720 for a one year license.

>From https://www.viva64.com/en/b/0457/:

> Step 2
> Make edits in all the compilable files of your project. I.e. in all the
> files with the extensions c, cc, cpp, cs, and so on. You don't have to
> change header h-files.
>
> You need to write two lines of comments in the beginning of each file.
> We offer several options. This is a kind of 'fee' for using PVS-Studio
> for free.
>
> Comments for students (academic license):
>
> // This is a personal academic project. Dear PVS-Studio, please check it.
>
> // PVS-Studio Static Code Analyzer for C, C++ and C#:
> // http://www.viva64.com
>
> Comments for free open source projects:
>
> // This is an open source non-commercial project. Dear PVS-Studio,
> // please check it.
>
> // PVS-Studio Static Code Analyzer for C, C++ and C#:
> // http://www.viva64.com
>
> Comments for individual developers:
>
> // This is an independent project of an individual developer. Dear
> // PVS-Studio, please check it.
>
> // PVS-Studio Static Code Analyzer for C, C++ and C#:
> // http://www.viva64.com
>
> Of course, the options we suggest won't be suitable for everyone. But
> that's the point of such measures. If none of the variants is relevant
> to you of your product, we suggest you consider purchasing the license.

Not a very wise use of time, though you could automate it if you were
particularly determined.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Community-driven OpenBSD tutorials wiki?

2018-04-11 Thread Aaron Mason
On Fri, Jan 5, 2018 at 8:26 AM, Peter N. M. Hansteen  wrote:

>
> If you think you don't have the seniority to start submitting patches
> when you see a bug (even a typo in a man page or the faq), you're most
> likely wrong. Your first efforts will not be perfect of course, but if
> you put in the effort and are able to learn from constructive criticism,
> it's likely sooner or later you will be adding real value.
>

This.  I once submitted a patch to update THE PUBLIC WEBSITE (I
replaced some broken links with archived versions) and it was approved
without demur and on the website the next day.  If you have a change
to make and a patch to implement it, you can shape OpenBSD's future,
even if it's just to make sure the website has no broken links.
That's what keeps me coming back.



Re: bsd.rd source

2018-04-05 Thread Aaron Mason
Same place as the bsd kernel itself - they're both built from the same source.

On Fri, Apr 6, 2018 at 7:29 AM,  <ch...@ccmach14.org> wrote:
> Hello - will someone please tell me where I can find the source for bsd.rd?
> Thanks
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Hardware recommendations for compact 1U firewall

2017-01-09 Thread Aaron Mason
On Tue, Jan 10, 2017 at 12:58 PM, Paul Suh <pl...@goodeast.com> wrote:
>> On Dec 16, 2016, at 8:32 PM, Predrag Punosevac <punoseva...@gmail.com>
> wrote:
>>
>> This is my favorite Ebay seller and they have lots of nice network
>> equipment for home, small, and large business.
>>
>> http://stores.ebay.com/MITXPC/
>
> +1 for MITXPC. I've purchased several systems from them over the years and
> they've always been responsive and helpful.
>
>
> --Paul
>
> [demime 1.01d removed an attachment of type application/pkcs7-signature which 
> had a name of smime.p7s]
>

I'd do this if it weren't for the fact that shipping their items to
Australia costs more than their items themselves...

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Hardware recommendations for compact 1U firewall

2017-01-09 Thread Aaron Mason
On Tue, Jan 10, 2017 at 1:32 AM, Stuart Henderson <s...@spacehopper.org>
wrote:
> Aaron Mason wrote:
>> >> Torn between a Barracuda web filter or a Portwell CAR 3000. The latter
>> >> is more expensive but supports 10Gbit, whereas the Barracuda may only
>> >> have 10/100.  Both Core2Duo based, could probably upgrade to a
>> >> Core2Quad or a Xeon with a 771->775 adapter.
>
> btw, I found some cheap CAR 3000 (this one says "caswell" rather than
> portwell and is an oem firewall box), so here's a dmesg in case it's of
> interest. sysctl hw follows below.
>
> Handy to have so many ports for Ł25, but 4x 1u fans (including the one in
> the PSU) make it rather noisy.
>
> OpenBSD 6.0-current (GENERIC.MP) #122: Sun Jan  8 14:53:10 MST 2017
> bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4242145280 (4045MB)
> avail mem = 4108922880 (3918MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xfbcb0 (45 entries)
> bios0: vendor American Megatrends Inc. version "080015" date 12/22/2010
> acpi0 at bios0: rev 0
> acpi0: sleep states S0 S1 S3 S4 S5
> acpi0: tables DSDT FACP APIC MCFG OEMB SSDT
> acpi0: wakeup devices P0P2(S4) P0P3(S4) P0P1(S4) USB0(S4) USB1(S4) USB2(S4)
USB3(S4) EUSB(S4) MC97(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4)
P0P9(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz, 2793.39 MHz
> cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM
2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LONG,LAHF,PERF,SENSOR
> cpu0: 3MB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 265MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz, 2793.00 MHz
> cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM
2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LONG,LAHF,PERF,SENSOR
> cpu1: 3MB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
> acpimcfg0 at acpi0 addr 0xe000, bus 0-255
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 7 (P0P1)
> acpiprt2 at acpi0: bus 1 (P0P4)
> acpiprt3 at acpi0: bus 2 (P0P5)
> acpiprt4 at acpi0: bus 3 (P0P6)
> acpiprt5 at acpi0: bus 4 (P0P7)
> acpiprt6 at acpi0: bus 5 (P0P8)
> acpiprt7 at acpi0: bus 6 (P0P9)
> acpicpu0 at acpi0: !C3(100@57 mwait.3@0x30), !C2(500@1 mwait.1@0x10),
C1(1000@1 mwait.1), PSS
> acpicpu1 at acpi0: !C3(100@57 mwait.3@0x30), !C2(500@1 mwait.1@0x10),
C1(1000@1 mwait.1), PSS
> "AWY0001" at acpi0 not configured
> "PNP0501" at acpi0 not configured
> "PNP0501" at acpi0 not configured
> acpibtn0 at acpi0: PWRB
> cpu0: Enhanced SpeedStep 2793 MHz: speeds: 2800, 2403, 2136, 1870, 1603 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel G41 Host" rev 0x03
> inteldrm0 at pci0 dev 2 function 0 "Intel G41 Video" rev 0x03
> drm0 at inteldrm0
> intagp0 at inteldrm0
> agp0 at intagp0: aperture at 0xd000, size 0x1000
> inteldrm0: msi
> inteldrm0: 1024x768, 32bpp
> wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: msi
> pci1 at ppb0 bus 1
> em0 at pci1 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address
00:90:fb:39:8c:c4
> ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x01: msi
> pci2 at ppb1 bus 2
> em1 at pci2 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address
00:90:fb:39:8c:c5
> ppb2 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x01: msi
> pci3 at ppb2 bus 3
> em2 at pci3 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address
00:90:fb:39:8c:c6
> ppb3 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x01: msi
> pci4 at ppb3 bus 4
> em3 at pci4 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address
00:90:fb:39:8c:c7
> ppb4 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: msi
> pci5 at ppb4 bus 5
> em4 at pci5 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address
00:90:fb:39:8c:c8
> ppb5 at pci0 dev 28 function 5 &qu

Re: Hardware recommendations for compact 1U firewall

2016-12-21 Thread Aaron Mason
1 at iic0 addr 0x19: stts2002
> sdtemp2 at iic0 addr 0x1a: stts2002
> sdtemp3 at iic0 addr 0x1b: stts2002
> iic0: addr 0x2e 00=3d words 00=3d3d 01= 02= 03= 04= 05=
06= 07=
> spdmem0 at iic0 addr 0x50: 8GB DDR3 SDRAM ECC PC3-12800 with thermal sensor
> spdmem1 at iic0 addr 0x51: 8GB DDR3 SDRAM ECC PC3-12800 with thermal sensor
> spdmem2 at iic0 addr 0x52: 8GB DDR3 SDRAM ECC PC3-12800 with thermal sensor
> spdmem3 at iic0 addr 0x53: 8GB DDR3 SDRAM ECC PC3-12800 with thermal sensor
> isa0 at pcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> uhub2 at uhub1 port 1 "Intel product 0x07db" rev 2.00/0.02 addr 2
> uhub3 at uhub2 port 3 "ATEN International product 0x7000" rev 2.00/0.00 addr
3
> uhidev0 at uhub3 port 1 configuration 1 interface 0 "ATEN International
product 0x2419" rev 1.10/1.00 addr 4
> uhidev0: iclass 3/1
> ukbd0 at uhidev0: 8 variable keys, 6 key codes
> wskbd1 at ukbd0 mux 1
> wskbd1: connecting to wsdisplay0
> uhidev1 at uhub3 port 1 configuration 1 interface 1 "ATEN International
product 0x2419" rev 1.10/1.00 addr 4
> uhidev1: iclass 3/1
> ums0 at uhidev1: 3 buttons, Z dir
> wsmouse1 at ums0 mux 0
> vscsi0 at root
> scsibus3 at vscsi0: 256 targets
> softraid0 at root
> scsibus4 at softraid0: 256 targets
> root on sd0a (5275a7b2a0b9439e.a) swap on sd0b dump on sd0b
>



--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Hardware recommendations for compact 1U firewall

2016-12-18 Thread Aaron Mason
Thanks for some additional fleabay search terms :)

On Sat, Dec 17, 2016 at 2:59 PM, Nick Holland
<n...@holland-consulting.net> wrote:
> On 12/14/16 20:39, Aaron Mason wrote:
>> All
>>
>> I'm looking for a 1U appliance that I can re-purpose into a firewall
>> using OpenBSD.  I've tried the near-free method by using an old Lacie
>> Ethernet Disk appliance I had lying around, but it turns out the
>> onboard SATA chipset is toast on this particular unit (it freezes at
>> CDBOOT when it detects hard drives and the BIOS freezes when I set it
>> to IDE mode with drives attached, plus it only has one onboard NIC and
>> one PCI slot, so I can't install another SATA card without removing
>> the other NIC I installed), so I'm looking for other options that fit
>> a limited budget.
>
> heh.  Little secret: if you look in many data centers, you will find
> lots of 1U boxes with various titles -- security appliances, load
> balancing devices, etc.  A lot of them, under the covers, are just PCs.
> And a lot of data centers have 'em rotting on the racks after they have
> been turned off and replaced, but no motivation to remove them.
>
> Just cleaned out some stuff from one of our data centers -- we had a
> three authentication devices and a couple "security appliances" that all
> turned out to have the same SuperMicro board on them...some with Pentium
> D, others with P4s...but both could pump a lot of packets through
> gigabit NICs (two on board).  The security appliances were kinda cool in
> that they have a LCD screen that looks like it could be accessed through
> a USB serial port (better yet, when you powered up the box, the LCD
> panel put up an advertisement, not for the security appliance maker, but
> for the LCD panel...including a website.  Bet there are docs there! :)
> (I once programmed the LCD panel of a Novell server to say, "WINDOWS
> SUCKS".  Wasn't noticed for years, but when it was, my name was quickly
> assumed as being responsible)
>
> We also had a couple odd little "load balancers" -- five NIC ports.  My
> coworkers were skeptical about it being a standard PC under the cover.
> Haven't tried to boot OpenBSD on them yet, but turns out the thing has a
> 128M SATA DiskOnModule (flash memory on a SATA board), a 1G CF card, and
> a SATA hard disk in the box.  Again, all in one U.
>
> And I'll admit there's a certain fun in bringing up another OS on
> something like that.  And I HAVE to at least try to bring up OpenBSD on
> them...so I can wipe the media before the hw is disposed of.  (Company
> policy says "overwrite entire disk with random data", who's got the
> fastest random number generator in town?  OpenBSD, of course!)
>
> Nick.
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Hardware recommendations for compact 1U firewall

2016-12-15 Thread Aaron Mason
A search on fleabay shows that, in Australia, they still fetch >$300,
out of my price range. :(

On Thu, Dec 15, 2016 at 10:30 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2016-12-15, Aaron Mason <simplersolut...@gmail.com> wrote:
>> All
>>
>> I'm looking for a 1U appliance that I can re-purpose into a firewall
>> using OpenBSD.  I've tried the near-free method by using an old Lacie
>> Ethernet Disk appliance I had lying around, but it turns out the
>> onboard SATA chipset is toast on this particular unit (it freezes at
>> CDBOOT when it detects hard drives and the BIOS freezes when I set it
>> to IDE mode with drives attached, plus it only has one onboard NIC and
>> one PCI slot, so I can't install another SATA card without removing
>> the other NIC I installed), so I'm looking for other options that fit
>> a limited budget.
>>
>> The most important criteria are that it must be 1U and it must fit
>> within a 420mm (~16.5") space (for reasons I will explain below).  I
>> have a couple of Sun Netra X1s that meet the need, but I can't push
>> more than ~60mbps over the onboard FE ports and they run quite hot to
>> the point of causing kernel panics.
>>
>> For a bit of context - I manage network and systems for a group that
>> run regular LAN parties at a local university, and our network
>> infrastructure lives in a 4RU flight case (with 420mm between the
>> front and rear vertical rails) currently occupied by three HP
>> switches.  We're currently using a Sun V20Z (admittedly running
>> pfSense, a decision made before I took over) but it's rather
>> cumbersome to carry along with three Dell 1950s (two VM hosts and a
>> Steam cache) and a Dell 2950 (NAS, provides iSCSI to VM hosts).  We
>> don't usually get more than 35 players and we don't do any complex
>> filtering on the firewall.
>>
>> I've been considering looking at old firewall appliances like Nokias,
>> Sonicwalls, Watchguards or Barracudas - has anyone had any luck with
>> getting OpenBSD on any of those or other such appliances?
>>
>> Gigabit ports would be nice (the university finally bought gigabit PoE
>> switches) but will accept Fast Ethernet if my budget says no.
>
> IMHO, you can get a fairly useful decent second-hand machine for a low
> enough price that it's not worth the hassle repurposing or using something
> from before GE was common, they're going to be more hassle to get working,
> and old enough that you may well run into things failing through age.
>
> How about a Dell R210 or an R210 II off ebay? 400mm deep, 2 nics onboard,
> if you need more ports then dual-port PCIe nics are pretty cheap.
> If you want to cut down on weight+noise at the expense of more cost
> and a less powerful cpu, maybe APU2 in a 1U case or something like
> supermicro SYS-5018A-FTN4.
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Hardware recommendations for compact 1U firewall

2016-12-14 Thread Aaron Mason
All

I'm looking for a 1U appliance that I can re-purpose into a firewall
using OpenBSD.  I've tried the near-free method by using an old Lacie
Ethernet Disk appliance I had lying around, but it turns out the
onboard SATA chipset is toast on this particular unit (it freezes at
CDBOOT when it detects hard drives and the BIOS freezes when I set it
to IDE mode with drives attached, plus it only has one onboard NIC and
one PCI slot, so I can't install another SATA card without removing
the other NIC I installed), so I'm looking for other options that fit
a limited budget.

The most important criteria are that it must be 1U and it must fit
within a 420mm (~16.5") space (for reasons I will explain below).  I
have a couple of Sun Netra X1s that meet the need, but I can't push
more than ~60mbps over the onboard FE ports and they run quite hot to
the point of causing kernel panics.

For a bit of context - I manage network and systems for a group that
run regular LAN parties at a local university, and our network
infrastructure lives in a 4RU flight case (with 420mm between the
front and rear vertical rails) currently occupied by three HP
switches.  We're currently using a Sun V20Z (admittedly running
pfSense, a decision made before I took over) but it's rather
cumbersome to carry along with three Dell 1950s (two VM hosts and a
Steam cache) and a Dell 2950 (NAS, provides iSCSI to VM hosts).  We
don't usually get more than 35 players and we don't do any complex
filtering on the firewall.

I've been considering looking at old firewall appliances like Nokias,
Sonicwalls, Watchguards or Barracudas - has anyone had any luck with
getting OpenBSD on any of those or other such appliances?

Gigabit ports would be nice (the university finally bought gigabit PoE
switches) but will accept Fast Ethernet if my budget says no.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: 350MHz IBM Intel Pentium II runs 5.9 fine

2016-12-01 Thread Aaron Mason
I've got two Sun Netra X1s (400MHz ultraSPARC IIe, 2GB RAM, 2x40GB
drives) with 5.9 installed, they crash after awhile but I suspect
that's a cooling issue since these things run pretty hot.  I'd use
them as firewalls but I can't push any more than ~50Mbps through them
and I've got a 100/40 fibre connection coming once our house is built.

On Fri, Dec 2, 2016 at 12:19 PM,  <alexmcwhir...@triadic.us> wrote:
> On a similar note, I have a Sun E6K (circa 1996, 30x 400Mhz CPU's 30GB of
> RAM) running 6.0 like a dream, with some minor patches to support more than
> 8 disks in softraid 5.



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: 350MHz IBM Intel Pentium II runs 5.9 fine

2016-12-01 Thread Aaron Mason
Could just be some garbage IBM machines of that era would spit out to
confuse anything not-Winders, as part of an agreement with Microshart.

Might pull out an old machine, give it some NICs and make it a
firewall.  Got an old Lacie 1U storage appliance with a VIA C7 mobo,
just needs an additional NIC and a couple of disks in raid1 and we're
laughing.  Will dmesg once I'm done.

On Thu, Dec 1, 2016 at 11:31 PM, Craig Skinner <skin...@britvault.co.uk> wrote:
> Hi,
>
> On Wed, 30 Nov 2016 17:09:13 +0100 butresin wrote:
>> On 16.11.29Tue 14:12, Craig Skinner wrote:
>> >
>> > real mem  = 200740864 (191MB)
>> > avail mem = 184385536 (175MB)
>> ...
>> > spdmem0 at iic0 addr 0x50: 64MB SDRAM non-parity PC100CL3
>> > spdmem1 at iic0 addr 0x51: 64MB SDRAM non-parity PC100CL3
>> > spdmem2 at iic0 addr 0x52: 64MB SDRAM ECC PC100CL2
>> > spdmem3 at iic0 addr 0x55: 1GB DDR2 SDRAM PC2-5000CL5
>>
>> This is odd.
>>
>
> None of these IBM Pentium II machines have DDR memory installed.
> I don't think it was invented in 1999. The 3 slots are old DIMM.
>
> The other dmesg:
>
> spdmem0 at iic0 addr 0x50: 128MB SDRAM non-parity PC100CL3
> spdmem1 at iic0 addr 0x51: 64MB SDRAM non-parity PC100CL3
> spdmem2 at iic0 addr 0x52: 64MB SDRAM non-parity PC100CL3
> spdmem3 at iic0 addr 0x55: 448MB DDR2 SDRAM PC2-2500CL5
>
> Another identical machine, but with only 2 DIMM slots filled:
>
> spdmem0 at iic0 addr 0x50: 256MB SDRAM non-parity PC133CL2
> spdmem1 at iic0 addr 0x51: 256MB SDRAM non-parity PC133CL2
> spdmem2 at iic0 addr 0x55: 1GB DDR2 SDRAM PC2-6500CL5
>
> Being an ordinary user, I dunno what that means, but the boxes run fine.
>
> Cheers!
> --
> Craig Skinner | http://linkd.in/yGqkv7
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: network address in vm by kvm - default gw

2016-11-30 Thread Aaron Mason
man hostname.if

On Sun, Nov 27, 2016 at 5:22 PM, Max Power <open...@cpnetserver.net> wrote:
> Hi guys,
> Forgive me, but I am not very expert of OpenBSD.
> Guide, about Virtual Host, show examples for all
> Operating System but not for OpenBSD. Stupid OVH!
> This is the FreeBSD 8.0 way:
>
> Contents of the file : /etc/rc.conf
> ifconfig_em0="inet IP.FAIL.OVER netmask 255.255.255.255 broadcast
> IP.FAIL.OVER"
> static_routes="net1 net2"
> route_net1="-net GATEWAY_VM/32 IP.FAIL.OVER"
> route_net2="default GATEWAY_VM"
>
> I can not understand how/where to set the last 2 line 'route_netX'
> Please, can someone show me how to do in OpenBSD 6.0 adm64...?
>
> Thanks very much for reply.
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: alternative method for "gtar --delete"

2016-11-20 Thread Aaron Mason
Your best bet is to generate a list and use it to build your archive -
save a bit of effort and create your omit list:

# cd /site1/omit
# find . > /tmp/siteXX-omit.lst

Then use this list to filter out any unwanted files from /share and /append:

# cd /share
# find . | grep -v -f /tmp/siteXX-omit.lst | xargs tar -czpvf /site1/siteXX.tgz
# cd /append
# find . | grep -v -f /tmp/xiteXX-omit.lst | xargs tar -rzpvf /site1/siteXX.tgz

Then, for cleanliness' sake:

# rm /tmp/siteXX-omit.lst

Hope this helps

On Sat, Nov 19, 2016 at 3:44 AM, BSD <b...@cpscoatings.net> wrote:
> On Fri, 18 Nov 2016 14:07:45 +1100
> Aaron Mason <simplersolut...@gmail.com> wrote:
>
>> It's a bit long winded, but here's a possibility:
>>
>> # cd /
>> # tar zcpvf siteXX.tgz /share/* /siteX/*
>> 
>> # tar ztf siteXX.tgz | grep '^/share' | xargs rm -f
>>
>> Though I'm not entirely sure what you mean by "on a per site basis" in
>> this context, can you elaborate please, especially if the above
>> solution is not what you need.
>>
>> On Fri, Nov 18, 2016 at 10:20 AM, BSD <b...@cpscoatings.net> wrote:
>> > Does misc@ have an alternative method for "gtar --delete"?
>
> Sorry for any vagueness! I don't wish to delete any files from /share,
> but have a subset of /share in siteXX.tgz. Also should have mentioned
> that /share, /append, and /omit cannot be in the path because
> siteXX.tgz is plopped on / during an install.
>
> What I have so far is to first create an archive using files in /share.
>
> # cd /share
> # tar -cpvf /site1/siteXX.tgz *
> 
>
> Then I append to that archive using files in /site1/append.
>
> # cd /site1/append/
> # tar -rpvf /site1/siteXX.tgz *
> 
>
> Next is where I am stuck. Removing files from the archive that are
> FROM /share that are not wanted in /site1/siteXX.tgz. I planned to have
> an empty file of the same name in /site1/omit for each file to delete
> from the archive.
>
> # cd /site1/omit/
> # tar --delete /site1/siteXX.tgz *
>   
>   invalid flag
>
> Or perhaps I need to have a list of the files that gets appended and
> redacted before ever creating the archive.
>
> Hope this picture got clearer...
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: alternative method for "gtar --delete"

2016-11-17 Thread Aaron Mason
It's a bit long winded, but here's a possibility:

# cd /
# tar zcpvf siteXX.tgz /share/* /siteX/*

# tar ztf siteXX.tgz | grep '^/share' | xargs rm -f

Though I'm not entirely sure what you mean by "on a per site basis" in
this context, can you elaborate please, especially if the above
solution is not what you need.

On Fri, Nov 18, 2016 at 10:20 AM, BSD <b...@cpscoatings.net> wrote:
> Does misc@ have an alternative method for "gtar --delete"?
>
> I'm making siteXX.tgz's for multiple sites. There is a directory that
> is shared between all sites. Then, each site may have a directory of
> files to append to the archive.
>
> I'd also like to be able to remove files from the yet to be zipped
> archive that come from the shared directory on a per site basis. Just
> looking to stay within base if possible.
>
> Example files:
> /share/etc/pf.conf
> /share/etc/vi.exrc
> /share/usr/X11R6/lib/X11/fonts/TTF/Collection/...
> /site1/append/install.conf
> /site1/omit/X11R6/lib/X11/fonts/TTF/Collection/...
>
> Any advise in my methods or scheme in general would be appreciated!
>
> All the best,
>
> Keith Larsen
> CPS Coatings
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Is 6.1 expected to happen soon?

2016-11-03 Thread Aaron Mason
Aren't the snapshots running fairly well vetted code anyway - only
using code that's been accepted into the source tree?  Obviously not
as well vetted as the -STABLE and -RELEASE, of course.

On Fri, Nov 4, 2016 at 1:01 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> On Thu, Nov 03, 2016 at 01:56:09AM -0400, alexmcwhir...@triadic.us wrote:
>> I know, it'll happen when it happens...
>>
>> I have a few servers that could really use the updated SMP stuff that
>> -current has. For some applications it's a night and day difference, but I'm
>> not all to comfortable running -current on production machines. I'm just
>> trying to gauge whether or not i should hold out a bit longer or just bite
>> the bullet and test some snapshots. With 6.0 being released in September i
>> am not sure if i should expect 6.1 any time soon.
>
> For most of the project's history, it has followed the six month release cycle
> quite consistently, with some deviations when absolutely necessary (such as
> the events that lead to PF being written), but generally releases have been
> dated May 1st or November 1st.
>
> As far as I know no schedule has been published for upcoming releases, but I
> would speculate that the six month cycle is quite well embedded in the 
> developers'
> lives and will be the norm going forward.  That said, the ongoing SMP work is
> one of those things that could have tentacles that have to be dealt with 
> during
> a slightly longer timespan than the ordinary six month cycle.
>
> Do keep in mind that it's only early November - if the project had stuck to
> the ordinary release schedule, we would only have had 6.0-release since the 
> day
> before yesterday. Come May (or possibly earlier) we'll know for sure how 
> closely
> the 6.1 release will stick to the established schedule.
>
> In the meantime, there are worse things knowledgeable OpenBSD users can do 
> with
> their time than trying out snapshots to get the feel for how development is
> progressing.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Segmentation fault of X under 6.0

2016-10-25 Thread Aaron Mason
On Sun, Oct 23, 2016 at 8:10 PM, Federico Giannici <giann...@neomedia.it> wrote:
> Since I upgraded my PC to 6.0 (amd64) the X server has began to crash almost
> once a day, usually after a while of minutes (it's variable, usually around
> 30-60 minutes after the boot).
>
> Video card is an "ATI Radeon HD 4350". No custom X configuration file.
> Before the upgrade to 6.0 (from 5.9) it never crashed in many years of
> usage, so I don't thing it's an hardware issue.

Have you tried a clean install of 5.9 to verify that it still works
fine?  Was the move to 6.0 done via upgrade, and if so, have you tried
a clean install of 6.0?  Probably also try a clean install of -stable
for good measure.

>
> I upgraded the kernel to a standard 6.0-stable comprehensive of the "011:
> SECURITY FIX: October 4, 2016" patches of the X library, but nothing
> changed.
>
> Here you can find the complete Xorg log and the dmesg:
>
> http://www.neomedia.it/tmp/Xorg.0.log
> http://www.neomedia.it/tmp/dmesg
>
> Here are the last lines of the Xorg log:
>
> [   159.840] (II) RADEON(0): Modeline "1440x900"x0.0   88.75  1440 1488 1520
> 1600  900 903 909 926 +hsync -vsync (55.5 kHz e)
> [   159.840] (II) RADEON(0): Modeline "1600x900"x60.0  119.00  1600 1696
> 1864 2128  900 901 904 932 -hsync +vsync (55.9 kHz e)
> [   159.840] (II) RADEON(0): Modeline "1680x1050"x0.0  119.00  1680 1728
> 1760 1840  1050 1053 1059 1080 +hsync -vsync (64.7 kHz e)
> [  2039.854] (EE) Segmentation fault at address 0x1f8cf548b000
> [  2039.854] (EE)
> Fatal server error:
> [  2039.854] (EE) Caught signal 11 (Segmentation fault). Server aborting
> [  2039.854] (EE)
> [  2039.854] (EE)
> Please consult the The X.Org Foundation support
>  at http://wiki.x.org
>  for help.
> [  2039.854] (EE) Please also check the log file at "/var/log/Xorg.0.log"
> for additional information.
> [  2039.854] (EE)
> [  2039.854] (EE) ws: /dev/wsmouse: unknown command 4
> [  2039.854] (II) AIGLX: Suspending AIGLX clients for VT switch
> [  2039.854] (EE) Server terminated with error (1). Closing log file.
>
> Do you think that the "/dev/wsmouse: unknown command 4" is a consequence of
> the crash or it could be the cause?

At first I'd say consequence, but considering the fact that everything
appears to have happened all at once... without knowing more about X,
I couldn't say with any degree of confidence.

>
> Any suggestions?
>
> Thanks.
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-16 Thread Aaron Mason
There needs to be a new law like Godwin's Law that states that any
technical discussion will eventually and inevitably lead to
Hitchhiker's Guide references.

But to follow on from what Raul said, it may be impossible to make
your system 100% secure without violating part 15 of the FCC rules,
probably along with several other parts.

On Sun, Oct 16, 2016 at 8:32 AM,  <bytevolc...@safe-mail.net> wrote:
> On Fri, 14 Oct 2016 20:50:20 +0200
> "thrph.i...@gmail.com" <thrph.i...@gmail.com> wrote:
>
>> or this kind...
>>
>> " The only truly secure system is one that is powered off, cast in a
>> block of concrete and sealed in a lead-lined room with armed guards -
>> and even then I have my doubts. "
>>
>
> It needs to be stored under a filing cabinet in a disused lavatory with
> a sign on the door saying Beware of the Leopard.
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: New OpenSSL double-free and invalid free vulnerabilities in X509 parsing

2016-10-13 Thread Aaron Mason
If it was discovered before the LibreSSL fork, there's a good chance
it has been fixed, otherwise the move from non-standard malloc
functions has probably nipped this one in the bud.  That's my guess
based on what I know about LibreSSL.

On Fri, Oct 14, 2016 at 3:55 PM, Peter Janos <peterjan...@mail.com> wrote:
> Hello gods,
>
> http://seclists.org/fulldisclosure/2016/Oct/62
> ->
> https://github.com/guidovranken/openssl-x509-vulnerabilities
>
> a little bit old, but LibreSSL got this?
>
>
> The original X509_NAME decode free code was buggy: this
> could result in double free or leaks if a malloc failure
> occurred.
> Simplify and fix the logic.
> Thanks to Guido Vranken for reporting this issue.
> Reviewed-by: Matt Caswell <m...@openssl.org>
> (Merged from #1691)
>
> Thanks!
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: Fwd: Booting BSD on a Libreboot system - documentation needed

2016-10-05 Thread Aaron Mason
Holy frijole, just reading some of the responses from the some people
in GNU - I'm at the point where I'm not entirely convinced that GNU
isn't a cult, with Stallman as the high almighty leader.

On Wed, Oct 5, 2016 at 7:31 PM, Leah Rowe <i...@gluglug.org.uk> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Thanks.
>
> On 05/10/16 05:39, Scott Bonds wrote:
>> I've started a stab at it. My x200 is in pieces at the moment and I
>> want to retest my instructions before I submit a PR, so it may be a
>> couple weeks.
>>
>> On 10/05, Leah Rowe wrote:
>>>
>
> - --
> Leah Rowe
>
> Libreboot developer
>
> Use free software. Free as in freedom.
> https://en.wikipedia.org/wiki/Free_software
>
> Use a free operating system, GNU/Linux.
>
> Use a free BIOS.
> https://libreboot.org/
>
> Support computer user freedom.
> https://peers.community/
>
> Minifree Ltd, trading as Ministry of Freedom | Registered in England,
> No. 9361826 | VAT No. GB202190462
> Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
> Web: http://minifree.org/
> iQEcBAEBCAAGBQJX9LprAAoJEP9Ft0z50c+UUe4IAJmZ9w5nAQAuQRBF07+vSftI
> 9aW/gz/u0VRbbTbgJJAQYABtgmIOsGUWmV3eg2DvLYz/M5k7uGow4jNkr94e4gtc
> xxrjbsD1Vp5WlDF9MEBI9BFsWmY4ZGGT3wdG7/ioDzek1wKqVfRDgZsjnx5XBJz9
> IhG+BPme1+Z2CFTlml633HVEpT8dPqa2M8TqNozbZpCPLHnaaGAAoN41zgrlRTNN
> coeQyQwvVZvvvz1M6a3A1EGRtwwcaWW5bRQRR9HaESq9YkVkSMrPZh6LgElpp8ei
> l7FWuT6UG1Uq3N1zXfRCusSginE8UazKr0Q+V0XduNquVs3hqvA4Qv+7YfDVk18=
> =9M7A
> -END PGP SIGNATURE-
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Re: umb is cool

2016-10-05 Thread Aaron Mason
Oh yes.  Direct IP is awesome.

On Wed, Oct 5, 2016 at 3:36 PM, Scott Bonds <sc...@ggr.com> wrote:
> I've got a WWAN card that required a bunch of fiddling with pppd under 5.9
> to get online. I upgraded to 6.0 and my pppd dialup script stopped working.
> I soon discovered I had a new NIC: umb0. A man page read and an ifconfig
> command later, I've got a working WWAN-based connection to the internet.
> Piece of cake.
>
> I really like being able to connect with a simple ifconfig command instead
> of all that pppd config I had before. If you're in the market for a WWAN
> card for your OpenBSD box and you have a BIOS that doesn't get in the way of
> using the hardware of your choice, you might want to consider the list of
> devices on the umb man page.
>



-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



  1   2   3   >