Re: lcamtuf on the recent xz debacle
Katherine Mcmillan: > Just for clarity, does anyone know what "Unix-like operating systems" > would be affected by this? None. TLDR: The build process of the backdoor explicitly aborts on platforms other than Linux x86-64. As the maintainer of the archivers/xz port, I took a look at the build stages of the malicious code, because I had already prepared an update to 5.6.1 and run the code in question. Two ostensible test files were committed to the xz repository immediately before the 5.6.0 release and updated immediately before 5.6.1: bad-3-corrupt_lzma2.xz, which as the name suggests is a malformed compressed file, and good-large_compressed.lzma, which is a valid file and extracts to a mixture of easily compressible repeated characters and uncompressible pseudo-random data. By themselves those files are completely harmless. As is common practice, the xz repository only contains input files like configure.ac and Makefile.am for the GNU autotools. For the release tarball, an autotools run generates the actual configure script, Makefile.in, etc., so the result can be built with "./configure && make". For the 5.6.0 and 5.6.1 release, the build-to-host.m4 macro package that ships as part of GNU gettext was replaced by a modified version that was copied into the release tarball and, importantly, was used to generate a modified configure script. Let's call this stage 0. When you run the configure script, the stage 0 shell snippet is executed. The malicious code runs a pipe of commands that reads the bad-3-corrupt_lzma2.xz file, swaps some byte values to turn it into a valid file, extracts the file with xz (which must already be installed), and feeds the content--let's call it stage 1--into a shell. In 5.6.1, the stage 1 script will abort right away if the operating system doesn't identify as "Linux" with uname(1). The script runs another pipe of commands that decompresses good-large_compressed.lzma, picks some chunks of the result, replaces some byte values to turn it into a valid LZMA data stream, extracts the content--let's call it stage 2--and feeds it into a shell. The data manipulation in stage 1 uses the head(1) command with the "-c" command flag, which isn't available on OpenBSD. In 5.6.1 there is another early attempt in the stage 2 script to verify that the operating system is Linux, however the syntax is broken so it doesn't actually do anything. The stage 2 script runs quite a number of tests to ensure that the environment in which it executes is the one it expects: details of the directory tree, details of the files generated by configure, that the platform is x86-64 Linux, that the compiler is gcc and the linker GNU ld, that the IFUNC feature is available, that is runs as part of a .deb or .rpm package build. If any single one of those tests fails, the script aborts right away. If everything checks out, stage 2 again runs a series of data manipulation commands to extract from good-large_compressed.lzma two object files and injects them into the build to generate a manipulated liblzma. Various checks that stage 2 performs will fail on OpenBSD and again it relies on "head -c" and now also on the GNU version of sed(1) to perform the required data manipulations. For the actual code inserted into liblzma on Linux x86-64, I have to refer to the ongoing reverse engineering performed by the Linux people. It is my understanding that its code is triggered by an IFUNC constructor during dynamic linking that checks that it is in the address space of a /usr/sbin/sshd process and then proceeds to redirect an RSA signature verification routine to its own malicious code. Liblzma ends up dynamically linked to sshd because of a systemd-related extension added by many Linux packagers that pulls in liblzma as an unrelated dependency. The actual backdoor is triggered by an SSH connection that authenticates with a certificate that includes an RSA public key, part of which is a payload that is checked against a fingerprint, then verified for a correct Ed448 signature with a key only the attacker knows, and then this content is directly executed in a shell spawned by sshd for remote code execution. The build stage of the backdoor is well hidden. The stage 0 shell snippet looks at first glance like a plausible part of the poorly readable autoconf/automake tooling. The test files that hide the further stages and actual backdoor code are unsuspicious by themselves. 5.6.1 added further tests to abort early on non-Linux platforms, presumably so that nobody examining build problems would stumble over anything suspicious. I think the check for a .deb or .rpm build is intended to inject the backdoor only during automated package building, so people developing or debugging xz would not accidentally discover it in the build directory. I can identify four commits in the xz Git repository that are related to the backdoor. In chronological order: 2024-02-23 cf44e4b Tests: Add a few test files. 2024-03-09
Re: Entry in the list of UNIX and OpenBSD providers
"Theobald, Gerd": > C Germany > P Baden-Wuerttemberg > T Nuremberg > Z D-90411 Nuremberg is not in Baden-Wuerttemberg. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: cvs revert specific commit
Hrvoje Popovski: > I would like to revert only if_em.c rev. 1.369, but would like to leave > TSO stuff if_em.c rev. 1.370 and if_em.h rev 1.81. > > is this somehow possible? $ cd /sys/dev/pci $ cvs diff -kk -r1.369 -r1.368 if_em.c | patch -p0 -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: time keeping fallback mechanics during reboot on octeon
Otto Moerbeek: > http://man.openbsd.org/octrtc seems to suggest EdgeRouter does not have > an RTC. A dmesg should give more certainty. I think the original poster is aware of this. If I understand correctly, he expects that on reboot the system clock is restored to the last value from before the reboot (so only a minute or so is lost), and that this value is transported by a time stamp on the root filesystem. Apparently that doesn't happen. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Why is BRE still around? (Re: Porting shell scripts from Tiny Tools)
Marc Chantreux: > I the same mood: I realized recently that no implementation of awk > seems to implement quantifiers which is really desapointing. Awk uses EREs, so if by quantifiers you mean {n,m}, then awk most certainly supports this. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Why is BRE still around? (Re: Porting shell scripts from Tiny Tools)
Marc Chantreux: > But is there another good reason for BRE to be still alive? > (perfomance, simplicity, or anything else). I think it is mostly for historical reasons, but note that BREs are not a strict subset of EREs: BREs allow back-references, EREs do not. The GNU project turned BREs and EREs into one and the same feature set in their implementation, just with different syntaxes, causing a great deal of confusion. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Reptar aka CVE-2023-23583
not jacinda ardern: > I saw something about a new intel microcode coming out (subject line) for a > goofy new bug somebody found. Do you guys package that up into the fw_update > (firmware.openbsd.org) magic or does it only come via the oem's bios updates? Whatever Intel releases. Yesterday they published a microcode update that should address this. The updated firmware package is already on the mirrors. CVSROOT:/cvs Module name:ports Changes by: j...@cvs.openbsd.org 2023/11/14 16:34:51 Modified files: sysutils/firmware/intel: Makefile distinfo Log message: update intel microcode to 20231114 release notes: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20231114 mitigates: https://lock.cmpxchg8b.com/reptar.html https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/redundant-prefix-issue.html -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: ETA for 7.4 packages-stable for aarch64?
Stephan Somogyi: > aarch64 packages-stable has historically been available; for 7.4 it's > populated for only for amd64, i386, and sparc64 on cdn.openbsd.org and > assorted mirrors. > > Is there an ETA for 7.4 aarch64 packages-stable? Uh, right. They were delayed because of a problem with the machine building them, but they are available now... I just need to sign them. There, done. They'll hit the mirrors soon. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: SSH from old Mac fail to login via ssh rsa key
"Daniele B.": > I went to my Mac (SSH -V: OpenSSH 6.9p1 LibreSSL 2.1.8) and launched > ssh-keygen produced for my my user a nice RSA key. I grabbed it and I > went on my > cloud server (SSH -V: OpenSSH 9.2p1 OpenSSL 3.0.9) and appended it in > my .ssh/authorized_keys. While RSA _keys_ are still supported, the RSA signature _algoritm_ has changed: rsa-sha2-{256,512} is used nowadays and the old ssh-rsa scheme has been disabled by default. rsa-sha2 was introduced with OpenSSH 7.2, so 6.9 is too old. The easiest solution is to use an Ed25519 key, supported since OpenSSH 6.5: $ ssh-keygen -t ed25519 -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Problem with nsd not being reloaded.
WATANABE Takeo: > I am using nsd, which runs by default on OpenBSD 7.2 amd64. > To update the zone file after changes have been made. > > As far as I could find, restarting the host seems to be > the only way to update the zone information. nsd-control(8) -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: sysctl ddb.trigger
Paul de Weerd: > Indeed, `sysctl kern.securelevel=-1` allows entering DDB with `sysctl > ddb.trigger=1`. (Yes, I am logged in over serial, and that works > well). That was not clear from the ddb manpage, nor from the > securelevel manpage It's in sysctl(2): DBCTL_TRIGGER (ddb.trigger) When DBCTL_CONSOLE is set, writing to DBCTL_TRIGGER causes the system to enter ddb(4). When running with a securelevel(7) greater than 0, the process writing to this variable must be running on the console in order to enter ddb(4). > --- ddb.4 22 Dec 2022 19:53:22 - 1.105 > +++ ddb.4 30 May 2023 06:34:19 - > @@ -46,7 +46,9 @@ is invoked upon a kernel panic when the > is set to 1. > It may be invoked from the console when the sysctl > .Va ddb.console > -is set to 1, using any of the following methods: > +is set to 1 and > +.Va kern.securelevel > +is set to 0 or -1, using any of the following methods: But your problem appears to be that you are invoking it not from the console. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: hw RNG on APUs
Theo de Raadt: > That was in 2022. Lots of people will have machines without new BIOS. I have the latest firmware and the ccp(4) RNG returns nothing but 0. > I wonder if our kernel should have similar code to enable the registers. I tried that yesterday to no effect... but I'm not certain that what I'm trying to do below is equivalent to this coreboot change: + /* Enable access to PSP MMIO BARs. This is needed for CCP. */ + dev = pcidev_on_root(8, 0); + if (dev != NULL) + pci_update_config8(dev, 0x48, 0xff, 0x3d); # pcidump 0:8:0 0:8:0: AMD 16h Crypto Index: dev/pci/ccp_pci.c === RCS file: /cvs/src/sys/dev/pci/ccp_pci.c,v retrieving revision 1.7 diff -u -p -r1.7 ccp_pci.c --- dev/pci/ccp_pci.c 24 Oct 2022 04:57:29 - 1.7 +++ dev/pci/ccp_pci.c 22 Apr 2023 21:52:32 - @@ -31,7 +31,8 @@ #include -#define CCP_PCI_BAR0x18 +#define CCP_PCI_BAR0x18 +#define CCP_PSP_BAR_ENABLES0x48 intccp_pci_match(struct device *, void *, void *); void ccp_pci_attach(struct device *, struct device *, void *); @@ -62,7 +63,8 @@ ccp_pci_attach(struct device *parent, st { struct ccp_softc *sc = (struct ccp_softc *)self; struct pci_attach_args *pa = aux; - pcireg_t memtype; + pci_chipset_tag_t pc = pa->pa_pc; + pcireg_t memtype, reg; memtype = pci_mapreg_type(pa->pa_pc, pa->pa_tag, CCP_PCI_BAR); if (PCI_MAPREG_TYPE(memtype) != PCI_MAPREG_TYPE_MEM) { @@ -75,6 +77,10 @@ ccp_pci_attach(struct device *parent, st printf(": cannot map registers\n"); return; } + + reg = pci_conf_read(pc, pa->pa_tag, CCP_PSP_BAR_ENABLES); + reg |= 0x3d; + pci_conf_write(pc, pa->pa_tag, CCP_PSP_BAR_ENABLES, reg); ccp_attach(sc); } -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: curl-8.0.1 exists in two non-comparable versions (Someone forgot to bump a REVISION)
Andrew Daugherity: > This happened when I ran 'pkg_add -u' after upgrading an i386 system > from 7.2 to 7.3: > Error: curl-8.0.1 exists in two non-comparable versions > Someone forgot to bump a REVISION > It seems that it succeeded in the end, but what happened? Is there a > 7.3-stable curl pkg with new dependencies but the same revision as > 7.3? (Or maybe a 7.2-stable pkg, since I was apparently at 8.0.1 > already?) The 7.2-stable and 7.3 packages are both at the same version 8.0.1 but have different dependencies, because QUIC support was added in -current on the way to 7.3 but not to 7.2-stable. I should have kept -current at a higher REVISION than -stable, but although I _know_ about this problem, I somehow failed to realize that it applied in this case. Too many things to keep track of. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: hw RNG on APUs
Christian Weisgerber: > I built a kernel with an instrumented driver. Unfortunately, no > entropy is provided: FWIW, it appears to work on the SoftIron OverDrive 1000: ccp: rng 058f9dad ccp: rng f0a495ba ccp: rng a757bdf7 ccp: rng 31b21d19 ccp: rng d1ce1c78 ccp: rng 863c9199 -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: hw RNG on APUs
Christian Weisgerber: > ccp(4) attaches, so presumably it is used as a source of entropy. > Whether the hardware actually provides random output, I don't know. I built a kernel with an instrumented driver. Unfortunately, no entropy is provided: ccp: rng ccp: rng ccp: rng ccp: rng ccp: rng This is with the lastest firmware: bios0: vendor coreboot version "v4.19.0.1" date 01/31/2023 Index: dev/ic/ccp.c === RCS file: /cvs/src/sys/dev/ic/ccp.c,v retrieving revision 1.3 diff -u -p -r1.3 ccp.c --- dev/ic/ccp.c29 May 2020 04:42:25 - 1.3 +++ dev/ic/ccp.c19 Apr 2023 15:12:17 - @@ -56,6 +56,7 @@ ccp_rng(void *arg) trng = bus_space_read_4(sc->sc_iot, sc->sc_ioh, CCP_REG_TRNG); if (trng != 0) enqueue_randomness(trng); + printf("ccp: rng %08x\n", trng); - timeout_add_msec(>sc_tick, 100); + timeout_add_msec(>sc_tick, 5000); } -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: hw RNG on APUs
Jan Stary: > Does OpenBSD use any hardware RNG on the PC Engines APUs? ccp0 at pci0 dev 8 function 0 "AMD 16h Crypto" rev 0x00 ccp(4) attaches, so presumably it is used as a source of entropy. Whether the hardware actually provides random output, I don't know. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: disabling horizontal scroll in ksh
sewn: > hi, i've recently switched to ksh and i've been very annoyed by the > horizontal scroll feature (happens when a commmand is longer than the > terminal's width) is there anyway to disable this feature? i would > prefer > to see the whole command, like in bash or ash. That's just the way the ksh command line editor works. Somebody would have to rewrite it from scratch / hook in editline(3) and redo the whole area of the command line editor and key bindings. pdksh's command line editor is patterned after that of ksh88, which was purposely constrained to a single line so it could be implemented with backspace/carriage return and overprinting, without requiring arbitrary cursor positioning and termcap(3). -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: xsnow bitmap include in base?
David Rinehart: > After 7.2 install, I see this include file: > > /usr/X11R6/include/X11/bitmaps/xsnow > > Just curious - With xsnow removed, is this file used for anything? Well, you could use it for something, e.g.: $ xsetroot -bitmap /usr/X11R6/include/X11/bitmaps/xsnow -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Some NFS clients won't mount
"vitmau...@gmail.com": > My /var/log/daemon regarding the issue: > mountd[91001]: Refused mount RPC from host 192.168.1.4 port 57264 The client's mount request didn't come from a reserved port, i.e. <1024. OpenBSD's mountd(8) does not accept this. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: less prints superfluous characters with --no-init
On 2022-11-20, Reuben mac Saoidhea wrote: >> It is a builtin, so it is documented inside ksh. > > i think the 4.3BSD manual allowed for example `man while' for `man sh'? FreeBSD has a builtin(1) man page that attempts to list the csh(1) and sh(1) builtins and points to the respective man pages: https://www.freebsd.org/cgi/man.cgi?query=builtin It's an attempt to do something about this problem, but I think the result isn't that great. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: less prints superfluous characters with --no-init
"Richard Ulmer": > I find this behaviour unexpected: > > $ printf foo | less --no-init | xxd > : 666f 6f1b 5b41 1b5b 4b foo.[A.[K > > less prints ANSI escape codes for 'cursor up' and 'erase in line' at the > end of my message. I cannot reproduce this. $ printf foo | less --no-init | hexdump -C 66 6f 6f |foo| 0003 -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: sndio and bit perfect playback
Andre Smagin: > There is possibly one more use case for "bit-perfect". I have a small > collection of surround sound (5.1, 4.1, quad, etc) recordings extracted > from various DVDs, SACDs, and other sources. Yup. I even have a commercially released DTS-CD lying around somewhere, which is basically an ordinary CD except that the audio is encoded as DTS and not PCM. > My desktop is connected to a receiver via optical SPDIF cable. To get > the surround sound, I use mpd with 'device "snd/0"' option and Ario to > control the mpd daemon. I'm curious, what's the actual audio hardware? azalia(4) or uaudio(4)? > Bit depth does not seem to matter. I don't care about "bit-perfect", but > only about sending the dts stream to the receiver as-is, which works. S/PDIF actually has a native depth of 20 bits per sample. There are also 4 spare bits in the frame, which can optionally be used to transport 24 bits. If an audio source provides only 16 bits per sample, those are fit into the 20 bit frame with the remaining bits unused. DTS and AC3 encodings for S/PDIF only use 16 bits. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: dump(8) is slow
On 2022-08-10, Tomasz Rola wrote: >> DUMP: Date this dump completed: Tue Aug 9 13:51:01 2022 >> DUMP: Average transfer rate: 36530 KB/s >> >> That is far below the read-write speed of a modern SATA drive. > > Ok. But what is a theoretic speed limit for this device? The data sheet claims 237 MB/s typical sustained transfer rate. # dd if=/dev/rsd0c of=/dev/null bs=64k count=1m 1048576+0 records in 1048576+0 records out 68719476736 bytes transferred in 270.039 secs (254479653 bytes/sec) -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: dump(8) is slow
Kenneth Gober: > Are you certain that dump(8) is the big bottleneck here? My recollection > is that restore(8) is significantly slower, so of course if restore(8) is systat's default vmstat display shows you the time spend in disk accesses. Typical figures during the dump-restore run were 1.0 for the dump disk and 0.0 for the restore disk, i.e., the dump disk was saturated and the restore disk was practically idle. Also the number of transfers was a magnitude higher for the dump disk, i.e., a larger number of smaller reads compared to a smaller number of larger writes. So, yeah, the dump(8) side is the bottleneck. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: cdio(1): cdplay with next and prev
On 2022-08-08, Lucian Popescu wrote: > lucian-pc# cdio cdplay > track 1 'a' 0200/00018053 1% > > From another terminal I issue the following command to play the next > song: > > lucian-pc# cdio next #exit code is 0 > > However this does not work. Can I use next and prev with cdplay? The man > page does not make this clear. No, "next" and "previous" work with "play". The fact that it is impossible to issue other commands as long as "cdplay" is running should be sufficiently clear, your very determined effort to circumvent this nonwithstanding. > What I observed is that when using 'cdio play' with 'cdio next' the > track reported by 'cdio status' is indeed changed. The problem with this > approach is that 'cdio play' does not output any sound. Oh, it does--to the (probably nonexistent) analog output of your CD drive, which needs to be hooked up to a corresponding input on your soundcard. You have now traveled back in time to the 1990s. cdio(1) was designed for the way CD drives were connected into the system back then. This has been long obsolete. At some point, the "cdplay" and "cdrip" commands were bolted onto cdio to accommodate the then current model where the audio data was digitally read off the CD over the SCSI/SATA/USB/etc. bus. However, contrary to "play", the "cdplay" command is blocking. "Play" would return you to the cdio prompt right away, and you could fire off other command such as "next", "previous", "pause", "stop", etc. With "cdplay" you are stuck while it is running. cdio(1) is cobbled together, mostly designed for a world that no longer exists, and would have to be redesigned from scratch for a consistent user experience. Nobody has stepped forward to do this, even when CD drives were still common, so I don't expect it to ever happen. -- Christian "naddy" Weisgerber na...@mips.inka.de
dump(8) is slow
Moving 9TB with dump|restore from an old hard disk to a bigger one reminded me again that dump(8) is, well, slow: DUMP: 9104433830 tape blocks DUMP: Date of this level 0 dump: Sat Aug 6 16:36:52 2022 ... DUMP: Date this dump completed: Tue Aug 9 13:51:01 2022 DUMP: Average transfer rate: 36530 KB/s That is far below the read-write speed of a modern SATA drive. systat(1) clearly showed that the source disk and dump(8) was the bottleneck, not the target disk and restore(8). Too much seeking? And we are not talking about a filesystem full of small files. Average size 3.9 GB, median 2.1 GB. Both NetBSD and FreeBSD have in different ways added some kind of caching to dump. Has anybody looked into this? -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: "set -o multiline" in ksh?
On 2022-08-08, Federico Giannici wrote: > What I really miss is multiline editing of current (very long) commands > (ksh simply horizontally "scrolls", showing only a part of the command > line). > > I know that in standard ksh this functionality is activated with "set -o > multiline", but under OpenBSD (7.1 amd64) it gives this error: OpenBSD's ksh is a tweaked pdksh, which in turn was intended as a clone of ksh88, which simply did not implement multiline editing, and so OpenBSD's ksh does not either. "set -o multiline" and the related functionality is a ksh93 feature. > So, is there any way to activate the multiline option in ksh? No. The pdksh/ksh88 line editor only uses extremely basic terminal controls (backspace, carriage return) and overprinting, so it just works on any video terminal. Multiline editing requires arbitrary cursor positioning and thus the need to bring in termcap/terminfo. Admittedly, after some 35 years that design decision is feeling rather outdated. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: bsdtar -O | --to-stdout
On 2022-05-26, Nick Holland wrote: >> i'm looking for a way to reproduce -O flag in bsdtar/gtar using tar >> or pax but i didn't find one. > > Sounds like you are trying to send tar output (or input) to > stdin/stdout. No, to extract a file to stdout. OpenBSD's tar(1) or pax(1) can't do this. I use bsdtar or gtar when I need this. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Please put vi in base
Ian Darwin: > It doesn't take that long to learn ed from the "bottom line" of vi, ed(1) is much like an interactive version of sed(1). Which is no coincidence. If you know the basics of sed(1), ed(1) is straightforward. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Please put vi in base
i...@tutanota.com: > I know how to use vi, but ed just draws the line. Here's just the book for you: Michael W. Lucas, Ed Mastery https://mwl.io/nonfiction/tools#ed -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Who is responding to my audio volume keys?
On 2021-12-18, "Richard Ulmer" wrote: > This works nicely, but one thing is missing: The volume keys on my > Laptop (ThinkPad T450) don't change the volume when the USB sound card > is used. They work when the internal sound card is used, but I don't > recall ever configuring this. There has to be someone listening to these > keys, but I couldn't find who it is. It's handled by the kernel. There are a bunch of drivers that pick up volume key presses--mostly wskbd(4), but also umstc(4) and some acpi drivers--and call a function provided by audio(4) that changes the volume of the audio0 device. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: lpr woes printing a broken pdf
Jan Stary: > I don't think it's lpr's fault, so this might not even be the list, > for lpr just sends what it gets (except wrapping it in the cf, df files > of the lpr protocol, right?), but I would still like to know: Exactly. lpr/lpd is just a transport protocol. > is it that gv can somehow interpret the broken pdf in the right way, > sending the right bits to the printer to print, but the Brother printer > (i.e., the printer's pdf interpreter?) can not? Well, my HP LaserJet Pro M252dw occasionally refuses to print a PDF, declaring it corrupt. My usual workaround is to view to file with xpdf and print from there, which sends a PostScript conversion to the printer. So, yes, there are definitely malformed PDFs that a PDF viewer might cope with but a printer might not. (FWIW, my M252 prints your document correctly according to your description.) -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Snapshot generation stalled?
Karel Gardas: > installed snapshot on amd64 week or so ago to see how it is working. It's > #195 from Aug 23. During the past few days I've checked from time to time > with sysupgrade (with or without -s) but it always claimed I'm on the latest > snapshot. BTW, I use this to check the date of the lastest available snapshot: ftp -MVo- https://ftp.openbsd.org/pub/OpenBSD/snapshots/$(uname -m)/BUILDINFO > So let me ask is snapshot generation stopped for whatever reason for now, Yes. Base snapshots are not being built at the moment. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Run a command on "last day of month"
Goetz Schultz: > I would go the other way and check tomorrows date. If it is "01", then I > know today is the last of this month: > > date --date="tomorrow" +%d > 02 That's not OpenBSD. $ date --date="tomorrow" +%d date: unknown option -- - usage: date [-aju] [-f pformat] [-r seconds] [-z output_zone] [+format] [[cc]yy]mm]dd]HH]MM[.SS]] -- Christian "naddy" Weisgerber na...@mips.inka.de
scp -M sftp
Damien Miller: > CVSROOT: /cvs > Module name: src > Changes by: d...@cvs.openbsd.org2021/08/02 17:38:27 > > Modified files: > usr.bin/ssh: scp.1 scp.c > usr.bin/ssh/scp: Makefile > > Log message: > support for using the SFTP protocol for file transfers in scp, via a > new "-M sftp" option. Marked as experimental for now. [...] You want to test this but * are tired of typing "-M sftp" all the time, and * can't use alias scp='scp -M sftp' because you frequently use -3? Here you go, this simple wrapper should take care of it: ---> #!/bin/sh sftp='-M sftp' while getopts :12346ABCTdfpqrtvD:F:J:M:P:S:c:i:l:o: name; do case $name in [3M]) sftp='' ;; esac done exec /usr/bin/scp $sftp "$@" <--- -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: nmea/udcf recommendation
Stuart Henderson: > > I don't have any practical experience with nmea(4), but I'd like > > to draw attention to ldattach(8)'s -t option. Unless your receiver > > offers a pulse per second signal, you are limited to a very jittery > > timestamp from the serial telegram, mirroring udcf's fundamental > > problem. > > The problem isn't getting the pulses generated, it's getting > them hooked up to the computer and figuring out accurately > when they occurred. That's why I mentioned ldattach -t. We can timestamp on DCD or CTS transitions. On a real serial port, those will trigger an interrupt. That shouldn't be too bad. I see that we also have code for timestamping on ucom(4), but since USB devices cannot directly generate interrupts and are in fact polled by the host controller, that will give poor results. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: nmea/udcf recommendation
Jan Stary: > playing with ntpd a bit, I am looking for a working > nmea or udcf sensor. Can people please recommend > an easy to use device known to work? The Gude mouseCLOCKs were discontinued years ago, so I don't think you could buy any udcf(4) hardware even if you wanted to, and udcf is literally the most stupid device possible. Don't believe me? The hardware supplies a single bit of information that needs to be polled for changes. In practice, it is read by the kernel at HZ (= 100 on most archs) times per second, limiting the precision correspondingly. From ntpd's point of view, a udcf sensor will frequently jump back and forth by 10 ms. ntpd's frequency correction is effectively a differentiator, which is not very happy with jumps. I mean, you can keep time with it, but it's just poor compared to the ~1 ms precision you get from public NTP servers on the Internet. I don't have any practical experience with nmea(4), but I'd like to draw attention to ldattach(8)'s -t option. Unless your receiver offers a pulse per second signal, you are limited to a very jittery timestamp from the serial telegram, mirroring udcf's fundamental problem. The last time I looked--admittedly it's been a few years-- if you wanted to have a PPS on a serial port, you had to get some industrial GPS module and do your own soldering. And you can't do it over USB. Also, GPS doesn't work well indoors and mounting a roof antenna presumably does not qualify as "easy to use". Basically, OpenBSD does not support any useful sensor devices unless you are desperate and need to keep time in a remote mountain cabin without Internet access. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: DHCP non-issues
Peter J. Philipp: > Would OpenBSD be interested in a daemon that gets nameserver information from > pppoe0 and passes this nameserver information to resolvd(8)? Currently there > is no way to do that, so a userland daemon that uses a bpf device to spy on > pppoe(4) may be worthwhile to write? Is this overcomplicating things? Too complicated. Quoting from resolvd.8: resolvd also monitors the routing socket for proposals learned by dhclient(8), dhcpleased(8), slaacd(8), or network devices which natively learn DNS information such as umb(4). I think pppoe(4)--well, sppp(4) actually--needs to learn the nameserver information and send it to the routing socket. umb(4) should provide a template. -- Christian "naddy" Weisgerber na...@mips.inka.de
DHCP non-issues
Look guys, it's simple. If you want IPv6 (SLAAC) autoconfiguration, you set "inet6 autoconf" for that interface. slaacd(8) will then automatically handle things. If you want IPv4 (DHCP) autoconfiguration, you set "inet autoconf" for that interface. dhcpleased(8) will then automatically handle things. If you require special DHCP options that dhcpleased(8) doesn't include, then you don't enable autoconfigurarion and run dhclient(8) instead, which can be extensively configured. Both slaacd(8) and dhcpleased(8) pass nameserver information to resolvd(8), which adds those nameservers to /etc/resolv.conf unless unwind(8) is running. If you don't want that to happen for some other reason, you turn off resolvd(8). And that's it. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: reposync:host key verification failed
On 2021-06-06, Avon Robertson wrote: > reposync: host key verification failed - see > /var/db/reposync/known_hosts > > The same error was then recorded in my log on the 3rd, 4th, 5th, and > 6th of June. The above known_hosts file does not exist on this machine. > The FILES section of reposync(1) I have interpreted as meaning that the > above known_hosts file, is not needed when the official keys exist in > file /usr/local/share/reposync/ssh_known_hosts which they do on this > machine. So what are the fingerprints of the SSH keys in your ssh_known_hosts? $ ssh-keygen -lf /usr/local/share/reposync/ssh_known_hosts How do they compare against those given for anoncvs.au.openbsd.org on https://www.openbsd.org/anoncvs.html ? > Hints as to where the problem is would be very appreciated. anoncvs.au.openbsd.org could have changed SSH keys, but that is not the case. The entries on anoncvs.html have not been updated recently and they match the keys that I see from this host right now. 256 SHA256:kg2Zaqpd8ZuluPzlpFS9rEw0KR1UmxD9jSG6+2tr28A anoncvs.au.openbsd.org (ECDSA) 2048 SHA256:pPcBY4E33vwreETbz5KJUIzZpWWzaZPhrpnLaFa7WuQ anoncvs.au.openbsd.org (RSA) 256 SHA256:4CbDtzH/6mqQ/f6KDLz0rdqK2Thk4dQQtHXOxTONEvk anoncvs.au.openbsd.org (ED25519) Your /usr/local/share/reposync/ssh_known_hosts could have become corrupted. Somebody could be hijacking your TCP connections and trying to redirect them to a different machine. That is what the SSH host keys protect against. THIS IS APPROXIMATELY NEVER THE CASE. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Firefox: glxteset:libpci missing
"Peter N. M. Hansteen": > $ Crash Annotation GraphicsCriticalError: |[0][GFX1-]: glxtest: libpci > missing (t=0.395391) [GFX1-]: glxtest: libpci missing > > firefox runs, so it's not fatal. I suspect it's a misclassified > dependency in the package (build vs runtime). FWIW, I see the same warning on FreeBSD. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment
Tom Smyth: > if you were to have a 1MB file or a database that needed to read 1MB > of data, i > f the partitions are not aligned then > your underlying storage system need to load 2 chunks or write 2 > chunks for 1 MB of data, written, You seem to assume that FFS2 would align a 1MB file on an 1MB border within the filesystem. That is not case. That 1MB file will be aligned on a blocksize border (16/32/64 kB, depending on filesystem size). Aligning the partition on n*blocksize has no effect on this. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment
Tom Smyth: > just installing todays snapshot and the default offset on amd64 is 64, > (as it has been for as long as I can remember) It was changed from 63 in 2010. > Is it worth while updating the defaults so that OpenBSD partition > layout will be optimal for SSD or other Virtualized RAID environments > with 1MB Chunks, What are you trying to optimize with this? FFS2 file systems reserve 64 kB at the start of a partition, and after that it's filesystem blocks, which are 16/32/64 kB, depending on the size of the filesystem. I can barely see an argument for aligning large partitions at 128 sectors, but what purpose would larger multiples serve? > Is there a down side to moving the default offset to 2048 ? Not really. It wastes a bit of space, but that is rather insignificant for today's disk sizes. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Another potential awk or xargs bug?
Jordan Geoghegan: > --- /tmp/bad.txt Wed Apr 14 21:06:51 2021 > +++ /tmp/good.txt Wed Apr 14 21:06:41 2021 I'll note that no characters have been lost between the two files. Only the order is different. > The only thing that changed between these runs was me using either xargs -P 1 > or -P 2. What do you expect? You run two processes in parallel that write to the same file. Obviously their output will be interspersed in unpredictable order. You seem to imagine that awk's output is line-buffered. But when it writes to a pipe or file, its output is block-buffered. This is default stdio behavior. Output is written in block-size increments (16 kB in practice) without regard to lines. So, yes, you can end up with a fragment from a line written by process #1, followed by lines from process #2, followed by the remainder of the line from #1, etc. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Help with ssh(1) between OpenBSD and iSH/Alpine on iOS
Erling Westenvik: > I can ssh FROM any OpenBSD box INTO iSH on my iPhone, and once > authenticated I can ssh back from there to the OpenBSD box or to any > other OpenBSD or Linux box, but! -- From iSH itself (ie. "directly" from > my iPhone) I can only successfully ssh to Linux boxes; if I ssh from the > phone itself to any OpenBSD box I'm getting authenticated and receive a > full shell prompt Right here, I'd start ktrace(1)-ing the login shell on the OpenBSD box to see... > but the moment I hit Enter the client drops the connection. ... what this looks like at the OpenBSD end. > ssh FAILS from iSH > to OpenBSD > ssh WORKS from iSH > to Linux > ssh WORKS from OpenBSD > to iSH (and from iSH (back) to Linux/OpenBSD) > > I guess there must be something obvious I'm missing but for the life of > me I cannot figure out what. Any help is appreciated. I don't think it's anything obvious. Smells like an interop problem at a level above SSH to me. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: libreoffice package broken in -current 3.509
On 2021-01-17, "Nicola Dell'Uomo" wrote: > after upgarding packages from 3.507 to 3.509 in -current, libreoffice > crashes when it starts. This should be fixed with the next amd64 packages snapshot, which will appear sometime on Monday (UTC). -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: phonetics on OpenBSD: IPA transcription
On 2021-01-08, Jan Stary wrote: > How do I install a font that has glyphs for those symbols? > Is there anything for that in ports? The Dejavu font that is included by default covers IPA. It's unlikely that you need to install anything else. And if you do, just install the Noto fonts and be done with it. Even the "fixed" font that xterm uses by default covers IPA for all practical purposes. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: help needed with httpd.conf and rewrite directive
On 2021-01-07, John McGuigan wrote: > httpd's regex is based on Lua's, the following site will help you figure it > out: Or, you know, the patterns(7) man page. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: -current amd64 packages not updated? Impatient or broken?
Steve Williams: > I hesitate to send this because perhaps I'm just too impatient, but then > again, perhaps not. This is not critical/time sensitive. > > I just thought I'd check if there a problem with the current packages folder > from the mirrors? No, the amd64 package builds have been slightly delayed. First by a problem in lang/rust, which semarie@ fixed in admirably short time. Then the package build was cut short because the machine running dpb(1) panicked with filesystem corruption. A new build is running now and will take another 24h to complete if all goes well. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: UNIX printing demystified
On 2020-10-24, Mihai Popescu wrote: > Is there a way to interface LPD directly with GUI apps like Chromium, > mupdf, etc? I mean just to print from GUI menu Print. Those print menus _should_ offer the option to print to lpr. They traditionally did. If they don't now, then this is worth examining. What GUI toolkit does the application use and what does this toolkit do? The GTK+ case is instructive. Once upon a time, the GTK print menu offered printing to lpr. A number of years ago that disappeared. Why? Originally, GTK produced print output in PostScript. The assumption was that you could send this to any lpr printer, since PostScript has effectively been the standard printer language in Unix for decades. The print menu changed, because GTK had switched to producing print output in PDF. The assumption was that random lpr printers could not handle PDF, so the option of printing to lpr was removed. Fast-forward to the present. Virtually all printers that can handle PostScript also accept PDF directly and have been able to do so for years. Finally, two weeks ago (!) the GTK people relented and have marked the lpr backend as capable of accepting PDF. This means that print-to-lpr is going to become available again in GTK applications. On OpenBSD that will most likely happen with the next x11/gtk+3 update. Are there still any GTK+2 applications with a print menu in the ports tree? Let me know, and I'll take a look at what's up there. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Router advertisements for dynamic IPv6 prefix
On 2020-10-14, Fernando Gont wrote: > Set the VL to 30', and the PL to 15'. You could even set the VL to 15', > and the PL to 7.5', if necessary. How does this influence the lifetime of privacy addresses? Even with rad(8)'s defaults, I already need to specify an originating non-privacy address for all long-running ssh sessions, otherwise they die when the privacy address they're using is forcefully expired after a week or so. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: time_t
On 2020-10-05, Roderick wrote: > The source of my confusion with FreeBSD: > /usr/include/x86/_types.h contains: >typedef __int32_t __time_t; >typedef int __int32_t; $ fgrep time_t /usr/include/x86/_types.h typedef __int64_t __time_t; /* time()... */ typedef __int32_t __time_t; There's an #ifdef __LP64__ ... -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: time_t
On 2020-10-05, "Peter N. M. Hansteen" wrote: > I hadn't looked in a while, but it amazes me that FreeBSD still has > 32-bit time_t. Only on FreeBSD/i386. On all other architectures, time_t is int64_t. See src/sys/*/include/_types.h. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: iwm0: fatal firmware error on Dell Latitude E5570
On 2020-09-24, Jan Stary wrote: > This is 6.8-beta/amd64 on a Dell Latitude E5570 (dmesg below). > iwm stopped working, saying > > iwm0: hw rev 0x200, fw ver 34.0.1, address e4:a4:71:40:21:08 > iwm0: fatal firmware error > iwm0: could not remove MAC context (error 35) I've been getting a lot of those lately, but my iwm keeps recovering from them eventually. Frankly, I've mostly stopped paying attention. I update my laptop every other week or so, and the reliability of wi-fi keeps fluctuating from kernel to kernel, sometimes it's better, sometimes it's worse, and I don't think it correlates well with commits or firmware updates. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Understanding of keydisk backup for FDE
On 2020-08-27, Andreas Menge wrote: > I try to wrap my head around why the FAQ > (https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk) says that one > should create a backup of the keydisk with bs=8192 and skip=1. > > From the FAQ: > > # dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img > # dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd1a This copies the relevant softraid meta data. > My personal inclination was to just dd the whole disk (like dd if=/dev/rsd1c) > ... That works, but it means the disks will now share the same disklabel with the same size (even if the USB sticks differ in size), the same label, the same "unique" disk ID. That won't matter for their use as keydisk, but if you ever re-use them for something else later, you'll need to remember to recreate the disklabel or weird things may happen. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: i386, parallel port permission error?
On 2020-08-19, Doug Moss wrote: > I think the problem in lcdproc is in the code from this file (port.h) > https://github.com/lcdproc/lcdproc/blob/master/server/drivers/port.h > > I am out of my depth with this code. I have never even seen these > calls 'outb' and 'inb' You're saying this as if you never did any MS-DOS or CP/M programming. Which is the mindset with which some of those "drivers" were written. I've had to touch the lcdproc port a bunch of times, because it keeps breaking, and we had to disable ever more of it. It supports a zillion LCD modules--virtually all of them vastly obsolete, I assume--with userland "drivers" that frequently need direct hardware access. The concept is fundamentally broken on Unix. I have no idea if the fraction of functionality that is still available is even useful, and I would be inclined to just remove the port. Apparently there is some newer upstream code available, but there is no port maintainer, nobody cares, it won't fix the fundamental problems, and so the rotting carcass just languishes. No, no, don't remove it, it might still work for somebody somewhere... Oh well, then. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: gcc not on new OpenBSD 6.7 machine, clang problems
"Whiskey T.": > My datacenter installed OpenBSD 6.7 on a new machine: > > # uname -a > OpenBSD machine name 6.7 GENERIC.MP#182 amd64 > > # which gcc > which: gcc: Command not found. > configure:3711: checking whether the C compiler works > configure:3733: ccconftest.c >&5 > ld: error: cannot open crt0.o: No such file or directory Your OpenBSD installation is incomplete. The "comp" set was not installed. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: scp host:file* /tmp/nonexistent
On 2020-08-01, Roderick wrote: > It is not documented in 4.4BSD. I suppose this is not original BSD? Public service announcement: The original BSD repository can be browsed here (converted from SCCS): https://svnweb.freebsd.org/csrg/ Wanna know what those hippies at Berkeley really did? You can look it up. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Upgrade old 6.2 but 6.3 SHA256.sig on mirror different
"Theo de Raadt": > Johan Mellberg wrote: > > and https://ftp.openbsd.org/pub/OpenBSD/6.3/amd64/SHA256.sig > > (Canada, as I like to take them from different sources). I then ran: > > The format of the .sig files was changed in a very small way, intentionally, > way back then. You are hitting that issue. Sorry, no, the file is corrupted. I just downloaded https://ftp.openbsd.org/pub/OpenBSD/6.3/amd64/SHA256.sig and it contains only nul bytes. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Cleaning system's old ibraries/files after update to next -release or -current
On 2020-07-14, Ottavio Caruso wrote: >> > After system update I found lots of 'old' libraries versions >> > and possibly binaries from previous releases. >> >> If you need to ask, just don't remove them. Those files eat no bread, >> and in some situations, some of the libs may still be in use. > > What about if one compiles ports? If OpenBSD is anything similar to > NetBSD, on the latter having multiple libs might cause build > breakages. Old versions of libraries are innocuous. They will simply be ignored. Potential sources of trouble are old copies of libraries that no longer exist and header files that no longer exist. OpenBSD hasn't retired a base library in a long time, so that isn't an issue. I recommend cleaning up /usr/include, though. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: hostname.pppoe0, !/bin/sh when reconnecting
On 2020-06-17, Lévai, Dániel wrote: > I'm trying to run a script whenever I get a new IP address from my ISP over > pppoe0. They disconnect me occasionally and the router reconnects then, eg.: > /bsd: pppoe: GENERIC ERROR: RP-PPPoE: Child pppd process terminated > /bsd: pppoe0: received unexpected PADO > last message repeated 2 times > > I have this as the last line in /etc/hostname.pppoe0: > !/bin/sh /etc/hostname.pppoe0.script pppoe0 0.0.0.1 > > It doesn't seem to be executed when this happens, only when I reboot the > router. /etc/hostname.* is only executed once when the system starts. The PPP disconnect/reconnect is handled entirely by pppoe(4)--well, sppp(4) really--in the kernel. There is no callout to the userland available. It may be possible to use ifstated(8) for this. I haven't tried that, but it's where I would start looking. > Is the culprit here something along the lines of not (re)configuring the > interface with ifconfig up/down (in which case the script would run), Note that ifconfig down/up will not run /etc/hostname.* either. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Filling a 4TB Disk with Random Data
On 2020-06-05, Roderick wrote: >> I'd think that a degausser would also erase the servo tracks which will make >> the disk irrevocably unusable. If that's what you want then just drill holes >> through the disk - it's quicker. > > Or perhaps to put it on an induction cooktop? I always keep a vat of molten steel at hand so I can easily dispose of old disk drives, killer robots from the future, etc. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Issues expanding partition to grow disk
On 2020-06-02, "Darren S." wrote: > I'm dealing with a VPS on KVM with the disk having been recently > expanded from 50 >> 80 GB. > > Disklabel shows reasonable total sectors: > > # disklabel sd0 > total sectors: 167772160 > boundstart: 64 > boundend: 115330635 The upper boundary is still set to 55G. In the disklabel editor use b * to move it to the end of the disk. > Is this something to do with it being a virtual disk in a certain > configuration? And is this a case where I may need to set the disk > boundaries in disklabel(8) as described (although I don't know if this > fits description of "ports with fdisk(8) partition tables where..."): It fits the unmentioned case of a labeled disk later growing. Actual drives don't do that. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Filling a 4TB Disk with Random Data
On 2020-06-01, Justin Noor wrote: > Has anyone ever filled a 4TB disk with random data and/or zeros with > OpenBSD? Yes. > How long did it take? I don't remember. Hours. At a plausible 100 MB/s write speed it will take 11 hours. > What did you use (dd, openssl)? Can you share the command that you used? # dd if=/dev/random of=/dev/rsd1c bs=64k# random data # dd if=/dev/zero of=/dev/rsd1c bs=64k # zeros Take care to pick the proper device corresponding to the drive you want to overwrite. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Convert ffs1 to ffs2?
On 2020-05-20, Christer Solskogen wrote: > Is that possible? umount, dump, newfs, mount, restore -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: OpenBSD insecurity rumors from isopenbsdsecu.re
On 2020-05-11, Stuart Longland wrote: > BSD came from the US (University of California), but most of today's > implementations have been very significantly changed since then. BSD built on top of AT UNIX, which came from Bell Labs in New Jersey. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: More than 16 partitions
On 2020-04-23, Ian Darwin wrote: > So: I was able to newfs, mount, and use an OpenBSD partition which > disklabel called 'a' and which had no trace of an fdisk partition around it. > > As Allan pointed out, this is not for booting from - none of those > fdisk partitions looks very healthy. biosboot(8) has an MBR boot signature. If the BIOS doesn't check for a valid MBR partition table--some do, some don't--then it should be able to directly run biosboot(8) from sector 0. installboot(8) tries to prevent such a configuration, but it could be tweaked, or you could try to tweak the disklabel and set the type to floppy, because floppies don't have MBR partitions. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Wine for OpenBSD?
On 2020-04-11, Nikita Stepanov wrote: > Wine for OpenBSD? At hackathons, we typically ask the French developers to pick out a wine from the menu, but they are pretty reluctant to take on this responsibility. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: riscv
On 2020-03-13, "Peter J. Philipp" wrote: > Any developer working on a riscv port and willing to share their unofficial > work for possible future collaboration? I think I'd have heard by now if somebody was, so I'll go out on a limb and say no, nobody's working on a RISC-V port. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: man to render pure text? (or a pipe in vi macros ?)
On 2020-03-02, Marc Chantreux wrote: > i felt dumb reading this as i gave a try to the mandoc man. but i just > double checked: > > man mandoc|col -b|grep -w col > > gives me nothing. $ man mandoc|col -b|grep -w col to col(1) -b instead. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: man to render pure text? (or a pipe in vi macros ?)
Marc Chantreux: > > > * is there a way to ask man to deliver pure (non-formatted) text ? > > Pipe its output through "col -b". > > what is the gain of using col over fmt ? It's the designated tool for the job. That fmt also happens to replace sequences character1-backspace-character2 with character2 is more of a lucky coincidence. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: man to render pure text? (or a pipe in vi macros ?)
Marc Chantreux: > * is there a way to ask man to deliver pure (non-formatted) text ? Pipe its output through "col -b". > * is there a way to introduce a | in vi macros? Yes, by prefixing it with a ^V character. To enter ^V in vi's input mode, press control-V twice. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: setxkbmap cannot completely set compose key
Xianwen Chen (陈贤文): > I forgot to report maybe an important piece of information. I use scim > to type in Chinese. I use the default xdm. Here is my .xsession: > > export LC_CTYPE=en_US.UTF-8 > > export XMODIFIERS=@im=SCIM > export GTK_IM_MODULE="scim" > export QT_IM_MODULE="scim" > scim -d I suspect it works as intended for xterm. The compose key handling is a simple input method built into libX11. You are swapping out this default IM for the SCIM one. This area of X11 seems to be virtually undocumented. See XSetLocaleModifiers(3). -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network
On 2020-02-05, Janne Johansson wrote: >> # /etc/hostname.vlan101 >> description 'WLAN attached untrusted hosts' >> inet 192.168.156.0/24 255.255.255.0 vlandev run0 > > VLANs and wifi sounds like a non-starter. Yep, if you're building your access point with OpenBSD. More generally, though, any AP in the business segment has support for multiple SSIDs that can be assigned to different VLANs on the Ethernet side. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network
Denis, I suspect the fundamental problem is that you don't understand what VLANs are. There should be a lot of articles about this topic on the net; maybe somebody here can recommend a good one. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network
On 2020-02-03, Denis wrote: > Some hosts should be limited in internet access and/or local access or > simply be restricted in some way because they are untrusted. > > I'm looking for a possibility to isolate untrusted inside LAN using any > approach applicable. How do people isolate undesirable hosts in their > networks? Put hosts with different trust requirements into different networks at the IP level, connected to a central gateway where you can easily permit/deny traffic between them. Use VLANs to separate the IP networks. For example, my home network is split into three networks: * Trusted hosts. These are allowed to initiate traffic to the Internet and to the other networks. * Untrusted hosts with outside access. These are allowed to initiate traffic to the Internet at large, but not to the other networks. This is mostly my wi-fi. Also a RIPE Atlas probe. * Untrusted hosts without outside access. These cannot initiate traffic to any destination outside their network. Includes my printer and the SIP phone[1] for my "landline". That's three vlan(4) interfaces on my gateway, which provides basic DHCP/SLAAC, DNS, NTP services on all of them and has a small pf(4) ruleset to enforce the restrictions above about who can start talking to whom. [1] A SIP phone that is not allowed to talk to the outside may seem surprising, but it only needs to talk to siproxd on the gateway, and siproxd is required for NAT traversal anyway. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Low throughput with 1 GigE interface
On 2020-01-30, Jordan Geoghegan wrote: > All you're doing is benchmarking the speed of iperf on that machine. I vaguely remember a thread somewhere that concluded that one of these network benchmark tools degenerated into a benchmark of gettimeofday(2), which apparently is very cheap on Linux and not cheap on OpenBSD. So you end up measuring the performance of this system call. I don't remember whether it was iperf... -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Low throughput with 1 GigE interface
On 2020-01-30, livio wrote: > I am unable to achieve decent throughput with a 1 GigE interface > (Intel I210) on OpenBSD 6.6. When running iperf3 I get around 145Mbit/s. I get more than 30 Mbytes/s over SSH (!) to an APU2. $ scp -caes128-...@openssh.com /usr/ports/distfiles/texlive-20190410-texmf.tar.xz partoc:/dev/null texlive-20190410-texmf.tar.xz 100% 2714MB 31.8MB/s 01:25 I can't help you, I'm just posting this in the service of squashing rumors. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Odd /tmp behavior
On 2020-01-08, Nick Holland wrote: > Weird stuff happens when Softdeps are working as designed. To put it simply: Meta-data writes are delayed. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: possible SSH algorithm issues?
On 2020-01-08, "lu hu" wrote: > are these real issues? No. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: thank you for 6.6 and bsd.rd
On 2019-12-20, "Theo de Raadt" wrote: > well you missed out > > for 6.5 onwards, all you had to was type > > sysmerge > sysupgrade I think that was intended to read syspatch sysupgrade > for 6.6 onwards you'll only need sysupgrade -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: What happened to 6.6/sgi?
On 2019-12-08, Stefan Hagen wrote: > I was browsing around and noticed that there are no files for the SGI > platform on the mirrors. OpenBSD/sgi has been discontinued. No 6.6 release was built. The mips64 CPU architecture remains alive on the octeon platform. > SGI is mentioned in the 6.6/README, That was an oversight. > (snapshot/sgi exists) A several-months-old snapshot that simply hasn't been removed. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: LibreSSL vs. OpenSSL enc command
Dieter Rauschenberger: > This was serveral years ago before Libressl was invented. Now I wanted > to decrypt the docs with: > > openssl enc -aes-256-cbc -d < FOO.aes256 > FOO > > This did not work. The password did not work anymore. The default message digest function used for key derivation changed from MD5 to SHA256 in OpenSSL 1.1.0 and LibreSSL followed suit. openssl enc -aes-256-cbc -d -md md5 < FOO.aes256 > FOO -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: iPXE and UEFI boot
Christer Solskogen: > > With UEFI and PXE I have successfully netbooted > > * amd64 (Thinkpad X1C5) with BOOTX64.EFI after bluhm@'s recent > > bootdev_dip fix > > Is that already in current? Yes, it was committed five days ago. > I now tried having bsd.rd in tftp root > directory, and BOOTX.EFI does find it (renamed bsd.rd to bsd, just to use > the default settings) > It loads the kernel but I only get a black screen. No kernel messages, what > so ever. I guess there are more bugs waiting to be found. :-( -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: iPXE and UEFI boot
On 2019-12-01, Christer Solskogen wrote: > I've tried sanboot for iso, but it fails. I *can* get BOOTX64.EFI to start, > but it cant find bsd.rd (perhaps BOOTX64.EFI requires tftpd?), No "perhaps". BOOTX64.EFI uses TFTP to load the kernel, just like pxeboot does. With UEFI and PXE I have successfully netbooted * arm64 (OverDrive 1000) with BOOTAA64.EFI * amd64 (Thinkpad X1C5) with BOOTX64.EFI after bluhm@'s recent bootdev_dip fix -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: vi in ramdisk?
On 2019-11-15, Roderick wrote: >> ed is included in the ramdisk, but if your use case is using vi to fix a > > I imagine, it is there for using it in scripts. Interestingly enough, the installer itself does not use ed, as far as I can tell. * I pretty regularly use ed to perform some configuration tweaks before rebooting a freshly installed system. * I have, rarely, used ed to recover a system from errors in /etc/fstab. * Since the installer itself is just a script, it can be modified with ed in the install environment and then re-run. From time to time I do this when debugging the installer or working on some feature there. If you have some passing familiarity with sed, then ed will feel very familiar. It's just an interactive sed. (Historically, it's the other way around, of course.) > I think, for editing config files, there are sure editors that > are simpler, smaller, not so powerful, but easier to use than ed. By all means, do not keep us in suspense and tell us the names of these editors. How large is a C implementation of TECO? -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Requesting vi tips
On 2019-10-18, Nam Nguyen wrote: >> Since 'q' is unused in nvi, I have this in my .nexrc: >> map q !}fmt > > I just wanted to add that you can Ctrl-v Enter to produce the ^M at the end. > This way it inputs and executes the command for you. > > It could be like this if you want it to press Enter for you: > map q !}fmt^M And upon closer inspection I see that's what I actually have in my .nexrc; less(1) didn't show the ^M and I had forgotten about it. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Requesting vi tips
On 2019-10-18, cho...@jtan.com wrote: > I didn't know [how] ! took movement commands. Thanks. I'll have a play > with that one. > > It's not quite M-q (it's M not C) but I'm using vi after all. Since 'q' is unused in nvi, I have this in my .nexrc: map q !}fmt Close enough to emacs's M-q. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Why regex doesn't work in while loop's condition?
On 2019-09-06, Andreas Kusalananda Kähäri wrote: >> read x; while [ "$x" != [abc] ]; do echo "Not a, b or c"; break; done > > The shells in the OpenBSD base system do not support matching regular > expressions with that syntax. You may have been thinking of bash, Just to head off crazy rumors: bash doesn't either. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: openrsync out of memory
On 2019-08-16, Jan Stary wrote: >> Does that mean openrsync tries to mmap() the entire file? >> The machine only has 256MB of memory, but it does transfer >> a test file of 300MB, so that can't be it. > > I forgot about 1GB swap, so that's why it works > for files up to around 1.2G, but not larger. Why would the size of physical memory + swap matter? mmap() doesn't copy a file into memory, it maps it into the address space. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Postscript printer recommendations
On 2019-07-13, "Jonathan Drews" wrote: > Hi Folks: I need some recommendations on what brand of printers will > work > with Ghostscript (Postscript). The cartridges for my 15 year old HP > Deskjet have gotten too expensive. I know Xerox makes some > Postscript printers. Are there any other manufactureres of Postscript > printers? Your question is confused and self-contradictory. A "Postscript printer" processes Postscript itself. By contrast, Ghostscript is used to process Postscript on the host computer and send the raster data to a dumb printer that cannot handle Postscript by itself. So which type of printer are you asking about? -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: When will OpenBSD become a friendly place for bug reporters?
On 2019-07-11, Ingo Schwarze wrote: > Quite likely. I'm so clueless that right now, i can't even seem to get > Compose to work even though i'm sure i had it working in the past. I use "setxkbmap -option compose:ralt" and compose works as expected for me in xterm. Zwölf Boxkämpfer jagen Viktor quer über den großen Sylter Deich. Dès Noël où un zéphyr haï me vêt de glaçons würmiens je dîne d'exquis rôtis de bœuf au kir à l'aÿ d'age mûr & cætera ! Pójdźże, kiń tę chmurność w głąb flaszy! (Yes, I entered those in an OpenBSD xterm.) -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: ssh-keygen specify max keysize for ed25519
On 2019-07-03, jungle boogie wrote: > $ ssh-keygen -t ed25519 -b 1000 > Bits has bad value 1000 (too large) That's fine, that's a generic argument parsing error. > $ ssh-keygen -t ed25519 -b 2 > key bits exceeds maximum 16384 That error makes no sense. ED25519 keys have a fixed length, and 16384 is the limit for RSA keys. Looks like an error path that dates back to when only DSA and RSA were supported and that wasn't updated when additional key types were added. I'll send a tweak to tech@. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: The su manual doesn't mention use root account by default
On 2019-06-13, "Theo de Raadt" wrote: >> I always considered that su is coming from _s_uper _u_ser. But maybe I >> am wrong, I am not from old UNIX days. > > incorrect. > > NAME > su - substitute user identity Well, that's V7, which appears to have engaged in a bit of revisionism together with the then newly expanded functionality. Earlier in V6 it was "su - become privileged user" and "Su allows one to become the super-user, who has all sorts of marvelous (and correspondingly dangerous) powers". http://man.cat-v.org/unix-6th/8/su -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: IPsec bandwidth perf on APU4C4
mabi: > Last question hopefully... Reading the iked.conf man page I conclude that all > I need for that is to add to my ikev2 config is the following additional > parameter: > > childsa enc aes-128-gcm Correct. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: IPsec bandwidth perf on APU4C4
mabi: > > enc aes-128-gcm etc. > > That part for the "enc" parameter makes sense to me but what about the "auth" > parameter? No "auth". AES-GCM is an authenticated encryption algorithm, i.e., it handles both encryption and authentication at the same time. Specifying an additional "auth" algorithm doesn't make sense. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: IPsec bandwidth perf on APU4C4
mabi: > Thanks for the tip regarding the cpu cost of the authentication algorithm. > Now I was wondering how do you use the AES-GCM combo? I can't find any auth > or enc parameters mentioning that combo. enc aes-128-gcm etc. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: IPsec bandwidth perf on APU4C4
On 2019-06-10, mabi wrote: > Bypassing the IPsec tunnel I get around 500 Mbit/s of bandwidth throughput > which is quite satisfying. The bandwidth throughput over my IPsec tunnel > achieves a max of 80 Mbit/s which I was sort of expecting with the default > encryption settings (auth hmac-sha2-256 enc aes-256). It helps to understand that the authentication algorithm can require as much or more CPU than the encryption. HMAC-SHA2 is expensive. On hardware that has AES-NI support, like the APU2 family, AES-GCM is generally the fastest encryption/authentication combo. > In order to increase bandwidth throughput over my IPsec tunnel I wanted to > know what you guys think is a good compromise between performance and > security? I was thinking for example of changing the encryption cipher to > aes-128 instead of aes-256 and maybe blowfish? What would you recommend? AES-128 is good enough, although on the APU2 family with AES-NI it seems to be only marginally faster than AES-256. Don't use Blowfish. It's obsolete. And its reputation for speed precedes the introduction of AES. > Anything else I should be looking at? maybe like a hardware crypto > accellerator miniPCI card compatible with the APU4 and OpenBSD? No, that was 15 years ago. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Behaviour of eval in sh(1) and ksh(1) in AND-OR list with set -e
On 2019-06-05, Andreas Kusalananda Kähäri wrote: > When running under set -e, why does > eval false || echo ok > terminate the script with the execution of eval? I think that's a bug. > then why does the below behave differently? > eval ! true || echo ok That's actually the documented, POSIX-specified behavior. Somewhat bizarrely, ! disables errexit. The eval doesn't matter here. -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: Lenovo w/ AMD Ryzen CPU
On 2019-06-04, Patrick Wildt wrote: > I'd love to have one as well... I hadn't intended to buy a new laptop anytime soon, but the Thinkpad X395 is tempting... -- Christian "naddy" Weisgerber na...@mips.inka.de