Re: can texlive package be installed ?

2021-02-27 Thread Jan Betlach


Are you using Fastly? Try PlanetUnix, it should work…

Jan



> On 27. 2. 2021, at 15:18, Shadrock Uhuru  wrote:
> 
> system information.
> OpenBSD 6.9 GENERIC.MP#343 amd64
> flavor: current
> 
> when i try to install texlive,
> all i get is :-
> 
> doas pkg_add -v texlive_texmf-full
> Update candidates: quirks-3.588 -> quirks-3.588
> quirks-3.588 signed on 2021-02-26T23:14:00Z
> Ustar
> [https://ftp.OpenBSD.org/pub/OpenBSD/snapshots/packages/amd64/texlive_texmf-full-2020p1.tgz][share/texmf-dist/bibtex/bib/beebe/printing-history.bib]:
> Premature end of archive in header:
> pkg_add: Installation of texlive_texmf-full-2020p1 failed, partial
> installation recorded as partial-texlive_texmf-full-2020p1.6
> 
> 
> any suggestions ?
> 
> shadrock
> 



pf and Wireguard

2020-09-26 Thread Jan Betlach



Hi,

I’ve set up WireGuard on my home router running -current.
The tunnel works, but I have access to my LAN resources ONLY when pf is 
disabled. When I enable pf, WireGuard connects and does handshakes, however 
I cannot even ping the router nor access anything in the network.


So it seems my pf rules are the reason. I admit I am a novice with 
respect to pf. Therefore I’d like to ask you to help or to direct me to 
a solution.


My pf rules are pretty easy, basically taken from FAQ - building a 
router. Here they are:


wan="em0"
lan="em1"
localnet=$lan:network
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   203.0.113.0/24 }
set skip on lo0
set block-policy drop
set loginterface egress
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $lan }
block in quick on egress from  to any
block return out quick on egress from any to 
block all
pass out quick inet keep state
pass in on { $lan } inet keep state
pass in proto udp from any to any port XXX keep state
match out on egress from (wg0:network) to any nat-to (egress:0)

The last two lines are WireGuard related. Being a noob, I suspect the last 
NAT line may be the problem.


Thank you in advance for any comments.

Regards

Jan
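As an added example, not from Jan's post or from any reply on this page: read against the symptom (handshake completes, nothing reachable), the ruleset above has no rule passing packets in on wg0. Traffic the peer sends through the tunnel is decrypted and then enters pf a second time as a plain inbound packet on wg0; with `block all` as the policy and `set skip` only on lo0 it is dropped there, because the only inbound pass rules cover $lan and the WireGuard UDP port. The final NAT line, by contrast, is harmless: `from !(egress:network)` already matches tunnel source addresses, so the wg0-specific nat-to is merely redundant. The fragment below shows the ruleset with an inbound rule for wg0 added. The macro $wg and the tunnel network 10.10.0.0/24 are placeholders of mine, the listen port is left as XXX as in the post, and the bogon table with its two block rules, whose name did not survive the archive, is indicated by a comment rather than reproduced.

```pf
# Added example, not the ruleset as posted; placeholders are marked.
wan="em0"
lan="em1"
wg="wg0"                  # assumption: the WireGuard interface name
wgnet="10.10.0.0/24"      # placeholder: the tunnel network (wg0 address + AllowedIPs)

set skip on lo0
set block-policy drop
set loginterface egress
match in all scrub (no-df random-id max-mss 1440)

# Source NAT for everything leaving the WAN whose source is not a WAN address.
# This already covers tunnel sources, so a second nat-to for wg0 is redundant.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $lan $wg }
# (the bogon table and its "block in quick on egress from <table> to any" and
#  "block return out quick on egress from any to <table>" rules go here unchanged)
block all
pass out quick inet keep state

# LAN hosts may initiate anything.
pass in on $lan inet keep state

# Encrypted WireGuard datagrams only ever arrive on the WAN interface, so the
# listen port does not need to be open on every interface.
pass in on egress inet proto udp from any to (egress:0) port XXX keep state

# Decrypted tunnel traffic appears as a new inbound packet on wg0 and is
# otherwise caught by "block all". Limit it to the tunnel's own addresses so a
# peer cannot inject packets carrying LAN or WAN source addresses.
pass in on $wg inet from $wgnet to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` afterwards shows the expanded antispoof and interface rules, which is the quickest way to confirm that a `pass in on wg0` rule is actually present.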









Re: pkg_add -u: no such dir

2020-05-05 Thread Jan Betlach


Thanks. My bad, I’ve realized that as soon as I’ve hit the send button.




On 5 May 2020, at 17:19, Andinus wrote:

> Jan Betlach @ 2020-05-05 17:05 IST:
>
>> Is 6.7 being released already?
>
> No, they're probably using a snapshot.



Re: pkg_add -u: no such dir

2020-05-05 Thread Jan Betlach


Is 6.7 being released already?

Jan



On 5 May 2020, at 13:28, Groot wrote:

> I tried updating all applications, only to be greeted with
> the following message.
>
> doas pkg_add -u
> https://ftp.OpenBSD.org/pub/OpenBSD/6.7/packages/amd64/: no such dir
> list of applications
>
> I'm sure someone must have noticed by now.
> Only the directories within https://ftp.OpenBSD.org/pub/OpenBSD/6.7/
> give 404 Not found error in a browser.



Re: More than 16 partitions

2020-04-23 Thread Jan Betlach




For a non-native English speaker like myself, it is very difficult to 
read your mestuff…


Jan



On 23 Apr 2020, at 19:47, zeurk...@volny.cz wrote:


theo wrote:

That is a rewriting of history.


It's history the way meknows it. Mecertainly predates some of it.


The disklabel format predates the PC.


Indeed. Mewasn't sure where and when exactly it appeared, so meleft
that bit out. But medid know it was older, and metried to communicate that
fact (obviously mefailed -- meapologizes).


It came from the ancient attempt to handle things in CSRG's
4.3reno/4.4 work on the hp300. It was probably a rewrite of the
native HPUX disk format.


Hmm, hp300, eh?


This was then put on all the other architectures, as a unified
view of the disk. It was modified and extended on as as-needed
basis.

Rewriting the history like this is pathetically inaccurate and
narrow-minded. Your history is absolutely false and you've made
up a bunch of baloney.


So, what did memake up? Did mepresent a timeline? An exact order of
events? Did mepresent a scientific study? Or did mejust try to give an
overview of things in terms that Groot (and many others, mesuspects)
may just understand?


It is not true, and even an elementary
review of the history of disklabel.h back into the early NetBSD
tree will make it clear what's going on.


Like mesaid, it's the history the way meknows it. Me's not a bloody
authority on the history of either BSD or the IBM pee-cee, *at all*.

Perhaps meshould've made that clearer.


OH, and I did most of the early work post-CSRG, because we needed
to "emulate" this on SunOS, and I ported Torek's sparc code into
NetBSD.


Mehas _no doubt at all_ that you know BSD (including its history)
better than me (that is, of course, an understatement).


I urge you to stop posting such baloney.


Then it's me turn to urge you to not read me overview as an historical
account of any exactness.

After all, the goal, for me, was trying to help Groot understand the
relationships he sought clarification for.

Perhaps meindeed should've included a disclaimer. Then again, mehas no
official role here (nor does mewant one), and in no way are me words to
be taken for the one and universal truth.

Can we please just assume that Groot is mature enough to be able to
form his own view based on our individual contributions?

Me'd like that.

  --zeurkous.

--
Friggin' Machines!




Re: Recommendations for video call/conferencing server on OpenBSD?

2020-04-01 Thread Jan Betlach


Hi,

I am using jitsi.org and tox.chat (on Linux VM).

Jan




On 1 Apr 2020, at 22:53, T. Ribbrock wrote:

> Hi all,
>
> with more and more colleagues and friends sitting at home, I'm
> considering installing some video call/conferencing software on my
> existing OpenBSD server.
>
> I currently have Nextcloud installed on that server, so the easiest
> option was the Nextcloud Talk plugin, which I'm playing with now.
>
> Nonetheless, I'd be curious about what others use/recommend for video
> calls/conferencing - any suggestions?
>
> Thanks in advance,
>
> Thomas



Re: Full disk encryption including /boot, excluding bootloader?

2020-02-17 Thread Jan Betlach



I’m interested as well.

Jan



On 17 Feb 2020, at 17:10, Kevin Chadwick wrote:


On 2020-02-17 15:09, Julius Zint wrote:
Some feedback from the OpenBSD community on this would also be
appreciated. Are there enough people interested in a Trusted Boot with
OpenBSD?


I'm interested




Re: Syspatch

2020-01-16 Thread Jan Betlach



Thank you. Yes, as I had already replied, it has been an out-of-sync clock. 
Interestingly enough, ntpd was running. Anyway, the clock has been corrected 
and everything is working OK now.


Jan




On 16 Jan 2020, at 15:13, Edgar Pettijohn wrote:

On Jan 16, 2020 8:09 AM, Christer Solskogen 
 wrote:


On Thu, Jan 16, 2020 at 1:45 PM Jan Betlach  
wrote:




Any ideas what is wrong? Might as well be a pebkac I am unaware of…




Clock out of sync?


I have seen this a few times and it was always my system clock out of 
whack. Might be as easy as making sure ntpd is running.




Fwd: Syspatch

2020-01-16 Thread Jan Betlach




Forwarded message:


From: Jan Betlach 
To: stan 
Subject: Re: Syspatch
Date: Thu, 16 Jan 2020 13:50:59 +0100

Wow / pebkac as I’ve said. Of course date/time was off for some 
reason. Thank you very much.


Jan







On 16 Jan 2020, at 13:48, stan wrote:


On Thu, Jan 16, 2020 at 01:43:44PM +0100, Jan Betlach wrote:


Hi,

I am getting the following error when running syspatch as root on my
APU2C4:
ftp: SSL write error: certificate verification failed: certificate is not yet valid

I am using Fastly in my installurl: https://cdn.openbsd.org/pub/OpenBSD


Other machines run syspatch without any problem, using Fastly CDN as
well.


Any ideas what is wrong? Might as well be a pebkac I am unaware of…




Have you verified the date/time is correct on the machine in question?
--
"They that would give up essential liberty for temporary safety
deserve neither liberty nor safety."
-- Benjamin Franklin




Syspatch

2020-01-16 Thread Jan Betlach



Hi,

I am getting the following error when running syspatch as root on my APU2C4:
ftp: SSL write error: certificate verification failed: certificate is not yet valid


I am using Fastly in my installurl: https://cdn.openbsd.org/pub/OpenBSD

Other machines run syspatch without any problem, using Fastly CDN as 
well.


Any ideas what is wrong? Might as well be a pebkac I am unaware of…

Thanks

Jan



Re: Why isn't ChallengeResponseAuthentication NO in sshd_config?

2019-12-23 Thread Jan Betlach



Isn’t it commented out by default?

Jan



Hello,

nobody about the $subject? :)

Why isn't ChallengeResponseAuthentication NO in sshd_config by 
default?


It would be more secure, afaik.

Many thanks.



Sent: Thursday, December 19, 2019 at 7:58 PM
From: "lu hu" 
To: misc@openbsd.org
Subject: Re: Why isn't ChallengeResponseAuthentication NO in 
sshd_config?



Sent: Wednesday, December 18, 2019 at 9:49 PM
From: "Bodie" 
To: misc@openbsd.org, owner-m...@openbsd.org
Subject: Re: Why isn't ChallengeResponseAuthentication NO in 
sshd_config?




On 18.12.2019 18:48, lu hu wrote:

Hello,


# what am I talking about?

https://man.openbsd.org/sshd_config#ChallengeResponseAuthentication

ChallengeResponseAuthentication
	Specifies whether challenge-response authentication is allowed. All
	authentication styles from login.conf(5) are supported. The default is
	yes.


# what does linux distros use:

If I ex.: read:

https://access.redhat.com/solutions/336773

then I can see ChallengeResponseAuthentication is NO for security
reasons. Ubuntu too.


# what else says ChallengeResponseAuthentication should be NO?

https://www.openwall.com/lists/oss-security/2019/12/04/5
->


These issues were quickly fixed in OpenBSD as you can see in 
Security




This isn't related to the subject.




1. CVE-2019-19521: Authentication bypass

this attack should be more mitigated if
ChallengeResponseAuthentication would be by default set to NO.


# FIX:

from this:
cat /etc/ssh/sshd_config
...
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
...

to this:
vi /etc/ssh/sshd_config
cat /etc/ssh/sshd_config
...
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
...

But of course by default, without fixing sshd_config, it should be NO.


Who the hell uses s/key with sshd nowadays?



And you are aware that this option is not there just for S/Key, right?
It's for example PAM Google authenticator too on Linux and others


I think you missed couple of points. Eg.:

https://www.openbsd.org/faq/faq10.html#SKey

and the fact that login.conf(5) on OpenBSD by default enables S/Key.



I checked the https://www.openbsd.org/faq/faq10.html#SKey

first step is to have a /etc/skey dir. So checked it:

66# ls /etc/skey
ls: /etc/skey: No such file or directory
66#

There is no /etc/skey by default. So you have to do the "skeyinit -E" 
as root, etc. Same for Google authenticator, etc. So 
ChallengeResponseAuthentication should be only enabled then.. when 
you set up extra auth methods.


So afaik skey isn't enabled by default on OpenBSD, but for some still 
unknown reason (for me) ChallengeResponseAuthentication is set to yes 
by default on OpenBSD.


Why?




So please, can we make the default sshd_config more secure and set
the "ChallengeResponseAuthentication to NO"?



Some practical examples at hand of the current vulnerability which
will make this change reasonable?


It is about proactive security, to avoid future possible security 
issues.





Many thanks and wishing a peaceful xmas!
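The point the two replies above circle around (Jan's "isn't it commented out by default?" against lu hu's "it is set to yes by default") is a question about how sshd reads its file: a commented-out line contributes nothing, so the built-in default applies, and the man page quoted in the thread says that default is yes. The script below is an added example, not something posted in the thread, that computes the effective global value of a directive from an sshd_config file using those rules, and runs it over three constructed configs: the shipped OpenBSD fragment quoted above with the directive commented out, the hardened version the thread proposes, and one where "no" appears only inside a Match block and therefore does not change the global value. The file contents and the helper name effective_sshd_option are my own.

```shell
#!/bin/sh
# Added example, not from the thread: report the value sshd will actually use
# for a directive, applying the rules the thread is arguing about.
#   - a line whose first non-blank character is '#' is a comment, so the
#     shipped "#ChallengeResponseAuthentication yes" sets nothing and the
#     built-in default (yes, per the man page quoted above) applies;
#   - for a keyword given more than once, the FIRST value wins;
#   - directives after a 'Match' header are conditional and are ignored
#     here, so the result is the global setting only.
# Only the "Keyword value" spelling is parsed; "Keyword=value" is not.

effective_sshd_option() {
    # $1 = path to an sshd_config, $2 = keyword, $3 = built-in default
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/         { next }                  # comment or blank
        tolower($1) == "match" { exit }                  # end of global section
        tolower($1) == key     { print $2; found = 1; exit }
        END { if (!found) print def }                    # nothing set: default
    ' "$1"
}

# Constructed sample configs (temporary files, removed on exit).
shipped_cfg=$(mktemp)    # directive commented out, as quoted in the thread
hardened_cfg=$(mktemp)   # the change the thread proposes, first value wins
matched_cfg=$(mktemp)    # "no" only inside a Match block: global stays default
trap 'rm -f "$shipped_cfg" "$hardened_cfg" "$matched_cfg"' EXIT

cat > "$shipped_cfg" <<'EOF'
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
Subsystem	sftp	/usr/libexec/sftp-server
EOF

cat > "$hardened_cfg" <<'EOF'
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# a later repeat of the keyword is ignored: the first occurrence wins
ChallengeResponseAuthentication yes
EOF

cat > "$matched_cfg" <<'EOF'
Match User backup
	ChallengeResponseAuthentication no
EOF

for f in "$shipped_cfg" "$hardened_cfg" "$matched_cfg"; do
    printf '%s: ChallengeResponseAuthentication %s\n' "$f" \
        "$(effective_sshd_option "$f" ChallengeResponseAuthentication yes)"
done
```

On a live host the authoritative answer is `sshd -T`, which prints every effective value after parsing the real file, including the built-in defaults; the script above is only a way to reason about a file you cannot load. Note also that later OpenSSH releases (8.7 onward) renamed this directive to KbdInteractiveAuthentication and keep ChallengeResponseAuthentication as an alias, so on a current system a check has to look for either spelling.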










Re: Home NAS

2019-11-15 Thread Jan Betlach



Hi,

thank you all for comments.

I am restoring backup to my new OpenBSD based home NAS as of writing 
this.


Why I have decided to go this route and not with another option like ZFS:
- FFS seems to be reliable and stable enough for my purpose. ZFS is too 
complicated and bloated (of course it has its advantages), however the major 
factor for me has been that it is not possible to encrypt ZFS natively 
on FreeBSD as of now.
I am also more comfortable with OpenBSD than with FreeBSD. I did not 
want to go with Linux at all.
- I have installed OpenBSD on an external unencrypted USB stick, so 
that I don’t need to have access to the box in case of a restart. The main 
data NAS disk is a 2TB internal one in the box (Zotac nano), which is 
encrypted. I can easily mount it via SSH in case of a restart. Backups are 
automated via rsync to the encrypted external hardware RAID disks. Using 
DUIDs for all drives.

- I do keep offsite backup as well.

I have tested this setup in the last couple of days before going all in. 
So far so good. Performance is plenty acceptable for my usage. Mounting 
the NAS storage via SSHFS on client machines (Macs and OpenBSDs) works 
flawlessly and speed is also OK.


Thanks again

Jan


On 15 Nov 2019, at 16:02, pierre1.bar...@orange.com wrote:


Hello,

I tried a home NAS with ZFS, then BTRFS. Those filesystems need tons 
of RAM (~1 GB of RAM per TB of disk), preferably ECC.

I found it very expensive for home usage, so I wouldn't recommend it.
Recovery systems were also nonexistent at the time (no btrfsck), I don't 
know if it has improved since.


I ended with LVM : cheap to implement and very easy to extend. I am 
very happy with it.


--
Regards,
Pierre BARDOU

-----Original Message-----
From: owner-m...@openbsd.org  On behalf of 
Rafael Possamai

Sent: Friday, 15 November 2019 14:35
To: Jan Betlach 
Cc: misc@openbsd.org
Subject: Re: Home NAS

My experience with ZFS (FreeNAS for the most part) is that it becomes 
more "expensive" to expand your pool after the fact (for a couple of 
different reasons, see below), but if 5TB is all you're ever going to 
need in this specific case, I think you should be fine and can take 
advantage of ZFS features like you said.


I have sources for this at home (a couple of articles and link to a 
forum thread), but these are saved on my desktop at home. Just let me 
know and I'll share them with you later.


On Thu, Nov 14, 2019, 8:27 AM Jan Betlach  wrote:



Hi guys,

I am setting up a home NAS for five users. Total amount of data 
stored

on NAS will not exceed 5 TB.
Clients are Macs and OpenBSD machines, so that SSHFS works fine from
both (no need for NFS or Samba).
I am much more familiar and comfortable with OpenBSD than with 
FreeBSD.

My dilemma while stating the above is as follows:

Will OpenBSD’s UFS be stable and reliable enough for the intended
purpose? The NAS will consist of just one encrypted drive, regularly
backed up to a hardware RAID encrypted two-disk drive via rsync.

Should I bite the bullet and build the NAS on FreeBSD, taking
advantage of ZFS, snapshots, replication, etc.? Or is this overkill?

BTW my most important data is also backed off-site.

Thank you in advance for your comments.

Jan




_

This message and its attachments may contain confidential or privileged 
information and must therefore not be distributed, used or copied without 
authorisation. If you have received this message in error, please notify 
the sender and delete it together with its attachments. As electronic 
messages are susceptible to alteration, Orange declines any responsibility 
if this message has been altered, distorted or falsified. Thank you.


This message and its attachments may contain confidential or 
privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and 
delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have 
been modified, changed or falsified.

Thank you.




Home NAS

2019-11-14 Thread Jan Betlach



Hi guys,

I am setting up a home NAS for five users. Total amount of data stored 
on NAS will not exceed 5 TB.
Clients are Macs and OpenBSD machines, so that SSHFS works fine from 
both (no need for NFS or Samba).

I am much more familiar and comfortable with OpenBSD than with FreeBSD.
My dilemma while stating the above is as follows:

Will OpenBSD’s UFS be stable and reliable enough for the intended 
purpose? The NAS will consist of just one encrypted drive, regularly backed 
up to a hardware RAID encrypted two-disk drive via rsync.


Should I bite the bullet and build the NAS on FreeBSD, taking advantage 
of ZFS, snapshots, replication, etc.? Or is this overkill?


BTW my most important data is also backed off-site.

Thank you in advance for your comments.

Jan



OpenBSD was right

2019-09-02 Thread Jan Betlach


I hope it is OK to share here:
https://www.youtube.com/watch?v=jI3YE3Jlgw8


Jan



Re: 4GB RAM too little for Firefox?

2019-07-06 Thread Jan Betlach



Richard,

have you increased the shared memory limits and kern parameters in the 
sysctl.conf for more relaxed desktop usage?


Jan


On 6 Jul 2019, at 10:11, maillists.rul...@mailbox.org wrote:


Otto Moerbeek  wrote:
On Sat, Jul 06, 2019 at 09:32:22AM +0200, 
maillists.rul...@mailbox.org wrote:



Otto Moerbeek  wrote:

You still did not tell which platform you are running. It matters.

-Otto
I'm using a ThinkPad T450 (i5-5300U, SSD, FullHD display, for which
0.5G of the RAM are used by the graphics card). I'm running OpenBSD 6.5
and use full disk encryption (don't know if this matters for swapping
performance).

Best Regards,
Richard Ulmer


That does not tell us the platform. It matters a lot if you are
running i386 or amd64. To make it explicit: what does "uname -p" say?

-Otto

Oh, sorry, platform is amd64.




Re: Reboot and re-link (fwd) Maxim Bourmistrov: Re: Reboot and re-link (fwd) Maxim Bourmistrov: Re: Reboot and re-link (fwd) Maxim Bourmistrov: Re: Reboot and re-link

2019-06-20 Thread Jan Betlach



It was either a really bad joke or mental. Now it is threatening.

So sad.

Jan



On 20 Jun 2019, at 23:54, Theo de Raadt wrote:


Someone is going to have regrets.

Maxim Bourmistrov  wrote:


IF  NOT, I'll  start to talk to Canadian govs

On Thu, 20 Jun 2019 at 23:48, Maxim Bourmistrov 
 wrote:


 Now, I'd like to see all bills. As I'm funding this project. 5 years
from now on.


 On Thu, 20 Jun 2019 at 23:25, Maxim Bourmistrov 
 wrote:


 I'd say this whole project is your milking cow. (Having a good time
biking??)
 You really don't move forward much. Except the poor guy trying to fix the
net stack.

 You move vars around, back and forward. But really - no progress.
 Community thinks they push money to dev stuff; in reality they push
Theos bills forward. Nice illusion.
 I'm yet another one in this line. Disappointed, seen too much AND
been rejected by Theos. One in line.

 On Thu, 20 Jun 2019 at 23:08, Maxim Bourmistrov 
 wrote:


 For me, this does not really matter. )
 I give a sh.
 You just lose yet another testbed.

 On Thu, 20 Jun 2019 at 23:05, Maxim Bourmistrov 


 wrote:


The OpenBSD user community has too many people like this.

 I think ppl get frustrated. Like me, been following obsd since 3.2.
 I think look down on those whom uses your fork.
 and yet, you want donations.
 I think that you have to ask first, if you want to get public
private conversation.
 I think this is controlled by law.


 On Thu, 20 Jun 2019 at 22:51, Theo de Raadt 
 wrote:

 The OpenBSD user community has too many people like this.

 From: Maxim Bourmistrov 
 Date: Thu, 20 Jun 2019 22:34:54 +0200
 Subject: Re: Reboot and re-link
 To: Theo de Raadt 

 Go away?! I'm your user - FIX IT.

 On Thu, 20 Jun 2019 at 22:32, Theo de Raadt 
 wrote:

  I take a lot of responsibility, which is why the system has KARL.

  Go away.

 From: Maxim Bourmistrov 
 Date: Thu, 20 Jun 2019 22:35:21 +0200
 Subject: Re: Reboot and re-link
 To: Theo de Raadt 

 Fix it NOW!

 On Thu, 20 Jun 2019 at 22:34, Maxim Bourmistrov
  wrote:

  Go away?! I'm your user - FIX IT.

  On Thu, 20 Jun 2019 at 22:32, Theo de Raadt 
 wrote:

  I take a lot of responsibility, which is why the system has KARL.

  Go away.

 From: Maxim Bourmistrov 
 Date: Thu, 20 Jun 2019 22:41:25 +0200
 Subject: Re: Reboot and re-link
 To: Theo de Raadt 

 You are not true here.
 You get paid.
 Fuck man, I like OS and been following for a long time. Team does
 good stuff.
 But something is not OK, since 6.5.
 Question is what is not OK.
 You devs might help out.





Thinkpad donation

2019-06-05 Thread Jan Betlach



Hi,

I may have one spare Thinkpad X270 in mint condition, which I would be 
willing to donate to one of the OpenBSD developers. Not sure how to 
proceed with this.
I would probably prefer a developer located somewhere close to me (Czech 
Republic, eastern part of Germany,…) as it will be possible for me to 
hand it over personally.


Regards

Jan



Re: Portslist

2018-11-24 Thread Jan Betlach
Yes, it probably was, sorry for that. I did not think adding the portslist
package was the correct solution, as it had not been found, therefore I asked
here...

Jan

On Sat, Nov 24, 2018 at 7:34 PM Marc Espie  wrote:

> On Sat, Nov 24, 2018 at 07:22:09PM +0100, Jan Betlach wrote:
> > Because when I tried to add the portslist package, it has not been found
> (
> > ftp.spline.de mirror) yesterday. I have tried adding it again now after
> > reading you message and it has been successfully installed.
>
> Ah, so your reporting was very sloppy.
>
> Mirrors do tend to get out-of-date from time to time.
>


Re: Portslist

2018-11-24 Thread Jan Betlach
Because when I tried to add the portslist package, it was not found (
ftp.spline.de mirror) yesterday. I have tried adding it again now after
reading your message and it has been successfully installed.

Looks like the problem is solved now. Thank you.

Jan




On Sat, Nov 24, 2018 at 7:10 PM Marc Espie  wrote:

> On Sat, Nov 24, 2018 at 02:32:02PM +0100, Jan Betlach wrote:
> > Hi all,
> >
> > strange problem. I am running -current. I have downloaded latest ports
> > tree .tar.gz to /temp, then tar xzf in /usr.
> > All ports are where they belong (/usr/ports).
> > However when searching anything (make search key=package) I get
> > following error:
> > Please install portslist
> > pkg_add portslist
> > *** Error 1 in /usr/ports (Makefile:80 '/usr/local/share/ports-INDEX':
> > @exit 1)
> >
> > Any help is appreciated. Thank you
> >
> > Jan
> So why don't you read the error message and do just that ?
>


Portslist

2018-11-24 Thread Jan Betlach
Hi all,

strange problem. I am running -current. I have downloaded latest ports
tree .tar.gz to /temp, then tar xzf in /usr.
All ports are where they belong (/usr/ports).
However when searching anything (make search key=package) I get
following error:
Please install portslist
pkg_add portslist
*** Error 1 in /usr/ports (Makefile:80 '/usr/local/share/ports-INDEX':
@exit 1)

Any help is appreciated. Thank you

Jan


Re: Syncthing

2018-11-24 Thread Jan Betlach
Hi Joshua,

thank you very much, your solution helped.

Jan

On Sat, Nov 24, 2018 at 3:37 AM joshua stein  wrote:

> On Fri, 23 Nov 2018 at 19:48:04 +0100, Jan Betlach wrote:
> > Hi all,
> >
> > I am trying to sync my media libraries via Syncthing with other machine.
> > However Syncthing on OBSD complains about "too many open files" and
> refuses
> > therefore to scan and synchronize the folder.
> >
> > I have increased sysctl kern.maxfiles as well as openfiles-max for the
> > staff group (of which the user is a member) in login.conf. Probably still
> > not enough.
> >
> > What are safe maximal values for both (kern.maxfiles and openfiles-max)
> to
> > use?
>
> Hi,
>
> Newer versions of syncthing use kqueue by default to watch for file
> changes which ends up using a couple file descriptors
> per-sub-directory.
>
> You may be better off just disabling this on large shared folders
> and go back to periodic scanning.  This can be done through the web
> interface by clicking on the folder, then Edit, then Advanced, then
> uncheck 'Watch for Changes'.
>
> https://github.com/syncthing/syncthing/issues/5025
>
>


Syncthing

2018-11-23 Thread Jan Betlach
Hi all,

I am trying to sync my media libraries via Syncthing with other machine.
However Syncthing on OBSD complains about "too many open files" and refuses
therefore to scan and synchronize the folder.

I have increased sysctl kern.maxfiles as well as openfiles-max for the
staff group (of which the user is a member) in login.conf. Probably still
not enough.

What are safe maximal values for both (kern.maxfiles and openfiles-max) to
use?

Thank you

Jan


httpd and Wordpress

2017-06-10 Thread Jan Betlach
Hi guys,

I have a small problem with httpd and Wordpress.
When I go to https://myipaddress I get "Access denied". If I go to
https://myipaddress/wordpress, everything works as expected.
I have tried to change the appropriate line in the httpd.conf to:
root "/htdocs/wordpress". In that case the webpage is loaded, but in the
"broken" form.

My current httpd.conf:

# $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $

# Macros
ext_addr="*"

# Global Options
# prefork 3

# Servers

# A minimal default server
server "default" {
	listen on $ext_addr port 80
	listen on $ext_addr tls port 443
	block return 301 "https://$SERVER_NAME$REQUEST_URI"
	tls {
		key "/etc/ssl/private/server.key"
		certificate "/etc/ssl/server.crt"
	}
	directory {
		no auto index, index "index.php"
	}
	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
	root "/htdocs"
}

# Include MIME types instead of the built-in ones
types {
	include "/usr/share/misc/mime.types"
}


Any ideas where I am making a mistake?

Thank you

Jan


Re: Encryption

2017-03-22 Thread Jan Betlach
Solene, Ken,

thanks a lot for the quick responses. Primarily I need to protect the laptop
against losing it or having it stolen. Therefore FDE would be ideal, however I've read
somewhere that FDE is not officially supported on OpenBSD.
It would probably make sense to combine both - FDE and to have the most
sensitive data additionally encrypted using a virtual block device (as I do
not need to have these permanently mounted).

Jan


On Wed, Mar 22, 2017 at 6:11 PM, Ken <catatonicpr...@gmail.com> wrote:

> To expand on Solène's response. Keep in mind if you need to cover both
> scenarios for whatever your threat-model is... you can do both too.
>
> Another valuable result of FDE is that it helps ensure the integrity
> of your boot drive (presuming you're encrypting your boot volume), i.e.
> it prevents attacks like the sysadmin sticky-keys "attack" on Windows
> boxes. So someone can't just boot and mount the partition and modify
> your shadow file to add a new root user or other backdoor. Good for
> scenarios where physical access isn't necessarily controlled by the
> 3Gs (guards, gates, guns).
>
> In my experience, setting up FDE with OpenBSD has been very easy with
> just a couple of calls to bioctl to set it up. Pretty much seamless if
> you have a quick tutorial on it.
>
> Don't lose your passphrases/keys, and have fun!
>
> On Wed, Mar 22, 2017 at 9:38 AM, Solène Rapenne <sol...@perso.pw> wrote:
> > Le 2017-03-22 17:28, Jan Betlach a écrit :
> >>
> >> Hi misc,
> >>
> >> planning to install -current on my Thinkpad T450s (SSD).
> >>
> >> I need to have several data directories encrypted, however would not
> mind
> >> whole-disk encryption. Which method would be more supported /
> recommended?
> >> Whole-disk encryption or creating a container file, loop device and then
> >> virtual device with the encryption layer on it?
> >>
> >> Thanks in advance
> >>
> >> Jan
> >
> >
> > Hello Jan,
> >
> > That would depend on your need, do you want to protect against someone
> > who would steal your computer, or against some malicious software
> > running under your system to read your data ?
> >
> > In the first case, you should go with FDE (full disk encryption), your
> > data would be available only after you type the password at boot.
> >
> > In the second case, you should use some kind of encrypted volume that
> > would be available only when you need to. I think that's possible to
> > create an encrypted ffs volume contained into a file, that you can
> > mount when you need.
> >
> > Regards



Encryption

2017-03-22 Thread Jan Betlach
Hi misc,

planning to install -current on my Thinkpad T450s (SSD).

I need to have several data directories encrypted, however would not mind
whole-disk encryption. Which method would be more supported / recommended?
Whole-disk encryption or creating a container file, loop device and then
virtual device with the encryption layer on it?

Thanks in advance

Jan



Encrypted data partition

2016-12-14 Thread Jan Betlach
Hello,

I'd like to have an encrypted Ext2 data partition, which can be shared
between OpenBSD and Linux. LUKS probably does not work in OpenBSD. Maybe
something like EncFS is the way to go?

Thank you

Jan



Re: ral(4) problems on current/i386 ALIX

2016-11-27 Thread Jan Betlach
I plan to use Ubiquiti Unifi AC LR.



On Sun, Nov 27, 2016 at 4:25 PM, Jan Stary  wrote:

> After an upgrade to the latest i386 snapshots,
> those messages have disappeared. Looking at the source,
> it's because it became a DEBUG only message.
> (Yes, the ral throughput still sucks.)
>
> What kind of wifi are people using
> on the ALIX serving as an AP?
>
> Jan
>
> OpenBSD 6.0-current (GENERIC) #0: Fri Nov 25 10:47:36 MST 2016
> bu...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class)
> 432 MHz
> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> real mem  = 133713920 (127MB)
> avail mem = 118501376 (113MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: date 12/10/07, BIOS32 rev. 0 @ 0xfceb2
> pcibios0 at bios0: rev 2.1 @ 0xf/0x1
> pcibios0: pcibios_get_intr_routing - function not supported
> pcibios0: PCI IRQ Routing information unavailable.
> pcibios0: PCI bus #0 is the last bus
> bios0: ROM list: 0xe/0xa800
> cpu0 at mainbus0: (uniprocessor)
> mtrr: K6-family MTRR support (2 registers)
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x31
> glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
> vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10,
> address 00:0d:b9:12:9f:2c
> ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
> 0x004063, model 0x0034
> vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11,
> address 00:0d:b9:12:9f:2d
> ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
> 0x004063, model 0x0034
> vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12,
> address 00:0d:b9:12:9f:2e
> ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
> 0x004063, model 0x0034
> ral0 at pci0 dev 12 function 0 "Ralink RT2560" rev 0x01: irq 9, address
> 00:11:09:0d:d3:36
> ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
> glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3,
> 32-bit 3579545Hz timer, watchdog, gpio, i2c
> gpio0 at glxpcib0: 32 pins
> iic0 at glxpcib0
> pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel
> 0 wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 1-sector PIO, LBA, 7279MB, 14909328 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
> ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 15, version
> 1.0, legacy support
> ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 15
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev
> 2.00/1.00 addr 1
> isa0 at glxpcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> usb1 at ohci0: USB revision 1.0
> uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev
> 1.00/1.00 addr 1
> vmm at mainbus0 not configured
> nvram: invalid checksum
> vscsi0 at root
> scsibus1 at vscsi0: 256 targets
> softraid0 at root
> scsibus2 at softraid0: 256 targets
> root on wd0a (bf940e6c7aaf2c50.a) swap on wd0b dump on wd0b
> clock: unknown CMOS layout
> On Sep 20 10:46:54, h...@stare.cz wrote:
>
> > This is ALIX 2C1, just upgraded to current/i386 (dmesg below).
> > It serves as a wifi AP using ral(4). The console gets spammed with
> >
> >   ral0: sending data frame failed 0x02faaafa
> >
> > This used to work fine since 5.9/i386.
> >
> > $ cat /hostname.ral0
> > inet 192.168.33.1 255.255.255.0 NONE  \
> >   media autoselect mediaopt hostap nwid stare.cz  chan 11 \
> >   wpakey XXX
> >
> > $ netstat -I ral0
> > Name  Mtu   Network       Address            Ipkts  Ierrs  Opkts  Oerrs  Colls
> > ral0  1500                00:11:09:0d:d3:36    310    327    326    120      0
> > ral0  1500  192.168.33/   192.168.33.1         310    327    326    120      0
> >
> > Typical wifi clients of this AP are the phones
> > and tablets in the family; they all seem to connect fine.
> >
> > How can I help debug this?
> >
> >   Jan
> >
> >
> > OpenBSD 6.0-current (GENERIC) #2064: Mon Sep 19 20:35:29 MDT 2016
> > dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> > cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD"
> 586-class) 432 MHz
> > cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> > real mem  = 133713920 (127MB)
> > avail mem = 118611968 (113MB)
> > mpath0 at root
> > scsibus0 at mpath0: 256 targets
> > mainbus0 at root
> > bios0 at mainbus0: date 12/10/07, BIOS32 rev. 0 @ 0xfceb2
> > pcibios0 at bios0: rev 2.1 @ 0xf/0x1
> > 

Re: OpenBSD and you

2016-11-26 Thread Jan Betlach
I am an (almost) total newbie with respect to networks. Currently in the process
of building my own firewall/gateway for my home network (based on an APU 2C4),
I've decided to take the right (and, at least for me, difficult) way of
doing so by using OpenBSD's pf.
Peter's excellent book is my main help and knowledge source and I am
grateful it has been written :-)



On Sat, Nov 26, 2016 at 1:23 PM, Peter N. M. Hansteen 
wrote:

> On 11/26/16 04:57, R0me0 *** wrote:
> > As I did see any mention around here, I was boosted to post this great
> > presentation by Peter N . M. Hansteen.
> >
> > https://home.nuug.no/~peter/blug2016/
>
> It's nice to hear you like it!
>
> The meeting where I presented this was a lot less well attended than I
> had hoped but the web server logs seem to indicate that it has some use
> as advocacy on the web.
>
> (The odd format is kind of an accident - this is a descendant of a
> company-internal presentation I did for a group of colleagues and in
> $dayjob land it's the branded pptx templates or no go. Trying to convert
> to something marginally saner only served to re-ignite the passion with
> which I hate 'office'-style presentation apps.)
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.