Re: relayd, rsae_send_imsg: privenc poll timeout

2021-09-28 Thread Allan Streib
On Thu, Sep 16, 2021, at 6:43 PM, Allan Streib wrote:
> On Tue, Sep 14, 2021, at 5:09 PM, Allan Streib wrote:
> > Seen a few of these in my logs (OpenBSD 6.9 release amd64)
> > 
> > Sep 14 02:12:05  relayd[78491]: rsae_send_imsg: privenc poll timeout, keyop #946
> > Sep 14 02:12:06  relayd[78491]: relay_dispatch_ca: privenc result after timeout
> > 
> > The number after "keyop" varies.
> 
> Seeing a few more of these, the system is lightly loaded but it's a hosted 
> KVM "slice"
> so perhaps the host system is oversubscribed?

Just to close loop, hosting provider found that host machine was overheating.

Moved VM to another host machine and have not seen any repeat of this problem.

Allan



Re: relayd, rsae_send_imsg: privenc poll timeout

2021-09-16 Thread Allan Streib
On Tue, Sep 14, 2021, at 5:09 PM, Allan Streib wrote:
> Seen a few of these in my logs (OpenBSD 6.9 release amd64)
> 
> Sep 14 02:12:05  relayd[78491]: rsae_send_imsg: privenc poll timeout, keyop #946
> Sep 14 02:12:06  relayd[78491]: relay_dispatch_ca: privenc result after timeout
> 
> The number after "keyop" varies.

Seeing a few more of these, the system is lightly loaded but it's a hosted KVM 
"slice"
so perhaps the host system is oversubscribed?

The browser (Firefox 88) gives the message:

Secure Connection Failed

An error occurred during a connection to www..com. Peer reports it
experienced an internal error.

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

The page you are trying to view cannot be shown because the authenticity of
the received data could not be verified.  Please contact the website owners
to inform them of this problem.

I thought about trying to increase RELAY_TLS_PRIV_TIMEOUT but it looks like 
that value has been unchanged for years so maybe not a good idea?

Allan



relayd, rsae_send_imsg: privenc poll timeout

2021-09-14 Thread Allan Streib
Seen a few of these in my logs (OpenBSD 6.9 release amd64)

Sep 14 02:12:05  relayd[78491]: rsae_send_imsg: privenc poll timeout, keyop #946
Sep 14 02:12:06  relayd[78491]: relay_dispatch_ca: privenc result after timeout

The number after "keyop" varies.

Seems to correlate with TLS errors in the browser but have not found a way to 
reliably reproduce. So far, reloading the page has always worked.

What does this indicate?


My (slightly redacted) relayd.conf:

# $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
#
# Macros
#
ext_addr="xxx.xxx.250.60"

#
# Global Options
#
# interval 10
# timeout 1000
# prefork 5

#
# Tables
#
table <nitrogen> { 127.0.0.1 }

#
# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
#
http protocol https {
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"

# HTTP options
http { websockets }

# Various TCP options
tcp { sack, backlog 128 }

tls { keypair www..com }
}

relay wwwtls {
listen on $ext_addr port 443 tls
protocol https

# Forward to hosts in the nitrogen table
forward to <nitrogen> port 8000 check http "/" code 200
}



Re: pf rules after crash

2021-07-10 Thread Allan Streib
On Sat, Jul 10, 2021, at 11:30 AM, Stuart Henderson wrote:
> On 2021-07-10, Peter Nicolai Mathias Hansteen  wrote:
> > For whatever reason your pf.conf did not parse to a valid config, so rc’s 
> > own default rules were kept in place.
> 
> Yep. dmesg -s might give a clue.

Thank you both, I suspected it might be default startup rules but I didn't know 
they were in /etc/rc.

Since I've rebooted again since the crash I don't think dmesg -s is helpful 
now, but there are other indicators in /var/log/messages that something wasn't 
right:

...
Jul  9 17:13:58 ** ntpd[24315]: constraints configured but none available
Jul  9 17:14:14 ** ntpd[24954]: no reply received in time, skipping initial time setting
Jul  9 17:14:14 ** savecore: no core dump
Jul  9 17:14:24 ** reorder_kernel: kernel relinking done
Jul  9 17:28:58 ** ntpd[24315]: constraints configured but none available
Jul  9 17:43:58 ** ntpd[24315]: constraints configured but none available
Jul  9 17:58:58 ** ntpd[24315]: constraints configured but none available
...

For now I'll chalk it up to an issue with the KVM host (I have a ticket open 
with the hosting provider asking about the event, since both my VMs on that 
node crashed at the same time).

If it happens again I will try dmesg -s.

Allan


pf rules after crash

2021-07-09 Thread Allan Streib
Hi,

I have a KVM host running OpenBSD 6.9 for a few days. It crashed today for some 
reason, and when I logged in and realized the uptime had changed, I checked the 
pf rules out of curiosity since I have been experimenting with pf. These rules 
are very different from what is in /etc/pf.conf.

# pfctl -s rules
block drop all
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)

# cat /etc/pf.conf
#   $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
table  persist
set skip on lo
block in quick from 
block return    # block stateless traffic
pass out quick inet
pass in quick on egress proto tcp from any to any port { www, https }
pass in on egress proto tcp to vio0 port ssh keep state \
(max-src-conn-rate 3/10, overload  flush)

I reloaded my rules (pfctl -f /etc/pf.conf) which worked, and then rebooted and 
checked (pfctl -s rules) which now matched the rules in /etc/pf.conf.

What could explain this?

Thanks,

Allan


#dmesg
OpenBSD 6.9 (GENERIC) #4: Mon Jun  7 08:20:14 MDT 2021
r...@syspatch-69-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1056817152 (1007MB)
avail mem = 1009557504 (962MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf58f0 (9 entries)
bios0: vendor SeaBIOS version "1.12.0-1" date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Ryzen 9 3900X 12-Core Processor, 3793.36 MHz, 17-71-00
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,CPCTR,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,SHA,UMIP,SSBD,IBPB,SSBD,XSAVEOPT,XSAVEC,XGETBV1
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1000MHz
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpihpet0 at acpi0: 100000000 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
acpicpu0 at acpi0: C1(@1 halt!)
pvbus0 at mainbus0: KVM
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  removable
cd0(pciide0:1:1): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 00:16:72:0e:be:c6
virtio0: msix shared
virtio1 at pci0 dev 4 function 0 "Qumranet Virtio Network" rev 0x00
vio1 at virtio1: address 00:16:e8:45:ed:a4
virtio1: msix shared
virtio2 at pci0 dev 5 function 0 "Qumranet Virtio SCSI" rev 0x00
vioscsi0 at virtio2: qsize 128
scsibus2 at vioscsi0: 255 targets
virtio2: msix shared

Re: altroot weekly.local

2021-06-23 Thread Allan Streib
Stuart Henderson  writes:

> I would prefer to use almost anything else though and get versioned
> backups. Probably my most used backup/restore action is to get back a
> version of some file from yesterday so something that will only write
> the changes is useful. I quite like borg for this but there are many
> options.

I use a slightly modified version of the script here to have a 7-day
versioned backup of important files.

https://lika.be/wp/2011/06/incremental-backup-script-with-daily-delta/

You can find it in various other sites, original credit seems to be
tri...@linuxcare.com

I've tried duplicity and one or two other more sophisticated backup
tools. I like this because it uses only one very standard utility,
rsync, and I find it easy to reason about and (importantly) easy to
restore from.

Allan



Re: unhibernate failed: original kernel changed

2021-06-11 Thread Allan Streib
Mike Larkin  writes:

> This is happening because you changed the kernel on your machine after
> you booted, then did a hibernate. The new kernel no longer matches the
> kernel loaded in memory. The kernels have to be identical. We do a few
> checks to ensure this is the case, and that's the check you're seeing.

So then is it correct to say that if I run syspatch(8), and get the
advisory message to reboot, I should be sure to do that before
hibernating?

And if I don't, my recovery would be a cold boot and abandoning my
hibernated state?

Allan



Re: MANPAGER

2021-05-29 Thread Allan Streib
Heinrich Rebehn  writes:

> I noticed that OpenBSD 6.8 switched to using less(1) for the
> manager. While this seems to offer many new useful options, I really
> dislike the clrscreen upon exit.

Have a look at -X argument to less(1):

     -X | --no-init
             Disables sending the termcap initialization and
             deinitialization strings to the terminal. This is
             sometimes desirable if the deinitialization string
             does something unnecessary, like clearing the screen.

Allan



Re: Backup OBSD router at 6.7, anyway to upgrade it to 6.9???

2021-05-17 Thread Allan Streib
Jay Hart  writes:

> I lost internet access today for 4 hours due to a network problem.  Trying to 
> troubleshoot the problem I ended up placing my backup router
> in service.
>
> It's still at 6.7, is there any way I can update it to 6.9 without doing a full 
> re-install, or has the only train left the station?

Any reason you don't want to go 6.7 -> 6.8 -> 6.9?

I went from 6.5 to 6.8 that way for one machine. You do have to review
the upgrade guides for any breaking changes though.

Allan



Re: sane-backends permission problems

2021-05-17 Thread Allan Streib
Predrag Punosevac  writes:

> predrag@oko$ scanimage -L
>
> No scanners were identified. If you were expecting something different,
> check that the scanner is plugged in, turned on and detected by the
> sane-find-scanner tool (if appropriate). Please read the documentation
> which came with this software (README, FAQ, manpages).

Had the same problem today. sane-find-scanner returned...

found USB scanner (vendor=0x04a9 [Canon], product=0x2206 [CanoScan], chip=LM9832/3) at libusb:002:002

...but scanimage -L found no scanners. This scanner uses the
sane-plustek backend, so I added my user to the _saned group, and I had
changed the ownership on (in my case) /dev/ugen0.* and /dev/usb2 per the
sane-backends pkg-readme. Something else was wrong.

Running the scanimage program under ktrace revealed:

  98418 scanimage NAMI  "/var/spool/lock/LCK..libusb:002:002"
  98418 scanimage RET   open -1 errno 13 Permission denied

Looking at /var/spool/lock, it appears that this lockfile should be
created in the sane/ subdirectory instead?

$ ls -l /var/spool/lock/
total 4
drwxrwxr-x  2 root  _saned  512 May 17 16:12 sane

I don't see anything in /etc/sane.d/plustek.conf that implies that I can
change the lockfile location, so not sure how to correct this?

Allan



Re: .profile not being loaded (ksh) when opening shell in X

2021-04-28 Thread Allan Streib
Leon Fischer  writes:

> If you run xrdb(1) then ~/.Xdefaults won't be evaluated.

Well that's interesting and good to know, thanks! That doesn't seem
obvious from looking at mentions of "Xdefaults" in either the X(7) or
xrdb(1) man pages, unless it's implied in this from xrdb(1):

Xrdb does not load any files on its own, but many desktop environments
use xrdb to load ~/.Xresources files on session startup to initialize
the resource database, as a generalized replacement for ~/.Xdefaults
   ^

Allan



Re: .profile not being loaded (ksh) when opening shell in X

2021-04-27 Thread Allan Streib
Stuart Henderson  writes:

> Seems that your terminal in X is not configured to run a login shell.
> By default that is done for xterm via .Xdefaults in a new user's profile
> directory (copied from /etc/skel) but if you use a different terminal
> or have modified these files, that won't be used.

With the caveat that I have not perused all possibly relevant configs on
my system, my install is fairly standard and my ~/.Xdefaults file has:

! $OpenBSD: dot.Xdefaults,v 1.3 2014/07/10 10:22:59 jasper Exp $
XTerm*loginShell:true

Yet if I run an xterm from my window manager (awesome) it does not read
my ~/.profile. I worked around this by using the '-ls' argument to
xterm, but maybe that's hiding the real reason this is happening. I have
not tried any other window managers. For good measure, here is my
~/.xsession:

xrdb -merge ~/.Xresources
xset +fp /usr/local/share/fonts/Liberation,/usr/local/share/fonts/ghostscript,/usr/local/share/fonts/cantarell,/usr/local/share/fonts/noto
autocutsel -fork &
autocutsel -selection PRIMARY -fork &
xset mouse 4/1 4
xset r rate 200 50
exec awesome

Allan



Re: .profile not being loaded (ksh) when opening shell in X

2021-04-26 Thread Allan Streib
"tetrahe...@danwin1210.me"  writes:

> It looks like the custom $PATH is not being passed from the login shell
> on downwards, since ~/.profile is only read by a login shell.

I just was looking into the same thing last night. The ksh shell in the
xterm didn't seem to be processing my .profile. Adding the '-ls'
argument to the xterm command resolved that.

   -ls This option indicates that the shell that is started in the
   xterm window will be a login shell (i.e., the first character
   of argv[0] will be a dash, indicating to the shell that it
   should read the user's .login or .profile).

Allan



Re: pf faq for openBSD 5.9

2021-02-17 Thread Allan Streib
"Francisco Valladolid H."  writes:

> I'm searching the PF FAQ for OpenBSD 5.9 in the history docs without
> success.

Did you try archive.org?

https://web.archive.org/web/20160430175649/https://www.openbsd.org/faq/pf/index.html

Allan



Re: How to request a specific IP address from DHCP server

2021-01-19 Thread Allan Streib
Radek  writes:

> I don't have an access to the DHCP server side. That's the problem and
> I'm trying to find a way to have the same IP address at any time. The
> client is permanently connected to the network.

Can you configure a permanent IP address in the client configuration
(hostname.if file) that is outside the range that DHCP allocates, but
still on the same network?

Allan



Re: Dissing Misks

2020-12-22 Thread Allan Streib
Duncan Patton a Campbell  writes:

> fdisk seems unwilling to allow more than 2T in the partition:

Look at the b command for disklabel(8) to set the OpenBSD disk
boundaries.

Allan



Re: Content-Security-Policy makes page render differently

2020-12-18 Thread Allan Streib
Paul Pace  writes:

> When I load a page from OpenBSD served with relayd and httpd with 
> Content-Security-Policy set to default-src self, I can see that a basic 
> HTML page that normally renders with all of the text in the center is 
> now rendered on the left.

When you enable content security policy, it will block inline styles.

You would need to look at the headers to see what the ubuntu/nginx setup
is adding to allow them.

https://content-security-policy.com/examples/allow-inline-style/

Allan



Re: CIDR vs aliases with ifconfig/hostname.if

2020-12-03 Thread Allan Streib
Chris Bennett  writes:

> So, what happens with 104.149.1.112? Does anybody get to actually use
> it? Or is it just a placeholder?

Here is my understanding. View the address 104.149.1.112 in binary
format:

01101000.10010101.00000001.01110000

The /28 netmask is:

11111111.11111111.11111111.11110000

So in this case the "host" part is the last four bits. That gives you 16
addresses possible. When the host bits are all zero, that is the network
address. It's the "network" without any specific host. It's used in
routing tables (maybe other things?).

When the host bits are all ones, that's the broadcast address. It refers
to all hosts on the network.

Hosts can use any address between these two. So the /28 network has 14
hosts. The first or last host address is typically the gateway but as
far as I know that's just convention.

Allan



Re: CIDR vs aliases with ifconfig/hostname.if

2020-12-02 Thread Allan Streib
Mike Coddington  writes:

> There was a useful tool that someone posted on misc a while back called
> netcalc. I think this is its website:
> https://jamsek.dev/posts/2019/Sep/21/ipv4-and-ipv6-cidr-subnet-calculator/
> Check it out if you want to get a better grasp on CIDR notation.

There is also ipcalc in packages and that is one I use frequently,
though it's only for IPv4.

$ ipcalc 104.149.1.112/28
address   : 104.149.1.112
netmask   : 255.255.255.240 (0xfffffff0)
network   : 104.149.1.112   /28
broadcast : 104.149.1.127
host min  : 104.149.1.113
host max  : 104.149.1.126

Allan
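The /28 walk-through from the two posts above, done in code as an added example (not code from the thread): it renders the address in the binary form the first post uses and derives netmask, network, broadcast and host range the way ipcalc prints them. It goes one step beyond the posts by handling /31 and /32, where the all-zeros/all-ones rule does not apply.

```python
"""CIDR arithmetic done by hand, as the misc@ posts above describe.

Added example, not code from the thread. The address is held as a 32-bit
integer; the netmask is `prefix` leading ones, the network is the address
with the host bits cleared, the broadcast is the network with the host bits
set, and hosts may use everything in between. /31 (RFC 3021 point-to-point)
and /32 (single host) have no separate network/broadcast addresses.
"""
from __future__ import annotations

from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def parse_ipv4(text: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting anything malformed."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet {part!r} in {text!r}")
        value = (value << 8) | int(part)
    return value


def dotted_decimal(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_binary(value: int) -> str:
    """The 'view the address in binary format' form used in the post."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


@dataclass(frozen=True)
class Subnet:
    address: int
    prefix: int

    @classmethod
    def parse(cls, cidr: str) -> "Subnet":
        addr_text, _, prefix_text = cidr.partition("/")
        if not prefix_text.isdigit() or not 0 <= int(prefix_text) <= 32:
            raise ValueError(f"bad prefix length in {cidr!r}")
        return cls(parse_ipv4(addr_text), int(prefix_text))

    @property
    def netmask(self) -> int:
        # `prefix` leading ones followed by (32 - prefix) zeros
        return (ALL_ONES << (32 - self.prefix)) & ALL_ONES

    @property
    def network(self) -> int:
        # host bits all zero: "the network without any specific host"
        return self.address & self.netmask

    @property
    def broadcast(self) -> int:
        # host bits all ones: "refers to all hosts on the network"
        return self.network | (~self.netmask & ALL_ONES)

    @property
    def host_range(self) -> tuple[int, int]:
        """First and last address a host may use.

        A /32 is one host and a /31 uses both of its addresses (RFC 3021),
        so the network/broadcast reservations only exist up to /30.
        """
        if self.prefix == 32:
            return self.address, self.address
        if self.prefix == 31:
            return self.network, self.broadcast
        return self.network + 1, self.broadcast - 1

    @property
    def usable_hosts(self) -> int:
        lo, hi = self.host_range
        return hi - lo + 1

    def report(self) -> dict[str, str]:
        """The fields ipcalc prints in the post, as dotted-decimal strings."""
        lo, hi = self.host_range
        return {
            "address": dotted_decimal(self.address),
            "netmask": f"{dotted_decimal(self.netmask)} (0x{self.netmask:08x})",
            "network": f"{dotted_decimal(self.network)} /{self.prefix}",
            "broadcast": dotted_decimal(self.broadcast),
            "host min": dotted_decimal(lo),
            "host max": dotted_decimal(hi),
        }


if __name__ == "__main__":
    net = Subnet.parse("104.149.1.112/28")
    print("address   :", dotted_binary(net.address))
    print("netmask   :", dotted_binary(net.netmask))
    for key, val in net.report().items():
        print(f"{key:<10}: {val}")
    print("usable hosts:", net.usable_hosts)
```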



Re: OpenSMTPD and ldap+tls

2020-12-01 Thread Allan Streib
Родин Максим  writes:

> If I change url to ldaps://ldap1.mydomain.ru
> or to ldap+tls://ldap1.mydomain.ru
> then smtpd -dv shows:
> """
> _
> vdomains[50952]: warn: ldap_parse_url fail
> vdomains[50952]: warn: ldap_connect error
> vdomains[50952]: fatal: failed to connect
> """
> _
>

This doesn't directly address your question but might be an alternate
way to achieve what you are wanting. I've used spiped from packages when
I needed a secure pipe between hosts and could not use TLS for some
reason. It's similar in concept to setting up an SSH tunnel but uses a
pre-shared symmetric key. In my experience it is more reliable than an
long-running SSH connection.

Allan



Re: Set environment variable for non-interactive shell

2020-11-06 Thread Allan Streib
Kirill Peskov  writes:

> I'm currently trying to figure out, how to set global environment
> variable, valid for multiple users including root, so Ansible will be
> able to accept it as "fact" for both root and non-root users. I've
> already tried to play with .cshrc files and /etc/rc.local, nothing
> worked so far, looks like I'm missing something important.

You might want to look at configuring Ansible instead. Maybe override
its notion of the shell (ansible_env.SHELL) with a value such as
"/bin/ksh -l" to force ksh to source the /etc/profile and ~/.profile
files.

Or maybe create a login class for your ansible users and set the
environment variables in /etc/login.conf.

Also, assuming ansible is connecting via ssh, maybe set your variables
in ~/.ssh/environment. That's per-user though, and the man page does not
mention a global equivalent such as /etc/ssh/environment

None of these tested, just some ideas.

Allan



Re: Multiple USB NICs

2020-10-19 Thread Allan Streib
Lee Nelson  writes:

> I had considered some late-running script that would query the MAC's of 
> each NIC and then configure them accordingly or rewrite the hostname.* 
> files and call netstart on them, but that just seems sloppy and 
> unreliable.

What about DHCP? It supports MAC-specific configurations.

Allan



Re: libressl handling of expired CA certificate

2020-06-01 Thread Allan Streib
Stuart Henderson  writes:

> The same happens with 6.7 and -current.
>
> Hopefully this will be improved in libressl, but libressl clients
> aren't the only ones who will have problems with this - if you're in
> contact with the server admins I would recommend they remove the
> expired cert from their set of intermediates - it is doing nothing
> useful any more.

Thanks for the reply, I will pass it along.

Allan



libressl handling of expired CA certificate

2020-06-01 Thread Allan Streib
I ran into a problem today due to the expiration of the AddTrust
External CA Root. This prevented my OpenBSD 6.6 smtpd from sending email
through my campus mail-relay host.

I was referred to a web page[1] that describes the issue. It claims that
some OpenSSL clients do not properly follow trust chains. Specifically:

    "Client software that use OpenSSL libraries prior to version 1.1.1
    for certificate path validation appear to always validate the full
    Trust Chain A sent from the server even though modern roots were
    configured to validate Trust Chain B."

I found that if I edit my /etc/ssl/cert.pem and remove the expired
AddTrust certificate then everything validates correctly.

Below are two openssl s_client transcripts. First with the original
cert.pem (Verify return code: 10 (certificate has expired)) and second
after I edited cert.pem to remove AddTrust (Verify return code: 0 (ok)).

So, I thought perhaps the issue described was also present in LibreSSL
(on my 6.6 system this is LibreSSL 3.0.2). Although removing the expired
certificate is easy, it doesn't seem to me that it should be
necessary. If LibreSSL is behaving as intended here, please let me know.

Will try to get a 6.7 system set up soon to test it there also.

[1] https://www.cmu.edu/iso/service/cert-auth/addtrust.html


$ openssl s_client -connect 129.79.1.38:587 -showcerts -starttls smtp
CONNECTED(00000003)
depth=1 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
depth=1 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
---
Certificate chain
 0 s:/C=US/postalCode=47405/ST=Indiana/L=Bloomington/street=107 South Indiana Ave/O=Indiana University-Bloomington/OU=UITS/CN=mail-relay.iu.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority

Re: installation hangs/crashes on 2007 iMac

2020-04-29 Thread Allan Streib
(To misc@ readers, this reply includes an earlier reply from me that
inadvertently wasn't copied to the list).

Allan Streib  writes:

> multifred  writes:
>
>> To boot OpenBSD you have to use the internal SATA or ATA devices.
>
> Thanks, I will try that. Was about to report that a 6.7 snapshot (with
> bootx64 3.50) also didn't work (at least when booting from USB flash
> drive).

Yes, using the install67.iso worked. Thanks again! I wasn't on a
network; the built-in wifi was not recognized, but the install went
normally otherwise. I'll plug in an ethernet cable later and try running
the fw_update.

>> EFI-Booting (32-bit on my setup) works fine. To speed up boot time
>> after the installation of OpenBSD, use the Mac-proprietary bless(1)
>> command [2] once (by booting some MacOS or MacOS installation
>> medium). It writes your preferred boot volume into NV-RAM, thus skips
>> the boot volume search (grey boot screen after turning the machine on)
>> and continues booting OpenBSD immediately.
>
> Is bless required even if there is only one bootable volume? I don't
> have any need for MacOS on this machine.

As you indicated, there's a delay (perhaps 30 seconds), but with only
OpenBSD on the disk it does eventually boot up on its own without being
"blessed." I can live with that.

Allan



installation hangs/crashes on 2007 iMac

2020-04-28 Thread Allan Streib
With extra time while in quarantine I idly tried to install 6.6 on an
older iMac[1] I have.

Using install66.fs on a USB flash drive, when starting (holding ALT key)
it was offered as a boot disk choice.

It reaches the boot> prompt, then reaches the "entry point at..." and
crashes (machine restarts) after a few seconds with no further messages
on screen (transcript below)

If I enter "boot -c" at the boot> prompt, the machine never restarts but
hangs indefinitely at the same point.

I found a post[2] on r/openbsd that seemed sorta similar, and claimed to
be resolved by installing 6.4, then upgrading from there but keeping the
bootx64.efi from the 6.4 release. However on my machine the 6.4
installation had the same behavior. I didn't try anything older.
 
Is this machine known to work/not work or can I provide any more
info to debugging?

probing: pc0 mem[572K 64K 3046M 40K 16K 56K 288K 4M 316K 16K 48K 32K 1M 196K 32K 4M 5M 3M 148K 40K 1024M]
disk: hd0 hd1* hd2*
>> OpenBSD/amd64 BOOTX64 3.46
boot> boot -c
cannot open hd0a:/etc/random.seed: No such file or directory
booting hd0a:/6.6/amd64/bsd.rd: 3732172+1537024+3885432+0+598016 [376562+128+455544+303577]=0xa648d0
entry point at 0x1001000

(hangs here, or restarts machine after a few seconds if not "boot -c")

Regards,

Allan

Footnotes: 
[1] https://everymac.com/systems/apple/imac/specs/imac-core-2-duo-2.0-20-inch-aluminum-specs.html

[2] https://www.reddit.com/r/openbsd/comments/eggg4m/64_works_perfectly_but_6566_bsd_kernel_frozen_on/



Re: dynamic dns updates for clients in my home network?

2020-04-25 Thread Allan Streib
bofh  writes:

> Hi,
> I searched through the archives and saw a couple of discussions about
> using Dnsmasq from a long time ago.
>
> Is that the best way to let the stuff in my home to have valid dns
> entries in my home network?

I've not worked with dnsmasq so can't comment on it.

> How difficult is it to get the OpenBSD provided dhcpd and unbound to
> do this?

It's been a few years and it's not something I go back to often, but I
did not find it difficult to configure dhcpd and unbound for this
scenario. I basically set up dhcpd.conf with static addresses for the
devices that would get local dns names, and a local-zone, local-data,
and local-data-ptr records for these in unbound.conf. Also configure
interface and access-control for your local network, and forward-zone to
send everything else to your ISP's DNS, Google, or whatever.

If you've never done it before, as I hadn't, do study the man pages. My
advice is to keep configurations as minimal/simple or as close to
default as possible until you understand what's going on. I found
https://dnswatch.com/dns-docs/UNBOUND/ helpful for additional reading
also, but with any blog posts be sure to crosscheck the current man
pages as blogs tend to go stale over time.

Allan
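A minimal dhcpd.conf and unbound.conf pair along the lines the post describes, added here as an example (not the poster's own configuration). The 192.168.1.0/24 network, the 192.168.1.1 resolver address, the home.lan zone, the host names, the MAC addresses (from the RFC 7042 documentation range) and the 192.0.2.53 upstream are all constructed placeholders.

```conf
# /etc/dhcpd.conf (constructed example): the devices that get local names
# receive fixed addresses, so the unbound data below never goes stale.
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;   # this box, running unbound
    option domain-name "home.lan";
    range 192.168.1.100 192.168.1.199;         # dynamic pool, outside the fixed ones

    host printer {
        hardware ethernet 00:00:5e:00:53:01;   # placeholder MAC
        fixed-address 192.168.1.10;
    }
    host nas {
        hardware ethernet 00:00:5e:00:53:02;   # placeholder MAC
        fixed-address 192.168.1.11;
    }
}

# /var/unbound/etc/unbound.conf (constructed example)
server:
    interface: 127.0.0.1
    interface: 192.168.1.1
    # answer only localhost and the LAN; everything else is refused
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # names for the fixed-address hosts above; "static" makes unbound return
    # NXDOMAIN for other names under home.lan instead of forwarding them
    local-zone: "home.lan." static
    local-data: "printer.home.lan. IN A 192.168.1.10"
    local-data: "nas.home.lan. IN A 192.168.1.11"
    # reverse records, so logs and reverse lookups show names as well
    local-data-ptr: "192.168.1.10 printer.home.lan"
    local-data-ptr: "192.168.1.11 nas.home.lan"

# everything that is not home.lan goes to the upstream resolver
forward-zone:
    name: "."
    forward-addr: 192.0.2.53   # placeholder: your ISP's resolver or another
```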




Re: More than 16 partitions

2020-04-24 Thread Allan Streib
Theo de Raadt  writes:

> Reality hasn't changed.  A sector is still 512 bytes, and
> disklabel has to fit in it.

OK.

Allan



Re: More than 16 partitions

2020-04-24 Thread Allan Streib
Theo de Raadt  writes:

> OpenBSD has apparently become popular amongst people who can't think
> and connect "real world constraints" and "reality" with "no alternative
> decision was possible".   This is very common amongst people who won't
> lift their finger.

I'm not the one complaining about the 16 partition limit, and I'm not
asking for anything to change. I've only said I think it's something
that is the way it is because of the design decisions made on the basis
of "reality" at the time, and which probably didn't contemplate the day
when everyone would have multi-terabyte hard drives and that people
might want more than 16 partitions. I stand corrected on that
speculation if I'm wrong.

Allan



Re: More than 16 partitions

2020-04-24 Thread Allan Streib
Theo de Raadt  writes:

> Allan Streib  wrote:
>
>> Seems like one of those numbers that was chosen long ago, when disks
>> had orders of magnitude less storage capacity they have now, and 16
>> partitions really would have been more than enough.
>
> the word "chosen" makes it seem like such an arbitrary decision.

No, didn't mean to imply arbitrary or ill-considered, more that
someone(s) decided that to be an adequate number, considering various
requirements and constraints. At the time, that would probably not have
included the common availability of multi-terabyte drives. Obviously I
wasn't there.

Allan



Re: More than 16 partitions

2020-04-24 Thread Allan Streib
Ingo Schwarze  writes:

> The limitation to 16 partitions definitely feels painful to me.

Well, one pragmatic solution is to add another disk -- 16 more
partitions. Not always possible, granted.

Seems like one of those numbers that was chosen long ago, when disks
had orders of magnitude less storage capacity they have now, and 16
partitions really would have been more than enough.

Allan



Re: More than 16 partitions

2020-04-23 Thread Allan Streib
> So, can I setup  openBSD labels on x86_64 without legacy/GPT partition first ?

IIRC yes you can, as long as you don't need to boot from that disk.

Allan



Re: ATI Mobility 1 support on Dell Latitude L400

2020-04-19 Thread Allan Streib
Paolo Aglialoro  writes:

> Btw, does "rcctl enable xenodm" also allow running programs remotely
> with ssh -X|Y u...@obsd.box, or is there something more to do?

Yes, in my experience I use it with -Y.

Allan



Re: ATI Mobility 1 support on Dell Latitude L400

2020-04-17 Thread Allan Streib
Paolo Aglialoro  writes:

> considering that 6.6 nuked X for my T23 as mentioned in previous recent
> post, I decided to refresh my old Dell L400, which was lagging behind at
> 6.2, with a fresh 6.6 install.
>
> Unfortunately X crashes. The first error in the log file was about setting
> machdep.allowaperture=1 and rebooting (I always used 2 before). After
> changing its value in sysctl.conf to 1, this is the new error in the log
> file:

Are you using xenodm instead of startx? Beginning in 6.5, "Xorg(1), the
X window server, is no longer installed setuid. xenodm(1) should be used
to start X."

https://www.openbsd.org/65.html



Re: Reduce attack surface - Tomcat and guacamole...

2020-04-14 Thread Allan Streib
If you want it available only to remote hosts with an ssh session, why
not tunnel the tomcat port over the ssh connection?

Steve Williams  writes:

> Hi,
>
> For an R project, I am trying to get guacamole working to be able to 
> access systems on my home network remotely.
>
> Guacamole (I believe) needs to run under something like tomcat to serve 
> up the java war file & application.
>
> I really don't want to have Tomcat exposed to the Internet without some 
> kind of authentication in front of it.
>
> I was thinking of running Tomcat bound to localhost and using pf to 
> redirect to it, but that doesn't add any security.
>
> So, I was thinking of using some form of authpf to open up pf rules when 
> I needed to access systems remotely.
>
> But, I don't want to open up Tomcat to the world when I'm using 
> guacamole, so is it possible to have authpf tweak pf rules so that the 
> originating IP address of the ssh session would be the only one that 
> could access Tomcat?
>
> Is there something better that could be done?
>
> I was thinking even httpd in front of tomcat with httpd authentication, 
> but that doesn't seem to make sense to me at a high level.
>
> I was looking at relayd but it doesn't seem to have any authentication 
> mechanism built in.
>
> Does anyone have some inspiration on how to provide a level of security 
> before packets even hit Tomcat?
>
> Thanks,
> Steve Williams
>
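
Editor's added example (not from the thread or any of its posters), as a shell script: before anyone relies on the ssh tunnel suggested above, it checks against constructed netstat(1) -an output in OpenBSD's "address.port" layout that the service is listening on loopback only, and then prints the tunnel command. Port 8080 for Tomcat, the address 192.0.2.10 and the host name home-gw are assumptions.

```shell
#!/bin/sh
# Editor's added example, not from the thread: check that a service meant to
# be reached only through an ssh tunnel is bound to loopback, then print the
# tunnel command. The netstat lines are constructed in OpenBSD netstat(1) -an
# layout ("address.port", "*" for any); port 8080 for Tomcat, 192.0.2.10 and
# the host name "home-gw" are assumptions.

# Constructed sample of `netstat -an -f inet` output.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.8080         *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  192.0.2.10.8443        *.*                    LISTEN
EOF
}

# listeners PORT: local address of every TCP socket listening on PORT
listeners() {
    sample_netstat | awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ".")          # the last dotted field is the port
            if (a[n] == port) print $4
        }'
}

# exposed PORT: listeners on PORT that are not bound to a loopback address.
# Exit 0 when there are none (the tunnel is the only way in), 1 otherwise.
exposed() {
    listeners "$1" | awk '
        {
            n = split($0, a, ".")
            addr = substr($0, 1, length($0) - length(a[n]) - 1)
            if (addr !~ /^127\./ && addr != "::1") { print; found = 1 }
        }
        END { if (found) exit 1 }'
}

# tunnel_cmd LOCALPORT REMOTEPORT HOST: ssh(1) invocation that forwards a
# loopback port here to the loopback listener on HOST. -N runs no remote
# command; binding the local end to 127.0.0.1 keeps the tunnel itself off
# the client-side network.
tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s\n' "$1" "$2" "$3"
}

if exposed 8080 >/dev/null; then
    echo "tomcat on 8080 is loopback-only; reach it with:"
    tunnel_cmd 8080 8080 home-gw
else
    echo "tomcat on 8080 is reachable from the network; fix its bind address first"
fi
```

Run against a real box by replacing sample_netstat with `netstat -an -f inet`; the point of the check is that a loopback-only bind, not the tunnel, is what keeps Tomcat off the network.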



Re: Iridium vs Chromium

2020-04-12 Thread Allan Streib
Patrick Harper  writes:

> My understanding of -current is that it is meant for testing, not usage.

Not strictly true. Depends on your needs, and tolerance for things not
always working perfectly.

Allan



Re: secure MTA (was: news from ...)

2020-04-08 Thread Allan Streib
Claus Assmann  writes:

> On Wed, Apr 08, 2020, Kevin Chadwick wrote:
>
>> OpenSMTPD does not listen to the internet, by default and even if you do set 
>> it
>
> From: Qualys Security Advisory 
> To: oss-secur...@lists.openwall.com
> Message-ID: <20200224184538.GF17396@localhost.localdomain>
>
> - Client-side exploitation: This vulnerability is remotely exploitable
>   in OpenSMTPD's (and hence OpenBSD's) default configuration. Although
>   ^^^

My (default) smtpd.conf says:

listen on lo0

So how might that be remotely exploitable?

Allan



Re: Ports: how to install dependencies from binaries?

2020-04-08 Thread Allan Streib
Daniel Jakots  writes:

> On Wed, 8 Apr 2020 13:12:54 +1000, Stuart Longland
>  wrote:
>
>> Silly question… how do you install the dependencies of a port from
>> binaries automatically?
>
> https://man.openbsd.org/bsd.port.mk#FETCH_PACKAGES but it doesn't work
> very reliably, sadly.
>

I didn't know about that. What I have done is use the
print-build-depends target. For example, on my machine:

$ cd /usr/ports/telephony/asterisk
$ make print-build-depends
This port requires package(s) "libssh2-1.9.0 bzip2-1.0.8 lynx-2.8.9rel1p0 
libusb1-1.0.21p1 npth-1.6 pcre2-10.33 ..." to build.

Then you can copy/paste, or otherwise feed the stuff in between the
quote marks, to pkg_add. I do:

# make print-build-depends | awk -F \" '{print $2}' | xargs pkg_add

Then proceed with building/installing the port of interest.

Allan
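
Editor's added example, not the poster's own pipeline: a shell wrapper around the print-build-depends approach that extracts the package names one per line, copes with the output line having been wrapped (as it is in the mail above), drops duplicates, and prints the pkg_add command for review rather than running it. The make output is constructed from the shape shown above; the port path in the comment is an assumption.

```shell
#!/bin/sh
# Editor's added example, not from the thread: a wrapper around the
# print-build-depends approach that pulls the package names out of the quoted
# list one per line, copes with the line having been wrapped, and prints the
# pkg_add command for review instead of running it. The make output is
# constructed from the shape shown in the thread; the port path is assumed.

# Constructed `make print-build-depends` output, wrapped as a mailer would.
sample_output() {
    cat <<'EOF'
This port requires package(s) "libssh2-1.9.0 bzip2-1.0.8 lynx-2.8.9rel1p0
libusb1-1.0.21p1 npth-1.6 pcre2-10.33" to build.
EOF
}

# deps_from_output: make output on stdin -> one package name per line.
# Each double-quoted span is a list; newlines inside it count as spaces and
# a name seen twice is printed once. Exit 1 when no quoted list is present.
deps_from_output() {
    tr '\n' ' ' | awk -F '"' '
        {
            for (j = 2; j < NF; j += 2) {
                n = split($j, p, " ")
                for (i = 1; i <= n; i++) if (!seen[p[i]]++) { print p[i]; found = 1 }
            }
        }
        END { if (!found) exit 1 }'
}

# pkg_add_cmd: print the pkg_add line for the list on stdin, or complain
pkg_add_cmd() {
    deps=$(deps_from_output | tr '\n' ' ')
    [ -n "$deps" ] || { echo "no build dependencies found" >&2; return 1; }
    printf 'pkg_add %s\n' "${deps% }"
}

# Real use, from the port directory (assumed path):
#   cd /usr/ports/telephony/asterisk
#   make print-build-depends | pkg_add_cmd          # review the list
#   doas $(make print-build-depends | pkg_add_cmd)  # then install
sample_output | pkg_add_cmd
```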



Re: syspatch(8) return values?

2020-02-10 Thread Allan Streib
Antoine Jacoutot  writes:

> "patches waiting, but didn't do anything" might be interesting (i.e
> patches are available); dunno...

syspatch -c

Allan



Re: What are xxxterm users using today?

2020-02-03 Thread Allan Streib
Dumitru Moldovan  writes:

> Might want to look at https://github.com/tridactyl/tridactyl or
> https://github.com/lusakasa/saka-key.  Have tried the former and didn't
> quite fancy it.  Have just discovered the latter one, giving it a try…

Thanks for the tip on saka-key. It looks interesting and I hadn't heard
of it before.

Allan



What are xxxterm users using today?

2020-01-31 Thread Allan Streib
I used to use xxxterm, then xombrero, and really liked the minimal
approach and keyboard driven navigation.

Any other former users of this browser, what are you using today to
achieve any of this functionality in your browser?

Allan



Re: chrome with multiple profiles possible?

2020-01-29 Thread Allan Streib
Stuart Henderson  writes:

> You will at least need to relax the "unveil" restrictions in /etc/chromium.
> Whichever files have .config/chromium or .cache/chromium you will need to copy
> for the _a variant.

Thanks, yes that is what I needed to do.

> That might not be the only thing you need to do, but there's no chance
> without that.

So far so good!

Allan



chrome with multiple profiles possible?

2020-01-29 Thread Allan Streib
Per the man page I have tried to launch chrome with an alternate data
directory hoping to achieve separate profiles.

$ chrome --user-data-dir=~/.config/chromium_a

[75336:1591778608:0129/114259.294272:ERROR:process_singleton_posix.cc(280)] 
Failed to create /home/astreib/.config/chromium_a/SingletonLock: No such file 
or directory (2)
[75336:1591778608:0129/114259.294449:ERROR:chrome_browser_main.cc(1413)] 
Failed to create a ProcessSingleton for your profile directory. This means that 
running multiple instances would start multiple browser processes rather than 
opening a new window in the existing process. Aborting now to avoid profile 
corruption.
[75336:-995142592:0129/114259.302586:ERROR:cache_util.cc(141)] Unable to 
move cache folder /home/astreib/.config/chromium_a/ShaderCache/GPUCache to 
/home/astreib/.config/chromium_a/ShaderCache/old_GPUCache_000
[75336:-995142592:0129/114259.302696:ERROR:disk_cache.cc(178)] Unable to 
create cache
[75336:-995142592:0129/114259.302721:ERROR:shader_disk_cache.cc(605)] 
Shader Cache Creation failed: -2

I have tried this with ~/.config/chromium_a as an empty directory, and
as a copy of ~/.config/chromium (which is created successfully when
chrome is started without any args).

Thought I would ask if this is simply a known problem before I go
digging too deeply.

amd64 6.6 release with syspatches and pkg updates applied as of today.

Allan



Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-28 Thread Allan Streib
You asked about the base image, so maybe there is some reason you can't
use it, but Supervisor is in ports/packages.

Allan

Patrick Kristiansen  writes:

> Hi everyone,
>
> Is there something like the FreeBSD daemon(8) command for OpenBSD, which
> can run a process in the background and restart it if it crashes? That
> is, is there a command that comes with OpenBSD's base image with these
> capabilities? Surprisingly, Google hasn't revealed anything useful to
> me.
>
> Thanks,
> Patrick Kristiansen
>



Re: Why isn't ChallengeResponseAuthentication NO in sshd_config?

2020-01-08 Thread Allan Streib
lu hu  writes:

> So I think ChallengeResponseAuthentication should be set to NO, since
> it is not used by anything by default (you need manual steps as root
> to use ex.: skey).

If you want it set to NO, if you feel safer that way, set it to NO on
your systems.

IMHO

Allan



Re: What do you use to generate invoices on OpenBSD?

2019-12-27 Thread Allan Streib
jeanfrancois  writes:

> Thanks for that insight on using LaTeX (from ports).

If you look on CTAN there are several invoicing packages.

https://ctan.org/topic/invoice

Allan



Re: ldapd hangs/stalls

2019-08-28 Thread Allan Streib
Edgar Pettijohn  writes:

>
> May need to use rcctl to change its class to ldap.
>
> Untested:
> rcctl set ldapd class ldap

Yes, that's it.

Only the class can't be changed with rcctl; it gives an error:

rcctl: "ldapd_class" is a read-only variable set in login.conf(5)

That gave me the clue that the class name in login.conf needs to be
"ldapd" not "ldap".

I changed that and now it's all working as expected.

Thanks!

Allan



Re: ldapd hangs/stalls

2019-08-28 Thread Allan Streib
Edgar Pettijohn  writes:

> May need to use rcctl to change its class to ldap.
>
> Untested:
> rcctl set ldapd class ldap

I will try that.

I had used usermod to set the class on the _ldapd user.

$ userinfo _ldapd
login	_ldapd
passwd	*
uid	100
groups	_ldapd
change	NEVER
class	ldap
gecos	LDAP Daemon
dir	/var/empty
shell	/sbin/nologin
expire	NEVER



Re: ldapd hangs/stalls

2019-08-28 Thread Allan Streib
Allan Streib  writes:

> I see that fstat -u _ldapd always ends at FD 119 when the hang occurs:
>
> [...]
> _ldapd   ldapd  42641  117* internet stream tcp 0x0 172.29.202.69:389 <-- 
> 172.29.200.108:47864
> _ldapd   ldapd  42641  118* internet stream tcp 0x0 172.29.202.69:389 <-- 
> 172.29.200.104:56746
> _ldapd   ldapd  42641  119* internet stream tcp 0x0 172.29.202.69:389 <-- 
> 172.29.200.106:40436
>
> I tried the following:
>
> Gave _ldapd a login class of "ldap"
>
> Added to login.conf:
>
> ldap:\
> :openfiles=512:\
> :tc=daemon:
>
> restart ldapd.
>
> Still hangs with fstat output the same.

OK I apparently misunderstand how login.conf works. I had assumed that
the above would give the "ldap" class an openfiles limit of 512 and
everything else as defined for the "daemon" class. My daemon entry
looked like this:

daemon:\
:ignorenologin:\
:datasize=infinity:\
:maxproc=infinity:\
:openfiles-max=1024:\
:openfiles-cur=128:\
:stacksize-cur=8M:\
:localcipher=blowfish,a:\
:tc=default:

However apparently the daemon class openfiles-cur=128 was being enforced;
I changed that to 512 as a test, restarted ldapd, and now fstat is
showing around 170 FDs for _ldapd and that seems to be where it's
stabilizing, and the hangs are not occurring.

The login.conf man page says that tc "Interpolate/expands records from
corresponding login.conf. See getcap(3)."

What I'm seeing seems to indicate it's working backwards from what the
"Override resource limits" comment indicates above the bgpd and unbound
classes, which I used as a model, but maybe I'm missing something?

I include the entire login.conf below, with my current openfiles-cur
setting for the daemon class.

Allan





# $OpenBSD: login.conf,v 1.9 2017/02/06 18:11:33 sthen Exp $

#
# Sample login.conf file.  See login.conf(5) for details.
#

#
# Standard authentication styles:
#
# passwd	Use only the local password file
# chpass	Do not authenticate, but change users password (change
#		the YP password if the user has one, else change the
#		local password)
# lchpass	Do not login; change user's local password instead
# radius	Use radius authentication
# reject	Use rejected authentication
# skey		Use S/Key authentication
# activ		ActivCard X9.9 token authentication
# crypto	CRYPTOCard X9.9 token authentication
# snk		Digital Pathways SecureNet Key authentication
# tis		TIS Firewall Toolkit authentication
# token		Generic X9.9 token authentication
# yubikey	YubiKey authentication
#

# Default allowed authentication styles
auth-defaults:auth=passwd,skey:

# Default allowed authentication styles for authentication type ftp
auth-ftp-defaults:auth-ftp=passwd:

#
# The default values
# To alter the default authentication types change the line:
#   :tc=auth-defaults:\
# to be read something like: (enables passwd, "myauth", and activ)
#   :auth=passwd,myauth,activ:\
# Any value changed in the daemon class should be reset in default
# class.
#
default:\
:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
:umask=022:\
:datasize-max=768M:\
:datasize-cur=768M:\
:maxproc-max=256:\
:maxproc-cur=128:\
:openfiles-max=1024:\
:openfiles-cur=512:\
:stacksize-cur=4M:\
:localcipher=blowfish,a:\
:tc=auth-defaults:\
:tc=auth-ftp-defaults:

#
# Settings used by /etc/rc and root
# This must be set properly for daemons started as root by inetd as well.
# Be sure reset these values back to system defaults in the default class!
#
daemon:\
:ignorenologin:\
:datasize=infinity:\
:maxproc=infinity:\
:openfiles-max=1024:\
:openfiles-cur=512:\
:stacksize-cur=8M:\
:localcipher=blowfish,a:\
:tc=default:

#
# Staff have fewer restrictions and can login even when nologins are set.
#
staff:\
:datasize-cur=1536M:\
:datasize-max=infinity:\
:maxproc-max=512:\
:maxproc-cur=256:\
:ignorenologin:\
:requirehome@:\
:tc=default:

#
# Authpf accounts get a special motd and shell
#
authpf:\
:welcome=/etc/motd.authpf:\
:shell=/usr/sbin/authpf:\
:tc=default:

#
# Building ports with DPB uses raised limits
#
pbuild:\
:datasize-max=infinity:\
:datasize-cur=4096M:\
:maxproc-max=1024:\
:maxproc-cur=256:\
:tc=default:

#
# Override resource limits for certain daemons started by rc.d(8)
#
bgpd:\
:openfiles=512:\
:tc=daemon:

unbound:\
:openfiles=512:\
:tc=daemon:

ldap:\
:openfiles=512:\
:tc=daemon:
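
Editor's added example, not the poster's file and not OpenBSD's own code: a small sh/awk model of how login.conf(5) classes resolve through tc= chains, written to show why a class named "ldap" carrying openfiles=512 still ended up under the daemon class's openfiles-cur=128 (the "I apparently misunderstand how login.conf works" post above), and why rc.d(8) wants a class named after the daemon (the rcctl "ldapd_class" message in the later reply). The sample classes are constructed. Two behaviours are assumed rather than quoted from the thread: getcap(3)'s rule that a tc= entry splices the named record in at the point it appears and that the first occurrence of a capability wins, and login_cap's habit of letting a -cur or -max suffixed entry found anywhere in the expanded record override the bare limit name.

```shell
#!/bin/sh
# Editor's added example, not the poster's file nor OpenBSD code: a model of
# login.conf(5) class resolution through tc= chains.
# Assumed (not stated on the page): getcap(3) splices a tc= record in at the
# point it appears and the first occurrence of a capability wins; login_cap
# then lets a "-cur"/"-max" entry found anywhere in the expanded record
# override the bare limit name, which is what the thread observed.

# Constructed sample. "ldap" is the misnamed class from the thread;
# "ldapd" is the name rc.d(8) actually looks up for /etc/rc.d/ldapd.
sample_login_conf() {
    cat <<'EOF'
# constructed sample, not /etc/login.conf
default:\
    :openfiles-max=1024:\
    :openfiles-cur=512:
daemon:\
    :ignorenologin:\
    :openfiles-max=1024:\
    :openfiles-cur=128:\
    :tc=default:
ldap:\
    :openfiles=512:\
    :tc=daemon:
ldapd:\
    :openfiles-cur=512:\
    :tc=daemon:
EOF
}

# lc_query get CLASS CAP   -> first value of CAP in the expanded record
#                             (a bare flag prints "true"; exit 1 if absent)
# lc_query exists CLASS    -> exit 0 if CLASS is defined
lc_query() {
    sample_login_conf | awk -v mode="$1" -v cls="$2" -v cap="$3" '
    # join backslash-continued lines into one record per class
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line ~ /\\$/) { sub(/\\$/, "", line); buf = buf line; next }
        rec = buf line; buf = ""
        if (rec == "" || rec ~ /^#/) next
        split(rec, f, ":")
        records[f[1]] = rec
    }
    # walk the record in order, descending into tc= where it appears, so an
    # earlier capability beats one spliced in later (the getcap rule)
    function resolve(c, want, depth,    n, f, i, kv, r) {
        if (!(c in records) || depth > 8) return ""
        n = split(records[c], f, ":")
        for (i = 2; i <= n; i++) {
            if (f[i] == "") continue
            split(f[i], kv, "=")
            if (kv[1] == want) return (kv[2] == "" ? "true" : kv[2])
            if (kv[1] == "tc") { r = resolve(kv[2], want, depth + 1); if (r != "") return r }
        }
        return ""
    }
    END {
        if (mode == "exists") { if (cls in records) exit 0; exit 1 }
        v = resolve(cls, cap, 0)
        if (v == "") exit 1
        print v
    }'
}

# effective_cur CLASS LIMIT: the soft limit that would be applied, modelled as
# "take LIMIT, then let LIMIT-cur override it if present anywhere in the chain"
effective_cur() {
    base=$(lc_query get "$1" "$2") || base=""
    cur=$(lc_query get "$1" "$2-cur") || cur=""
    printf '%s\n' "${cur:-$base}"
}

# class_for_daemon NAME: rc.d(8) uses a class named after the daemon if one
# exists, else "daemon"; the _ldapd user's own login class plays no part
class_for_daemon() {
    if lc_query exists "$1"; then printf '%s\n' "$1"; else echo daemon; fi
}

for c in ldap ldapd; do
    printf '%-6s openfiles=%s openfiles-cur=%s effective soft limit=%s\n' "$c" \
        "$(lc_query get "$c" openfiles || echo none)" \
        "$(lc_query get "$c" openfiles-cur || echo none)" \
        "$(effective_cur "$c" openfiles)"
done
echo "rc.d class for ldapd: $(class_for_daemon ldapd); for an unlisted daemon: $(class_for_daemon bgpd)"
```

The model reproduces what the thread saw: for "ldap", openfiles resolves to 512 from the class itself, but openfiles-cur resolves to 128 from the daemon record spliced in by tc=, and the suffixed entry is the one that takes effect; the correctly named "ldapd" class, which sets openfiles-cur itself, gets 512 without touching the daemon class.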



Re: ldapd hangs/stalls

2019-08-28 Thread Allan Streib
Claudio Jeker  writes:

> I guess the problem is in the error handling of one of the filter codes
> which leaks an fd. At least I suspect that the error message about filter
> type is suggesting that.

I guess that's a possibility. But why stopping at FD 119 in the fstat output? I
have several hundred hosts that might be connecting and issuing
queries. Feels to me more like a limit is being hit.

Allan



Re: ldapd hangs/stalls

2019-08-28 Thread Allan Streib
Allan Streib  writes:

> Running a rather busy ldapd host, and seeing some hangs in responses to
> queries.


I see that fstat -u _ldapd always ends at FD 119 when the hang occurs:

[...]
_ldapd   ldapd  42641  112* internet stream tcp 0x0 172.16.0.169:389 <-- 
172.16.0.38:44708
_ldapd   ldapd  42641  113* internet stream tcp 0x0 172.16.0.169:389 <-- 
172.16.0.45:43392
_ldapd   ldapd  42641  114* internet stream tcp 0x0 172.16.0.169:389 <-- 
172.16.0.26:54300
_ldapd   ldapd  42641  115* internet stream tcp 0x0 172.29.202.69:389 <-- 
172.29.200.100:36250
_ldapd   ldapd  42641  116* internet stream tcp 0x0 172.29.202.69:389 <-- 
172.29.200.109:45362
_ldapd   ldapd  42641  117* internet stream tcp 0x0 172.29.202.69:389 <-- 
172.29.200.108:47864
_ldapd   ldapd  42641  118* internet stream tcp 0x0 172.29.202.69:389 <-- 
172.29.200.104:56746
_ldapd   ldapd  42641  119* internet stream tcp 0x0 172.29.202.69:389 <-- 
172.29.200.106:40436


I tried the following:

Gave _ldapd a login class of "ldap"

Added to login.conf:

ldap:\
:openfiles=512:\
:tc=daemon:

restart ldapd.

Still hangs with fstat output the same.

$ vmstat
 procs    memory       page                    disks    traps          cpu
 r   s   avm     fre  flt  re  pi  po  fr  sr sd0 sd1  int   sys   cs us sy id
 1  70   44M  22728M    5   0   0   0   0   0   0   0   2579   84  0  0 100



$ netstat -m 
444 mbufs in use:
220 mbufs allocated to data
168 mbufs allocated to packet headers
56 mbufs allocated to socket names and addresses
180/520 mbuf 2048 byte clusters in use (current/peak)
0/30 mbuf 2112 byte clusters in use (current/peak)
0/64 mbuf 4096 byte clusters in use (current/peak)
0/72 mbuf 8192 byte clusters in use (current/peak)
0/42 mbuf 9216 byte clusters in use (current/peak)
0/50 mbuf 12288 byte clusters in use (current/peak)
0/40 mbuf 16384 byte clusters in use (current/peak)
0/16 mbuf 65536 byte clusters in use (current/peak)
4520/5008/524288 Kbytes allocated to network (current/peak/max)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines



ldapd hangs/stalls

2019-08-28 Thread Allan Streib
Running a rather busy ldapd host, and seeing some hangs in responses to
queries.

Some (possibly irrelevant) messages in /var/log/daemon

  Aug 28 12:47:51 ldap02 ldapd[39626]: filter type 5 not implemented
  Aug 28 12:48:19 ldap02 last message repeated 13 times
  Aug 28 12:49:41 ldap02 last message repeated 132 times

Are there some limits I should consider raising?

I have tried (as a guess) raising kern.somaxconn without much improvement.

Everything is at defaults right now.

$ doas sysctl -a
kern.ostype=OpenBSD
kern.osrelease=6.5
kern.osrevision=201905
kern.version=OpenBSD 6.5 (GENERIC.MP) #1: Mon May 27 18:27:59 CEST 2019

r...@syspatch-65-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

kern.maxvnodes=41633
kern.maxproc=1310
kern.maxfiles=7030
kern.argmax=262144
kern.securelevel=1
kern.hostname=[redacted]
kern.hostid=0
kern.clockrate=tick = 1, tickadj = 40, hz = 100, profhz = 100, stathz = 100
kern.posix1version=200809
kern.ngroups=16
kern.job_control=1
kern.saved_ids=1
kern.boottime=Thu Jun 27 17:36:01 2019
kern.domainname=
kern.maxpartitions=16
kern.rawpartition=2
kern.maxthread=1950
kern.nthreads=122
kern.osversion=GENERIC.MP#1
kern.somaxconn=128
kern.sominconn=80
kern.nosuidcoredump=1
kern.fsync=1
kern.sysvmsg=1
kern.sysvsem=1
kern.sysvshm=1
kern.msgbufsize=98256
kern.malloc.buckets=16,32,64,128,256,512,1024,2048,4096,8192,16384,32768,65536,131072,262144,524288
kern.malloc.bucket.16=(calls = 108817 total_allocated = 768 total_free = 127 
elements = 256 high watermark = 1280 could_free = 0)
kern.malloc.bucket.32=(calls = 124260 total_allocated = 896 total_free = 419 
elements = 128 high watermark = 640 could_free = 81)
kern.malloc.bucket.64=(calls = 205096 total_allocated = 1728 total_free = 78 
elements = 64 high watermark = 320 could_free = 14)
kern.malloc.bucket.128=(calls = 429562 total_allocated = 1920 total_free = 234 
elements = 32 high watermark = 160 could_free = 52250)
kern.malloc.bucket.256=(calls = 79465 total_allocated = 544 total_free = 354 
elements = 16 high watermark = 80 could_free = 44064)
kern.malloc.bucket.512=(calls = 47604 total_allocated = 4320 total_free = 39 
elements = 8 high watermark = 40 could_free = 5737)
kern.malloc.bucket.1024=(calls = 1215544 total_allocated = 88 total_free = 10 
elements = 4 high watermark = 20 could_free = 0)
kern.malloc.bucket.2048=(calls = 1069269 total_allocated = 1060 total_free = 13 
elements = 2 high watermark = 10 could_free = 282412)
kern.malloc.bucket.4096=(calls = 114423 total_allocated = 68 total_free = 1 
elements = 1 high watermark = 5 could_free = 0)
kern.malloc.bucket.8192=(calls = 7233 total_allocated = 60 total_free = 2 
elements = 1 high watermark = 5 could_free = 0)
kern.malloc.bucket.16384=(calls = 4530 total_allocated = 7 total_free = 0 
elements = 1 high watermark = 5 could_free = 0)
kern.malloc.bucket.32768=(calls = 12 total_allocated = 10 total_free = 0 
elements = 1 high watermark = 5 could_free = 0)
kern.malloc.bucket.65536=(calls = 263551 total_allocated = 2 total_free = 0 
elements = 1 high watermark = 5 could_free = 0)
kern.malloc.bucket.131072=(calls = 2 total_allocated = 2 total_free = 0 
elements = 1 high watermark = 5 could_free = 0)
kern.malloc.bucket.262144=(calls = 0 total_allocated = 0 total_free = 0 
elements = 1 high watermark = 5 could_free = 0)
kern.malloc.bucket.524288=(calls = 3 total_allocated = 3 total_free = 0 
elements = 1 high watermark = 5 could_free = 0)
kern.malloc.kmemnames=free,,devbuf,,pcb,rtableifaddr,soopts,sysctl,counters,,ioctlops,iov,mount,,NFS_req,NFS_mount,,vnodes,namecache,UFS_quota,UFS_mount,shm,VM_map,sem,dirhash,ACPI,VM_pmapfile,file_desc,sigio,proc,subproc,VFS_cluster,,,MFS
_node,,,Export_Host,NFS_srvsock,,NFS_daemon,ip_moptions,in_multi,ether_multi,mrt,ISOFS_mount,ISOFS_node,MSDOSFS_mount,MSDOSFS_fat,MSDOSFS_node,ttys,exec,miscfs_mount,fusefs_mount,pfkey_data,tdb,xform_data,,pagedep,inodedep,newblk,,,indirdep,,,
,,VM_swap,,UVM_amap,UVM_aobj,,USB,USB_device,USB_HC,witness,memdesc,,,crypto_data,,IPsec_credsemuldata,ip6_options,NDP,,,temp,NTFS_mount,NTFS_node,NTFS_fnode,NTFS_dir,NTFS_hash,NTFS_attr,NTFS_data,NTFS_decomp,NTFS_vrun,kqueue,,SYN_
cache,UDF_mount,UDF_file_entry,UDF_file_id,,AGP_Memory,DRM
kern.malloc.kmemstat.free=(inuse = 0, calls = 0, memuse = 0K, limblocks = 0, 
mapblocks = 0, maxused = 0K, limit = 78644K, spare = 0, sizes = (none))
kern.malloc.kmemstat.devbuf=(inuse = 5883, calls = 2142582, memuse = 4849K, 
limblocks = 0, mapblocks = 0, maxused = 4857K, limit = 78644K, spare = 0, sizes 
= (16,32,64,128,256,512,1024,2048,4096,8192,16384,32768,65536,131072))
kern.malloc.kmemstat.pcb=(inuse = 98, calls = 23509, memuse = 25K, limblocks = 
0, mapblocks = 0, maxused = 27K, limit = 78644K, spare = 0, sizes = 
(16,32,128,1024,2048,4096))
kern.malloc.kmemstat.rtable=(inuse = 419, calls = 2142, memuse = 12K, limblocks 
= 0, mapblocks = 0, maxused = 12K, limit = 78644K, spare = 0, sizes = 
(16,32,64,128,256))

backing up ldapd data

2019-08-23 Thread Allan Streib
With OpenLDAP slapd I would run slapcat periodically to dump out the
directory in LDIF format for backup.

What is the best approach for backing up ldapd?

Thanks,

Allan



Re: help with understanding __BSD_VISIBLE

2019-07-15 Thread Allan Streib
Philip Guenther  writes:

> There are four options here:
> 1) change the software to not use the name 'bcrypt' for a non-static
> function.  OpenBSD has only been using it for 15 years...

Agree, but for now I'm trying to keep changes to a minimum as I work out
larger issues. This is in an erlang wrapper for bcrypt. It includes its
own copy of bcrypt.c

The change that diverges from the OpenBSD version is in this commit, in
case anyone is interested.

https://github.com/smarkets/erlang-bcrypt/commit/1277ee41bba86d47e039e3f24a47a491efe48d78

> 3) *IF* the software was written to only rely on the interfaces of some
> version of the POSIX standard, then follow the compilation rules
> described in that standard.  You mention POSIX 2008, so perhaps this
> software would build when following those rules, passing the compiler
> -D_POSIX_C_SOURCE=200809L to only declare the symbols from that
> standard

This seems to work, at least I don't get any compile errors. Thank you.

Allan



help with understanding __BSD_VISIBLE

2019-07-12 Thread Allan Streib
Probably an elementary question stemming from my lack of C expertise.

I am trying to compile some C code that includes its own "bcrypt"
function. This is conflicting with the declaration in pwd.h.

error: conflicting types for 'bcrypt'
int bcrypt(char *, const char *, const char *);
    ^
/usr/include/pwd.h:112:8: note: previous declaration is here
char	*bcrypt(const char *, const char *);

In pwd.h I see that the bcrypt declaration is wrapped in a #if block:

#if __BSD_VISIBLE
int	 setpassent(int);
int	 uid_from_user(const char *, uid_t *);
const char	*user_from_uid(uid_t, int);
char	*bcrypt_gensalt(u_int8_t);
char	*bcrypt(const char *, const char *);
int	 bcrypt_newhash(const char *, int, char *, size_t);
int	 bcrypt_checkpass(const char *, const char *);
struct passwd	*pw_dup(const struct passwd *);
#endif

So I'm trying to work out why __BSD_VISIBLE is 1 when I'm compiling.

sys/cdefs.h says:

/*
 * Finally deal with BSD-specific interfaces that are not covered
 * by any standards.  We expose these when none of the POSIX or XPG
 * macros is defined or if the user explicitly asks for them.
 */
#if !defined(_BSD_SOURCE) && \
   (defined(_ANSI_SOURCE) || defined(__XPG_VISIBLE) || defined(__POSIX_VISIBLE))
# define __BSD_VISIBLE	0
#endif

__POSIX_VISIBLE is defined as 200809, so __BSD_VISIBLE should be 0 and
the pwd.h declaration for bcrypt should be skipped?

Allan



Re: shell_exec() exec() and system() not working in php 5.6 openbsd 6.4

2019-07-09 Thread Allan Streib
Martijn van Duren  writes:

> You haven't given enough information for a definitive answer, but my
> guess is that you run php through php-fpm, which is by default chrooted
> to /var/www. Since shell_exec and system first call /bin/sh and you
> most likely didn't copy it to /var/www/bin/sh it can't find your shell.
> After that you'd also need to copy the binaries (in this case ls) to
> your chroot and possible library dependencies (not needed for files
> under /bin).
>
> Hope this helps for illustrative purposes, but please don't use it in
> production.

Agree this is likely the problem, unfortunately in PHP-land sometimes
you can't avoid it. For platforms such as Drupal (just to pick an
example I am familiar with) some of the modules will run shell commands
to do things such as send email.

Allan



Re: 4GB RAM too little for Firefox?

2019-07-08 Thread Allan Streib
ropers  writes:

> 1. I think the same behaviour may be what's going on with your
> so-called "ghost" files.
> I.e.: Files and file descriptors get created, the files get unlinked,
> but Firefox still has them open and *is still growing* them, which
> continues until it actually fclose(3)s them.

Yes, this is the behavior. They are not "dot-files" or any other
obscured file name, as du(1) should find those, and nothing that would
account for the space is found in the output of "ls -alR /tmp" either.

It does behave like the file is opened and then unlinked. Sorry for my
term "ghost" file; I couldn't quite find the right words for what I was
seeing.

Allan



Re: 4GB RAM too little for Firefox?

2019-07-08 Thread Allan Streib
Richard Ulmer  writes:

> I heard multiple times now, that Firefox leaks memory. Maybe I'll give
> a new browser a shot. Iridium looked interesting, but upon research I
> found a lot of people concerned about whether this project has the
> resources to keep up with Chromium's security standards. The last
> commit for Iridium was 3 Months ago [1], so I'm not too sure if I want
> to use it..

I have recently encountered another issue with firefox: it will
fill up my /tmp partition with "ghost" files. Meaning, df(1) (and other
applications) will tell me that my 4GB /tmp is full, but I don't see any
files there and du(1) will say that /tmp only has 18KB used. If I kill
firefox, the /tmp space becomes available again.

Have not yet identified which site is triggering this behavior, but I
suspect it's one of Gmail, Google Sheets, etc which I tend to have open
for long periods of time.

OpenBSD 6.5 GENERIC.MP#1 amd64

Landry's FF build (67.0.4) with uBlock Origin.

Allan



Re: Route through different gateways depending on process

2019-06-21 Thread Allan Streib
Claudio Jeker  writes:

> On Fri, Jun 21, 2019 at 02:11:53PM +, slackwaree wrote:
>> Hello,
>> 
>> I wonder if the following scenario can be solved with OpenBSD on 1 single 
>> machine or with VMM:
>> 
>> I got 3 OpenBSD vms, all of them are exactly the same running squid except 
>> they use different default routers to route their traffic out.
>> 
>> I would like to merge these to one VM if it is possible somehow to tell 
>> OpenBSD to use different gateway depending on the squid process.
>> 
>> If not would the same thing be possible with VMMs? All the gateways are in 
>> the same IP range.
>> 
>
> A simple way to solve this is with multiple routing tables.
>
> Create multiple routing tables with:
> route -T1 add default 
> route -T2 add default 
> route -T3 add default 
>
> And start the 3 squid processes with route -T1 exec, route -T2 exec.
> You can also use the the *_rtable variable in rc.d(8) to do that
> automatically.
>
> This requires that the 3 squids listen on different IPs or ports.


As I learned recently (investigating another issue and reading the
rc.subr(8) man page), if you start these with rc scripts, you can set
daemon_rtable there, as well as likely setting up the config file or
port/ip address options in daemon_flags. Also be sure the pexp variable is
set to something that can differentiate the processes or the rcctl
stop/check stuff will not work.

Allan



Re: 6.5 PowerPC Packages

2019-05-09 Thread Allan Streib
Andrew Luke Nesbit  writes:

> I am a user of Apple PowerBook G4, POWER8, and POWER9.  I am new to
> OpenBSD and I intend to experiment with it on these architectures.

Unless https://www.openbsd.org/plat.html is out of date, it doesn't look
like OpenBSD is currently supporting POWER8 or POWER9 platforms.

Allan



Re: Got hits Job offering in the mail

2019-05-02 Thread Allan Streib
Dan Shechter  writes:

> Greetings of the day!!

Spam giveaway. No recruiter in the USA would use that phrase. That and
the other grammatical and sentence structure errors are red flags.

Allan



Re: Good options for SAS HBA or SATA expansion cards?

2019-04-12 Thread Allan Streib
Paul de Weerd  writes:

> Not exactly what you're looking for, but I have a startech.com 2 Port
> SATA 6Gbps PCI Express eSATA controller card [1].  I use this to
> (occasionally) connect an external disk shelf (using a port
> multiplier) to my machine.

Incidentally, does OpenBSD support hot-plugging an external drive on eSATA
ports?

I had a similar StarTech card and it worked fine if the external drive
was attached and powered up at boot but did not recognize it if attached
later. But was probably around 6.1 release if not older the last time I
tried that.

Allan



Re: something like script(1) but for clipboard

2019-04-03 Thread Allan Streib
Mihai Popescu  writes:

> I am looking for a command or port application to copy large text from
> terminal into the clipboard for immediate paste operation in another
> window. I use to do that with left mouse click select then middle
> click. It should be something like script(1), but for clipboard inside
> an X session.

Look at the xclip package.

Allan



Re: Best practices for validating downloaded config files in OpenBSD

2019-02-21 Thread Allan Streib
Tom Smyth  writes:

> we have an in house shell script based deployment system for our
> OpenBSD boxes in the field this involves the boxes pulling config
> files over https but Im always concerned that if the downloaded files
> are incomplete or empty that this would break the configs and require
> heavy manual intervention to fix and Im wondering is there a framework
> or best practices guide or a good script example where OpenBSD folks
> have solved this issue

rsync(1)

Allan



Re: radeondrm failure on amd64 but not on i386?

2018-12-17 Thread Allan Streib
Found a cheap card on eBay, dmesg shows it as ATI Radeon HD 7470,
working well in

OpenBSD 6.4-current (GENERIC.MP) #499: Mon Dec 10 11:33:10 MST 2018.

Allan

Allan Streib  writes:

> Still having this issue on -current as of Dec10. machdep.allowaperture=2
> does get me past this, but am seeing weird behavior, some regions of
> screens/terminals not painting or refreshing.
>
> So, as this is a major inconvenience I am looking to update the video
> card.
>
> Any recommendations for a low-profile card that is working on
> 6.4/current?
>
> Thanks,
>
> Allan



Re: radeondrm failure on amd64 but not on i386?

2018-12-12 Thread Allan Streib
Still having this issue on -current as of Dec10. machdep.allowaperture=2
does get me past this, but am seeing weird behavior, some regions of
screens/terminals not painting or refreshing.

So, as this is a major inconvenience I am looking to update the video
card.

Any recommendations for a low-profile card that is working on
6.4/current?

Thanks,

Allan


Allan Streib  writes:

> Same issue, also on a Dell machine with ATI Radeon HD 2400 XT.
>
> Allan
>
> OpenBSD 6.4 (GENERIC.MP) #0: Sat Nov 17 22:15:46 CET 2018
> 
> r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4141871104 (3949MB)
> avail mem = 4007075840 (3821MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xf0450 (82 entries)
> bios0: vendor Dell Inc. version "A11" date 01/21/2011
> bios0: Dell Inc. OptiPlex 960
> acpi0 at bios0: rev 2
> acpi0: TCPA checksum error
> acpi0: sleep states S0 S1 S3 S4 S5
> acpi0: tables DSDT FACP SSDT APIC BOOT ASF! MCFG HPET TCPA DMAR SLIC SSDT 
> SSDT SSDT
> acpi0: wakeup devices VBTN(S4) PCI0(S5) PCI4(S5) PCI2(S5) PCI3(S5) PCI1(S5) 
> PCI5(S5) PCI6(S5) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz, 2992.96 MHz, 06-17-0a
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
> cpu0: 6MB 64b/line 16-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
> cpu0: apic clock running at 332MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz, 2992.51 MHz, 06-17-0a
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
> cpu1: 6MB 64b/line 16-way L2 cache
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins, remapped
> acpimcfg0 at acpi0
> acpimcfg0: addr 0xf800, bus 0-63
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 4 (PCI4)
> acpiprt1 at acpi0: bus 2 (PCI2)
> acpiprt2 at acpi0: bus 3 (PCI3)
> acpiprt3 at acpi0: bus 1 (PCI1)
> acpiprt4 at acpi0: bus -1 (PCI5)
> acpiprt5 at acpi0: bus -1 (PCI6)
> acpiprt6 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(1000@1 mwait.1), PSS
> acpicpu1 at acpi0: C1(1000@1 mwait.1), PSS
> acpibtn0 at acpi0: VBTN
> acpicmos0 at acpi0
> "*pnp0c14" at acpi0 not configured
> cpu0: Enhanced SpeedStep 2992 MHz: speeds: 3000, 2667, 2333, 2000 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel Q45 Host" rev 0x03
> ppb0 at pci0 dev 1 function 0 "Intel Q45 PCIE" rev 0x03: msi
> pci1 at ppb0 bus 1
> radeondrm0 at pci1 dev 0 function 0 "ATI Radeon HD 2400 XT" rev 0x00
> drm0 at radeondrm0
> radeondrm0: msi
> "Intel Q45 HECI" rev 0x03 at pci0 dev 3 function 0 not configured
> pciide0 at pci0 dev 3 function 2 "Intel Q45 PT IDER" rev 0x03: DMA 
> (unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
> pciide0: using apic 8 int 18 for native-PCI interrupt
> pciide0: channel 0 ignored (not responding; disabled or no drives?)
> pciide0: channel 1 ignored (not responding; disabled or no drives?)
> puc0 at pci0 dev 3 function 3 "Intel Q45 KT" rev 0x03: ports: 16 com
> com4 at puc0 port 0 apic 8 int 17: ns16550a, 16 byte fifo
> com4: probed fifo depth: 0 bytes
> em0 at pci0 dev 25 function 0 "Intel ICH10 D BM LM" rev 0x02: msi, address 
> 00:22:19:31:bf:96
> uhci0 at pci0 dev 26 function 0 "Intel 82801JD USB" rev 0x02: apic 8 int 16
> uhci1 at pci0 dev 26 function 1 "Intel 82801JD USB" rev 0x02: apic 8 int 17
> uhci2 at pci0 dev 26 function 2 "Intel 82801JD USB" rev 0x02: apic 8 int 22
> ehci0 at pci0 dev 26 function 7 "Intel 82801JD USB" rev 0x02: apic 8 int 22
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
> addr 1
> azalia0 at pci0 dev 27 function 0 "Intel 82801JD HD Audio" rev 0x02: msi
> azalia0: codecs: Analog Devices AD1984A
> audio0 at azalia0
> ppb1 at pci0 dev 28 function 0 "Intel 82801JD PCIE" rev 0

Re: radeondrm failure on amd64 but not on i386?

2018-11-27 Thread Allan Streib
Andy Bradford writes:

> After  Jonathan  suggested  adding   some  printf  debug  statements,  I
> continued to do so and was able to see that the rdev->bios variable that
> is being inspected  at lines 834--840 in radeon_bios.c  has neither ATOM
> nor MOTA in the string at that address for amd64, but has ATOM for i386:
>
>   tmp = rdev->bios_header_start + 4;
>   if (!memcmp(rdev->bios + tmp, "ATOM", 4) ||
>   !memcmp(rdev->bios + tmp, "MOTA", 4)) {
>   rdev->is_atom_bios = true;
>   } else {
>   rdev->is_atom_bios = false;
>   }
>
> I suppose additional debug might  involve writing the entire contents of
> rdev->bios to a file and then hexdump it?

The issue was also reported here, with no follow-ups but more debug info:

https://marc.info/?l=openbsd-bugs=153398230416756=2

Allan



Re: radeondrm failure on amd64 but not on i386?

2018-11-25 Thread Allan Streib
Same issue, also on a Dell machine with ATI Radeon HD 2400 XT.

Allan

OpenBSD 6.4 (GENERIC.MP) #0: Sat Nov 17 22:15:46 CET 2018

r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4141871104 (3949MB)
avail mem = 4007075840 (3821MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xf0450 (82 entries)
bios0: vendor Dell Inc. version "A11" date 01/21/2011
bios0: Dell Inc. OptiPlex 960
acpi0 at bios0: rev 2
acpi0: TCPA checksum error
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC BOOT ASF! MCFG HPET TCPA DMAR SLIC SSDT SSDT 
SSDT
acpi0: wakeup devices VBTN(S4) PCI0(S5) PCI4(S5) PCI2(S5) PCI3(S5) PCI1(S5) 
PCI5(S5) PCI6(S5) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz, 2992.96 MHz, 06-17-0a
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
cpu0: apic clock running at 332MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz, 2992.51 MHz, 06-17-0a
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
cpu1: 6MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins, remapped
acpimcfg0 at acpi0
acpimcfg0: addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 4 (PCI4)
acpiprt1 at acpi0: bus 2 (PCI2)
acpiprt2 at acpi0: bus 3 (PCI3)
acpiprt3 at acpi0: bus 1 (PCI1)
acpiprt4 at acpi0: bus -1 (PCI5)
acpiprt5 at acpi0: bus -1 (PCI6)
acpiprt6 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C1(1000@1 mwait.1), PSS
acpibtn0 at acpi0: VBTN
acpicmos0 at acpi0
"*pnp0c14" at acpi0 not configured
cpu0: Enhanced SpeedStep 2992 MHz: speeds: 3000, 2667, 2333, 2000 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Q45 Host" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel Q45 PCIE" rev 0x03: msi
pci1 at ppb0 bus 1
radeondrm0 at pci1 dev 0 function 0 "ATI Radeon HD 2400 XT" rev 0x00
drm0 at radeondrm0
radeondrm0: msi
"Intel Q45 HECI" rev 0x03 at pci0 dev 3 function 0 not configured
pciide0 at pci0 dev 3 function 2 "Intel Q45 PT IDER" rev 0x03: DMA 
(unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide0: using apic 8 int 18 for native-PCI interrupt
pciide0: channel 0 ignored (not responding; disabled or no drives?)
pciide0: channel 1 ignored (not responding; disabled or no drives?)
puc0 at pci0 dev 3 function 3 "Intel Q45 KT" rev 0x03: ports: 16 com
com4 at puc0 port 0 apic 8 int 17: ns16550a, 16 byte fifo
com4: probed fifo depth: 0 bytes
em0 at pci0 dev 25 function 0 "Intel ICH10 D BM LM" rev 0x02: msi, address 
00:22:19:31:bf:96
uhci0 at pci0 dev 26 function 0 "Intel 82801JD USB" rev 0x02: apic 8 int 16
uhci1 at pci0 dev 26 function 1 "Intel 82801JD USB" rev 0x02: apic 8 int 17
uhci2 at pci0 dev 26 function 2 "Intel 82801JD USB" rev 0x02: apic 8 int 22
ehci0 at pci0 dev 26 function 7 "Intel 82801JD USB" rev 0x02: apic 8 int 22
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
azalia0 at pci0 dev 27 function 0 "Intel 82801JD HD Audio" rev 0x02: msi
azalia0: codecs: Analog Devices AD1984A
audio0 at azalia0
ppb1 at pci0 dev 28 function 0 "Intel 82801JD PCIE" rev 0x02: msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 1 "Intel 82801JD PCIE" rev 0x02: msi
pci3 at ppb2 bus 3
uhci3 at pci0 dev 29 function 0 "Intel 82801JD USB" rev 0x02: apic 8 int 23
uhci4 at pci0 dev 29 function 1 "Intel 82801JD USB" rev 0x02: apic 8 int 17
uhci5 at pci0 dev 29 function 2 "Intel 82801JD USB" rev 0x02: apic 8 int 18
ehci1 at pci0 dev 29 function 7 "Intel 82801JD USB" rev 0x02: apic 8 int 23
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xa2
pci4 at ppb3 bus 4
pcib0 at pci0 dev 31 function 0 "Intel 82801JDO LPC" rev 0x02
ahci0 at pci0 dev 31 function 2 "Intel 82801JD AHCI" rev 0x02: msi, AHCI 1.2
ahci0: port 0: 3.0Gb/s
ahci0: port 1: 1.5Gb/s
ahci0: PHY offline on port 2
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct 
fixed naa.500a0751094531c8
sd0: 915715MB, 512 

Re: "relay as" domain rewrite in new smtpd.conf syntax

2018-11-09 Thread Allan Streib
Gilles Chehade  writes:

> On Thu, Nov 08, 2018 at 12:40:51PM -0500, Allan Streib wrote:
>> Prior to 6.4, in smtpd.conf(5), the relay directive supported the "as"
>> parameter:
>> 
>> If the as parameter is specified, smtpd(8) will rewrite the sender
>> advertised in the SMTP session. address may be a user, a domain
>> prefixed with "@", or an email address, causing smtpd(8) to rewrite
>> the user-part, the domain-part, or the entire address, respectively.
>> 
>> In the new smtpd.conf(5) syntax, how is that rewrite achieved,
>> specifically the "@" prefix behavior to rewrite the domain part?
>> 
>
>  The relay delivery methods also support additional options:
>
>[...]
>
>  mail-from mailaddr
>  Use mailaddr as the MAIL FROM address within the SMTP
>  transaction.
>
>
> so this would be something like:
>
>action relay_00 relay mail-from "@foobar.org"
>
>match [...] action relay_00

Thanks! I didn't realize that the mail-from option would support the
same forms as the old "as" parameter.

Allan



"relay as" domain rewrite in new smtpd.conf syntax

2018-11-08 Thread Allan Streib
Prior to 6.4, in smtpd.conf(5), the relay directive supported the "as"
parameter:

If the as parameter is specified, smtpd(8) will rewrite the sender
advertised in the SMTP session. address may be a user, a domain
prefixed with ‘@’, or an email address, causing smtpd(8) to rewrite
the user-part, the domain-part, or the entire address, respectively.

In the new smtpd.conf(5) syntax, how is that rewrite achieved,
specifically the "@" prefix behavior to rewrite the domain part?

Thanks,

Allan



Re: 6.4 - Unable to boot after successfully installed

2018-11-07 Thread Allan Streib
Luthing  writes:

> Hey,
> I am partitioning my disk manually like :
> ~80% for /root partition
> ~20% for swap
>
> That's all
> Any idea?

https://www.openbsd.org/faq/faq4.html#Partitioning

Allan



Re: syntax error and doas.conf

2018-10-31 Thread Allan Streib
Stuart Henderson  writes:

> If you aren't sure about a change you're about to make, keep a spare
> root shell open (or at least keep the editor open - save the file
> but don't exit - and test on another terminal).

I would add that this is not really OpenBSD-specific. Yes there's no
direct analogue to visudo(8) but it's perfectly possible to lock
yourself out of sudo access even with a correctly formatted /etc/sudoers
file, and visudo will happily let you shoot yourself in the foot that
way. With the sudoers(5) man page clocking in at about 20x the size of
the doas.conf(5) page, it's probably quite likely.

Allan



Re: cyrus-sasl/openldap question

2018-10-24 Thread Allan Streib
Have you looked at OpenBSD's ldapd(8) instead of openldap?

It supports SASL PLAIN auth, according to the 6.3 man page.

I don't currently use SASL but otherwise have found the config of ldapd
to be much simpler than slapd.

Yes, last time I had set up OpenLDAP with SASL it was fragile and
required a lot of fiddling to get it working. That was on Linux, about
10 years ago.

Allan



Re: OT: Firmware encryption hacked?

2018-09-13 Thread Allan Streib
Carlos Lopez  writes:

> Uhmm … Reality? 
> https://techcrunch.com/2018/09/12/security-flaw-in-nearly-all-modern-pcs-and-macs-leaks-encrypted-data/?guccounter=1

Somewhat better writeup from the source:

https://blog.f-secure.com/cold-boot-attacks/

The vulnerability seems to be when a computer is running or "sleeping"
not actually off or hibernating. There are then ways that an attacker
with physical access might recover encryption keys or other data from
RAM.



DHCP on several VLANs

2018-09-13 Thread Allan Streib
I need to set up DHCP for several VLANs. The server has 1 physical
interface (bnx1) available for this.

My naive thought is I create the vlans with bnx1 as the "parent", e.g.

/etc/hostname.vlan101:
inet 172.16.101.253 255.255.255.0 NONE parent bnx1 vnetid 101

/etc/hostname.vlan102:
inet 172.16.102.253 255.255.255.0 NONE parent bnx1 vnetid 102

/etc/hostname.vlan103:
inet 172.16.103.253 255.255.255.0 NONE parent bnx1 vnetid 103

bnx1 is connected to switch port with all three VLANs tagged.

Then, rcctl set dhcpd flags vlan101 vlan102 vlan103

Is there a better approach?

Allan
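Three near-identical hostname.vlan files are easy to check by eye, but the copy-paste pattern above is exactly how a repeated address or an overlapping subnet slips in, and with dhcpd listening on all three that is a hard fault to spot later. The Python below is an added example, not code from the post or from OpenBSD: it parses hostname.if(5) lines of the form used above (inet ADDR NETMASK BROADCAST parent IF vnetid N), then flags an address configured twice, subnets that overlap between VLANs, a vnetid that disagrees with the interface name, and a missing parent or vnetid. The sample files are constructed, with a deliberate slip in vlan103 that repeats vlan102's address.

```python
"""Lint for a set of hostname.vlanN files like the ones in the post above."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# hostname.if(5) address line in the form the post uses:
#   inet ADDR NETMASK BROADCAST [parent IF] [vnetid N]
INET_RE = re.compile(
    r"^inet\s+(?P<addr>\S+)\s+(?P<mask>\S+)\s+(?P<bcast>\S+)"
    r"(?:\s+parent\s+(?P<parent>\S+))?"
    r"(?:\s+vnetid\s+(?P<vnetid>\d+))?\s*$"
)

# Constructed sample: three files as in the post, with a deliberate slip in
# vlan103 (it repeats vlan102's address) to show what the lint catches.
SAMPLE_FILES = {
    "vlan101": "inet 172.16.101.253 255.255.255.0 NONE parent bnx1 vnetid 101\n",
    "vlan102": "inet 172.16.102.253 255.255.255.0 NONE parent bnx1 vnetid 102\n",
    "vlan103": "inet 172.16.102.253 255.255.255.0 NONE parent bnx1 vnetid 103\n",
}


@dataclass
class VlanIf:
    name: str                         # interface name, e.g. "vlan101"
    iface: ipaddress.IPv4Interface    # address plus netmask
    parent: str | None
    vnetid: int | None


def parse_hostname_if(name: str, text: str) -> VlanIf:
    """Return the first 'inet' line of a hostname.if file as a VlanIf."""
    for line in text.splitlines():
        m = INET_RE.match(line.strip())
        if m:
            iface = ipaddress.IPv4Interface(f"{m['addr']}/{m['mask']}")
            vnetid = int(m["vnetid"]) if m["vnetid"] else None
            return VlanIf(name, iface, m["parent"], vnetid)
    raise ValueError(f"{name}: no inet line found")


def lint(ifs: list[VlanIf]) -> list[str]:
    """Flag mistakes that are easy to make when copy-pasting near-identical files."""
    findings: list[str] = []
    seen: dict[ipaddress.IPv4Address, str] = {}
    for v in ifs:
        if v.parent is None or v.vnetid is None:
            findings.append(f"{v.name}: missing parent or vnetid")
        # The tag in the name should be the tag on the wire (vlan101 -> vnetid 101).
        m = re.fullmatch(r"vlan(\d+)", v.name)
        if m and v.vnetid is not None and int(m.group(1)) != v.vnetid:
            findings.append(f"{v.name}: vnetid {v.vnetid} does not match interface name")
        # The same address configured on two interfaces.
        if v.iface.ip in seen:
            findings.append(f"{v.name}: address {v.iface.ip} already used by {seen[v.iface.ip]}")
        else:
            seen[v.iface.ip] = v.name
    # Two VLANs sharing (or nesting) a subnet: each DHCP scope must be unambiguous.
    for i, a in enumerate(ifs):
        for b in ifs[i + 1:]:
            if a.iface.network.overlaps(b.iface.network):
                findings.append(
                    f"{a.name}/{b.name}: subnets {a.iface.network} and {b.iface.network} overlap"
                )
    return findings


def dhcpd_flags(ifs: list[VlanIf]) -> str:
    """The interface list handed to dhcpd, as in 'rcctl set dhcpd flags ...'."""
    return " ".join(v.name for v in ifs)


if __name__ == "__main__":
    parsed = [parse_hostname_if(n, t) for n, t in SAMPLE_FILES.items()]
    for finding in lint(parsed) or ["no findings"]:
        print(finding)
    print("rcctl set dhcpd flags", dhcpd_flags(parsed))
```

Run against real files by reading each /etc/hostname.vlan* into the dict in place of SAMPLE_FILES; an empty findings list is the signal that the three scopes are distinct before dhcpd is started on them.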




growisofs unable to allocate 56 bytes

2018-09-05 Thread Allan Streib
This has been a recurring problem for at least a couple of releases. I'm
currently on 6.3 release with syspatches. Generally happens after
machine has been up for a while; if I reboot and burn the DVD right away
it usually works.

$ doas growisofs -dvd-compat -Z /dev/rcd0c=rhel-server-7.5-x86_64-dvd.iso  
:-( unable to allocate 56 bytes: Cannot allocate memory

$ ulimit -a
time(cpu-seconds)    unlimited
file(blocks)         unlimited
coredump(blocks)     unlimited
data(kbytes)         2097152
stack(kbytes)        16384
lockedmem(kbytes)    10808805
memory(kbytes)       32419944
nofiles(descriptors) 512
processes            256

$ top | grep ^Mem
Memory: Real: 5431M/7626M act/tot Free: 23G Cache: 976M Swap: 0K/8302M


OpenBSD 6.3 (GENERIC.MP) #8: Sat Aug  4 16:56:56 CEST 2018

r...@syspatch-63-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34249834496 (32663MB)
avail mem = 33204748288 (31666MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xebc60 (115 entries)
bios0: vendor American Megatrends Inc. version "3402" date 08/18/2016
bios0: ASUS All Series
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG ASF! SSDT UEFI HPET MSCT SLIT SRAT 
WDDT SSDT
acpi0: wakeup devices IP2P(S3) XHCI(S4) EHC1(S4) EHC2(S4) RP01(S4) RP02(S4) 
RP03(S4) RP04(S4) RP05(S4) RP06(S4) RP07(S4) RP08(S4) BR1A(S4) BR1B(S4) 
BR2A(S4) BR2B(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-5960X CPU @ 3.00GHz, 2998.67 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
acpitimer0: recalibrated TSC frequency 2998278840 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-5960X CPU @ 3.00GHz, 2998.27 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i7-5960X CPU @ 3.00GHz, 2998.27 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) i7-5960X CPU @ 3.00GHz, 2998.27 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 8 (application processor)
cpu4: Intel(R) Core(TM) i7-5960X CPU @ 3.00GHz, 2998.27 MHz
cpu4: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 0, core 4, package 0
cpu5 at mainbus0: apid 10 (application processor)
cpu5: Intel(R) Core(TM) i7-5960X CPU @ 3.00GHz, 2998.27 MHz
cpu5: 

Re: Lesser evil

2018-09-04 Thread Allan Streib
Kevin Chadwick  writes:

> Windows updates do still take way too long though and perhaps they are
> gathering usage information, not that I care much. I hear they are
> working on the speed in insider previews.

Windows 10 has a lot of telemetry and data collection that sends
information back to Microsoft. It can be disabled. This is easier with
Enterprise Edition. You might consider the LTSB branch if you are under
a volume license agreement. Those releases do not include Windows Store,
Cortana, or most of the pre-installed applications. They get security
updates, but no new features.

Allan



Re: Selling things through the mailing list allowed? I have compatible THIN CLIENTS for Firewall / Router appliance use Available

2018-08-30 Thread Allan Streib
I quote from the FAQ:

Complaining about and commenting upon spam on the list proper is
counter-productive, as it generates more traffic than the spam
itself.

I am cognizant that I am violating this rule right now, but maybe it helps
reduce pointless traffic in the future...

Allan



Re: Why openbsd use only 2 of my 4 CPU ?

2018-07-25 Thread Allan Streib
vincent delft  writes:

> I've migrated to -current to test the auto-join, but since then, my system
> is slow. Specially with libreoffice, firefox, ...
>
> By looking at top, I've saw that only 2 CPU are actually running.

[...]

> cpu0: Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz, 2694.16 MHz
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,RDSEED,ADX,SMAP,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz, 2693.78 MHz
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,RDSEED,ADX,SMAP,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 1 (application processor)
> cpu2: Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz, 2693.77 MHz
> cpu2:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,RDSEED,ADX,SMAP,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 1, core 0, package 0
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz, 2693.77 MHz
> cpu3:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,RDSEED,ADX,SMAP,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,MELTDOWN
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 1, core 1, package 0

Your CPU has 2 cores. With SMT (HyperThreading), it appears to have
4, but SMT was disabled in -current for security.

https://www.mail-archive.com/source-changes@openbsd.org/msg99141.html

Allan



ldapd sync with outside data

2018-06-13 Thread Allan Streib
Has anyone tried LSC on OpenBSD to synchronize between ldapd and a SQL
database such as MariaDB? How well did it [not] work, or do you use
something else?

https://lsc-project.org/

Thanks,

Allan



Re: OT: how do you write your tools /scripts for everyday tasks

2018-05-30 Thread Allan Streib
Markus Rosjat  writes:

> So what you guys using these days, is it shellscripts, c programs,
> perl or?

I've moved almost all my sysadmin automation to ansible. Ansible
provides a large library of modules that handle most common things in an
idempotent way.

https://docs.ansible.com/ansible/latest/index.html

I still use shell scripts for some things, cron jobs and other
housekeeping-type things.

Allan



Re: opensmtpd / ldap unreliable

2018-05-23 Thread Allan Streib
"Paul B. Henson"  writes:

>> What you ask is a very general question: If A depends on B, and B is
>> missing, how do you expect A to behave?
>
> In this specific case, I expect A to complain it was unable to contact
> B, to continue initializing, return temporary failures for any
> operation which requires B, and reattempt a connection to B on a
> regular basis until it is successful. From a reliability and full
> tolerance perspective, falling over and dying doesn't seem a very good
> choice for the circumstances.

Falling over and dying is the simplest thing. It makes no assumptions
about the cause of the problem and when it might be resolved. It does
not attempt to carry on in some hobbled fashion, possibly creating
further problems.

If you depend on services being up, you will need monitors/supervisors
to detect when they are not up, and attempt restarts and/or notify you
as appropriate. Baking this into the services themselves is a
duplication of functionality that can be handled externally.

Allan



Re: Date of yesterday

2018-04-09 Thread Allan Streib
Tom Smyth  writes:

> Howdy...
> Daylight savings time sucks...  :/...
>  Is there a way to Reference UTC and then do  the calculating
> n and then convert to local time zone if  you are worried about
> calculating yesterday on the edge case of the 2 hrs a year
> that this would make an impact...

Yes, use the perl example someone suggested hours ago.

You don't want to mess with this stuff yourself. Use a proper date
library to do date calculations.

Allan



Re: locale settings for spelling, paper size, etc

2018-03-26 Thread Allan Streib
Austin Hook  writes:

> I have for a long time set my /etc/papersize to "letter".  In my 
> experience Firefox ignores it.  At some point the default setup for the 
> Firefox package became A4 and I have to manually re-set it to letter, 
> manually in the pop-up, whenever I print.  Can't make it default to 
> letter.  Can't find an about:config for Firefox that works for me.

That suggestion of about:config prompted me to look; there are several
print.print_paper_* settings, have you tried those?

This post indicates that print.print_paper_name may be the way...

  https://superuser.com/questions/184476/how-to-set-default-page-setup-%e2%86%92page-size-as-a4-in-firefox#309175

... but it doesn't work for me in FF 58.0.2

I see the following:

print.print_paper_data  integer 0
print.print_paper_heightstring  11.69
print.print_paper_name  string  iso_a4
print.print_paper_size  integer 0
print.print_paper_size_unit integer 0
print.print_paper_width stirng  8.27

I have tried resetting to default, tried "letter" and "na_letter" as the
print_paper_name, but the print dialog always defaults to A4 regardless.

> Keep telling myself to look for a change to compile in, but shudder to
> think of building Firefox.

Agreed. I tried once and after quite some time it failed for lack of
resources (don't remember exactly what, now).

Allan



Re: OpenSMTPd maillist "compatible" manager Majordomo or what?

2018-03-20 Thread Allan Streib
Does mlmmj provide self-service-via-email? I could not quite tell from
their online man pages.

E.g. as a subscriber to a list, can I send an email to something like
listname+unsubscr...@example.com to unsubscribe?

Allan



locale settings for spelling, paper size, etc

2018-03-13 Thread Allan Streib
Seems like a FAQ, though I didn't find it. I've noticed that in
applications such as Firefox, LibreOffice, etc. the spell checking uses
British English spelling. Also printing defaults to A4 instead of
US-Letter paper size.

I select us.swapctrlcaps keyboard when installing, and
LC_CTYPE=en_US.UTF-8.

Is this something I just need to change per application, or is there
another system-wide way to indicate I want American defaults?

Allan



Re: Lenovo X130e blank video at boot.rd

2018-02-28 Thread Allan Streib
j...@bitminer.ca writes:

> Just for laughs I booted an OpenBSD 4.2 CD, circa 1997 (and five years 
> older than the hardware) and while it recognized few devices it did show 
> all video correctly.  The video device vga1 shows as vendor "ATI" 
> unknown product 0x9806 rev 0x00.

That release predates the introduction of the framebuffer console.

I have had a problem since that started, the video mode selected is
incorrect and I see the boot messages in VGA mode until the framebuffer
console is activated, then the screen goes blank and pops up a message
complaining about the video mode. I have to do a blind login and then
run startx. Never learned how to disable wsdisplay and keep the simple
80x24 console.

Allan



Re: LibreSSL Linux portability and OpenBSD security

2018-02-09 Thread Allan Streib
Kevin Chadwick  writes:

> I wish libressl could keep the 32 bit time_t workaround til linux
> kernel had fixed the problem instead of knowingly break things. Now I
> don't see we have much of an option since 32 bit linux is basically
> not supported by libressl at this point.

Contortions in the code to provide backwards support for various
obsolete platforms are part of what got OpenSSL into such a mess in the
first place.

Allan



Re: Segmentation fault / firefox (core dumped)

2018-01-26 Thread Allan Streib
Roderick  writes:

> On Thu, 25 Jan 2018, meg...@r53sound.com wrote:
>
>> Have you tried increasing  datasize-cur and -max under "default:\"
>> in /etc/login.conf ? I have mine set to 2048M
>
> I have 512 MB there. My computer has 1024MB Ram. For what does firefox
> need so much memory?!

Mine is set to 2048M also. I almost never have Firefox crashes
esp. on newer builds from Landry Breuil as described here:

  https://undeadly.org/cgi?action=article=20170425173917

I run three or four browser profiles simultaneously, use Gmail, Google
Docs, Google Sheets, etc. quite well. With Firefox Quantum it's even
more stable than Chromium which is the reverse of my prior experience
using Google services.

> I only need a browser.

Surf? w3m?

Allan



Re: font path ignorance

2018-01-24 Thread Allan Streib
Ed Ahlsen-Girard  writes:

> What have I missed?

In my ~/.xinitrc I have:

xset +fp 
/usr/local/share/fonts/mscorefonts,/usr/local/share/fonts/ghostscript,/usr/local/share/fonts/extra

Regards,

Allan



Re: OpenBSD !HTTPS websites - why?

2018-01-15 Thread Allan Streib
who one  writes:

> 70% of the websites in the world uses HTTPS: https://letsencrypt.org/stats/ , 
> see "Percentage of Web Pages Loaded by Firefox Using HTTPS". If OpenBSD is 
> security oriented, HTTPS should be de facto. 

Letsencrypt is possibly not the best example to cite, since they
recently disclosed a vulnerability in one of the protocols they use to
validate control of a domain.

https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/5a55777ed9a9c1024c00b241

https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996

Allan



Re: Community-driven OpenBSD tutorials wiki?

2018-01-04 Thread Allan Streib
andrew fabbro  writes:

> read the man pages, read the FAQ, read the source code

I have to say that I've found that in most cases the man pages and FAQ
will get you a long way. If you're a new arrival from the linux world,
used to googling for how-to blog posts, this will not be expected or
habitual. Try it, and you might be surprised.

Allan



Re: Kernel memory leaking on Intel CPUs?

2018-01-04 Thread Allan Streib
"Alceu R. de Freitas Jr."  writes:

> I guess Intel does not give a shit about non-profit groups. Linux got
> this attention because there are a lot of players making money from
> it, players that surely have some sort of partnership with Intel.

From what I have read in the past 24 hours, the spectre attacks are not
limited to Intel CPUs, but in theory could affect any that use
speculative execution (including, at least, modern ARM designs and AMD
processors).

My uninformed take on this is that when you allow anyone in the world to
run programs on your systems (i.e. JavaScript in browsers, "cloud"
hosted virtual machines running on shared hardware, etc.) these sorts of
things occasionally happen. No CPUs or software are perfectly secure.

Allan



Re: bug tracking system for OpenBSD

2017-12-19 Thread Allan Streib
Kai Wetlesen  writes:

> There are many decisions that would need to be made that will piss
> somebody off. Decisions like what software/platform to use, where to
> host the thing, and how much the tool should integrate into existing
> bug reporting mechanisms (right now just fancy emailing).

So it's a lot more work than it might first appear.

> To answer your tactful question Theo, I personally haven’t done
> anything because I do not have your blessing nor of someone who can
> say “yes just effing do it". But, if you would be willing to give me
> free reign it will be done.

You seem to be asking for endorsement of something you haven't done
yet. In my time on this list I've learned that's not how it works.

Allan



Re: The many ways of running firefox on OpenBSD

2017-12-06 Thread Allan Streib
Kevin Chadwick  writes:

> https://undeadly.org/cgi?action=article=20170425173917

Fantastic! Thanks for posting this!

Allan



Re: xterm(1) changing UTF-8 characters when copy-pasting?

2017-12-01 Thread Allan Streib
Allan Streib <astr...@indiana.edu> writes:

> $ printf "e\xcc\x81\n" | od -a
> 000   e  cc  81  nl
>
> $ printf "e\xcc\x81\n"
> é
>
> ^ copy/pasting: $ echo "é" | od -a
> 000   c3  a9  nl

Also in case it's interesting:

$ printf "e\xcc\x81" | xclip -i

$ xclip -o | od -a  
000   e  cc  81


$ echo "é" | od -a
000   e  cc  81  nl

In the above, the "é" was obtained with middle-click (paste).


$ echo "é" | od -a
000   c3  a9  nl

In the above, the entire command 'echo "é" | od -a' was copied from the
prior line and pasted with the mouse.

Allan



Re: xterm(1) changing UTF-8 characters when copy-pasting?

2017-12-01 Thread Allan Streib
Philippe Meunier  writes:

> - Allan probably did his tests with the precompose resource set to its
>   default true value.

I assume this is correct because I have never deliberately changed it.

And you're right after all.

$ printf "e\xcc\x81\n" | od -a
000   e  cc  81  nl

$ printf "e\xcc\x81\n"
é

^ copy/pasting: $ echo "é" | od -a
000   c3  a9  nl

Allan
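The two byte sequences in the od(1) output above are the same text in two Unicode forms: `65 cc 81` is 'e' followed by U+0301 COMBINING ACUTE ACCENT, and `c3 a9` is the single precomposed code point U+00E9. The following is an added example, not code from the thread or from xterm; it reproduces both sequences with Python's unicodedata and adds a comparison helper that treats them as equal. The byte strings are taken from the thread; the function names, and the assumption that xterm's precompose behaviour matches NFC for this input, are this example's own.

```python
"""Show how 'e' + U+0301 and U+00E9 relate under Unicode normalization.

Added example, not code from the thread. The two byte strings below are the
ones shown in the od(1) output; everything else is constructed here.
"""
import unicodedata

# Constructed from the thread's od(1) output.
DECOMPOSED = b"e\xcc\x81"  # 'e' then U+0301 COMBINING ACUTE ACCENT (NFD form)
PRECOMPOSED = b"\xc3\xa9"  # U+00E9 LATIN SMALL LETTER E WITH ACUTE (NFC form)


def hexdump(data: bytes) -> str:
    """Render bytes the way the thread's od(1) output shows them: 'c3 a9'."""
    return " ".join(f"{b:02x}" for b in data)


def precompose(data: bytes) -> bytes:
    """Approximation of what xterm's 'precompose' resource does on paste:
    fold a base character plus combining marks into the single precomposed
    code point where one exists (Unicode NFC).

    Assumption: xterm's behaviour matches NFC for this input; this function
    is NFC, not a reimplementation of xterm's own logic.
    """
    text = data.decode("utf-8")
    return unicodedata.normalize("NFC", text).encode("utf-8")


def decompose(data: bytes) -> bytes:
    """The reverse direction: split precomposed characters into base + marks (NFD)."""
    text = data.decode("utf-8")
    return unicodedata.normalize("NFD", text).encode("utf-8")


def same_text(a: bytes, b: bytes) -> bool:
    """Compare two UTF-8 strings as text, not as bytes.

    A byte-wise compare says the two encodings differ even though they render
    as the same glyph; normalising both sides first gives the answer a reader
    would give. Use this form of check whenever a value may have passed through
    a clipboard, terminal or filesystem that normalises text.
    """
    return (unicodedata.normalize("NFC", a.decode("utf-8"))
            == unicodedata.normalize("NFC", b.decode("utf-8")))


if __name__ == "__main__":
    print("pasted via precompose:", hexdump(precompose(DECOMPOSED)))  # c3 a9
    print("decomposed again:     ", hexdump(decompose(PRECOMPOSED)))  # 65 cc 81
    print("bytes equal:", DECOMPOSED == PRECOMPOSED,
          "text equal:", same_text(DECOMPOSED, PRECOMPOSED))
```

The practical point for anything that compares user-supplied identifiers (usernames, file names, allowlist entries): a byte-wise `==` on the two inputs returns False, while `same_text` returns True, so decide up front which of the two you mean and normalise at the boundary where the data enters.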



Re: xterm(1) changing UTF-8 characters when copy-pasting?

2017-11-30 Thread Allan Streib
Philippe Meunier <meun...@ccs.neu.edu> writes:

> Allan Streib wrote:
>>Are you using xterm(1) or uxterm(1)?
>
> uxterm does not exist anymore on OpenBSD 6.1:
> https://www.openbsd.org/faq/upgrade61.html

Hm. Well that's one that I overlooked. I've been upgrading since 5.x and
I never removed uxterm. I'm on 6.2 now and still using it.

Allan



Re: xterm(1) changing UTF-8 characters when copy-pasting?

2017-11-30 Thread Allan Streib
Philippe Meunier  writes:

> So there seems to be two problems:
>
> - Copy-pasting the result of printf "e\xcc\x81\n" never works correctly in
>   xterm, regardless of whether I use TrueType fonts or not.  xterm
>   copy-pastes the correct sequence of bytes but that sequence is not
>   displayed correctly.  That's the same problem I noticed in my previous
>   email.
>
> - When using TrueType fonts, printf "e\xcc\x81\n" does not show the accent.

Are you using xterm(1) or uxterm(1)?

When I start uxterm I don't see these behaviors. I see the correct
accented e in all cases.

Allan



Re: STYLE: whitespace at end of input line

2017-11-29 Thread Allan Streib
Jan Stary  writes:

> The offending portion is:
>
> .Bd -literal
> $ ecurve 7 0 3
>
>   *  * 
>   *  * 
>**  
>   *  * 
>**  
>**  
> .Ed
>
> I can just delete the trailing whitespace and the reader will see the same,
> but the whitespace actually has a meaning here: it's a 7x7 ascii bitmap
> of an elliptic curve (y^2 = x^3 + 3 over Z_7).

Can you draw a box around it? E.g.

+-------+
|  *  * |
|  *  * |
|   **  |
|  *  * |
|   **  |
|   **  |
+-------+

Allan
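The bitmap quoted above is a 7x7 grid with one row per x and one column per y, marked wherever y^2 = x^3 + 3 holds mod 7; the row for x = 0 is blank because 3 is not a square mod 7, which is why the drawing appears to start with an empty line. The following is an added example, not Jan's ecurve(1) program: it enumerates the points of y^2 = x^3 + ax + b over Z_p, renders them in the same orientation with the box suggested above, and adds the group law so the order of a point can be checked. All function names are this example's own.

```python
"""Enumerate and draw the points of y^2 = x^3 + a*x + b over Z_p.

Added example, not the ecurve(1) program from the thread. It reproduces the
7x7 bitmap quoted for `ecurve 7 0 3` and adds the group law so the order of
a point can be verified. Function names are this example's own.
"""
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity O


def curve_points(p: int, a: int, b: int) -> List[Tuple[int, int]]:
    """All affine points (x, y) with y^2 == x^3 + a*x + b (mod p), by brute force."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x * x * x + a * x + b)) % p == 0]


def bitmap(p: int, a: int, b: int, mark: str = "*", blank: str = " ") -> List[str]:
    """p rows of p columns; row index is x, column index is y.

    That is the orientation of the quoted drawing: for p=7, a=0, b=3 the row
    for x=0 is empty because 3 is not a square mod 7, and the row for x=1
    has marks at y=2 and y=5.
    """
    on_curve = set(curve_points(p, a, b))
    return ["".join(mark if (x, y) in on_curve else blank for y in range(p))
            for x in range(p)]


def boxed(rows: List[str]) -> str:
    """Put a border around the bitmap so trailing blanks cannot be stripped."""
    width = max((len(r) for r in rows), default=0)
    border = "+" + "-" * width + "+"
    return "\n".join([border] + ["|" + r.ljust(width) + "|" for r in rows] + [border])


def add(p: int, a: int, P: Point, Q: Point) -> Point:
    """Group law on the curve, p an odd prime (short Weierstrass form)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P) = O; also covers doubling a point with y == 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def point_order(p: int, a: int, P: Point) -> int:
    """Smallest n >= 1 with n*P = O."""
    n, R = 1, P
    while R is not None:
        R = add(p, a, R, P)
        n += 1
    return n


def group_order(p: int, a: int, b: int) -> int:
    """Number of points on the curve including O."""
    return len(curve_points(p, a, b)) + 1


if __name__ == "__main__":
    print(boxed(bitmap(7, 0, 3)))
    print("points incl. O:", group_order(7, 0, 3))  # 13
    print("order of (1, 2):", point_order(7, 0, (1, 2)))  # 13
```

For this curve the group has 13 elements (12 affine points plus O), a prime, so every point other than O generates the whole group; that is the property one wants from a curve used for key agreement or signatures, here at toy size.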


