Suspend/hibernate broken [upgrade: 6.9 to 7.0] (solution)

2021-12-29 Thread Clint Pachl
This is how I got suspend and hibernate working again on my Huawei
Matebook after upgrading to 7.0 release. I thought I'd share here in
case it helps someone else.


SYNOPSIS:

Initiating a "sleep" state blanks the screen and illuminates the
keyboard (indicating sleep is imminent); but the laptop would never go
to sleep. It would also never wake up. However, pressing the power
button cleanly shut down the system.

After comparing the 7.0 dmesg with an older version (6.6), I noticed
this difference:

tpm0 at acpi0 TPM_ addr 0xfed40040/0x1000: timed out waiting for
validity

acpi(4) confirmed that the TPM does connect to the ACPI driver. The
kernel error message above is a good hint that the TPM could be
preventing suspend and hibernate.


SOLUTION #1:

I disabled TPM in the kernel at the boot prompt (i.e., boot -c). Within
UKC, "tpm" matched another device. I disabled TPM specifying the device
number (devno) of the tpm0 device.

  UKC> list tpm
  UKC> disable 433

If this is the solution for you, make it permanent using the kernel
configuration file, bsd.re-config(5).


SOLUTION #2:

There is a "TCM/TPM" setting in BIOS; I disabled it. Booting the
base 7.0 kernel (TPM enabled) also fixed "sleep" modes.

This is the solution I decided to use.


REQUEST FOR COMMENT:

I'm not sure if disabling TPM like this creates a security issue.
Please let me know if there are negative repercussions.

Also, is this a bug that should be reported to bugs@?


ACPI from 7.0 DMESG:

"ELAN2201" at acpi0 not configured
"INT0E0C" at acpi0 not configured
"INT33A1" at acpi0 not configured
"INT3400" at acpi0 not configured
"INT3403" at acpi0 not configured
"INT3403" at acpi0 not configured
"INT3403" at acpi0 not configured
"INT3403" at acpi0 not configured
"INT3403" at acpi0 not configured
"INT344B" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"WDT0001" at acpi0 not configured
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP UEFI UEFI ECDT SSDT MSDM SSDT SSDT TPM2 SSDT SSDT SSDT ASPT BOOT HPET APIC MCFG SSDT WSMT SSDT DBGP DBG2 SSDT SSDT DMAR NHLT FPDT BGRT
acpi0: wakeup devices GLAN(S4) XHC_(S3) XDCI(S4) HDAS(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) PXSX(S4) [...]
acpiac0 at acpi0: AC unit online
acpials0 at acpi0: ALSD
acpibat0 at acpi0: BAT0 model "BASE-BAT" serial 123456789 type Li oem "Kollur"
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: PWRB
acpicmos0 at acpi0
acpicpu0 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C3(200@1034 mwait.1@0x60), C2(200@151 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpiec0 at acpi0
acpihpet0 at acpi0: 2399 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (RP01)
acpiprt10 at acpi0: bus -1 (RP10)
acpiprt11 at acpi0: bus -1 (RP11)
acpiprt12 at acpi0: bus -1 (RP12)
acpiprt13 at acpi0: bus -1 (RP13)
acpiprt14 at acpi0: bus -1 (RP14)
acpiprt15 at acpi0: bus -1 (RP15)
acpiprt16 at acpi0: bus -1 (RP16)
acpiprt17 at acpi0: bus -1 (RP17)
acpiprt18 at acpi0: bus -1 (RP18)
acpiprt19 at acpi0: bus -1 (RP19)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt20 at acpi0: bus -1 (RP20)
acpiprt21 at acpi0: bus -1 (RP21)
acpiprt22 at acpi0: bus -1 (RP22)
acpiprt23 at acpi0: bus -1 (RP23)
acpiprt24 at acpi0: bus -1 (RP24)
acpiprt3 at acpi0: bus -1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus -1 (RP05)
acpiprt6 at acpi0: bus -1 (RP06)
acpiprt7 at acpi0: bus 1 (RP07)
acpiprt8 at acpi0: bus -1 (RP08)
acpiprt9 at acpi0: bus 2 (RP09)
acpipwrres0 at acpi0: WRST
acpipwrres1 at acpi0: WRST
acpipwrres10 at acpi0: WRST
acpipwrres11 at acpi0: WRST
acpipwrres12 at acpi0: WRST
acpipwrres13 at acpi0: WRST
acpipwrres14 at acpi0: WRST
acpipwrres15 at acpi0: WRST
acpipwrres16 at acpi0: WRST
acpipwrres17 at acpi0: WRST
acpipwrres18 at acpi0: WRST
acpipwrres19 at acpi0: WRST
acpipwrres2 at acpi0: WRST
acpipwrres3 at acpi0: WRST
acpipwrres4 at acpi0: WRST
acpipwrres5 at acpi0: WRST
acpipwrres6 at acpi0: WRST
acpipwrres7 at acpi0: WRST
acpipwrres8 at acpi0: WRST
acpipwrres9 at acpi0: WRST
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpitz0 at acpi0: critical temperature is 98 degC
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
tpm0 at acpi0 TPM_ addr 0xfed40040/0x1000: timed out waiting for
validity



How to split (A/B) test landing pages using httpd(8)

2021-04-15 Thread Clint Pachl
Does anyone know if it's possible to rotate/alternate between two
files for the same given request path, using just httpd?

For example, I want to split test two pages: /test/A & /test/B. I would
like to serve half of the traffic to each for the request path /test/.

Ideally, I would like to do an internal rewrite of the request and be
able to log which file was actually served to the client.

Here's what I have so far, but I would like to avoid the redirect and
URL change on the client.

# httpd.conf: A/B test

location "/test/*[0-4]" {
        request rewrite "/test/A"
}
location "/test/*[5-9]" {
        request rewrite "/test/B"
}
location "/test/" {
        block return 302 "$DOCUMENT_URI$REMOTE_PORT"
}


I'm using OpenBSD 6.8. I see there is a "not found" directive in 6.9.
Maybe something like that could provide possibilities?



Unexpected security(8) output

2018-01-26 Thread Clint Pachl

I received the following output from security(8):

Running security(8):
Can't opendir(/home/pachl/.cache/mozilla/seamonkey/e8cxa4g0.default/safebrowsing-backup): No such file or directory at /usr/libexec/security line 594.



I didn't realize security parses through user files beyond a few dot 
files. I don't understand perl. Is the script keeping state somewhere? 
How did it know to even try opening the safebrowsing-backup directory?


The missing directory isn't listed in /etc/changelist or 
/etc/mtree/{special,*.secure}. I couldn't find any trace of it in /var/.


So I manually ran the security script again. It returned no output. I'm 
confused.


Can anyone explain this?

Thank you,
Clint



Spammer whitelisted by spamd. How?

2017-02-04 Thread Clint Pachl
Can someone explain how the spammer at 81.7.16.33 got whitelisted by 
spamd and delivered 3 spam emails to me? What exactly triggered the 
whitelisting?


I may not understand spamd's behavior, but according to the spamd log 
below, the spammer attempted only 5 deliveries via spamd, each with a 
different envelope-from address. Correct?


If so, shouldn't whitelisting be considered only if, during passtime, 
the retries from a GREY host contain the same envelope-from and 
envelope-to? Legitimate mail would be resent with the same 
envelope-from/-to, but spammers (this one in particular) often do not. 
Ensuring consistent envelope addresses may be a way to stop more spam. No?



# passtime set short as I'm currently experimenting
$ rcctl get spamd | grep flags
spamd_flags=-G 1:10:1080

$ fgrep 81.7.16.33 /var/log/spamd
Feb  3 16:58:27 zeus spamd[34374]: 81.7.16.33: connected (3/1)
Feb  3 17:00:05 zeus spamd[21625]: new entry 81.7.16.33 from  to , helo minyu1esc.com
Feb  3 17:00:10 zeus spamd[34374]: 81.7.16.33: disconnected after 103 seconds.

Feb  3 17:06:50 zeus spamd[34374]: 81.7.16.33: connected (3/2)
Feb  3 17:07:10 zeus spamd[21625]: new entry 81.7.16.33 from  to , helo minyu1esc.com
Feb  3 17:07:10 zeus spamd[34374]: 81.7.16.33: disconnected after 20 seconds.

Feb  3 17:07:47 zeus spamd[34374]: 81.7.16.33: connected (3/2)
Feb  3 17:08:00 zeus spamd[21625]: new entry 81.7.16.33 from  to , helo minyu1esc.com
Feb  3 17:08:02 zeus spamd[34374]: 81.7.16.33: disconnected after 15 seconds.

Feb  3 17:08:28 zeus spamd[34374]: 81.7.16.33: connected (4/3)
Feb  3 17:08:41 zeus spamd[21625]: new entry 81.7.16.33 from  to , helo minyu1esc.com
Feb  3 17:08:41 zeus spamd[34374]: 81.7.16.33: disconnected after 13 seconds.

Feb  3 17:10:22 zeus spamd[34374]: 81.7.16.33: connected (4/3)
Feb  3 17:10:39 zeus spamd[21625]: new entry 81.7.16.33 from  to , helo minyu1esc.com
Feb  3 17:10:39 zeus spamd[34374]: 81.7.16.33: disconnected after 17 seconds.

Feb  3 17:12:13 zeus spamd[34374]: 81.7.16.33: connected (5/4)
Feb  3 17:12:29 zeus spamd[34374]: 81.7.16.33: disconnected after 16 seconds.

Feb  3 17:12:50 zeus spamd[17428]: queueing add of 81.7.16.33
Feb  3 17:12:50 zeus spamd[17428]: whitelisting 81.7.16.33 in /var/db/spamd



Re: spamd and network whitelisting

2016-12-20 Thread Clint Pachl

Devin Reade wrote on 12/19/16 12:59:

You might also want to look at bgp-spamd.


Yes, this was on my radar for quite some time. However, my simple spamd 
setup with assistance from the zen.spamhaus.org DNSBL has been extremely 
effective. It's nice to know we've got more big guns if needed.




With respect to dealing with SPF, the simple solution (permitting an
IP if it is on the sending domain's SPF list) doesn't work too well
in the general case since it appears many spammers publish SPF records.


You're right. When I ran ruby-spf against the TRAPPED IPs in my 
spamdb, a surprising number passed SPF (like 15%). On the other hand, 
one of the popular email domains from our customer DB is @att.net, which 
doesn't even publish SPF. After some real life testing against our 
client email DB, I determined SPF was not effective in filtering spam 
for us. If it is used, it should be a small factor at best.




Re: spamd and network whitelisting

2016-12-20 Thread Clint Pachl
Some have requested my scripts and configurations, so here they are. Below 
you will find the spamd-dnsbl and spamclusterd scripts that are used for 
blacklisting spammers and whitelisting networks, respectively. Also 
included is dnsbl-check which I use for testing IPs against multiple DNSBLs.


In the crontab below, you will see that I archive the spamdb daily and 
save some stats mainly for post analysis. For instance, my initial spam 
fighting technique many years ago (prior to enabling spamd actually) was 
to block the IP networks (20,000+ IPv4 networks) of the countries in 
which we received the most spam, yet weren't expecting legitimate email 
from (i.e. China, Russia, India, Brazil, etc.). I still had this enabled 
up until 2016-12-17. So I make notes of changes like this to see the 
positive or negative effects and I have the spamdb archives to assist 
the analysis. Changing spamd_flags is something else I document.


A side note: Years ago, blocking spamming countries, for me here in the 
US, essentially got rid of my spam problem, but has become ineffective 
as many spammers are sending from US networks now, thus spamd. It has 
only been three days since I disabled spam country blocking, but I have 
received exactly 2 emails that have made it past spamd, which would have 
otherwise been blocked by the country IP block. Not bad, but we'll see 
what the stats look like in a couple of weeks. However, I can guarantee 
that the number of trapped entries in my spamdb will increase. I 
originally created my pf table of spamming countries from 
http://www.ipdeny.com/ipblocks/data/countries/


One of the other tests, which had significant impact, was using 
spamd.alloweddomains. I tried a few things, but settled on my current 
setup: for one email domain I list just the domain part (e.g. 
@domain1.com), but for the other domain, which has limited users, I list 
the full email addresses of all current accounts (e.g. 
us...@domain2.com, us...@domain2.com, ...). This increased my TRAPPED 
entries by 30%. These additional TRAPPED IPs were mainly one-shot 
spammers, so it was nice to tarpit them while I had the chance. So far 
spamd has been very effective so I haven't defined and published any 
SPAMTRAP addresses, but this is just another knob I can turn on and 
measure if needed.


To assist with spam management without root privileges, I added the spam 
administrator to the _spamd group, gave r/w group privileges on 
/var/db/spamd, and added a few pfctl commands to the doas.conf.


Overall I am ecstatic about spamd and its integration with pf, as well 
as the simple spamdb interface (with the help of grep(1), cut(1), 
sort(1), wc(1), column(1), sed(1), etc.). It is an extremely flexible 
and powerful toolset. Hopefully my experience and scripts are helpful to 
other spam fighters. I think you can look to other projects, like 
spamassassin for example, to get ideas of spam fighting techniques which 
can be implemented at a lower level using pf and spamd. For example, a 
set of factors could determine a spam "score" similar to spamassassin: 
if an IP is on multiple DNSBLs (each list weighted by quality), the DNS 
PTR doesn't correspond to the HELO, and it fails SPF, then it is 
probably safe to blacklist. The bgp-spamd.net project is another tool 
that could be added to the mix. You will have to balance complexity and 
effectiveness, but I would encourage simplicity and minimal resource usage.


Again, hats off to all the developers.


=== spamclusterd ===

#!/bin/sh
#
# Whitelist an SMTP cluster network.
#
# NOTE: pipe spamdb(8) or an archive to stdin.
#
# Needs a ksh-style /bin/sh (as on OpenBSD) for [[ ... ]]; [[:<:]] is the
# BSD regex word boundary understood by OpenBSD sed(1).

# Last two labels of the HELO name, e.g. "mail-a.example.com" -> "example.com".
extract_helo_tld() { echo "$1" | sed -En 's/.*[[:<:]]([^.]+\.[^.]+)$/\1/p'; }

# First three octets of an IPv4 address, i.e. its /24 network part.
extract_ip_net() { echo "${1%.*}"; }

print_ip_net_with_mask() {
    echo "$(extract_ip_net "$1").0/24"
}

# True when both HELOs have the same, non-empty TLD.
helo_tld_match()
{
    tld1=$(extract_helo_tld "$1")
    tld2=$(extract_helo_tld "$2")
    [[ -n $tld1 && $tld1 = "$tld2" ]]
}

# True when both IPs fall in the same /24.
ip_net_match()
{
    net1=$(extract_ip_net "$1")
    net2=$(extract_ip_net "$2")
    [[ $net1 = "$net2" ]]
}

_ip=""
_helo=""
_from=""
_to=""
is_cluster=0

# spamdb GREY lines look like GREY|ip|helo|from|to|...; keep fields 2-5 and
# sort so tuples sharing from/to, then HELO, then IP end up adjacent.
grep "^GREY" |
tr "|" "\t" |
cut -f2-5 |
sort -k3,4 -k2 -k1 |
{
    while read ip helo from to
    do
        if [[ $to = "$_to" && $from = "$_from" ]] &&
           helo_tld_match "$helo" "$_helo" &&
           ip_net_match "$ip" "$_ip"
        then
            is_cluster=1
        elif [[ $is_cluster = 1 ]]
        then
            is_cluster=0
            print_ip_net_with_mask "$_ip"
        fi

        _ip="$ip"
        _helo="$helo"
        _from="$from"
        _to="$to"
    done

    # Flush a cluster that runs to the end of the input; without this a
    # cluster made of the last tuples was never printed.
    if [[ $is_cluster = 1 ]]
    then
        print_ip_net_with_mask "$_ip"
    fi
}




=== spamd-dnsbl ===

#!/bin/sh
#
# Query DNSBL using the IPs in spamdb(8). If an IP is on a black list, add it
# as a TRAPPED entry in the spamdb.
#
# It seems most spammers send once and go away. The 1 minute pass time is
# effective at stopping most of these spammers. The other spammers seem to
# resend 10 minutes to more than an hour later, so a longer pass time won't
# defend against such spammers. 

spamd and network whitelisting

2016-12-16 Thread Clint Pachl
I would like to share my 45-day experience with running spamd and my 
observations and how I'm allowing mail from SMTP clusters to bypass 
spamd. Feedback and discussion would be greatly appreciated.


I have two domains that I have been using for my businesses: one is 13 
years old and the other is 8 years old. I have never had a spam problem 
until about six months ago. In October I was getting about 100-200 spams 
per day per domain. The spam rate was increasing from month to month. 
All mail was going directly to my OpenSMTPd. I was not using filtering 
of any kind so the signal-to-noise was very low, and frustrating.


So I read the spamd and related man pages and enabled spamd on my 
firewall on November 1. I was astonished! I literally got 6 spam emails 
that first week for both domains!


However, the big problem was, I also wasn't getting legitimate business 
emails that were sent from SMTP clusters/pools. After studying my logs, 
tweaking spamd(8) flags, looking to external solutions (DNSBL, SPF, 
reverse IP verification), I had some observations and discovered some 
patterns. Here's the solution I'd like to share:


I wrote two very small scripts: spamd-dnsbl and spamclusterd. These 
scripts work together to keep spam to a minimum while passing all 
legitimate email (in my case so far).


1) spamd-dnsbl: Queries a DNSBL using the IPs in spamdb(8). If an IP is 
on a black list it is added as a TRAPPED entry in the spamdb. The script 
only checks IPs which have been added since last run. Currently, only 
the zen.spamhaus.org DNSBL is queried because I found it to be the most 
true of all those listed at 
http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists. 
Alternatively, multiple DNSBLs could be queried and the results could be 
used in aggregate to determine spam status, thus promoted to TRAPPED.


2) spamclusterd: Queries spamdb(8) for networks to whitelist, which it 
adds to a pf table that bypasses spamd. So before this script gets 
carried away allowing IP blocks to bypass spamd, the spamdb(8) is first 
pruned of spammers using the spamd-dnsbl script.


I've only been running this setup for about 30 days, but I haven't 
missed an email yet; plus spam is still about 1 per day across both 
domains. I receive emails from all the common SMTP clusters, such as 
Gmail, Microsoft (hotmail.com, outlook.com, msn.com, etc.), and Yahoo 
but also US government agencies such as, mail.mil, usmc.mil, uscg.mil, 
irs.gov, etc.


I noticed a pattern of commonalities of these legitimate sending clusters:

1. The envelope's from and to addresses are identical across tuples.

2. The HELOs are very similar, with the TLD from each tuple almost 
certainly the same.


3. They make multiple attempts from different IP addresses, however, the 
IPs differ only by a few bits. (Caveat: I'm only using IPv4)


These 3 points are the basis of spamclusterd. How it works is, if two or 
more GREY tuples with matching "to" and "from" addresses, HELOs with 
matching TLDs, and IPs with matching network bits (/24), then add the 
/24 network to the spamd-cluster table in pf, which bypasses spamd.


I was going to get fancy and do an SPF lookup and try to determine the 
exact network to whitelist, but simply whitelisting a 256 IP block seems 
good enough. Once in a while the subsequent client IP will be outside 
this block, but the /24 seems to work better than 90% of the time.


Currently, just two client IPs from the same /24 network is enough to 
get that network whitelisted, which seems like a low bar. However, with 
the prior DNSBL pruning, this seems sufficient for now.


## Some other observations ##

Spammers, even if sending from the same IP or IP network and regardless of the 
TO address, tend to randomize the FROM and/or HELO. Therefore, in the 
case of my spamclusterd script, whitelisting a spammer is less likely 
when ensuring both HELO and FROM match for multiple tuples. These IPs 
will then continue to deal with spamd, and it's business as usual.


I initially tried setting 1 minute passtime and 12 hour greyexp times 
for spamd (i.e. -G 1:12:864) in hopes to eventually whitelist a client 
IP, originating from a cluster, that has reattempted within that large 
window. However, in my first week, I missed a couple of Gmails which 
resent for 5+ days and ultimately failed to deliver. What was 
interesting was one of the Google server IPs retried after 12 hours and 
3 minutes, just missing the grey window, while others retried after 24 
hours. I now set -G 1:10:1080.


It seems safe to assume a spammer if reverse IP lookup returns NXDOMAIN and IP 
is on at least 1 reputable DNSBL or lookup returns SERVFAIL after two 
attempts.


Using SPF seems unreliable as of 11/22/16. Tested SPF on hundreds of IPs 
in spamdb using the ruby spf gem. More than half the IPs did not specify 
SPF or it failed in some way.

If the envelope's "from" is our domain (i.e., to and from addresses are 
the same domain), it is definitely a 
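
As an added example (not the spamclusterd script from this or the earlier post), here is the same three-rule cluster test in Python, generalised to a configurable prefix length and minimum number of distinct client IPs, plus a check for the pattern questioned in the 2017 spamd post above: a client that retries with a different envelope-from each time. It assumes the spamdb(8) field layout given in the comment; the sample entries are constructed, not real data.

```python
"""Pick legitimate SMTP cluster networks out of spamdb(8) GREY entries."""
import ipaddress
from collections import defaultdict

# Constructed spamdb(8) output for illustration (not from the post).
# GREY field layout: GREY|ip|helo|from|to|first|pass|expire|block|pass
SAMPLE_SPAMDB = """\
WHITE|198.51.100.7|||1481900000|1481900060|1484492060|3|3
GREY|203.0.113.10|mail-a.example-isp.net|<alice@example-isp.net>|<sales@example.com>|1481900000|1481900060|1481943200|0|0
GREY|203.0.113.23|mail-b.example-isp.net|<alice@example-isp.net>|<sales@example.com>|1481900300|1481900360|1481943500|0|0
GREY|203.0.113.41|mail-c.example-isp.net|<alice@example-isp.net>|<sales@example.com>|1481901000|1481901060|1481944200|0|0
GREY|192.0.2.5|mx1.helo-a.test|<h8r2@random-one.test>|<sales@example.com>|1481900000|1481900060|1481943200|0|0
GREY|192.0.2.5|mx9.helo-b.test|<y7@random-four.test>|<sales@example.com>|1481900400|1481900460|1481943600|0|0
GREY|192.0.2.9|zzq9.helo-c.test|<x1@random-two.test>|<sales@example.com>|1481900100|1481900160|1481943300|0|0
GREY|192.0.2.77|mx1.helo-a.test|<k3l@random-three.test>|<sales@example.com>|1481900200|1481900260|1481943400|0|0
GREY|198.51.100.200|smtp1.vendor.example|<bob@vendor.example>|<sales@example.com>|1481900000|1481900060|1481943200|0|0
TRAPPED|192.0.2.66|1481950000
"""


def helo_tld(helo):
    """Last two DNS labels of the HELO (what the post calls its TLD), or None."""
    labels = helo.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels[-2:]):
        return None
    return ".".join(labels[-2:])


def parse_grey(text):
    """Return (ip, helo, from, to) for every GREY line; other entry types are skipped."""
    tuples = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 5 or fields[0] != "GREY":
            continue
        tuples.append((fields[1], fields[2], fields[3], fields[4]))
    return tuples


def cluster_networks(tuples, prefix_len=24, min_ips=2):
    """Networks whose GREY tuples look like a legitimate SMTP cluster.

    Tuples are pooled by (from, to, HELO TLD, network); a network qualifies
    when at least min_ips distinct client IPs share one pool.  Retries from
    one network with differing from or HELO TLD (the spammer pattern in the
    post) land in separate pools and so never reach min_ips.
    """
    pools = defaultdict(set)
    for ip, helo, frm, to in tuples:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.version != 4:            # the post's caveat: IPv4 only
            continue
        tld = helo_tld(helo)
        if tld is None:
            continue
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        pools[(frm, to, tld, net)].add(addr)
    return sorted({str(net) for (_, _, _, net), ips in pools.items()
                   if len(ips) >= min_ips})


def inconsistent_senders(tuples):
    """Client IPs that retried to the same recipient with differing envelope-from."""
    froms = defaultdict(set)
    for ip, _helo, frm, to in tuples:
        froms[(ip, to)].add(frm)
    return sorted({ip for (ip, _to), f in froms.items() if len(f) > 1})


if __name__ == "__main__":
    grey = parse_grey(SAMPLE_SPAMDB)
    for net in cluster_networks(grey):
        print(net)            # one per line, ready for: pfctl -t spamd-cluster -T add
    for ip in inconsistent_senders(grey):
        print("inconsistent envelope-from:", ip)
```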

Re: Installer : deselecting X* sets if user doesn't want to run X

2016-12-05 Thread Clint Pachl

Clément 'wxcafé' Hertling wrote on 12/03/16 07:29:

Hey,

So each time I install an OpenBSD system I have to both answer no as to whether
I want to run X on the system, and then deselect the X* sets.

It's not a big thing, but I thought it couldn't be that hard to make it
automatic, that is, if the user indicated they are not planning to run X,
deselect the X* sets by default, since it's probably the most common case (they
could want to have the sets to build some software or to run remote X
applications, but in my opinion most users who indicate they don't want to run X
won't need these sets).


Back in the day before the automated install stuff was in base, I 
created my own. One thing my updater did, which is apropos to what 
you're asking, is it would look for existing well-known X11 directories 
which were part of the X sets. If it found them, it would install the X 
sets accordingly.


I wonder if this would be a useful solution?



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-25 Thread Clint Pachl

Tito Mari Francis H. Escaño wrote on 11/24/16 13:15:

Hi everyone,
Can somebody please recommend me a firewall appliance that can run OpenBSD and
pf, and can be upgradeable to the latest version? It would be a great plus if
the appliance can also be configured as part of CARP firewall group. pfSense
with FreeBSD doesn't cut it :)

I would highly recommend the Lanner embedded or network appliances. I 
bought a FW-7541 and a LEC-2280 back in 2012. I installed OpenBSD on an 
SSD in each. I've upgraded to every release since with zero issues.


I use the FW-7541 for my firewall/gateway, which also runs dhcpd, httpd 
(hosts OpenBSD sets/packages for the LAN), nsd, spamd, unbound, and 
tftpd (PXE booting). I think I paid about $400 for the Intel Atom CPU 
D525 @ 1.80GHz with 4GB RAM back in 2012, not including the SSD. It 
works awesome and can be found here:

http://www.lannerinc.com/products/x86-network-appliances/desktop/fw-7541

However, it looks like the FW-7541 has been replaced by the FW-7525:
http://www.lannerinc.com/products/x86-network-appliances/x86-desktop-appliances/fw-7525

I also bought another Lanner, the LEC-2280, for my main application server:
http://www.lannerinc.com/products/embedded-box-pcs/industrial-automation/lec-2280

I did contact Lanner support with an OpenBSD question shortly after 
setting them up. They were able to help. However, at that time, the 
engineer said they employed a couple of people who were familiar with 
OpenBSD, but basically they just made sure they were able to boot the 
latest OBSD release; not much assurances beyond that. However, I now see 
they have added OpenBSD and FreeBSD as officially supported OSes on some 
of their models.


I originally bought these two machines because of their fanless design 
and low power consumption. My meter measures 9-13W of power consumption 
for the FW-7541.


If you can install OBSD yourself and configure everything from the 
command line, I would highly recommend one of the Lanner desktop network 
appliances. I use the uplcom Prolific Technology Inc. USB-Serial 
Controller to access the console for administrative tasks like upgrades 
and backups.


Here is the dmesg for my FW-7541 firewall:

OpenBSD 6.0 (GENERIC.MP) #2: Mon Oct 17 10:22:47 CEST 2016
r...@stable-60-amd64.mtier.org:/binpatchng/work-binpatch60-amd64/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4267245568 (4069MB)
avail mem = 4133445632 (3941MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xfbea0 (22 entries)
bios0: vendor American Megatrends Inc. version "080016" date 08/03/2012
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB HPET GSCI
acpi0: wakeup devices P0P1(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) 
USB2(S4) USB3(S4) EUSB(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) 
P0P9(S4) HDAC(S4) USB4(S4) [...]

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.26 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 512KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
cpu0: mwait min=64, max=64, C-substates=0.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 512KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.00 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
cpu2: 512KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Atom(TM) CPU D525 @ 1.80GHz, 1800.01 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,SENSOR
cpu3: 512KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus 2 (P0P4)
acpiprt3 at acpi0: bus 3 (P0P5)
acpiprt4 at acpi0: bus 4 (P0P6)
acpiprt5 at acpi0: bus 5 (P0P7)

Re: Saw-shaped load on idle computer

2016-11-16 Thread Clint Pachl

li...@wrant.com wrote on 11/16/16 18:07:

Tue, 15 Nov 2016 14:34:28 -0700 Clint Pachl <pa...@ecentryx.com>

Does /var/log/* have any clues?

No.


Philippe Meunier wrote on 11/15/16 06:11:

Hello,

I'm just curious: what is it in the kernel that wakes up about every
minute to do some work even on a completely idle machine?  I'm asking
because xload shows some curious looking saw shaped load like this:
http://www.ccis.northeastern.edu/home/meunier/xload.jpg
That's on an idle Thinkpad T43 running OpenBSD 6.0-release.  At first
I thought it might be something like cupsd, but even after killing
daemons one by one and going to single user mode these regular peaks
still continue.  So I guess it's due to some kernel thread?  I tried
to use "top -S" but couldn't figure out the source.  Does anyone have
any idea of how to find it?

Thanks,

Philippe

Hi Philippe,

It is most likely the result of running X while idling measuring idling..
Well, it is most interesting what you would be trying to measure with it.



But Philippe is noticing this behavior even in single user mode, right? 
In single user, init and a shell should be all that is running in userland.


If in single user, I would suspect hardware interrupting the kernel. 
Make sure your monitoring tool isn't the culprit.




Re: Saw-shaped load on idle computer

2016-11-15 Thread Clint Pachl

Does /var/log/* have any clues?


Philippe Meunier wrote on 11/15/16 06:11:

Hello,

I'm just curious: what is it in the kernel that wakes up about every
minute to do some work even on a completely idle machine?  I'm asking
because xload shows some curious looking saw shaped load like this:
http://www.ccis.northeastern.edu/home/meunier/xload.jpg
That's on an idle Thinkpad T43 running OpenBSD 6.0-release.  At first
I thought it might be something like cupsd, but even after killing
daemons one by one and going to single user mode these regular peaks
still continue.  So I guess it's due to some kernel thread?  I tried
to use "top -S" but couldn't figure out the source.  Does anyone have
any idea of how to find it?

Thanks,

Philippe




Re: Removal of old libraries

2016-11-14 Thread Clint Pachl

Jan Stary wrote on 11/14/16 03:00:

On Nov 14 00:14:19, pa...@ecentryx.com wrote:

But the very next step in the upgrade blows away the system by overwriting
it anyway. Right?

What could happen? What if following the normal procedure of untarring the OS
sets on top of the existing system fails midway? Then you have an
inconsistent system too.

Yes, you have an inconsistent system, as opposed to nothing.


This sounds like someone who is not confident in their backup/restore 
procedure, if one even exists. I think you need to worry more about that 
than me saving a few megabytes with my upgrade process.


Like I mentioned a couple times in the thread, I have "level 0" dumps; 
that's consistency. I would not classify that as "nothing." There is a 
reason why restore(8) and ftp(1) are included on bsd.rd.



This behavior of mine may stem from my days as a hard-real-time embedded
systems engineer where we had to get rid of every single byte that did not
matter. I used to count the assembly instructions and add up all the clock
cycles for each hardware interrupt routine to make sure we would never
stall/slow the system. I just like minimal I guess.

Say I compile a C program on your system,
which gets linked to /usr/lib/libc.so.84.2.
After an upgrade, my program no longer works.
Bad, bad admin!


Oh yeah, and before you know it your crufty libc.so.84.2 is 2 years old 
and full of security vulnerabilities. Thank god your users can still use 
it and you don't have to bother them with a recompile.


I thought the philosophy of the project is to move forward for the sake 
of proactive security and correctness, not to rely on buggy legacy code 
because it's convenient and lazy.




Re: Removal of old libraries

2016-11-13 Thread Clint Pachl

Amit Kulkarni wrote on 11/08/16 07:22:

On Tue, Nov 8, 2016 at 12:53 AM, Clint Pachl <pa...@ecentryx.com> wrote:


Ax0n wrote on 09/03/16 13:12:


I've got a Toshiba NB305 netbook that's been my daily-use laptop for more
than 6 years now. The last fresh install I did was OpenBSD 4.9-RELEASE in
early May 2011. I've been quite happy with how it works, and I've been
doing bsd.rd upgrades and M:Tier binary updates ever since.

There is a lot of seemingly unused cruft in /usr/local/lib -- stuff with
an
atime of my last level 0 dump several months ago.   Looks like pkg_add -u
left a bunch of stuff behind. Is there a recommended way to clean this
stuff up, or should I just start chopping away with something like:

find /usr/local/lib -type f -atime +90 | doas xargs rm

(after a new level 0 dump, obviously...)



I've been removing the old system during the upgrade script since 4.9,
coincidentally. I haven't had a problem yet while upgrading two production
servers and my two laptops, from release to release.

After selecting the OS sets during the upgrade, but before hitting ENTER,
type ! at the "Set name(s)?" prompt to enter a shell. Then run: `cd /mnt
&& rm -rf bin sbin usr/!(local) && exit`. Then just hit enter and continue
running the upgrade script.

WARNING: this will wipe out your system, so if the upgrade fails for some
reason, you are TOTALLY SCREWED!

I periodically (every few releases) clean out /usr/local. First, get a
list of manually installed packages using `pkg_info -m`. Then uninstall
everything. It is interesting to see what gets left behind. If any garbage
is left over, remove it. Then reinstall from your generated list. I don't
do this very often anymore as `pkg_delete -a` seems to clean up quite well.

As insurance, I take level 0 dumps just before upgrading or cleaning
/usr/local. Also, one of my laptops is a spare that has all the same
software installed as the production servers and my main laptop. So this
laptop is a test run if you will. If there are quirks, my main laptop is my
second chance to make sure I know what the hell I'm doing before finally
upgrading my two production systems.

Also, just a public announcement, test your restore-from-backup process
once in awhile.

I've always thought about sharing this process, but always thought it is
probably not the best advice.



Clint,

pkg_add sysclean

This will restore your system as close to a new install as possible. What
you are doing is quite dangerous.



But the very next step in the upgrade blows away the system by 
overwriting it anyway. Right?


What could happen? What if following the normal procedure of untarring 
the OS sets on top of the existing system fails midway? Then you have an 
inconsistent system too.


I'd rather start with a clean slate and build on top of that than chip 
away at an existing, running system, which others have recommended via 
the sysclean package (I haven't looked at the code so I don't know what 
it does, but I wouldn't trust it until I inspected the code).


I have all my OS sets and packages stored on a local server along with 
my level 0 dumps, which I've never needed by the way. If the worst 
happens, I just PXE boot the ramdisk image and do a quick restore of the 
system to where it was just before the upgrade.


I've always liked the clean install process, and this modified process 
gets me close without actually doing a clean install. I've done this for 
11 releases now with 4 systems without any problems. Just thought I'd 
share, but with the warnings I provided earlier.


This behavior of mine may stem from my days as a hard-real-time embedded 
systems engineer where we had to get rid of every single byte that did 
not matter. I used to count the assembly instructions and add up all the 
clock cycles for each hardware interrupt routine to make sure we would 
never stall/slow the system. I just like minimal I guess.




Re: Removal of old libraries

2016-11-07 Thread Clint Pachl

Ax0n wrote on 09/03/16 13:12:
> I've got a Toshiba NB305 netbook that's been my daily-use laptop for more
> than 6 years now. The last fresh install I did was OpenBSD 4.9-RELEASE in
> early May 2011. I've been quite happy with how it works, and I've been
> doing bsd.rd upgrades and M:Tier binary updates ever since.
>
> There is a lot of seemingly unused cruft in /usr/local/lib -- stuff with an
> atime of my last level 0 dump several months ago.   Looks like pkg_add -u
> left a bunch of stuff behind. Is there a recommended way to clean this
> stuff up, or should I just start chopping away with something like:
>
> find /usr/local/lib -type f -atime +90 | doas xargs rm
>
> (after a new level 0 dump, obviously...)

I've been removing the old system during the upgrade script since 4.9, 
coincidentally. I haven't had a problem yet while upgrading two 
production servers and my two laptops, from release to release.


After selecting the OS sets during the upgrade, but before hitting 
ENTER, type ! at the “Set name(s)?” prompt to enter a shell. Then run: 
`cd /mnt && rm -rf bin sbin usr/!(local) && exit`. Then just hit enter 
and continue running the upgrade script.


WARNING: this will wipe out your system, so if the upgrade fails for 
some reason, you are TOTALLY SCREWED!


I periodically (every few releases) clean out /usr/local. First, get a 
list of manually installed packages using `pkg_info -m`. Then uninstall 
everything. It is interesting to see what gets left behind. If any 
garbage is left over, remove it. Then reinstall from your generated 
list. I don't do this very often anymore as `pkg_delete -a` seems to 
clean up quite well.


As insurance, I take level 0 dumps just before upgrading or cleaning 
/usr/local. Also, one of my laptops is a spare that has all the same 
software installed as the production servers and my main laptop. So this 
laptop is a test run if you will. If there are quirks, my main laptop is 
my second chance to make sure I know what the hell I'm doing before 
finally upgrading my two production systems.


Also, just a public announcement, test your restore-from-backup process 
once in awhile.


I've always thought about sharing this process, but always thought it is 
probably not the best advice.




Re: Mouse click problems with firefox and firefox-esr (and Seamonkey)

2016-04-23 Thread Clint Pachl

Nick wrote on 03/30/16 11:23:

I have tried both firefox and firefox-esr in both OpenBSD 5.8 and 5.9 and can 
say that there are issues with the mouse not picking up 10-15% of my clicks, 
sometimes having to click a good 3 times or more for it to actually work 
correctly! When I select and drag text, it can randomly un-select it as if I 
have let go of the mouse and clicked elsewhere.. Just all sorts of strangeness. 
I never have a problem with moving the mouse cursor though. To say it's a 
nuisance is a bit of an understatement as I am now having to use chromium - 
which I detest, being a keen avoider of any google pish.

For extra info, I am using XFCE.

Does anyone have this issue? What is going on?


I have this exact same problem with Seamonkey using cwm(1) on a ThinkPad 
T61. I've run OpenBSD on this laptop for almost a decade now and it's 
never had this issue before 5.8. It's really very annoying but I've been 
living with it through 5.8, assuming it will be fixed in 5.9. Well I 
just upgraded to 5.9 the other day and was eager to see if it was fixed, 
but it exhibits the same annoying behavior.


I don't know what to do or test. I run no ad-ons with Seamonkey.



Re: the problem with the OpenBSD installer

2016-01-17 Thread Clint Pachl

Jan Stary wrote on 01/17/16 14:29:

After installing various UNIX-like systems today,
I realized what the problem is with the installer:
it makes installing any other system a DAMN ORDEAL.


The installer is what initially addicted me to OpenBSD.

Back in the late 90s until about 2003 I used various Linux distros. I 
settled on Slackware for many years because it seemed the most 
straightforward and transparent. I could tell it was a bit different and 
simpler than the other Linux distros. Then I read that Slackware 
borrowed many ideals from BSD. I had not heard of BSD. After some 
research, I installed FreeBSD 4.8, which became my OS of choice for both 
server and desktop for 2 years.


Then, for some reason, I became more interested in security. I think I 
was also having stability issues with FreeBSD 5.x and was growing tired 
of the complexity of the system. So I looked into OpenBSD. The 
simplicity of the system, from install to management, immediately blew 
me away. I migrated all my systems to OpenBSD 3.6 in early 2005 and 
never looked back. I have been running OpenBSD exclusively for more than 
10 years now. I can't be happier with the developers and the directions 
and decisions they make. They have created a rock solid OS. It runs 
everything from my business to my kid's media center.


I used to write device drivers for hard real-time embedded systems in a 
previous life. I hope to someday have the time to contribute code to my 
favorite OS. In the meantime, I support the project with donations. I 
don't know what I would do without this OS. Thank you!




doas(1) -s argument; What's the benefit?

2016-01-12 Thread Clint Pachl
First, thank you Mr. Unangst for a beautifully simple piece of code. The 
configuration file is a delight as well. I was happy to remove sudo from 
my servers.


What I don't understand is the `-s` argument used to execute a shell. 
What would a corresponding doas.conf(5) look like?


Can't shell execution be accomplished using doas.conf only, without the 
need for the doas "-s" argument?


For example, the following two configurations seem to accomplish the 
same with the exception of the environment variables explicitly set by 
su(1):


  $ cat /etc/doas.conf
  permit USR as root cmd su
  $ doas su
  #

  $ cat /etc/doas.conf
  permit USR as root cmd /bin/ksh
  $ doas -s
  #

Other than compatibility with `sudo -s`, what are the benefits of `doas -s`?

Thank you,
Clint



Re: Recommended Industrial PCs?

2015-12-01 Thread Clint Pachl

Martin Haufschild wrote on 08/26/15 12:11:
can someone recommend me an Industrial PC (IPC) to use with OpenBSD? I 
would like to have a lot of hardware supported from this IPC by OpenBSD.


I've had great luck with Lanner (http://www.lannerinc.com/).

I've been running a LEC-2280 and FW-7541 for almost 2 years now for my 
business. They run the local network and public ecommerce website. The 
LEC is the main server with an Intel Core i7-3555LE @ 2.5GHz. The FW is 
the firewall/gateway running other light services, like DNS and NTP, 
with an Atom D525 1.8GHz.


I set them on top of a cabinet in a closet and just forget about them; 
nobody knows they exist. I haven't physically touched them since I 
installed them almost 2 years ago. The ambient temperature ranges from 
about 70-90F. These two boxes always stay cool regardless of the temp; 
plus these machines are fanless so they don't suck dust.


I interconnected them with serial cables to assist with out-of-band 
maintenance. For instance, I SSH into one machine, then connect via 
serial to the other for console access. That's been working out really 
well through 3 or 4 upgrade cycles now.


With the maximum RAM and best CPUs at the time, the LEC-2280 and FW-7541 
were about $1200 USD and $400 USD, respectively. I would highly 
recommend them. Plus, their customer support was very helpful. Their 
tech support even tests and runs OpenBSD, which is what sealed the deal 
for me.


http://www.lannerinc.com/products/embedded-box-pcs/industrial-automation/lec-2280
http://www.lannerinc.com/products/x86-network-appliances/desktop/fw-7541



Re: hw.sensors and high fan RPM

2015-03-13 Thread Clint Pachl
I have a T410 as well and I don't use it because of the fan noise. I 
bought it to replace my T61, but I continue to use the T61 because it's 
slightly less noisy at 2935 RPM.


I looked for solutions several times but never found one. I even laid 
down new Arctic Silver 5 thermal paste and installed brand new fans on 
both laptops, but no change. The CPUs run cool in the 30s for the T410 
and in the lower 40s for the T61, but the fans just spin loudly. Even 
`apm -L` doesn't help.


Both laptops had Windows on them when I bought them and the fans were 
silent. So I know it's a possibility.



Joseph Oficre wrote, On 03/11/15 05:33:

Hi, some time ago I created the mail like this, but I have some new
information about my problem. So, there is my hw.sensors:
# sysctl hw.sensors
hw.sensors.cpu0.temp0=34.00 degC
hw.sensors.cpu1.temp0=34.00 degC
hw.sensors.cpu2.temp0=34.00 degC
hw.sensors.cpu3.temp0=34.00 degC
hw.sensors.acpitz0.temp0=53.00 degC (zone temperature)
hw.sensors.acpibtn0.indicator0=On (lid open)
hw.sensors.acpibat0.volt0=10.80 VDC (voltage)
hw.sensors.acpibat0.volt1=11.77 VDC (current voltage)
hw.sensors.acpibat0.power0=34.30 W (rate)
hw.sensors.acpibat0.watthour0=42.96 Wh (last full capacity)
hw.sensors.acpibat0.watthour1=2.15 Wh (warning capacity)
hw.sensors.acpibat0.watthour2=0.20 Wh (low capacity)
hw.sensors.acpibat0.watthour3=29.21 Wh (remaining capacity), OK
hw.sensors.acpibat0.watthour4=47.52 Wh (design capacity)
hw.sensors.acpibat0.raw0=2 (battery charging), OK
hw.sensors.acpiac0.indicator0=On (power supply)
hw.sensors.acpithinkpad0.temp0=53.00 degC
hw.sensors.acpithinkpad0.temp1=53.00 degC
hw.sensors.acpithinkpad0.temp2=53.00 degC
hw.sensors.acpithinkpad0.temp3=53.00 degC
hw.sensors.acpithinkpad0.temp4=53.00 degC
hw.sensors.acpithinkpad0.temp5=53.00 degC
hw.sensors.acpithinkpad0.temp6=53.00 degC
hw.sensors.acpithinkpad0.temp7=53.00 degC
hw.sensors.acpithinkpad0.fan0=4510 RPM
hw.sensors.itherm0.temp0=0.00 degC (Thermometer)
hw.sensors.itherm0.temp1=51.03 degC (Core 1)
hw.sensors.itherm0.temp4=54.00 degC (CPU/GPU Max temp)
hw.sensors.itherm0.temp9=54.00 degC (GPU/Memory controller abs.)
hw.sensors.itherm0.temp10=59.00 degC (PCH abs.)
hw.sensors.itherm0.power0=7.00 W (CPU power consumption)
hw.sensors.aps0.temp0=45.00 degC
hw.sensors.aps0.temp1=45.00 degC
hw.sensors.aps0.indicator0=Off (Keyboard Active)
hw.sensors.aps0.indicator1=Off (Mouse Active)
hw.sensors.aps0.indicator2=On (Lid Open)
hw.sensors.aps0.raw0=511 (X_ACCEL)
hw.sensors.aps0.raw1=505 (Y_ACCEL)
hw.sensors.aps0.raw2=511 (X_VAR)
hw.sensors.aps0.raw3=505 (Y_VAR)


So. I have 34 cpu temperature. And only problem I see is 59C PCH temp. And
as u can see I have 4500 RPM, and it's SO DAMN LOUD.
This notebook (thinkpad t410) ran freebsd, several linux systems, and I
NEVER had this kind of problem.


apmd daemon with -L, -C option does nothing about this.
Can I somehow decrease RPM manually?
Cuz I can't sleep at night, lol. When I boot freebsd system - everything
works quite nice.




Re: dump and duid

2015-03-07 Thread Clint Pachl

Jan Stary wrote, On 02/27/15 06:09:

This is current/amd64.

After cleaning my machine I reconnected two of my disks in reverse;
what was sd0 is sd1 now, and vice versa.

I do nightly dumps of the filesystems,
starting with level 0 on early Monday morning,
continuing with incremental 1, 2 etc through the week.
Usually this means that the Monday dump -0 is big,
and the subsequent incrementals are relatively small:


-rw-------  1 hans  wheel   299G Feb 23 03:26 dump.biblio.0
-rw-------  1 hans  wheel  19.7M Feb 24 01:32 dump.biblio.1
-rw-------  1 hans  wheel   1.4G Feb 25 01:32 dump.biblio.2
-rw-------  1 hans  wheel   674M Feb 26 01:32 dump.biblio.3
-rw-------  1 hans  wheel   240G Feb 27 02:55 dump.biblio.4
-rw-------  1 hans  wheel  16.7G Feb 23 01:40 dump.home.0
-rw-------  1 hans  wheel   326M Feb 24 01:32 dump.home.1
-rw-------  1 hans  wheel  54.5M Feb 25 01:32 dump.home.2
-rw-------  1 hans  wheel  59.4M Feb 26 01:32 dump.home.3
-rw-------  1 hans  wheel  52.3M Feb 27 01:32 dump.home.4
-rw-------  1 hans  wheel  93.9M Feb 23 01:30 dump.root.0
-rw-------  1 hans  wheel   100K Feb 24 01:30 dump.root.1
-rw-------  1 hans  wheel  80.0K Feb 25 01:30 dump.root.2
-rw-------  1 hans  wheel  80.0K Feb 26 01:30 dump.root.3
-rw-------  1 hans  wheel   7.4M Feb 27 01:30 dump.root.4
[...]

Now, on the night after I interchanged the disks,
the dump -4 of sd1a (/biblio) is huge again; apparently,
dump -4 is dumping everything again.

Is this simply because /etc/dumpdates deals
with device names, as opposed to duids?


I ran into this quite a while ago. My tests definitely confirm dump does 
not recognize DUIDs. Many utilities have been made DUID aware, but not 
dump(8). Dump reads /etc/dumpdates, which only lists device paths.




Re: What are the disadvantages of soft updates?

2015-02-02 Thread Clint Pachl

Alexandre Ratchov wrote, On 01/19/15 02:44:

On Mon, Jan 19, 2015 at 03:59:34AM +, currellbe...@gmail.com wrote:

Hello,

The FAQ[1] states that soft updates result in a large performance increase
in disk writing performance, and links to a resource[2] which claims that
soft updates, in addition to being a performance enhancement, can also
maintain better disk consistency.  Resource 2 links to several academic
papers[3][4], which while they are a bit above my level, contain discussions
of how soft updates can increase performance and speed recovery on crash.

My question is: what are the downsides of soft updates?

- softdep consumes more cpu in kernel mode, which hurts interactive
   programs on very slow machines. It has the reputation of
   consuming more memory.

- the softdep code is more complex (likely to have more bugs).


Also, does journaling provide a better data-safety guarantee?

They are not the same. On OpenBSD, softdep makes certain operations
much faster while ensuring that upon power loss, all
inconsistencies can be automatically fixed by fsck on next boot.

Journaling would write data twice (first in the journal, then in
the filesystem) and would allow last operations to be replayed on
next boot, so no need to run fsck, which in turn makes system boot
fast after a power loss.

In theory, from data safety point of view they are equivalent.



Jeez, I've been misinformed for many years. I do not enable softdep on 
my battery-backed production servers thinking it was safer; the whole 
idea of running less complex code and fewer lines of it. I figured 
backup power would keep the filesystem from crashing, thus consistent, 
and therefore no need for softdep.


Plus, IIRC, the default installer doesn't enable softdep either. So I 
figured there was a good reason for that.


Coincidentally, I was just running benchmarks two days ago for a web 
session manager that I wrote. It simply stores session data to file for 
each client. I tested it on ffs, ffs+softdep, and tmpfs. Here are the 
average total times for creating 2,000 session files, each roughly 200 
bytes, randomly distributed across 62 directories:


0.74s tmpfs
0.76s ffs+softdep
1.17s ffs

The FFS is on an Intel SSD.

So softdep can definitely enhance performance. And according to Kirk 
McKusick, it also enhances FS consistency. So I think I'll be enabling 
softdep on my production servers.


I'm sure all the bugs in that complex softdep code have been worked 
out by now. ;-)




Retired 4.4-beta

2014-09-24 Thread Clint Pachl

I just wanted to share my story ...

I finally retired my old AOpen desktop router which was running 4.4-beta 
from July 2008 until now. I originally set it up to test pf and routing 
for my company's network. It seemed to work fine so I put it into 
production. Then I just kind of forgot about it.


I originally installed an old WD Caviar 3.4 GB drive, which I bought in 
bulk, used on Ebay (like 20 drives for $10).


During those 6 years of commission, I only had two hardware failures. I 
replaced the old spinning disk, which died a couple years ago, with a 
compact flash drive. The power supply fan was also replaced.


Other than taking the machine down for those repairs, it ran 365/24/7. 
No crashing. No problems. Just routing/filtering traffic and offering 
DHCP leases. Talk about set it, and forget it! And that was on a BETA 
version.


This machine was replaced with the much smaller, more efficient, and 
quieter Lanner FW-7541 with a dual core Atom D525 1.8GHz, 4GB DDR3, and 
8GB Transcend SSD. Unlike its predecessor, I plan to upgrade this 
machine with every release.


Anyway, I just wanted to share. I also wanted to thank the devs for a 
solid OS, time and time again.



OpenBSD 4.4-beta (GENERIC) #979: Wed Jul 16 09:40:32 MDT 2008
t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

Re: How to log in automatically to GUI?

2014-09-01 Thread Clint Pachl

Clint Pachl wrote, On 08/25/14 16:36:
It seems one should be able to get getty(8) to do this using 
/etc/ttys. I tried:


  console  /usr/bin/su -l USER -c /usr/X11R6/bin/startx  xterm on secure


which automatically launched X, but I didn't have access to the 
console (i.e., no write permission on /dev/console, no keyboard, 
etc.). I looked into fbtab(5), but I'm not sure how this works in this 
situation.


Thanks to David Coppa, he set me on the right track by sharing Marc 
Balmer's Starting X11 Applications on OpenBSD at Boot Time. I will 
summarize:


Use rc.local to launch X server manually on a virtual terminal and make 
sure getty(8) is not listening on that VT. This setup will not require 
user login or authentication. It can operate as a kiosk.


First, setup an unprivileged user (USER) that will automatically run X11 
and any specified GUI apps. Then add an .xinitrc startup script for the 
USER's X11 session. Here we will launch Chrome and load a local web 
application.


/home/USER/.xinitrc:
/usr/local/bin/chrome http://localhost/app

Now, just execute X11 as the unprivileged user from the system local 
script. Note we are running the X server on display 0 on virtual 
terminal 5. The startx script will run the .xinitrc above.


/etc/rc.local:
(
while sleep 1
do su -l USER -c '/usr/X11R6/bin/startx -- /usr/X11R6/bin/Xorg vt05 :0'
done
) &

Now if Chrome crashes or quits, X will restart and relaunch Chrome.

Finally, make sure getty does not interfere with this finely tuned 
operation.


/etc/ttys:
ttyC4   /usr/libexec/getty std.9600   vt220   off
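The while-sleep-1 loop above restarts X forever, so a browser or X server that dies immediately spins the console at one restart a second. As an added example (not Marc Balmer's or the thread's code), here is a supervisor that logs each exit and stops after a run of quick failures; the account name KIOSK_USER, the script name kiosk-supervise and the thresholds are assumptions:

```shell
#!/bin/sh
# Added example: a drop-in for the rc.local restart loop that gives up after
# MAX_FAST consecutive runs shorter than MIN_RUN seconds, instead of
# respawning a broken X session once a second forever.

KIOSK_USER=${KIOSK_USER:-USER}   # assumed unprivileged kiosk account

# supervise MAX_FAST MIN_RUN CMD [ARG...]
# Re-run CMD each time it exits.  A run shorter than MIN_RUN seconds counts
# as a fast failure; MAX_FAST of those in a row end the loop with status 1.
# A run that lasts at least MIN_RUN seconds resets the counter.
supervise() {
    max_fast=$1 min_run=$2
    shift 2
    fast=0
    while :; do
        start=$(date +%s)
        "$@"
        status=$?
        elapsed=$(( $(date +%s) - start ))
        if [ "$elapsed" -lt "$min_run" ]; then
            fast=$((fast + 1))
        else
            fast=0
        fi
        logger -t kiosk "$1 exited with status $status after ${elapsed}s" 2>/dev/null || :
        if [ "$fast" -ge "$max_fast" ]; then
            logger -t kiosk "$max_fast short runs in a row; not restarting" 2>/dev/null || :
            return 1
        fi
        sleep 1
    done
}

# Only start X when run as the installed script (assumed name kiosk-supervise),
# so sourcing this file merely defines supervise.
case ${0##*/} in
kiosk-supervise)
    supervise 5 30 su -l "$KIOSK_USER" -c \
        '/usr/X11R6/bin/startx -- /usr/X11R6/bin/Xorg vt05 :0'
    ;;
esac
```

Start it from rc.local in the background, as the original loop is, and the giving-up message in /var/log/messages tells you the session is broken rather than merely slow.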



Re: How to log in automatically to GUI?

2014-09-01 Thread Clint Pachl

Andy Bradford wrote, On 08/27/14 08:35:

Thus said Clint Pachl on Mon, 25 Aug 2014 16:36:26 -0700:


If someone knows how to do this properly via getty(8), I would be very
interested.

I've used this successfully (not sure how proper it is):

/etc/ttys:

ttyC0   /usr/libexec/getty console.nopw   vt220   on  secure

/etc/gettytab:

console.nopw:\
:sp#9600:lo=/usr/bin/autologin:

/usr/bin/autologin:

#!/bin/sh
# getty(8) runs this through the gettytab lo= capability as: autologin -p -- USER
exec /usr/bin/login -f "$@"


FYI: $@ equals -p -- USER where USER is the username entered at the 
login prompt. I never would have guessed that the -p option was included.


I just wanted to point out that this still requires someone to enter a 
valid username to get a login session. Is it possible to bypass even 
this step and just get a user login session (i.e., auto-login)?


I noticed some GETTYS (e.g., agetty) have an auto-login feature. I'm 
wondering if OpenBSD's getty can do similar using the lo capability?
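Because the lo= helper above execs login -f with whatever name was typed, on a console marked secure the name root yields a root shell without a password. As an added example (not Andy Bradford's script), here is a variant that waives the password for one fixed unprivileged account and hands every other name to the normal login prompt; the account kiosk and the install path /usr/bin/autologin are assumptions:

```shell
#!/bin/sh
# Added example: a gettytab "lo=" helper that skips the password only for
# one fixed, unprivileged account.  Wiring, as in the thread:
#   /etc/ttys:     ttyC0  /usr/libexec/getty console.nopw  vt220  on secure
#   /etc/gettytab: console.nopw:\
#                       :sp#9600:lo=/usr/bin/autologin:
# getty then runs:  /usr/bin/autologin -p -- NAME

AUTOLOGIN_USER=${AUTOLOGIN_USER:-kiosk}   # assumed account name

# autologin_target ALLOWED [getty args...]
# Print the account to log in without a password and return 0, or return 1
# when the typed name is not ALLOWED or when ALLOWED is root (always refused).
autologin_target() {
    allowed=$1
    shift
    # getty passes its own options first, then "--", then the typed name.
    while [ $# -gt 0 ]; do
        case $1 in
        --) shift; break ;;
        -*) shift ;;
        *)  break ;;
        esac
    done
    typed=${1:-}
    if [ "$allowed" = root ] || [ -z "$typed" ] || [ "$typed" != "$allowed" ]; then
        return 1
    fi
    printf '%s\n' "$typed"
}

# Only exec login when installed under the assumed name autologin, so that
# sourcing this file defines the function without starting a session.
case ${0##*/} in
autologin)
    if user=$(autologin_target "$AUTOLOGIN_USER" "$@"); then
        exec /usr/bin/login -f -p -- "$user"   # password waived for the kiosk account
    fi
    exec /usr/bin/login "$@"                    # anyone else gets the normal prompt
    ;;
esac
```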




Re: Problems with older nc without -N option ... also how to detect nc version

2014-08-29 Thread Clint Pachl

Alan McKay wrote, On 08/27/14 09:56:

I'm writing some scripts to clone over the network, and since I have
mostly boxes that do not have the -N option on nc, this is proving to
be an issue.

I have a bunch of dump files - one for each filesystem - that were
created from a live system.  When I want to send them back over the
network to another system, it seems that the sender never really sees
the end of the file.

On the sender I do

nc <DEST IP> <DEST PORT> < dump.file

On the receiver I do simply

nc -l <DEST PORT> | restore -rf -

That send/receive pair will just hang there forever.  But if I add the
-N option to the sender, it works as expected.

However I've also implemented some rudimentary handshaking - when the
recipient is done with the file I do :

echo OK | nc <SENDER IP> <DEST PORT>

Note no -N option - and it works great.  The other end is just doing
nc -l <DEST PORT>


hmmm ... that's not what happens between my 5.5 systems. Neither end 
will shut down when the -N option is omitted (receiver or transmitter).


I wonder why your connection shuts down here without -N?


The difference seems to be the pipe.

So I'm thinking maybe introduce a superfluous dd on the original
sender, perhaps :

dd if=dump.file | nc <DEST IP> <DEST PORT>

But I try that and get the same results - they will just stay in that
state forever.

Any ideas on how to solve this problem?


I think the best solution is using the nc(1) -w timeout, which you 
seem to have discovered. I've seen the timeout solution recommended 
in the past for this exact situation. I'm not sure there is another way 
to shut down the connection without the -N option.




Re: hang at syncing disks... done

2014-08-25 Thread Clint Pachl

Marko Cupać wrote, On 08/21/14 15:32:

On 21-08-2014 11:38, Marko Cupać wrote:

I have just installed OpenBSD 5.5 on my ThinkPad T440. At first
glance everything seems to work OK, except for the fact that, when
shutting down or restarting, system hangs at 'hang at syncing
disks... done'.

This could be possibly due to my questionable decision not to create
swap partition. Once I reinstalled, with swap partition this time, the
problem went away.


I'm not convinced. I never create swap partitions on my Thinkpads (T61, 
T410) and they never hang at shutdown (or `halt -p`). These laptops have 
been running the release version since at least 5.0.


Also, I never touch my rc.shutdown.

I'm wondering if your disk is failing?



Re: How to log in automatically to GUI?

2014-08-25 Thread Clint Pachl

somelooser3...@hushmail.com wrote, On 08/25/14 12:54:

I installed an OpenBSD desktop and in the /etc:

 rc.conf.local:xdm_flags=# enabled during install

How can I set the automatic login for a user without prompting for
password?



It seems one should be able to get getty(8) to do this using /etc/ttys. 
I tried:


  console  /usr/bin/su -l USER -c /usr/X11R6/bin/startx  xterm on secure

which automatically launched X, but I didn't have access to the console 
(i.e., no write permission on /dev/console, no keyboard, etc.). I looked 
into fbtab(5), but I'm not sure how this works in this situation. It 
seems the default fbtab should suffice.


I also tried:

  console  /usr/bin/login -f USER  vt220 on secure

but that didn't work. It's apparently not setting up the login 
environment properly. I figured if I could get a user logged in, from 
that point you could run startx(1) from the user's login script.


If someone knows how to do this properly via getty(8), I would be very 
interested.




Re: Generating random.seed for network boot clients

2014-08-17 Thread Clint Pachl

Christian Weisgerber wrote, On 08/16/14 08:54:

On 2014-08-16, Christian Weisgerber na...@mips.inka.de wrote:


How about making etc/random.seed a named pipe and feeding chunks
of /dev/random to it?

I've now put this into my /etc/rc.local:

---
# Provide fresh random.seed for pxeboot

if cd /tftpboot/etc; then
    rm -f random.seed
    mkfifo random.seed
    # do not fill up filesystem if the FIFO disappears
    # dd of= does not block on open
    sh -c 'while [ -p random.seed ]; do dd count=1 >random.seed; done' \
        </dev/random 2>/dev/null &
fi
---

* It blocks until random.seed is read.
* It doesn't run amok if random.seed is accidentally removed.
* It's easy to identify with ps(1).


Very nice. It seems like this might be a good addition to /etc/rc 
because the OS depends on it. It's not like it's system, site, or 
application specific.


Anyway, thanks everyone for all the feedback on this subject.



Re: Why are there NSA, CSIS, and GOOGLE IDs in my ftplist.cgi

2014-08-17 Thread Clint Pachl

Theo de Raadt wrote, On 08/16/14 09:39:

On Sat, Aug 16, 2014 at 04:03, Clint Pachl wrote:

I checked out my saved install configurations at
http://129.128.5.191/cgi-bin/ftplist.cgi and noticed that at the end of
the file there are fields named NSA_ID, CSIS_ID, and GOOGLE_ID.
They all sound scary. Each time I refresh the page, only one of the
three IDs appear, but they seem to rotate. WTF?

Checking to see who's paying attention.

1 person noticed.  Took about 6 years.


So the NSA/CSIS/GOOGLE has been spying on us for 6 years and no one 
noticed. Damn, they're good. Someone should report this.




Re: Generating random.seed for network boot clients

2014-08-16 Thread Clint Pachl

Paul de Weerd wrote, On 08/15/14 14:51:

At any rate, this changes that to allow world readable files (still
not taking world writable files).  We can't check S_IWOTH over tftp,
we should probably assume 0777 for files transferred that way.  But,
if you're trusting the kernel you're getting over tftp, then why the
hell are you not trusting random.seed?  That attacker that could maybe
influence your randomness would NEVER touch your kernel to ensure it
only produces well known (to them) randomness.  That would be way too
easy...


Good point.



Index: boot.c
===
RCS file: /cvs/src/sys/stand/boot/boot.c,v
retrieving revision 1.43
diff -u -p -r1.43 boot.c
--- boot.c  19 Feb 2014 22:02:15 -  1.43
+++ boot.c  15 Aug 2014 21:41:01 -
@@ -153,7 +153,7 @@ loadrandom(char *name, char *buf, size_t
}
if (fstat(fd, sb) == -1 ||
sb.st_uid != 0 ||
-   (sb.st_mode  (S_IWOTH|S_IROTH)))
+   (sb.st_mode  (S_IWOTH)))
goto fail;
(void) read(fd, buf, buflen);
  fail:
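Review bot: the new mask on the `+` line still tests only S_IWOTH, so a seed owned by root but group-writable (S_IWGRP) passes the check that was tightened here; if the rule is "owned by root and not writable by anyone else", use `(sb.st_mode & (S_IWGRP|S_IWOTH))`. The reason world-readable seeds are now acceptable (the seed is only one input mixed with other entropy, and a file fetched over tftp has no meaningful mode anyway) exists only in this thread, so a one-line comment above the fstat() block would document it in the source. The unchecked `(void) read(fd, buf, buflen)` in the context below also means a short read silently leaves part of buf unfilled; returning the byte count, or at least checking for -1, would let the caller know.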


Nonetheless, on a generally secure internal network it's a benefit to 
have this extra random source. But if it doesn't exist or it is 
known to the world, like Theo previously said, it isn't worse.


The only downside is if the random.seed was used in a compromise of the 
PRNG of the client (not sure if that's possible). But then I guess I 
revert to Paul's point above.




Re: Generating random.seed for network boot clients

2014-08-16 Thread Clint Pachl

Christian Weisgerber wrote, On 08/15/14 18:36:

On 2014-08-15, Paul de Weerd <we...@weirdnet.nl> wrote:


What you could do is use the -r option to tftpd(8) to hand out a new
file to each client that connects.  Or just periodically (like, every
hour or every minute, depending on the load of your tftp server)
replace it with a new random file.

How about making etc/random.seed a named pipe and feeding chunks
of /dev/random to it?  Something like

# cd /tftpboot
# mkfifo etc/random.seed
# while true; do dd if=/dev/random count=1 >etc/random.seed 2>/dev/null; done &

seems to work at first blush.


I liked de Weerd's idea of using the -r option with tftpd. I was thinking I 
could use a socket to signal a small script containing nc(1) for the 
domain socket communication. The script would detect if the requested 
file was etc/random.seed, and if so, refresh the randomness, otherwise 
just pass the original request file back (essentially a NOP). Then tftpd 
would serve up this freshly generated randomness on a per request basis.


But shit, Christian's one-liner above works like a charm!

I was skeptical at first, but after some testing I'm convinced that it 
works great with tftpd(8).


# cd /tftpboot
# mkfifo test.seed
# while :; do dd if=/tmp/counter of=test.seed 2>/dev/null; done &

# cnt=0
# cd /tmp

# echo $((cnt++)) > counter
# echo "get test.seed\nquit" | tftp localhost
# cat test.seed
0

# echo $((cnt++)) > counter
# echo "get test.seed\nquit" | tftp localhost
# cat test.seed
1

# echo $((cnt++)) > counter
# echo "get test.seed\nquit" | tftp localhost
# cat test.seed
2

# ###DON'T UPDATE COUNTER### echo $((cnt++)) > counter
# echo "get test.seed\nquit" | tftp localhost
# cat test.seed
2

and you get the picture ...
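The FIFO trick from Christian's one-liner, combined with the `[ -p ]` guard of the scripted version quoted earlier in the thread, as an added shell example that is not code from either post. The feeder, reader and removal check below are mine; the directory comes from mktemp(1) and /dev/urandom stands in for /dev/random so the demo cannot block on entropy.

```shell
#!/bin/sh
# Added example (not from the thread): hand every reader of a FIFO a fresh
# block of randomness, the way the one-liner does for /tftpboot/etc/random.seed,
# and stop feeding (rather than create a growing regular file) once the FIFO
# is removed. Assumes POSIX sh, dd(1), od(1), mktemp(1) and /dev/urandom;
# the directory and file names are constructed for the demo.

SEED_NAME=random.seed

# Feeder loop, run as a background subshell. Each dd blocks in open() until a
# reader arrives, then hands it one 512-byte block. dd runs as a child so a
# TERM sent to this subshell also kills a dd still waiting for a reader.
seed_feeder_loop() {
    cd "$1" || exit 1
    child=
    trap 'kill "$child" 2>/dev/null; exit 0' TERM
    while [ -p "$SEED_NAME" ]; do
        dd if=/dev/urandom count=1 >"$SEED_NAME" 2>/dev/null & child=$!
        wait "$child" || :
    done
}

# Create the FIFO in directory $1, start the feeder, print its PID.
start_seed_feeder() {
    rm -f "$1/$SEED_NAME"
    mkfifo "$1/$SEED_NAME"
    seed_feeder_loop "$1" </dev/null >/dev/null 2>&1 &
    echo $!
}

# Read one block the way a client (or tftpd) would; print it as 1024 hex chars.
read_seed_hex() {
    dd if="$1/$SEED_NAME" bs=512 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Stop feeder PID $2 (and any dd it has waiting) and remove the FIFO from $1.
stop_seed_feeder() {
    kill "$2" 2>/dev/null || :
    wait "$2" 2>/dev/null || :
    rm -f "$1/$SEED_NAME"
}

# Walk through what the thread relies on: two reads give different data, and
# removing the FIFO leaves no regular file behind. Prints "ok" on success.
seed_demo() {
    dir=$(mktemp -d) || return 1
    pid=$(start_seed_feeder "$dir")
    a=$(read_seed_hex "$dir")
    b=$(read_seed_hex "$dir")
    # accidental removal: the feeder must not recreate it as a regular file
    rm -f "$dir/$SEED_NAME"
    sleep 1
    status=0
    [ ${#a} -eq 1024 ] && [ ${#b} -eq 1024 ] && [ "$a" != "$b" ] || status=1
    [ ! -e "$dir/$SEED_NAME" ] || status=1
    stop_seed_feeder "$dir" "$pid"
    rm -rf "$dir"
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

case "${1:-}" in demo) seed_demo ;; esac
```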



Why are there NSA, CSIS, and GOOGLE IDs in my ftplist.cgi

2014-08-16 Thread Clint Pachl
I checked out my saved install configurations at 
http://129.128.5.191/cgi-bin/ftplist.cgi and noticed that at the end of 
the file there are fields named NSA_ID, CSIS_ID, and GOOGLE_ID. 
They all sound scary. Each time I refresh the page, only one of the 
three IDs appear, but they seem to rotate. WTF?


Here is a sample of my ftplist.cgi output:

# BEGIN
http://sys.mokaz.com/pub/OpenBSD/5.5/amd64
http://ftp5.usa.openbsd.org/pub/OpenBSD Redwood City, CA, USA
http://ftp3.usa.openbsd.org/pub/OpenBSD Boulder, CO, USA
...
http://ftp.hostserver.de/pub/OpenBSD Frankfurt, Germany
http://ftp.cc.uoc.gr/mirrors/OpenBSD Heraklion, Greece
TZ=US/Arizona
method=http
NSA_ID=0x177d9eb4802b6efc7d45d76c5743816f7d999c90446855738835bfad5b4b91ee
TIME=1408186536
RND_BYTES=0x(LOOONG RANDOM GOODNESS)
# END

Is the source code for ftplist.cgi and ftpinstall.cgi publicly available?

Thanks,
Clint



Generating random.seed for network boot clients

2014-08-15 Thread Clint Pachl
Is it safe to generate some randomness in /tftpboot/etc/random.seed for 
clients that PXE boot?


My concern is that this file will be available to everyone on the 
network via TFTP. So does knowing this randomness help predict the 
PRNG output of the clients that use it?


I read in a de Raadt interview earlier this year that there are other 
sources mixed in at the boot loader stage. So I'm guessing it shouldn't 
hurt, but probably help. Some clarification on the subject from an 
expert would be greatly appreciated.


Thanks,
Clint



Terminate session on serial terminal (com0) when ssh disconnects

2014-08-12 Thread Clint Pachl
Here's my situation: I ssh into a remote server in my group. From that 
server, I connect to an adjacent, local server in the group via the 
serial terminal using tip(1) or cu(1). If the ssh connection is 
disconnected, the login session to the second server's serial com0 will 
remain open/active.


Is there a reliable, system-wide method or configuration to terminate 
the serial session if the ssh connection dies?


So far, all I have come up with is the shell's timeout variable (i.e., 
TMOUT). However, this can be overridden by the user.


I also tried the gettytab(5) timeout option too, but that didn't work 
as expected. It terminates and restarts the initial terminal login 
process, not the user session.


Thanks,
Clint



Generating a secret: /dev/random vs openssl rand

2013-10-24 Thread Clint Pachl
For years I've been using `openssl rand -base64 N` to generate secrets. 
However, I recently saw `dd if=/dev/random bs=N count=1 | openssl 
base64` used.


Is one more secure and random than the other?

Is openssl rand not secure if the -rand file option is omitted? 
I'm guessing openssl may suck from /dev/*random in addition to the 
optional -rand file?




Re: Blocking facebook.com: PF or squid?

2013-10-18 Thread Clint Pachl

mia wrote, On 10/18/13 16:33:
If you're handling DHCP for all of the traffic for your site, why not 
just set up a dns server, point your dhcp clients to this DNS server 
and create an authoritative zone for facebook.com that points to 
somewhere other than facebook?


Running your own own DNS resolver is the best solution to deny the whole 
network facebook access. With Unbound this is simple:


# This will block facebook.com and all subdomains.
local-zone: "facebook.com" redirect
local-data: "facebook.com A 127.0.0.1"

The more savvy users could get around this by altering their DNS servers 
manually, which you can stop by blocking DNS traffic out of your network; 
this has the added bonus of cutting down bandwidth out of your network.

Exactly!

If they get really sneaky and try to put host entries in for facebook, 
you can do as you've been doing, blocking IPs, and maybe create a 
script that does an hourly lookup of all facebook IPs and having it 
update your pf config and then reloading pf.
If it gets to this point, I'd say they should lose their network 
privileges. ;-) Next thing you know they will be using a proxy server to 
circumvent your IP block. There's always a way around.




FFS vs FFS2: newfs fsck

2013-05-23 Thread Clint Pachl
I created a new filesystem on a 232.9 GB partition on a 500 GB external 
USB drive that will be used as backup storage for dump files. Out of 
curiosity, I recreated the filesystem using FFS2 (I never created an 
FFS2 before). I noticed it was much faster, so I clocked it for comparison:


# ### FFS ###
# time newfs -O 1 sd1a
...
1m55.04s real 0m0.26s user 0m0.40s system
# time fsck -f /dev/rsd1a
...
1m13.89s real 0m0.30s user 0m0.10s system
# dumpfs -m sd1a
newfs -O 1 -b 32768 -e 8192 -f 4096 -g 16384 -h 64 -m 5 -o time -s 488353792 sd1a



# ### FFS2 ###
# time newfs -O 2 sd1a
...
0m3.98s real 0m0.20s user 0m0.02s system
# time fsck -f /dev/rsd1a
...
0m7.58s real 0m0.40s user 0m0.16s system
# dumpfs -m sd1a
newfs -O 2 -b 32768 -e 4096 -f 4096 -g 16384 -h 64 -m 5 -o time -s 488353792 sd1a


# ### END ###

The only difference in the default parametrization of `newfs` is the 
max blocks per group (-e). So I also tried `-e 4096` for FFS, but that 
did not change the result, still slow.


A quick search of FFS vs FFS2 returns mailing list threads that mention 
FFS and FFS2 are identical in performance. The only difference, which 
the manual also states, is that FFS is the default for less than 1 TB 
filesystems while FFS2 becomes the default for larger filesystems.


I'm on an old snapshot, so maybe this is irrelevant:

OpenBSD 5.2-current (GENERIC.MP) #1: Wed Aug 29 21:17:12 MDT 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Nonetheless, I just thought it was interesting that the real time 
executions are an order of magnitude different. Any thoughts?




Re: Is fdisk, disklabel and newfs enough to reset an SSD

2013-05-15 Thread Clint Pachl

Jan Stary wrote:

If so, how does one reset a used SSD for
optimal operation with a fresh install?

Just treat it as any other disk - which it is.


This is wrong, unfortunately. From the OS perspective, sure, sort of. 
But there is more to the story.


There is overprovisioning, garbage collection, entire page write 
restrictions/design, TRIM, wear leveling, non-linear aspects, write 
amplification concerns, etc.


Anyway, Ted and Christer nailed it with the ATA Secure Erase command. 
That's exactly what I was looking for. It's a hardware level reset that 
reconstitutes the over provisioned areas, unsets core storage (not a 1 
or 0), and reinitializes wear leveling, etc.


Thanks,
Clint



Is fdisk, disklabel and newfs enough to reset an SSD

2013-05-13 Thread Clint Pachl
I would like to reinstall a fresh system on an SSD that contains an 
existing installation. From my limited knowledge of SSDs, I wonder if 
the drive controller may retain data from the old filesystem, unaware 
that there is a new filesystem put in place.


Is this a concern? If so, how does one reset a used SSD for optimal 
operation with a fresh install?




Re: Is fdisk, disklabel and newfs enough to reset an SSD

2013-05-13 Thread Clint Pachl

Scott McEachern wrote:
2) Do you mean there could still be data residing on unused parts of 
the SSD?  Yes, it can happen.
Yes, this is what I'm referring to. I was hoping there was some way to 
instruct the drive controller that the entire drive space is free?


SSDs have their own way of wear-leveling.  What the filesystem 
considers to be cylinder X, head Y and sector Z will probably not be 
the same *physical* cells on the SSD twice in a row.  That's not a 
function of the OS, but the SSD itself.

I understand. That's why I'm concerned about #2 above.

Would dd'ing to the drive all 1s then all 0s be effective?

I see Intel has an SSD Toolbox that does secure erase. It requires 
windows so I am unable to check it out.


www.intel.com/go/ssdtoolbox

I wonder what this utility does to achieve secure erase? Can we 
replicate its functionality with standard Unix tools?




Re: Emacs Meta bindings not working after upgrade

2012-09-12 Thread Clint Pachl

I would like to clarify that I'm using cwm. However, I have the same
issue from a login terminal (without X).

Also, I don't use Emacs, the editor, just the emulation on the command
line. So in my ~/.kshrc I have:
set -o emacs


Clint Pachl wrote:

After upgrading my system to the latest snapshot my Emacs META bindings
are not working properly in the terminal. For instance, from xterm, the
bindings:
  M-B (backward-word),
  M-F (forward-word),
  M-D (kill-word),
output the characters, â, æ, ä, respectively.

However, the standard or control bindings work as expected. For example:
  C-D (delete-char)
  C-B (backward-char)
  C-E (end-of-line)

How can I get the META bindings working normally at the command line?


Things I've Tried
==
Adding either or both of the following to my ~/.Xdefaults makes my Emacs
META bindings work at the command line, but breaks my Vim mappings which
use ALT/META.

XTerm*metaSendsEscape: true
XTerm*eightBitInput: false


Additional Info
=
$ xev  # press Left ALT key

KeyRelease event, serial 32, synthetic NO, window 0x261,
root 0xa9, subw 0x0, time 971309600, (178,136), root:(623,676),
state 0x18, keycode 64 (keysym 0xffe9, Alt_L), same_screen YES,
XLookupString gives 0 bytes:
XFilterEvent returns: False

$ dmesg | head -2
OpenBSD 5.2-current (GENERIC.MP) #1: Wed Aug 29 21:17:12 MDT 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP




Emacs Meta bindings not working after upgrade

2012-09-11 Thread Clint Pachl

After upgrading my system to the latest snapshot my Emacs META bindings
are not working properly in the terminal. For instance, from xterm, the
bindings:
  M-B (backward-word),
  M-F (forward-word),
  M-D (kill-word),
output the characters, â, æ, ä, respectively.

However, the standard or control bindings work as expected. For example:
  C-D (delete-char)
  C-B (backward-char)
  C-E (end-of-line)

How can I get the META bindings working normally at the command line?


Things I've Tried
==
Adding either or both of the following to my ~/.Xdefaults makes my Emacs
META bindings work at the command line, but breaks my Vim mappings which
use ALT/META.

XTerm*metaSendsEscape: true
XTerm*eightBitInput: false


Additional Info
=
$ xev  # press Left ALT key

KeyRelease event, serial 32, synthetic NO, window 0x261,
root 0xa9, subw 0x0, time 971309600, (178,136), root:(623,676),
state 0x18, keycode 64 (keysym 0xffe9, Alt_L), same_screen YES,
XLookupString gives 0 bytes:
XFilterEvent returns: False

$ dmesg | head -2
OpenBSD 5.2-current (GENERIC.MP) #1: Wed Aug 29 21:17:12 MDT 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP



Re: Most secure Operating-System?

2011-09-07 Thread Clint Pachl

Alec Taylor wrote:

What's the most secure operating system?

/me is thinking OpenBSD

   


SELinux by far.

I just listened to an interview with one of the devs on the project 
(http://twit.tv/show/floss-weekly/156). Wow! With SELinux, you basically 
just flip a switch and boom, you're secure. No process can talk to any 
other processes without your permission. No process can access the 
Internet if you don't want it to. Say goodbye to buffer overflows! It's 
implemented by the USA's NSA so you know it's the most secure OS in the 
Universe. It's truly amazing security. Set it and forget it!


Alec, I think you really need to refocus on SELinux.



Re: laptop questions/comments

2011-04-19 Thread Clint Pachl

STeve Andre' wrote:

On 04/15/11 19:03, Paul M wrote:

Hi all,

It's time for a new OpenBSD laptop, and I have a couple of questions.

Note that I dont want to spend money on performance I dont need, but 
I do want to spend money on a decent quality machine.


First, finding quality machines in the backwoods where I live is 
really hard. The shops seem full of rubbish. Various retailers 
suggest either Toshiba or Asus. Does anybody have any comments on 
these brands in general? I'll admit to a psychological block against 
Toshiba, but I have no idea where it came from, it could be 
completely bogus.


Second, One I've found which seems a good fit is the Toshiba 
Satellite Pro C650 (with the celeron cpu, not the i3). Anybody using 
one of these with OpenBSD?
I stuck a 4.8 release CD in, and the dmesg indicated problems with 
these devices (sorry for the vagueness, I was scribbling down stuff 
in the store. I can get better info if it's required)-

  Intel GM45
  Attansic something - 0x2060 - the 10/100 wired ethernet
  SMBus
  ehci1 timed out waiting for bios
  There was also a message at the end that suggested that wd1 was not 
available.
Anybody know how things have improved with these devices since 4.8, 
and which are showstoppers?


The camera and audio also appeared to have limited or no support, but 
I dont care about those.



Thanks for any input
paulm


Definitely use a 4.9-current CD.  New things are supported all the 
time, so go with the best version of OpenBSD.

I get hornswoggled all too often in helping folks with their laptops, 
and I'm really saddened with the quality of the hardware, overall.  The 
Lenovo ThinkPads (NOT the other brands that Lenovo has) have consistently 
been the best laptops out there, in terms of quality, serviceability, and 
life-span.  The $400 laptop can be considered a throwaway unit.  Few of 
the bargain laptops friends bought in 2009 are working today.

If you look at the Lenovo site you'll see the T series.  A T420i is 
$799 with a 1 year warranty.  That's more money than a $499 laptop, but 
it is likely to work several years from now.

--STeve Andre'


I second the Thinkpads.

I recently upgraded from a T22 to a T61 (Core2 Duo, 2.4GHz, 2GB RAM). It 
cost me about 400 USD for the like-new laptop, docking station, and a 
brand new 8GB SSD (all on Ebay). All I had to do was replace the CPU fan 
and install the SSD. I run amd64 -current. All the relevant hardware 
works very well. I run cwm(1), xterm, tmux, Gimp, Chromium, Firefox, 
Seamonkey-Mail. It's a very fast system, way more computer than I need 
and will last me many years, as my T22 did.




ruby-thin: Errno::EPERM wtih QUIT Signal

2011-02-23 Thread Clint Pachl

I use Thin (ruby-thin) as the HTTP frontend for my web frameworks.

STARTING/STOPPING:
$ sudo -u #{USER} thin -C #{THIN_PRODUCTION_CONF} start
$ sudo -u #{USER} thin -C #{THIN_PRODUCTION_CONF} stop


THIN_PRODUCTION_CONF:
---
rackup: config/config.ru
address: localhost
port: 3020
servers: 4
max_conns: 1024
max_persistent_conns: 512
timeout: 30
environment: production
pid: tmp/thin-production.pid
log: log/thin-production.log
daemonize: true


When sending the thin stop command, I get the following error on STDOUT:

Stopping server on localhost:3020 ...
Sending QUIT signal to process 15182 ...
/usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:7:in `getpgid': Operation not permitted (Errno::EPERM)
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:7:in `running?'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:118:in `send_signal'
from /usr/local/lib/ruby/1.8/timeout.rb:67:in `timeout'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:117:in `send_signal'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:103:in `kill'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:87:in `stop'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:128:in `tail_log'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:86:in `stop'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:177:in `send'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:177:in `run_command'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:143:in `run!'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/bin/thin:6
from /usr/local/bin/thin:19:in `load'
from /usr/local/bin/thin:19


Here's a snippet from daemonizing.rb:

 6:   def running?(pid)
 7:     Process.getpgid(pid) != -1
 8:   rescue Errno::ESRCH
 9:     false
10:   end

As you can see, the ESRCH error is rescued here, which is the other 
error that getpgid(2) can return.



Can anyone explain this?

When the thin processes are daemonized, are they detached from the 
session and that's why it's complaining with an EPERM error?


The daemonized processes all do quit, but not without a delay, which may 
be the reason for entering the timeout.rb code? So I'm not sure I need 
to worry. I've been running things like this for over 2 years now, but 
I'd just like to quiet it down as it doesn't seem normal.


Thanks,

Clint



Re: ruby-thin: Errno::EPERM wtih QUIT Signal

2011-02-23 Thread Clint Pachl

Thanks Jeremy. I also reported this on Thin's bug tracking system.


Jeremy Evans wrote:

On Wed, Feb 23, 2011 at 4:32 PM, Clint Pachl <pa...@ecentryx.com> wrote:
   

I use Thin (ruby-thin) as the HTTP frontend for my web frameworks.

STARTING/STOPPING:
$ sudo -u #{USER} thin -C #{THIN_PRODUCTION_CONF} start
$ sudo -u #{USER} thin -C #{THIN_PRODUCTION_CONF} stop


THIN_PRODUCTION_CONF:
---
rackup: config/config.ru
address: localhost
port: 3020
servers: 4
max_conns: 1024
max_persistent_conns: 512
timeout: 30
environment: production
pid: tmp/thin-production.pid
log: log/thin-production.log
daemonize: true


When sending the thin stop command, I get the following error on STDOUT:

Stopping server on localhost:3020 ...
Sending QUIT signal to process 15182 ...
/usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:7:in `getpgid': Operation not permitted (Errno::EPERM)
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:7:in `running?'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:118:in `send_signal'
from /usr/local/lib/ruby/1.8/timeout.rb:67:in `timeout'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:117:in `send_signal'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/daemonizing.rb:103:in `kill'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:87:in `stop'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:128:in `tail_log'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/controllers/controller.rb:86:in `stop'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:177:in `send'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:177:in `run_command'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/lib/thin/runner.rb:143:in `run!'
from /usr/local/lib/ruby/gems/1.8/gems/thin-1.2.7/bin/thin:6
from /usr/local/bin/thin:19:in `load'
from /usr/local/bin/thin:19


Here's a snippet from daemonizing.rb:

 6:   def running?(pid)
 7:     Process.getpgid(pid) != -1
 8:   rescue Errno::ESRCH
 9:     false
10:   end

As you can see, the ESRCH error is rescued here, which is the other error
that getpgid(2) can return.


Can anyone explain this?
 

Yes.  The original author is not checking all of the errors he should
be checking.  He should be rescuing Errno::EPERM and returning true, I
think.

Looks like a patch for exactly that was committed in June of last
year: https://github.com/macournoyer/thin/blob/master/lib/thin/daemonizing.rb#L8

So thin should probably be updated after ports unlocks.  I'll take care of it.

Jeremy




Re: cwm: xterm -e and ssh-to

2011-02-22 Thread Clint Pachl

Dmitrij D. Czarkoff wrote:

Hello!

I'm running OpenBSD 4.9-beta (GENERIC.MP) #754: Thu Jan 20 17:49:26 MST 2011.

I want my cwm to open xterm window with tmux on CM-Return, so I write in my
~/.cwmrc:

command term "uxterm +sb -bg #000 -fg #aaa -e tmux"

That does the trick with tmux, but ssh-to dialog fails to open. When I remove
-e tmux from the command, ssh-to works fine, but I have to manually start
tmux in new xterm windows, which isn't a desired behaviour.

Sure, I can have in ~/.cwmrc:

bind CM-Return  "uxterm +sb -bg #000 -fg #aaa -e tmux"
command term "uxterm +sb -bg #000 -fg #aaa"

But as I understand, the term command was supposed to avoid setting that
twice.

Therefore, the question is, what would be the right way to do what I want it to
do? Does there exist some syntax for nested commands? Or is there some way of
command concatenation? Or anything else I may be missing?

   


Whenever I have a complex command sequence like this in cwmrc (I usually 
run into problems too), I just break it out into a separate script in 
~/bin/ then bind a key sequence to that script.




Re: find(1) manpage caveats section

2011-02-09 Thread Clint Pachl

Subtle; and what a caveat it is.

Thanks Paul and Otto for setting me straight.


Paul de Weerd wrote:

On Wed, Feb 09, 2011 at 12:25:09AM -0700, Clint Pachl wrote:
| In the caveats section it states the following:
|
|
|  Passing the output of find to other programs requires some care:
|
|$ find . -name \*.jpg | xargs rm
|  or
|$ rm `find . -name \*.jpg`
|
|  would, given files ``important .jpg'' and ``important'', remove
|  ``important''.  Use the -print0 or -exec primaries instead.
|
|
| Is this an error? The language indicates that ``important'' will be
| removed (and possibly ``important.jpg''; it's not clear) when
| executing both above commands. Is this correct?
|
| If it is correct, then I don't get what the caveat is. For example:
|
| $ touch important important.jpg
| $ find . -name \*.jpg | xargs rm
| $ ls
| important
|
| What does -print0 or -exec have to do with it?

There's a space in the first filename: "important .jpg".

Paul 'WEiRD' de Weerd
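The caveat Paul points to, as an added shell example that is not from the thread: it builds the two files in a scratch directory and shows what rm would have received from each pipeline, using echo in place of rm so nothing is deleted.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the find(1) CAVEATS case in a
# scratch directory and show why -print0 or -exec is needed. Nothing is
# removed; the names each pipeline would pass to rm are collected with echo.
# Assumes POSIX sh plus find -print0 / xargs -0 (OpenBSD, GNU and other BSDs
# all have them); directory and file names are constructed for the demo.

# Create "important .jpg" (note the space) and "important"; print the dir.
make_caveat_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/important .jpg" "$d/important"
    echo "$d"
}

# Arguments rm would get from the unsafe pipeline, joined with '|'.
# xargs splits on whitespace, so "./important .jpg" becomes two arguments.
unsafe_targets() {
    (cd "$1" && find . -name '*.jpg' | xargs -n1 echo | paste -s -d '|' -)
}

# Same with NUL-terminated names: the space survives as part of one name.
safe_targets() {
    (cd "$1" && find . -name '*.jpg' -print0 | xargs -0 -n1 echo | paste -s -d '|' -)
}

# -exec hands each path to the command directly, no re-splitting at all.
exec_targets() {
    (cd "$1" && find . -name '*.jpg' -exec echo {} \; | paste -s -d '|' -)
}

caveat_demo() {
    d=$(make_caveat_dir) || return 1
    echo "xargs       : $(unsafe_targets "$d")"   # ./important|.jpg
    echo "xargs -0    : $(safe_targets "$d")"     # ./important .jpg
    echo "-exec       : $(exec_targets "$d")"     # ./important .jpg
    rm -rf "$d"
}

case "${1:-}" in demo) caveat_demo ;; esac
```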




find(1) manpage caveats section

2011-02-08 Thread Clint Pachl

In the caveats section it states the following:


 Passing the output of find to other programs requires some care:

   $ find . -name \*.jpg | xargs rm
 or
   $ rm `find . -name \*.jpg`

 would, given files ``important .jpg'' and ``important'', remove
 ``important''.  Use the -print0 or -exec primaries instead.


Is this an error? The language indicates that ``important'' will be 
removed (and possibly ``important.jpg''; it's not clear) when executing 
both above commands. Is this correct?


If it is correct, then I don't get what the caveat is. For example:

$ touch important important.jpg
$ find . -name \*.jpg | xargs rm
$ ls
important

What does -print0 or -exec have to do with it?



Re: OpenBSD 4.8's bsd.mp doesn't detect 4GB Memory

2010-12-14 Thread Clint Pachl

Denise H. G. wrote:

I've switched to FreeBSD for my desktop with 4G memory...
   


  Unnecessary fear :

  $ sysctl kern.version
  kern.version=OpenBSD 4.8-current (GENERIC.MP) #547: Tue Dec  7 23:16:34 MST 2010
      dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP

  $

  load averages:  0.76,  1.14,  1.06    hostname 13:27:52
  49 processes:  1 running, 45 idle, 1 zombie, 2 on processor
  CPU0 states:  2.0% user,  0.0% nice,  1.6% system,  0.0% interrupt, 96.4% idle
  CPU1 states:  3.8% user,  0.0% nice,  1.2% system,  0.0% interrupt, 95.0% idle
  Memory: Real: 321M/610M act/tot  Free: 2651M  Swap: 0K/8189M used/tot

  $ dmesg | grep mem
  RTC BIOS diagnostic error 11memory_size
  real mem  = 3487125504 (3325MB)
  avail mem = 3420016640 (3261MB)
  spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM PC3-10600
  spdmem1 at iic0 addr 0x52: 2GB DDR3 SDRAM PC3-10600
  kqemu: kqemu version 0x00010300 loaded, max locked mem=1702696kB


I think Bodzar's point here is that you don't need 4GB, especially on a 
desktop.


Sure, your car can do 230 kph, but how often do you ever get over 150?

Unless you're running a very busy database server or a crazy web server, 
I don't think you'll ever need much above 2GB.


I have 2GB in most of my i386 and amd64 laptops and servers. None of my 
machines ever touch the swap. In fact, most of the time I have 50% FREE 
RAM. On my development laptop I typically run a Seamonkey Browser with 
50 tabs and Mail (400MB), about 20 terminals (half of which are SSHed to 
remote machines), Inkscape, Gimp, Postgresql locally for dev, 
ruby-sinatra, etc. and I've never been over 1.2GB. I do run cwm as my 
window manager. So let's say for shits and giggles that you're running 
KDE or something bloated like that, then maybe you'll use another gig. 
So what, you're still under 3GB.


Save yourself time and headaches and just run OpenBSD stable or 
snapshots. Compiling kernels is a waste of time when you're doing it for 
performance reasons. I used to do this shit about 8 years ago just to 
eke out a little more performance, so I thought. I was also coming from 
Linux/FreeBSD to OpenBSD at that time. I finally realized that my time 
is better spent doing other things. Now I run OpenBSD exclusively on all 
four of my systems and my life is easy.


One last thing: when developers say don't do something, they know best 
so listen. Compiling in BIGMEM is bad if they told you no.




Re: OpenBSD 4.8's bsd.mp doesn't detect 4GB Memory

2010-12-14 Thread Clint Pachl

roberth wrote:

omg, i am using 95% of my memory all the time, should i be worried?
maybe kern.bufcachepercent=95 has something to do with it; blame Bob.
   


Holy shit! Mine's at 10%. Maybe I should crank mine up to 95% and 
then buy more RAM.




Re: OT - secondary DNS recommendations

2010-12-08 Thread Clint Pachl

Scott McEachern wrote:
 It seems my free-as-in-beer secondary DNS service, EveryDNS.net, has 
abandoned WikiLeaks, so I'd like to return the favour.


Given the (general) support of WikiLeaks here, I was wondering if 
anyone could recommend a free alternative to replace EveryDNS.net?


I'm not sure how these will work from CA. I'm also unaware of their 
stance on wikileaks.


Level 3
  4.2.2.1
  4.2.2.2

OpenDNS (if you can cope with their non-standard way of dealing with DNS 
misses, etc.)

   208.67.222.222
   208.67.220.220



Re: Donations

2010-12-07 Thread Clint Pachl

Jason Crawford wrote:

Better add Visa to the list as well
   


And Swiss banks and Swedish women. :-)



Re: How to open PDF that requires Adobe 9

2010-12-06 Thread Clint Pachl

Joachim Schipper wrote:

On Sat, Dec 04, 2010 at 06:28:04PM -0700, Clint Pachl wrote:
   

When I open [the UPS developer's guide] with xpdf(1) I get a [message]
to download the latest Adobe crapware to view it.
 

This is cheating, but have you tried throwing it into Google docs?

Joachim
   



Damn Joachim, nice cheat! I can't believe I didn't think of giving this 
a try.


I was hopeful it would work. Unfortunately, I get the same error:

For the best experience, open this PDF portfolio in Acrobat 9 or Adobe 
Reader 9, or later.



I'd also like to mention I tried the pdftops and pdf2ps commands without 
success. Still get a single page PDF stating the above message.


I guess it has to do with this PDF being a portfolio, like Anthony 
Bentley mentioned.


Thanks,
Clint



Re: How to open PDF that requires Adobe 9

2010-12-06 Thread Clint Pachl

Joel Wiramu Pauling wrote:

I would be surprised if okular didn't open it. (okular being the KDE viewer)
   


I don't have KDE so I can't test. But I did find this link:

http://forum.kde.org/viewtopic.php?f=20&t=91242

It looks like portfolio PDFs are not supported, although someone there 
mentions a possible hack. okular apparently uses poppler as the backend. 
Poppler is a fork of xpdf-3.0, so we're back to square one.




Re: How to open PDF that requires Adobe 9

2010-12-06 Thread Clint Pachl

ropers wrote:

On 6 December 2010 22:42, Clint Pachl <pa...@ecentryx.com> wrote:
   

Still get a single page PDF stating the above message.

I guess it has to do with this PDF being a portfolio, like Anthony Bentley
mentioned.
 

How are the constituent PDFs stored in the portfolio PDF? Unencrypted?
   


pdfinfo says they are encrypted, although it is probably only reporting 
on the container file.



Does anyone have a link to a
copy of the OP's original offending PDF, so I could try to poke it in
this way? (I'm not gonna register w/ UPS just to see that guide.)
   


I posted one here for you to play with: http://pachl.us/ups.pdf

Thanks,
Clint



Re: How to open PDF that requires Adobe 9

2010-12-06 Thread Clint Pachl

Anthony Bentley wrote:

This happens when there are multiple PDFs embedded in a single PDF file.
I remember reading a Ghostscript bug about this (could probably find it
again if I had the exact error message), but unfortunately Mupdf still
doesn't support it.
 

Here is the Ghostscript bug:
http://bugs.ghostscript.com/show_bug.cgi?id=690422

 From here it looks like you might be able to get it with gs after all.
   


Good research Anthony. That bug describes my situation exactly. The only 
thing is that I didn't know what the hell a portfolio PDF was until now.


Unfortunately, the gs port is version 8.63 (released 2008-08-01). This 
bug report/fix happened in April 2009.


Shit, now Mr. Schroder is going to be on my ass about patches again. :-P



How to open PDF that requires Adobe 9

2010-12-04 Thread Clint Pachl
UPS is so annoying. The UPS developer's guide is in a 9MB PDF file. When 
I open it with xpdf(1) I get a (1) page PDF that states I need to 
download the latest Adobe crapware to view it.


How can I get around this? Why does xpdf even abide?

I tried the following gs(1) command hoping it would convert it, but 
failed with an unrecoverable error (I can paste the error output here if 
someone thinks it will be helpful):


gs -dNOPAUSE -dSAFER -dBATCH -sDEVICE=pdfwrite -sOutputFile=foo.pdf guide.pdf


I also tried without the options, NOPAUSE, etc.

Any suggestions?



Re: How to open PDF that requires Adobe 9

2010-12-04 Thread Clint Pachl

Brynet wrote:

Hi,

Why are you using xpdf? It's so old and crummy :-).

print/epdfview, which uses the poppler library.
textproc/mupdf, independent renderer, pretty good.

-Bryan.


All I can say is that I use cwm and don't like interfaces, GTK, gnome, 
or KDE. I highly agree with Patrick.




OpenCVS in Base?

2010-11-20 Thread Clint Pachl
I am starting a new project that needs version control and I was 
thinking about using OpenCVS. However, I'm not sure if it is in the base 
(I'm running -current). My old 4.4 firewall has /usr/bin/opencvs. Is 
/usr/bin/cvs actually opencvs?


I noticed http://www.openbsd.org/plus48.html states "Removed OpenCVS 
from the build."


And OpenCVS.org directs me to 
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/cvs/.


What's the status?



Re: Need Advice: Thinkpad T60 or T61?

2010-10-26 Thread Clint Pachl

David Vasek wrote:

On Sun, 24 Oct 2010, Clint Pachl wrote:

If I really need portability (flying, camping) and I'm just going to 
be writing code in vim, then I use my trusty Sony Vaio SR17, weighing 
in at less than 3 pounds (~1.3KG). I paid about 2400USD for it new in 
2000; works like a charm. I'm still getting my money's worth out of 
it. :-)


On Sun, 24 Oct 2010, Clint Pachl wrote:

It's a good step up from my T22, which I've been using for about 5 
years. I've always been happy with Thinkpads. I got the T22 when it 
was about 3 years old for about 250USD. Now I'm back in the market 
because the T22 is getting a little slow. The T6[01] are in the 
250USD range and are about 3 years old now, so it's perfect for me 
running OpenBSD. I never spend more than 400 for a system.


Considering I paid about 2400USD and I never more than 400 
together, it sounds quite contradictory. ;-) 


Damn David, you're good! I was actually wondering if anyone would catch 
that. There is a simple explanation.


The 2400USD Sony Vaio was the first brand new computer I ever bought 
back in 2000 (before that, my parents bought my computers). It seemed 
like such a waste when only after a year or so it depreciated greatly. 
About that time, I started running FreeBSD and OpenBSD and realized that 
these OSes worked like a charm on older hardware. It was from that point 
on that I decided I would not waste my money on new computer hardware. 
Circa 2002 was also the last time I ran Windows as well.


So there you go, contradiction explained. ;-)



Re: Need Advice: Thinkpad T60 or T61?

2010-10-24 Thread Clint Pachl

Henning Brauer wrote:

intagp0 at vga1
agp0 at intagp0: aperture at 0xe000, size 0x1000
inteldrm0 at vga1: apic 1 int 16 (irq 10)
drm0 at inteldrm0
Intel GM965 Video rev 0x0c at pci0 dev 2 function 1 not configured


Does this mean you don't get hardware graphics acceleration?



Re: Need Advice: Thinkpad T60 or T61?

2010-10-24 Thread Clint Pachl

Henning Brauer wrote:

2. I would like graphics hardware acceleration. I know I need to
  stay away from nVidia. The T60 comes with ATI Radeon and the T61 is
  the integrated Intel 965GM.

  Is there anything else I need to be concerned with regarding OpenBSD
  on the T-Series? What would you guys choose and why?

T61. why?


It's a good step up from my T22, which I've been using for about 5 
years. I've always been happy with Thinkpads. I got the T22 when it was 
about 3 years old for about 250USD. Now I'm back in the market because 
the T22 is getting a little slow. The T6[01] are in the 250USD range and 
are about 3 years old now, so it's perfect for me running OpenBSD. I 
never spend more than 400 for a system.



LVDS connected 1400x1050+0+0 (normal left inverted right x axis y axis) 287mm x 215mm

these are a bit hard to find tho. but I really don't see the point in
an XGA 14" display (XGA is for 12" :)), and I hate all that widescreen
shit. 14.1" 1400x1050 is awesome.


I love all the wide screen shit! I decided to buy a T61 with Intel 
graphics GM965. It has the 15.4" WSXGA+ (1680x1050). I also got the 
docking station with a DVI out. I'm not sure if it will run my 24" WUXGA 
monitor at its native 1920x1200 resolution though.




Re: Need Advice: Thinkpad T60 or T61?

2010-10-24 Thread Clint Pachl

Henning Brauer wrote:

* Clint Pachl <pa...@ecentryx.com> [2010-10-24 22:33]:

Henning Brauer wrote:

intagp0 at vga1
agp0 at intagp0: aperture at 0xe000, size 0x1000
inteldrm0 at vga1: apic 1 int 16 (irq 10)
drm0 at inteldrm0
Intel GM965 Video rev 0x0c at pci0 dev 2 function 1 not configured

Does this mean you don't get hardware graphics acceleration?

inteldrm0 at vga1: apic 1 int 16 (irq 10)

that is pretty clear, isn't it?


Well, I have this on a Dell Precision 220 and graphics acceleration 
doesn't work in X.


pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x2500 rev 0x03

agp at pchb0 not configured
radeondrm0 at vga1: apic 2 int 16 (irq 9)
drm0 at radeondrm0

I figured if there is a "not configured" or "unknown product" associated 
with anything in the graphics subsystem, then you don't get graphics 
acceleration or hardware support in general. Hence the:


Intel GM965 Video rev 0x0c at pci0 dev 2 function 1 not configured


What's not configured here?



Re: Need Advice: Thinkpad T60 or T61?

2010-10-24 Thread Clint Pachl

Paolo Aglialoro wrote:

Just a small hint after the 60 series all thinkpads rock... but I
wouldn't go to T series unless you'll be moving quite seldom. My advice is a
whooping X61, ultraportable yet powerful and really silent.


I thought about the X61. However, my laptop will rarely leave my desk 
and will spend much of its life in a docking station.


If I really need portability (flying, camping) and I'm just going to be 
writing code in vim, then I use my trusty Sony Vaio SR17, weighing in at 
less than 3 pounds (~1.3KG). I paid about 2400USD for it new in 2000; 
works like a charm. I'm still getting my money's worth out of it. :-)




Re: Need Advice: Thinkpad T60 or T61?

2010-10-24 Thread Clint Pachl

Henning Brauer wrote:

Well, I have this on a Dell Precision 220 and graphics acceleration
  doesn't work in X.
  pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x2500 rev 0x03
  agp at pchb0 not configured
  radeondrm0 at vga1: apic 2 int 16 (irq 9)
  drm0 at radeondrm0

hmm, you have radeondrm aka you should have acceleration.


That's what I thought, but xdriinfo says otherwise and glxgears sucks 
(33fps). No hints in Xorg.0.log either. Permissions on /dev/drm0 are 
correct.


Anyway, not a big deal on the Dell workstation. I'm just hoping my 
Thinkpad T61 has acceleration. I'll find out in a few days I guess.




Re: Need Advice: Thinkpad T60 or T61?

2010-10-24 Thread Clint Pachl

Henning Brauer wrote:

1. Core Duo 32-bit (T60) or Core 2 Duo 64-bit (T61)? I've only used
  i386, should I think about amd64?

shouldn't make a difference. personally, I run i386 anyway.


Any interesting reason you run i386 on 64-bit hardware? Stability? 
Performance?




Need Advice: Thinkpad T60 or T61?

2010-10-22 Thread Clint Pachl
I've been using an IBM Thinkpad T22 (P3 900MHz) laptop for quite some 
time and I want to upgrade. I am looking for some expert advice on what 
to upgrade to in the Thinkpad T-Series.


Two main considerations:

1. Core Duo 32-bit (T60) or Core 2 Duo 64-bit (T61)? I've only used 
i386, should I think about amd64?


2. I would like graphics hardware acceleration. I know I need to stay 
away from nVidia. The T60 comes with ATI Radeon and the T61 is the 
integrated Intel 965GM.


Is there anything else I need to be concerned with regarding OpenBSD on 
the T-Series? What would you guys choose and why?


Thanks,

Clint



Re: Need Advice: Thinkpad T60 or T61?

2010-10-22 Thread Clint Pachl

Ted Unangst wrote:

On Fri, Oct 22, 2010 at 9:04 PM, Clint Pachl <pa...@ecentryx.com> wrote:

1. Core Duo 32-bit (T60) or Core 2 Duo 64-bit (T61)? I've only used i386,
should I think about amd64?

Are you sure about that? I didn't think they made any T60s with plain
Core chips, though I could be wrong.  My T60 has a Core 2, anyway.
Regardless of whether you want 64-bit or not, the Core 2 performance
is considerably better.


Actually, the T60 comes with 32-bit (T2xxx) or 64-bit (T[57]xxx) 
processors:

http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-62487

Core Duo T2500 processor: http://ark.intel.com/Product.aspx?id=27236

I've seen T60 with Core or Core 2 selling here locally on craigslist. I 
figured, if I go with a 64-bit Core 2, I would just opt for the T61 with 
the slightly faster bus and supposedly lower acoustics. Plus they are 
selling for the same price.




Re: Need Advice: Thinkpad T60 or T61?

2010-10-22 Thread Clint Pachl

Neal Hogan wrote:

On Fri, Oct 22, 2010 at 8:04 PM, Clint Pachl <pa...@ecentryx.com> wrote:

I've been using an IBM Thinkpad T22 (P3 900MHz) laptop for quite some time
and I want to upgrade. I am looking for some expert advice on what to
upgrade to in the Thinkpad T-Series.

Two main considerations:

1. Core Duo 32-bit (T60) or Core 2 Duo 64-bit (T61)? I've only used i386,
should I think about amd64?

2. I would like graphics hardware acceleration. I know I need to stay away
from nVidia. The T60 comes with ATI Radeon and the T61 is the integrated
Intel 965GM.

Is there anything else I need to be concerned with regarding OpenBSD on the
T-Series?

This is probably obvious and it doesn't address your main
considerations, but wifi card support may be an issue. I have an
atheros card in my T400 that is not yet supported (although, there has
been some chatter on this list about someone working on it).


I'm not too concerned about wifi as this thing will mostly be plugged 
into a docking station. If I have to, I'll just stick a ral or ath 
pccard in it.




Kerberos: Server not found in database: krbtgt/ualberta...@realm

2010-10-04 Thread Clint Pachl

In the KDC log file, I get the following errors:

2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for afs/ualberta...@mokaz.com
2010-10-04T02:40:11 Server not found in database: afs/ualberta...@mokaz.com: No such entry in the database
2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for krbtgt/ualberta...@mokaz.com
2010-10-04T02:40:11 Server not found in database: krbtgt/ualberta...@mokaz.com: No such entry in the database



Why am I getting these errors? Are they compiled in?

How do I quiet this?

For clients, all of my Kerberos settings are in DNS; there is no krb5.conf.

Here is krb5.conf on the Kerberos server:

[libdefaults]
default_realm = MOKAZ.COM
clockskew = 120
[kadmin]
require-preauth = true
password_lifetime = 365 days
[kdc]
require-preauth = true
[logging]
kadmind = FILE:/var/heimdal/kadmind.log



BIOCTL Rebuild: invalid argument

2010-10-04 Thread Clint Pachl
I tried to rebuild a single disk in a 4 disk raid-10 array using the 
following command:


# bioctl -R 0:3 sd0
bioctl: BIOCSETSTATE: invalid argument

What does this mean exactly?

I did rebuild the array via the MegaRAID BIOS utility. Are we able to 
rebuild arrays via bioctl?


# bioctl sd0
Volume      Status               Size Device
 ami0 0     Online        73494691840 sd0     RAID10
      0     Online        36747345920 0:1.0   noencl FUJITSU MAP3367NP   0108
      1     Online        36747345920 0:2.0   noencl FUJITSU MAP3367NP   0108
      2     Online        36747345920 0:3.0   noencl FUJITSU MAP3367NP   0108
      3     Online        36747345920 0:4.0   noencl FUJITSU MAP3367NP   0108


$ sysctl hw.sensors.ami0
hw.sensors.ami0.drive0=online (sd0), OK

$ dmesg | grep ^ami
ami0 at pci2 dev 4 function 0 AMI MegaRAID rev 0x20: apic 2 int 20 (irq 11)
ami0: AMI 475, 64b/lhc, FW 163D, BIOS v5.07, 32MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives


OpenBSD 4.8-current (GENERIC.MP) #385: Tue Sep 21 05:01:01 MDT 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III (GenuineIntel 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,SER,MMX,FXSR,SSE
real mem  = 2138599424 (2039MB)
avail mem = 2093604864 (1996MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/26/01, BIOS32 rev. 0 @ 0xfd7e3, SMBIOS rev. 2.1 @ 0xef840 (46 entries)
bios0: vendor Intel Corporation version L440GX0.86B.0133.P14.0103261759 date 03/26/01
bios0: Intel L440GX+
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices PCI0(S4) COMB(S4) USBC(S1)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 1 (boot processor)
cpu0: apic clock running at 99MHz
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel Pentium III (GenuineIntel 686-class) 1 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PSE36,SER,MMX,FXSR,SSE
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: SLPB
bios0: ROM list: 0xc/0x8000 0xc8000/0x1800 0xc9800/0x1000
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82440BX AGP rev 0x00
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xf800, size 0x400
ppb0 at pci0 dev 1 function 0 Intel 82440BX AGP rev 0x00
pci1 at ppb0 bus 1
ppb1 at pci1 dev 15 function 0 DEC 21150-BC PCI-PCI rev 0x06
pci2 at ppb1 bus 2
ami0 at pci2 dev 4 function 0 AMI MegaRAID rev 0x20: apic 2 int 20 (irq 11)
ami0: AMI 475, 64b/lhc, FW 163D, BIOS v5.07, 32MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0: AMI, Host drive #00,  SCSI2 0/direct fixed
sd0: 70090MB, 512 bytes/sec, 143544320 sec total
scsibus1 at ami0: 16 targets
ahc0 at pci0 dev 12 function 0 Adaptec AIC-7896/7 U2 rev 0x00: apic 2 int 19 (irq 11)
scsibus2 at ahc0: 16 targets, initiator 7
ahc1 at pci0 dev 12 function 1 Adaptec AIC-7896/7 U2 rev 0x00: apic 2 int 19 (irq 11)
scsibus3 at ahc1: 16 targets, initiator 7
em0 at pci0 dev 13 function 0 Intel PRO/1000MT (82546EB) rev 0x01: apic 2 int 17 (irq 11), address 00:04:23:ac:66:d2
em1 at pci0 dev 13 function 1 Intel PRO/1000MT (82546EB) rev 0x01: apic 2 int 22 (irq 5), address 00:04:23:ac:66:d3
fxp0 at pci0 dev 14 function 0 Intel 8255x rev 0x08, i82559: apic 2 int 21 (irq 10), address 00:03:47:11:2e:58
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
ohci0 at pci0 dev 16 function 0 NEC USB rev 0x43: apic 2 int 16 (irq 11), version 1.0
ohci1 at pci0 dev 16 function 1 NEC USB rev 0x43: apic 2 int 21 (irq 10), version 1.0
ehci0 at pci0 dev 16 function 2 NEC USB rev 0x04: apic 2 int 22 (irq 5)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 NEC EHCI root hub rev 2.00/1.00 addr 1
piixpcib0 at pci0 dev 18 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 18 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus4 at atapiscsi0: 2 targets
cd0 at scsibus4 targ 0 lun 0: SONY, DVD RW DRU-720A, JY02 ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 18 function 2 Intel 82371AB USB rev 0x01: apic 2 int 21 (irq 10)
piixpm0 at pci0 dev 18 function 3 Intel 82371AB Power rev 0x02: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x50: 512MB SDRAM registered ECC PC100CL2
spdmem1 at iic0 addr 0x51: 512MB SDRAM registered ECC PC100CL2
spdmem2 at iic0 addr 0x52: 512MB SDRAM registered ECC PC100CL2
spdmem3 at iic0 addr 0x53: 512MB SDRAM registered ECC PC100CL2
vga1 at pci0 dev 20 function 0 Cirrus Logic CL-GD5480 rev 0x23
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, 

Re: Changing password in kerberized environment is not working.

2008-08-30 Thread Clint Pachl

John Nietzsche wrote:

Hi folks,

I have configured my OpenBSD Kerberos server. It is serving two other
computers in my home network. One of these clients is running OpenBSD, the
other is Windows XP.

I am able to log in to any of these 2 clients and authentication goes
through Kerberos 100% successfully. I can log in to the server 100% OK.
After logging in to any given machine, I can reach another by
obtaining a service ticket, which gives me an SSO environment.

The problem is that I cannot change the password from any of those
machines; I get the following:

[EMAIL PROTECTED] passwd -K
[EMAIL PROTECTED]'s Password:
New password:
Verifying password - New password:
Reply from server: Authentication failed
[EMAIL PROTECTED]


[EMAIL PROTECTED] passwd -K
[EMAIL PROTECTED]'s Password:
New password:
Verifying password - New password:
Reply from server: Authentication failed
[EMAIL PROTECTED]


And on Windows I get a screen with the following:

1326: Logon failure: unknow user or bad password.

What I cannot understand is why I can log in on any of the machines, but
cannot change the password.

What am I doing wrong?


The OpenBSD machine is 4.3 stable and the other, Windows XP.
Kerberos (Heimdal) is the standard one that comes with OpenBSD 4.3.


1) Is kpasswdd(8) running on the Kerberos master?
2) Is a firewall blocking traffic on port 464/udp?

Kerberos ticket services run on port 88. The Kerberos admin and newer 
password changing protocols run on port 749/tcp. OpenBSD still uses the 
old password changing protocol which utilizes port 464/udp.


If needed, you can change the port that kpasswdd(8) listens on.



Does anyone use sup(1)?

2008-08-09 Thread Clint Pachl
It seems the other BSDs have removed it from the base. Is anyone using 
it on OpenBSD? I thought it might be a useful tool to update some configs 
on my network, but I can't seem to get it working.


I'm getting errors like:
SUP: SCM GOAWAY Can't read list file sup/junk/list [t22.mokaz.com]

I've read the man pages and the PDF titled "The SUP Software Upgrade 
Protocol" I found at 
http://www.cs.cmu.edu/afs/cs.cmu.edu/project/mach/public/sup/sup.ps. The 
documentation seems very verbose and unclear. Can anybody give me a 
clue, like an example sup file on the client and the directory structure 
on both the client and server?


Maybe I shouldn't be using sup(1) anyway? Other suggestions for keeping 
config files updated among servers on a network? I like sup because of 
the execute trigger mechanism.




Re: svnd questions (encrypting all of a partition or disk)

2008-07-23 Thread Clint Pachl

Ted Unangst wrote:

On 7/19/08, Chris Kuethe [EMAIL PROTECTED] wrote:

 - svnd backed by a whole slice on disk



I know some people have done this, but the code doesn't like it.  I'd
stick with normal files.


I have done file, partition, and whole disk; each one gets progressively 
slower.




Re: Multicasting on OpenBSD

2008-05-18 Thread Clint Pachl

Insan Praja SW wrote:

Hi Misc@,
Just wondering, is there any multicasting technology (PIM-SM, 
PIM-SSM etc.) currently developed or implemented in OpenBSD? Since 
working with this unbelievable OS (especially with 
routing/filtering/forwarding) I wish to know more about it.
Right now I've managed to use OBSD4.3-current for BGP routing 
(redundant/load-balanced with carp), storing the prefixes in a pf table, setting 
the rtlabel, labeling rules with pf, multiple routing tables, tagging 
rules; just unbelievably awesome.

Best of luck to the guys working on such a nice OS.
Thanks,


$ apropos multicast

(did people forget about the manpages?)



Re: All memory not recognized (4GB) - AMD64 Snapshot, Macbook 3,1

2008-05-15 Thread Clint Pachl

alemao wrote:

Hi,

I installed OpenBSD/amd64 snapshot on a Macbook 3,1 (Late 2007).
It recognizes both processors but not all memory (3GB instead of 4).
Is there something I can do?


No. Read the archives or Google it.



Re: ral(4) hostap plea

2008-05-08 Thread Clint Pachl

James Turner wrote:
I've been trying to get my new ral(4) card to work like I would expect it 
to. I've read through most if not all the talk on misc@ about running these
cards in hostap mode.  I would really like to replace my wi(4), which
works really well, with my new ral(4) and enjoy 11g and later wpa.
Sadly, the performance is just not there in either 11b or 11g mode.

Some info, the ral(4) is a Gigabyte GN-WP01GS which is an RT2561S.  My
basic hostname.ral0 reads: "inet 192.168.1.1 255.255.255.0 NONE media
autoselect mode 11g mediaopt hostap nwid my_net nwkey secret chan 11".
I've enabled RAL_DEBUG in my kernel and selected one of the standard
channels with the highest power.  This is on 4.2 -release + patches.  If
anyone has any new or additional information that might be helpful I
would greatly appreciate it, otherwise I guess I'll stick to my trusted
wi(4).


I used to have terrible reception and connectivity with my ral(4) when 
using OBSD4.0. It was always shutting down the interface, setting the 
OACTIVE bit. There was a nice patch in 4.1 that fixed this issue and 
upgrading almost eliminated my problems. I also determined that my 
ral(4) had a crappy antenna. I used an antenna with a 2 foot pigtail in 
order to get it up above my equipment. Then I built a parabolic shield 
like the one found here: http://www.freeantennas.com/projects/template/.


After that, my WLAN works like a dream. I was so frustrated for such a 
long time and was ready to go back to my Linksys wireless router. 
However, a little troubleshooting, upgrading, and tweaking got 
everything running like a champ.


I would say don't blame the OS. I have also had the experience that no 
matter what I do the reception/connectivity just sucks. That has been my 
experience with Planet Wireless NICs. I'm currently using LevelOne NICs 
(PCI and PCcard) and I'm extremely satisfied. We also have Macs that 
wirelessly stream video via 11g through the OpenBSD firewall and I've 
never had a problem. I would know if there were issues because my 
girlfriend would be bitching if she couldn't stream her shows.


I'd also like to note that antenna impedance matching can play a factor. 
I've got a Planet Wireless antenna connected to the LevelOne NIC. I was 
able to get higher signal strength on the LevelOne NIC with the Planet 
W. antenna than with the original LevelOne antenna.


One other thing I noticed is that my 2.4GHz cordless phones reduced 
signal for some NICs more than others. Try experimenting with different 
channels.


Here is my LevelOne PCI card that I bought from NewEgg years ago:

ral0 at pci0 dev 12 function 0 Ralink RT2561S rev 0x00: irq 11, address 00:11:6b:37:07:b2
ral0: MAC/BBP RT2661B, RF RT2527

-pachl



Re: mrxvt and ksh issue

2008-04-23 Thread Clint Pachl

Jesus Sanchez wrote:

Hi, I'm using 4.2.


I'm using 4.1.



I have installed the program mrxvt from ports. It works well as people
say, but I have (I believe) found buggy behaviour when using mrxvt and
ksh (the OpenBSD one).

I launch startx (with fvwm2 and mrxvt in my .xinitrc) as a regular user
(it's in the wheel group) and then I open a few tabs in mrxvt (3 or 4),
then I close X with Ctrl+Alt+Backspace and I find with 'ps -ax' that
the ksh processes opened with mrxvt (ttyp0, ttyp1, and more) are still running,
but not mrxvt.


I am also using fvwm2, but I use xdm instead of startx. I used to have 
the same problem you describe and I can't remember what I did to fix it.


In my ~/.Xdefaults I have the line:
mrxvt.macro.Primary+Ctrl+W: Close 0

I only have that because it matches the shortcut to close a tab in my 
Seamonkey browser.


Also, I'm not sure if I installed from ports. OpenBSD didn't have an 
mrxvt port for quite awhile so I always compiled my own. Here are the 
characteristics of my current mrxvt:


[EMAIL PROTECTED] mrxvt -h
Mrxvt v0.5.2
Options: XPM,Jpeg,PNG,transparent,fade,tint,utmp,menubar,XIM,
scrollbars=rxvt+NeXT+xterm+sgi+plain,xft,frills,linespace,selectionscrolling,
256colour,cursorBlink,pointerBlank,session management,Resources



When I try to kill them this doesn't work and ps returns the Is+ STATE.
I get 0wn3d and then try (as root) kill -9 PIDs and it still doesn't
work; ps returns the IEs+ STATE.  Even if I have to power off the
computer with 'halt -p' these ksh sessions make it impossible; I have to
use 'halt -p -q'.


What happens when you type the exit command instead of using the 
keyboard shortcut to close a tab/terminal? I wish I could remember what 
I did to fix the problem, but I also found this interesting line in my 
~/.Xdefaults that may help:


mrxvt.holdExit: 0x00



This stuff doesn't happen with tcsh and mrxvt. And also if I use rxvt
instead of mrxvt this doesn't happen with ksh either.

I have not added my dmesg or something else because I really don't know
if it's necessary.


You may also want to try the mrxvt mailing lists. I'm subscribed and 
they seem very active. The lead developer is top notch.


-pachl



Re: aterm, rxvt -- memory usage

2008-04-21 Thread Clint Pachl

Jesus Sanchez wrote:

Hi all,

I'm using 4.2 without problem, and I'm trying to find one xterm to my
personal use with only one thing in mind: low cpu and memory usage.


I have been using mrxvt for years. It's also multi-tabbed. Currently, 
I'm running 10 terminals in a single mrxvt process and it is currently 
using Size: 2644K, and Res: 4472K and barely touches the CPU. I'm 
running a custom compiled version with all the fancy features turned 
off. It is extremely fast and reliable; I haven't found anything faster.


-pachl



Privilege Separation on HTTP Server in DMZ

2008-04-15 Thread Clint Pachl
I'm running nginx web server on my DMZ servers. It has the ability to 
run the master process as root and the workers as a non-root user. All 
logs, pid file, etc. are written by the master process. I was thinking 
of redirecting port 80 traffic to a non-privileged port via pf and 
running nginx master and worker procs as non-root user.


Would there be more security in this configuration?

The only downside I can think of is that if a worker proc is 
compromised, the log files could be as well. Other than that, it seems 
more secure to avoid running as root, especially third party apps. Am I 
missing something?


-pachl



Kerberos ~/.k5user file

2008-04-07 Thread Clint Pachl
Is the ~/.k5user file supported in OpenBSD's Heimdal implementation? I'm 
running OBSD 4.1.


kadmin list *
root
pachl
default
root/root
pachl/root
pachl/admin
kadmin/admin
kadmin/hprop
kadmin/changepw
krbtgt/MOKAZ.COM
changepw/kerberos
host/htx.mokaz.com
host/kerberos.mokaz.com
host/morpheus.mokaz.com
host/hercules.dmz.mokaz.com

/root/.k5user on hercules.dmz.mokaz.com:
[EMAIL PROTECTED] /bin/ls

/etc/login.conf on hercules.dmz.mokaz.com contains:
auth-defaults:auth=krb5:

[EMAIL PROTECTED] su root -c '/bin/ls /root'

I have tried the passwords for root, root/root, and pachl and cannot get 
/bin/ls to execute. The password for pachl/root of course gives me full 
su privileges.


BTW, what is /root/.klogin? Is it for kerberos 4? It doesn't have a man 
page and doesn't seem to work. The ~/.k5login works properly.


-pachl



Re: More then 1 dhcrelay process on 1 router

2008-03-06 Thread Clint Pachl

Guido Tschakert wrote:

Hello folks

short:
will 2 (or more) dhcrelay work on one router without problems

long:
I have a router connected to 3 networks:
a.b.1.0/24 connected to if1,
a.b.2.0/24 connected to if2,
a.b.3.0/24 connected to if3.

Let's say I have a dhcpd on a.b.1.1

Is it possible to start the two dhcrelay processes:

dhcrelay
/usr/sbin/dhcrelay -i if2 a.b.1.1
/usr/sbin/dhcrelay -i if3 a.b.1.1

or will they interfere?

If no one knows an answer I will test it next week, as for now I don't
have a spare machine with enough network cards ready ;-)

thanks guido


I have been doing this for over a year and have not had a problem. The 
only small issue is that you must run them from rc.local because 
rc.conf.local is only capable of running one dhcrelay.




Re: Using CVS to back up /etc

2008-02-19 Thread Clint Pachl

Richard Wilson wrote:

Increasingly, I find that I have many servers, especially OpenBSD
servers, where the only bit of the hard drive worth backing up is /etc.
Good examples are routers or spamtrap boxes where everything is part of
base. If a hard drive goes pop, all I need is to install the OS, and
re-populate /etc.

Currently I back up /etc on these machines using variants on rsync and
rsnapshot, and it works OK. However, I've got it into my head to shift
to using CVS to back up /etc on these machines. Advantages I think I see:

1) /etc is mostly flat text files. It makes more sense to back it up
using a system which is text-based, rather than the belt and braces of
rsync.

2) CVS is big on diffs and such. Checking to see which config changes
happened to a given file, and when, gets really easy.

3) The nightly backup procedure just becomes a 'cvs ci' in cron. If
nothing changed, no additional space is taken. However, if a change has
been made, that change is stored efficiently, and cron will
auto-magically send me an email of the change delta, because of the
output from the cvs ci.

4) If someone makes big changes, they can manually do a checkin, just to
be sure.

5) If everything goes hideously titsup, and there's disk corruption on
the CVS server, I've still got a chance to recover data, as the CVS data
storage format looks vaguely like plain text. This is more of a
cvs-vs-svn (eep BDB.) If things are sufficiently bad that both a machine
I back up and the CVS server are having issues, I suspect I will care
about something this unlikely.



Before I embark on this, I have a couple of questions:

1) Can anyone think of an idea why I'm being dumb? I hope not, but it
doesn't hurt to ask.

2) How will /etc, and the things that read it, react to /etc becoming a
working copy, with CVS, Entries, et al? I'm thinking of things that eg
Include /etc/appname/* barfing on unexpected files left by CVS.


This is exactly why I don't allow /etc, /var/cron/tabs, and so on to be 
working directories. Like you mentioned, it will crap out some programs. 
I use rcs instead of cvs; much simpler and effortless to setup and 
manage. What I do is create an RCS root, /root/rcsroot. The first time I 
need to change a system file, I copy it into /root/rcsroot, maintaining 
directory hierarchy of course. For example, /etc/pf.conf would go to 
/root/rcsroot/etc/pf.conf. I make changes to files in the rcsroot, and 
when I like the way they look, I copy them to the system and check them 
in. This preserves original file permissions and doesn't clutter the 
system with repos stuff. Also, I can quickly see and maintain only what 
I have modified.


I must confess that I perform these actions manually, like the copying 
of the working file back to the system. This could be scripted to make 
it even easier. I thought about it, but it's just so easy already. For 
example you could modify a config file using a single command: `confedit 
/etc/pf.conf`. It could perform the 2 or 3 other commands needed to copy 
files around and do the check-in.


For backup, I do `dump | ssh backupbox` from cron. Simple and easy.


To any and all who have read all the way through my disjointed waffle, I
thank you. I'll report back once I give it a go :-)


This is a good discussion. Please do enlighten us with your setup.

-pachl
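The `confedit` wrapper sketched in the reply above, as an added example that is not part of the original post: it maps a system file to its copy under the RCS root, imports it on first use, and writes the edited working copy back over the system file so the original owner and mode survive. It assumes RCS's ci(1), co(1) and rcsdiff(1) are installed; the RCSROOT default, the EDITOR fallback and the confirmation prompt are assumptions of this example, not the poster's.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal "confedit" for the
# RCS-root workflow described in the reply. Assumes ci(1)/co(1)/rcsdiff(1)
# are installed. RCSROOT and EDITOR defaults are assumptions; override them.
RCSROOT="${RCSROOT:-/root/rcsroot}"
EDITOR="${EDITOR:-vi}"

# Map an absolute system path to its working copy under the RCS root,
# keeping the directory hierarchy (/etc/pf.conf -> $RCSROOT/etc/pf.conf).
rcs_path() {
    case "$1" in
        /*) printf '%s/%s\n' "$RCSROOT" "${1#/}" ;;
        *)  printf 'rcs_path: %s is not an absolute path\n' "$1" >&2
            return 1 ;;
    esac
}

# First-time import: copy the system file into the RCS root and check in
# the pristine version, so a later rcsdiff shows exactly what was changed.
rcs_import() {
    sys=$1
    work=$(rcs_path "$sys") || return 1
    if [ ! -f "$work" ]; then
        mkdir -p "$(dirname "$work")/RCS"
        cp "$sys" "$work" || return 1
        ci -q -u -t-"$sys" -m"pristine copy from $sys" "$work"
    fi
}

# Edit the working copy, review the delta, install it over the system file
# and check the change in. "cat >" replaces the content only, so the system
# file keeps its owner, mode and flags, and no RCS clutter lands in /etc.
confedit() {
    sys=$1
    [ -f "$sys" ] || { printf 'confedit: %s: no such file\n' "$sys" >&2; return 1; }
    rcs_import "$sys" || return 1
    work=$(rcs_path "$sys")
    co -q -l "$work" || return 1        # lock the revision, make it writable
    "$EDITOR" "$work"
    if cmp -s "$work" "$sys"; then
        echo "confedit: $sys unchanged"
        ci -q -u -m"no change" "$work"  # unchanged file: ci just drops the lock
        return 0
    fi
    rcsdiff -u "$work" | "${PAGER:-more}"
    printf 'install %s? [y/N] ' "$sys"
    read -r answer
    case "$answer" in
        [yY]*) ;;
        *) echo "confedit: leaving $work locked and uninstalled"; return 1 ;;
    esac
    cat "$work" > "$sys" &&
        ci -q -u -m"installed to $sys on $(hostname) $(date +%F)" "$work"
}
```

Run as root, `confedit /etc/pf.conf` is then the single command the reply imagines; the checked-in history lives only under the RCS root.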



Re: setting up a noiseless workstation

2008-02-02 Thread Clint Pachl

Zbigniew Baniewski wrote:

On Fri, Feb 01, 2008 at 08:16:49PM +0200, Imre Oolberg wrote:


As an operating system my first choice would be OpenBSD and second is Linux.
In fact at the moment I run such a setup using Linux but I feel the
need to upgrade my hardware; I have an old 700 MHz Celeron, 19" monitor
(1024x768) and 100MBit/s network.

I would be very thankful if somebody could share their experience about 
putting together such a kind of computer or what you recommend.



You can use an old Pentium II 400 MHz - there are still many of them available,
which doesn't need any cooler; its radiator will do. That way the only
moving part would be the PS fan, which you can slow down a little using
a 50-100 Ohm resistor - additionally reducing the noise.

A full Pentium II with a 400 MHz clock will give you in practice about as much
power as that Celeron 700 (a little less, but not that much).
  


I have this setup exactly. I put a resistor on the fan in the PS and the 
machine is virtually inaudible. And the last time I checked, it consumes 
less than 20W. It has 64MB RAM, a DVI graphics card and an em NIC that 
is connected via a cross-over cable to my main server in the next room, 
which I cannot hear. The 400MHz machine boots an extremely minimal 
FreeBSD system via PXE, runs X, and connects to the main server via XDM. 
400MHz for this machine is overkill actually. I have used an old P166 
that works just as well, but for some reason my DVI card doesn't work in it.


Because of the way X operates, all the applications run on my main 
server. The main server is a dual P3 1GHz with 2GB RAM and a 4 SCSI 
disk RAID0 running OpenBSD. I have been using this setup for almost 3 
years now.




Re: photo/ image viewing software

2008-02-02 Thread Clint Pachl

Chris wrote:

I am after software that would allow me to view photos from my
digital camera which I usually mount in /mnt/camera. I tried from the
ports tree: digikam, gphoto, gtkam, kphotoalbum, wmphoto, kamera -
none of them really work well in showing the pictures; some of them
want to detect my camera when all I want is to view my photos
(thumbnails and full size) from /mnt/camera.

Would anyone recommend a decent program to do this? Thanks.
  


I have been using qiv for years. The pics look high quality and can be 
resized to fit your screen, and it is pretty fast too.




Re: most secure graphical browser

2008-01-17 Thread Clint Pachl

Douglas A. Tutty wrote:

I have a box that I want to keep as secure as I can but I also need to
be able to use a graphical browser from it (I know that this is a
trade-off).  


There is no graphical browser in base.  I don't need or want this
browser to do javascript or flash (I have a different box for
entertainment).  Of the browsers in packages, which browser would people
think is likely the most secure?  
  


I use Seamonkey. You can turn off Javascript. Java and Flash won't run 
if they are not configured. Seamonkey has been very solid for me for 
many years. I usually have it open and running for 2-4 weeks at a time 
and I have only experienced about 2 crashes in over 5 years. BTW, 
Seamonkey is derived from the old Mozilla code base. It hasn't 
changed much over the years as far as features go. It does get security 
updates regularly though. Check out the fixes:

http://www.mozilla.org/projects/security/known-vulnerabilities.html#SeaMonkey

One drawback is that the version of Seamonkey in the OpenBSD packages is 
usually a minor version or two behind the latest Seamonkey. I have never 
let this bother me and it has never been a problem.


-pachl



Re: most secure graphical browser

2008-01-17 Thread Clint Pachl

Rico Secada wrote:

On Thu, 17 Jan 2008 18:17:54 -0500
Douglas A. Tutty [EMAIL PROTECTED] wrote:

  

On Thu, Jan 17, 2008 at 05:11:53PM -0500, STeve Andre' wrote:


On Thursday 17 January 2008 03:42:38 pm Douglas A. Tutty wrote:
  

I have a box that I want to keep as secure as I can but I also
need to be able to use a graphical browser from it (I know that
this is a trade-off).

There is no graphical browser in base.  I don't need or want this
browser to do javascript or flash (I have a different box for
entertainment).  Of the browsers in packages, which browser would
people think is likely the most secure?


[snip]

Why not create an OpenBSD live CD with the stuff you want on it?
  

Because this box will also be my main server.  For details, see a
previous thread (I forget the title) where I'm splitting things
between a secure box where anything confidential will be kept, and
an entertainment box for regular browsing with javascript and, where
required, flash.  Also for watching DVDs and listening to music.



A main server where you need a graphical browser? I am sorry, but why
don't you just use your entertainment box rather than browsing graphics
from your server?
  


No kidding. Having X installed on a main server is a bad idea. What does 
this main server do? If you need a GUI on your server you should 
probably use Linux or Windows.


If you just need a browser to view documentation on the Internet use 
lynx; it's in the base.


If you want security, get rid of X.



Re: mutt and Stallman

2007-12-18 Thread Clint Pachl

Girish Venkatachalam wrote:

I am giving first aid after the war but still it will help.

I can give a lot of relief to those of you who had nervous breakdowns
and blood pressure problems due to spam mails getting in the way of
useful technical stuff.

It is not hard at all.

First thing is install mutt from packages.

# pkg_add -i mutt
(Choose one of the flavors)

Then get a cool muttrc. If you want mine mail me offlist.

There are several good ones floating on the Internet ocean.

Next ensure this. It is most critical.

$ grep sort ~/.muttrc

set sort=threads

Now just watch the fun.

Whenever you see a thread with the favorite subject line or as soon as
you read the first mail that is a symptom of impending health problems,
all you have to do is hit Ctrl-D. All the mails in the thread get
deleted. Cool eh? 


This is the OpenBSD way of solving real life problems with a bit of
technical knowledge instead of pleading and complaining. ;)

Anyway hopefully my recipe will come in handy for future occasions.

History repeats itself...

-Girish
  


If you're using Seamonkey Mail, enable the Thread header in the 
message header pane. Then click on the thread icon and press Shift+Delete.


-pachl



Re: Using tip or cu with a multi-port serial card

2007-11-28 Thread Clint Pachl

Jeff Ross wrote:

Hi,

I got my 4 port serial card and installed it in my firewall today:

puc0 at pci1 dev 0 function 0 Oxford OX16PCI954 rev 0x00: ports: 4 com
pccom3 at puc0 port 0 irq 11: st16650, 32 byte fifo
pccom3: probed fifo depth: 16 bytes
pccom4 at puc0 port 1 irq 11: st16650, 32 byte fifo
pccom4: probed fifo depth: 16 bytes
pccom5 at puc0 port 2 irq 11: st16650, 32 byte fifo
pccom5: probed fifo depth: 16 bytes
pccom6 at puc0 port 3 irq 11: st16650, 32 byte fifo
pccom6: probed fifo depth: 16 bytes
puc1 at puc1 dev 0 function 1 Oxford Exsys EX-41098 rev 0x00: ports: 4 com

pccom7 at puc1 port 0 irq 5: ns16450, no fifo
pccom8 at puc1 port 1 irq 5: ns16450, no fifo
pccom9 at puc1 port 2 irq 5: ns16450, no fifo
pccom10 at puc1 port 3 irq 5: ns16450, no fifo

I'm using a null modem cable to connect another server to the serial 
card's pigtail but when I try to connect to the remote server with tip 
or cu, all I get is Connected.  At that point I can ~^D and ~^v and 
that's about it.


Connected doesn't necessarily mean there is a well-formed connection 
between the two devices. Connected just means you are electrically 
connected and something is on the other end of the cable. However, the 
communication link may not be synchronized. Have you tried variations 
of line speed, stop and data bits, and parity? If you can connect via 
the built-in serial connections of the computer, it doesn't seem like 
this would be the problem.


I have a Dell PowerConnect switch that does what you're describing. If I 
hit enter 2 times, it will sync and give me back a login.




Connected
~v
beautify true
baudrate 9600
dialtimeout 60
eofread
eofwrite
eol
escape ~
exceptions
force \020
framesize 1024
host cu9600
log /var/log/aculog
phones
prompt \012
raise false
raisechar \000
record
remote
script false
tabexpand false
verbose false
SHELL /bin/ksh
HOME /home/jross
echocheck false
disconnect
tandem true
linedelay 0
chardelay 0
etimeout 0
rawftp false
halfduplex false
localecho false
parity none
hardwareflow false
linedisc 0
direct true


These commands you are using are taking place on your local side only.



Is there a way I can see on the remote system if indeed I'm connecting?


If you can log in to the server via ssh or console, look for processes 
that would have been instantiated in order to make the connection, such 
as a getty or a shell process.




If I connect one server directly to the one external serial port on 
the firewall with a null modem cable I can connect with cu no problem, 
and I have full control.


There are at least a couple of null modem wiring layouts. Your serial card may 
have a different layout than your built-in serial connections. For 
example, some of the handshake lines may be crossed-over. I have never 
used a serial card before, but maybe you need a straight-through cable 
instead of a null modem cable. If you're handy with a soldering iron and 
can get your hands on some DB-9 connectors, you can make your own cables 
using CAT5. Just some ideas.




I'd appreciate any suggestions.

Thanks!

Jeff Ross

full dmesg


Re: can't change password with passwd comand

2007-11-21 Thread Clint Pachl

Kafriki wrote:
ok here is a user with full details: (this is in plain text, hope it's 
more readable)


cat.cat:$2a$07$aYgatzjxAULHQmmZkjmvteGEaO8Ie8geMoUfhl7AAzKi.WeRhuoA6:10006:20::0:0:Pussy Cat:/smbhome/student_homedirs/cat.cat:/bin/ksh


Ok, so you're a cat lover.

Anyway, that dot in the username may be causing some problems. passwd(5) 
says:


The login name may be up to 31 characters long.  For compatibility with
legacy software, a login name should start with a letter and consist
solely of letters, numbers, dashes and underscores.  The login name must
never begin with a hyphen (`-'); also, it is strongly suggested that
neither uppercase characters nor dots (`.') be part of the name, as this
tends to confuse mailers.  No field may contain a colon as this has been
used historically to separate the fields in the user database.

I successfully added the user cat.cat and changed the user's password 
with passwd(1) on my 4.1 system. I'm not sure what is going on in your 
system.


Try using vipw to replace the password with an * then try running 
passwd again.


Are you sure there isn't an empty line in master.passwd?

I appended an empty line to my master.passwd and ran passwd and I 
received the same exact error as you did. BTW, how many lines are in 
your master.passwd file (wc -l < /etc/master.passwd) and what is the line 
number with the error reported by passwd?


Because vipw is working for you, try removing the invalid line, then run 
passwd for another account. This should test whether your passwd program 
is working properly. It is weird that vipw works, but passwd complains.





- Original Message - From: Clint Pachl
To: Jumping Mouse
Cc: misc@openbsd.org
Sent: Tuesday, November 20, 2007 8:56 PM
Subject: Re: can't change password with passwd comand


Jumping Mouse wrote:
Hi Clint,  Yes I am the one.   As for changing the password, this seems to
happen to any user except for the root account; I am able to use passwd to
change the root account password.  Here is line 24: (I removed the password
and real username)

username::1000:0::0:0:username:/home/username:/bin/ksh


I was going to say, don't remove the username or password because the
problem could be embedded in either one of those fields. Anyway, check
to make sure that there is no whitespace adjacent to any colons.

I don't know if this matters but there is no ptmp file in the /etc directory
(no was there before I followed your earlier instructions)


Doesn't matter. Just wanted to make sure it wasn't causing any problems
when running passwd, which uses that file name as its temp file.




Re: can't change password with passwd comand

2007-11-21 Thread Clint Pachl

Jumping Mouse wrote:

Ok, Ok I get the point.   I agree that posting line 24 will not help, any user
except root gives the same issues.  And as a last and final attempt I will
check the end of the file for any spaces as Clint suggested.
  


You mean you haven't checked for empty lines and trailing and adjacent 
spaces yet?



finally:

What if I try a master.passwd file from a working machine of the same build.  If
that file does work then we can conclude it is systemic.


What are you saying?

If you try a master.passwd file from a working machine and it does work, 
then we can conclude your original master.passwd file was crap.


At this point, I would say end the troubleshooting on the crappy 
master.passwd file and do what Holland said. Extract a master.passwd 
file from a pristine etcXX.tgz and go from there. DO NOT use a 
master.passwd from another working machine. We don't need to introduce 
other variables.




Re: Compromising a host with pf enabled?

2007-11-21 Thread Clint Pachl

Darren Spruell wrote:

On Nov 19, 2007 10:53 PM, Clint Pachl [EMAIL PROTECTED] wrote:
  

In my DMZ research, some sources state that all services need to be
replicated in each DMZ. Following that advice, I would have to setup
Kerberos, ntp, backup, and DNS in each DMZ and the LAN; that sounds like
a lot of work. What do you guys think?



A company I know just moved to this architecture. They have something
on the scope of 5 DMZs consisting of about 10 different
segments/tiers. This was the result of security architecture design
for the most secure setup to provide segmentation.

I think it sucks. While the amount of segmentation they have is
probably A Good Thing, the way it is implemented imposes this
necessary duplication of infrastructure services in each of the
segments. So instead of a pair of DNS servers, they've got a pair of
DNS servers *per segment.* Ditto for LDAP, DHCP, monitoring, backup
and administration jump servers. Maybe more. It significantly
increased the number of systems that need to be maintained in the
organization. Introducing jump servers increased the number of
administrative accounts that were needed by everyone. It increased the
complexity of the design and processes for administration. It
increased the amount of replication of services and data transfer on
the networks for that. It significantly increased the cost to
implement. We have suspicions that it's now too difficult for
administrators to effectively maintain the hosts in these segments and
some may be slipping on patches, backups, or other necessary
administration tasks.

Moral: only do this crap if you can balance it out with the ability to
reasonably manage the outcome and not incur disproportionate cost to
the benefit it provides.
  


Thanks for that feedback. That example you gave sounds like an admin 
nightmare.


I've decided to go with a fairly flat topology. I will have a single 
DMZ, a LAN segment, and a segment for WLAN and use a single firewall to 
route between the segments. Anything that will be directly accessible 
from the Internet will go in the DMZ, otherwise everything else goes in 
the LAN. I will poke holes in the firewall from the DMZ to the LAN as 
necessary (i.e. webservers -> {database,kerberos,etc}). Every host on 
the network will have pf enabled, only allowing services to specified 
hosts. I will also be setting up nagios and snort to keep the network in 
check and watch for illegal communications between servers.


I've done a lot of network and DMZ design research over the last 3 days. 
I've looked at hundreds of websites and newsgroup postings and read the 
following titles:


Building DMZs for Enterprise Networks
http://www.amazon.com/Building-Enterprise-Networks-Robert-Shimonski/dp/1931836884/ref=sr_1_6?ie=UTF8&s=books&qid=1195677170&sr=1-6
Designing and Building Enterprise DMZs
http://www.amazon.com/Designing-Building-Enterprise-DMZs-Flynn/dp/1597491004/ref=sr_1_8?ie=UTF8&s=books&qid=1195677170&sr=1-8
Designing Large Scale LANs
http://www.amazon.com/Designing-Large-Scale-Kevin-Dooley/dp/0596001509/ref=sr_1_11?ie=UTF8&s=books&qid=1195677281&sr=1-11


I've also built highly segmented networks and find them difficult to 
manage and they have highly complex traffic flows and firewall rule 
sets. And I don't believe they offer much more security because many 
attacks are taking place at the application level and on the inside 
carried out by compromised hosts. I think every server should be 
hardened and monitored and trust no one.


In all my research, I like best this article about MIT's security 
architecture:

http://www.computerworld.com/securitytopics/security/story/0,10801,100021,00.html



Re: can't change password with passwd comand

2007-11-20 Thread Clint Pachl

Jumping Mouse wrote:

Hi Clint and others,

I tried:

  

# rm spwd* pwd* passwd* ptmp
# pwd_mkdb /etc/master.passwd

then

# passwd username

but I am still getting: (for all users)

pwd_mkdb: corrupted entry
pwd_mkdb: at line #24
pwd_mkdb: /etc/ptmp: Inappropriate file type or format
passwd: /etc/master.passwd: unchanged

I have searched the faqs but have not been able to find a good solution to
this issue.  Does anyone have any thoughts?
  


Does line #24 have a subtle error? Check the format against passwd(5).

BTW, are you the guy that inherited an OpenBSD system without a root 
account?




Re: can't change password with passwd comand

2007-11-20 Thread Clint Pachl

Jumping Mouse wrote:

One more follow up:

I added a new user.
then tried to change the user's password with the passwd command and I get the
same results:

pwd_mkdb: corrupted entry
pwd_mkdb: at line #25
pwd_mkdb: /etc/ptmp: Inappropriate file type or format
passwd: /etc/master.passwd: unchanged
  


That's interesting. The line with the error moved from #24 to #25. Make 
sure there are no empty lines anywhere in the file (check the last line) 
and no trailing spaces after any entry.


Also, the formatting of your replies is really messed up and 
difficult to read. Are you sending in plain text?




Re: can't change password with passwd comand

2007-11-20 Thread Clint Pachl

Jumping Mouse wrote:

Hi Clint,  Yes I am the one.   As for changing the password, this seems to
happen to any user except for the root account; I am able to use passwd to
change the root account password.  Here is line 24: (I removed the password
and real username)

username::1000:0::0:0:username:/home/username:/bin/ksh


I was going to say, don't remove the username or password because the 
problem could be embedded in either one of those fields. Anyway, check 
to make sure that there is no whitespace adjacent to any colons.

I don't know if this matters but there is no ptmp file in the /etc directory
(no was there before I followed your earlier instructions)


Doesn't matter. Just wanted to make sure it wasn't causing any problems 
when running passwd, which uses that file name as its temp file.
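
A checker for the master.passwd(5) slips chased across this thread (empty lines, whitespace next to a colon or at end of line, entries with the wrong number of fields, login names with dots), added here as an example rather than anything posted in it; the sample entries it writes are constructed and use "*" in place of real hashes.

```shell
#!/bin/sh
# Lint a master.passwd(5) file for the slips this thread chases: empty lines,
# whitespace next to a colon or at end of line, a wrong field count (what
# pwd_mkdb reports as "corrupted entry ... at line #N"), non-numeric uid/gid,
# and login names passwd(5) advises against. Added example, not from the
# thread; the sample entries below are constructed, not from anyone's system.

# check_master_passwd FILE: print one finding per problem, exit 1 if any.
check_master_passwd() {
    awk -F: '
        function flag(msg) { bad++; printf "line %d: %s\n", NR, msg }

        # A blank line is never a valid entry; report it and move on.
        /^[ \t]*$/ { flag("empty line"); next }

        # master.passwd has exactly ten colon-separated fields:
        # name:password:uid:gid:class:change:expire:gecos:home:shell
        NF != 10 { flag("expected 10 fields, found " NF) }

        /[ \t]:|:[ \t]/ { flag("whitespace adjacent to a colon") }
        /[ \t]$/        { flag("trailing whitespace") }

        # passwd(5): never start with a hyphen; dots and uppercase confuse mailers.
        $1 ~ /^-/       { flag("login name begins with a hyphen") }
        $1 ~ /[.A-Z]/   { flag("login name contains a dot or uppercase letter") }

        NF == 10 && ($3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/) {
            flag("uid or gid is not numeric")
        }

        END { exit bad > 0 }
    ' "$1"
}

# write_sample_passwd FILE: a constructed file with good entries and the
# mistakes discussed above (dot in name, space before a colon, trailing
# blanks, an empty line, a short entry). Passwords are "*", no real hashes.
write_sample_passwd() {
    {
        printf '%s\n' 'root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh'
        printf '%s\n' 'alice:*:1000:1000::0:0:Alice Example:/home/alice:/bin/ksh'
        printf '%s\n' 'cat.cat:*:10006:20::0:0:Pussy Cat:/home/cat.cat:/bin/ksh'
        printf '%s\n' 'bob :*:1001:1001::0:0:Bob:/home/bob:/bin/ksh'
        printf '%s\n' 'carol:*:1002:1002::0:0:Carol:/home/carol:/bin/ksh  '
        printf '%s\n' ''
        printf '%s\n' 'dave:*:1003:1003:Dave:/home/dave:/bin/ksh'
    } > "$1"
}

# Typical use on a live system (as root): check_master_passwd /etc/master.passwd
```

The line numbers it prints line up with the "at line #N" that pwd_mkdb reports, so a finding on that line is the entry to fix before rerunning passwd.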




Compromising a host with pf enabled?

2007-11-19 Thread Clint Pachl
Is it possible for a cracker to compromise or root a machine on a 
network that has pf enabled with the single rule block all in?




Re: can't change password with passwd comand

2007-11-19 Thread Clint Pachl

Jumping Mouse wrote:

When I try to change a user password I get an error.
I do this:

# passwd username

Enter a new password and get:

pwd_mkdb: corrupted entry
pwd_mkdb: at line #24
pwd_mkdb: /etc/ptmp: Inappropriate file type or format
passwd: etc/master.passwd unchanged

how can I fix this?
  


# cd /etc
# cp -p spwd.db pwd.db passwd /root/  # backup
# rm spwd* pwd* passwd* ptmp
# pwd_mkdb /etc/master.passwd
# passwd username  # try again



Re: Compromising a host with pf enabled?

2007-11-19 Thread Clint Pachl

Chris Zakelj wrote:

Clint Pachl wrote:
Is it possible for a cracker to compromise or root a machine on a 
network that has pf enabled with the single rule block all in?
I suspect you're just fishing, but in the interests of spirited 
debate
- Is block in all the first rule, the last rule, or somewhere in 
between?  (Yes, it DOES matter)
- Does the cracker have alternate methods of entry (tty, ssh, console, 
etc)?




Not fishing, just thinking. I didn't want to get into too many 
non-OpenBSD details on MISC, but I will expound a little.


I'm trying to design a simple, but secure network with a couple of DMZs 
and a minimum of firewalls. Here is my initial thought.



   [Internet]
   |
   |
[DMZ_2]---[FW]---[DMZ_1]
   |
   |
 [LAN]

DMZ_1 = web servers
DMZ_2 = database servers
LAN   = servers like Kerberos, ntp, DNS, backup (dump via ssh),  
engineering workstations


Traffic Flow

Internet -> DMZ_1 (people need web pages)
DMZ_1 -> DMZ_2 (get data to populate the web pages)
DMZ_2 -> LAN (for Kerberos, ntp, DNS, backup)
DMZ_1 -> LAN (for Kerberos, ntp, DNS, backup)

Ok, so you're never supposed to let a server on a public DMZ access a 
server on your LAN. So I was thinking of creating a management subnet 
that would allow out-of-band services, such as backup, Kerberos, ntp, 
etc. To implement the out-of-band channel, each of the hosts on the DMZs 
would get an additional NIC for communicating on the management subnet. 
None of these hosts would allow packet forwarding and all would use the 
block in rule for that interface. There is no need to login to the 
hosts via ssh because they are automatically configured, pulling updates 
from a golden server. If a login is needed, it would be from the 
serial console.


Below is my topology re-design that implements the management subnet. 
The DMZs access the LAN directly via the management subnet for Kerberos, 
ntp, backup, and DNS service. I would probably put a network monitor on 
the management subnet to detect suspicious traffic. Is this topology 
insecure? Suggestions and criticisms are very welcome.


   [Internet]
   |
   |
[DMZ_2]---[FW]---[DMZ_1]
  ||   |
  ||   |
  --[LAN]-


In my DMZ research, some sources state that all services need to be 
replicated in each DMZ. Following that advice, I would have to setup 
Kerberos, ntp, backup, and DNS in each DMZ and the LAN; that sounds like 
a lot of work. What do you guys think?


-pachl



Re: Compromising a host with pf enabled?

2007-11-19 Thread Clint Pachl

Chris Zakelj wrote:

Greg Thomas wrote:


 It does say single rule.
Yes, but at that point it becomes a rather useless system. It's likely 
to break in curious ways, since anything using the 127.0.0.1 loopback 
will, I think, either become unresponsive or start throwing errors.


Ok, I'm in brainstorm/big-picture mode and wasn't concerning myself with 
the technical details, but I will clarify. pf will block all incoming 
external connections. All traffic will pass on the loopback.



