Re: Time for OBSD everywhere?
On Fri, 16 May 2008 22:35:00 +0200 chefren [EMAIL PROTECTED] wrote:

I know at time it was said that OpenBSD is not for everything, but so far, I still haven't found anything that I need that OpenBSD can't shine doing.

I can almost second that except for the few cases in which we really need to update stuff without fuss, then we use Debian.
Re: Time for OBSD everywhere?
On Fri, 16 May 2008 17:48:47 -0400 Daniel Ouellet [EMAIL PROTECTED] wrote:

Rico Secada wrote: On Fri, 16 May 2008 22:35:00 +0200 chefren [EMAIL PROTECTED] wrote:

I know at time it was said that OpenBSD is not for everything, but so far, I still haven't found anything that I need that OpenBSD can't shine doing.

I can almost second that except for the few cases in which we really need to update stuff without fuss, then we use Debian.

All I need and use are in packages and using current and the pkg_add to update couldn't be easier and faster. I find it a lot faster and easier than apt-get from Debian, but that's the beauty of it all. You choose what you feel is right for you.

Yes :-) but I was mainly talking about the basesystem and kernel. About it being more easy and more fast than apt-get from Debian, I have yet to witness that :-)

And in some cases, release is just fine and it's not like I need the latest all the time for each package either. A proper 6 months fresh reinstall on all always provides best results and fixes whatever bugs in between that may have happened. I still haven't switched some desktop to OpenBSD yet because of some stupid Microsoft customers requirements, but as far as servers are concerned, hell OpenBSD beats all for me anyway. 140 servers and keep counting. I couldn't sleep better. And I should also say for the desktop there is a little bit of slacking on my part too, to switch to it. I still haven't found an easy way to set up a window manager as easy as doing servers. but most likely may be my lack of spending time to learn it as well too.
Re: How secure is OpenBSD really
On Tue, 15 Apr 2008 13:45:14 +0200 Jernej Makovsek [EMAIL PROTECTED] wrote:

Please just ignore this post! As I said in my first post

Now with this post I don't want to start any wars. I know that nothing is bullet proof and so on but as a wannabe OBSD user I'm just interested in if this compromise was analysed and especially how the code has changed from then, what did you do to make sure that this does not repeat

Now why did I post the Wired story? Because when I read the archive I was expecting that the penetration has been taken seriously and analysed publicly in detail. But instead it was dismissed as a joke. And it doesn't matter if it's from 2002, what's important to me is how you deal with the problem. One can get a flawed picture that this is how you deal with remote exploits. I was really looking forward to read your comments on how that and that developer did that and that error in analyzing the situation and how the changes you made to the exploited program changed other programs and such but instead ppl feel endangered.

Ok, thanks for all the info. Flaming is starting, I have better things to do.. like make X work on OBSD. Bye

On Tue, Apr 15, 2008 at 12:42 PM, Richard Toohey [EMAIL PROTECTED] wrote:

What's your point? Is OpenBSD perfect? No. Does it have flaws? Yes. Can it be broken? Yes, and you've dug something out from six years ago that may or may not prove that. But the same can be said of Linux, Windows, Mac OS, etc., etc. Has every flaw/bug been discovered? No. Will there be more issues found? Yes. Does it tackle security pro-actively? Yes. Does it prefer security and openness and doing things correctly over bells and whistles and best performance whatever the cost? Yes - security and correctness are priorities - but you could find that out from http://www.openbsd.org/goals.html. Does that mean that it will be perfect? No. Are the developers/leaders perfect? No. Is OpenBSD the One True Secure High Performance Operating System for every imaginable task? No ... but then nor is anything else. Is OpenBSD for you? Only you can decide ... and even if it is, it may not be the best tool for EVERY job.

HTH.

On 15/04/2008, at 10:28 PM, Jernej Makovsek wrote:

Reading the archive it seems to me that el8 was taken as a joke:

List: openbsd-misc
Subject: Re: main openbsd server compromised ?
From: e eliab () spack ! org
Date: 2002-08-15 17:11:01

no, el8 is not a serious zine, it's a joke, i'm sure reading a little more of the zine would have made that obvious

List: openbsd-misc
Subject: Re: main openbsd server compromised ?
From: e eliab () spack ! org
Date: 2002-08-16 18:40:17

* dayioglu ([EMAIL PROTECTED]) wrote: On Thu, 2002-08-15 at 20:11, e wrote:

no, el8 is not a serious zine, it's a joke, i'm sure reading a little more of the zine would have made that obvious

Not to cause a flame-war but the disclosed mail traffic of K2 seem very normal. I did read the whole thing and to create so many joke mails is, err, at least unusual. Are you sure you read it all?

quite sure, el8 has been known to do this same type of thing before.

And that's that. But on http://www.wired.com/culture/lifestyle/news/2002/08/54400 I read that OpenBSD co-founder Theo de Raadt, cited as a top el8 target, angrily refused to discuss the compromise (link http://www.openssh.com/txt/trojan.adv) in late July of a file server maintained by the open-source, Unix-based operating-system project. On Aug. 1, a dangerous Trojan horse program was discovered amid the code for OpenBSD, which is used by thousands of organizations and renowned for its security.. And: Christopher Ambient Empire Abad, a security expert with Qualys, confirmed that excerpts of e-mails and other files stolen from his directory on a server were published in el8's latest zine. So it appears to me that what el8 posted wasn't a joke. Did I miss something again?

With regards, Jernej

On Tue, Apr 15, 2008 at 1:59 AM, Ted Unangst [EMAIL PROTECTED] wrote: On 4/14/08, Jernej Makovsek [EMAIL PROTECTED] wrote:

Now with this post I don't want to start any wars. I know that nothing is bullet proof and so on but as a wannabe OBSD user I'm just interested in if this compromise was analysed and especially how the code has changed from then, what did you do to make sure that this does not repeat. And if it was a third party app, why wasn't it configured within a jail? Ok, I learned that sysjail was announced on May 22 2006, but surely you have chroot capability. And sysjail is connected with systrace... Well again,
Setting up a HA server with limited resources
Hi. A customer with very limited resources needs to set up a highly available system running apache, mysql, postfix and dovecot and I have gotten the task. I have only two Pentium 4 machines at my disposal, and I have begun researching how to make them work with load balancing and fail safe operations at the same time. I have one public IP address available. I would like to reach a state, if possible, in which load balancing is performed, but at the same time, if one machine fails, the other will automatically take over. I believe this setup is also very useful when deploying updates. Any advice on how to implement such a setup? Best regards. Rico.
Re: most secure graphical browser
On Sat, 19 Jan 2008 08:41:18 +1300 Joel Wiramu Pauling [EMAIL PROTECTED] wrote:

but to me sounds like you're making a non-issue into a mole hill. Even the most limited of hardware can run decent browsers. Why you are insisting on using your access box, when you have another machine is beyond me. Ideally just run a browser on your shit hardware, it's not that big of a deal really, yes might take ages to load, but meh who cares.

Right on the point!
Re: most secure graphical browser
On Thu, 17 Jan 2008 18:17:54 -0500 Douglas A. Tutty [EMAIL PROTECTED] wrote:

On Thu, Jan 17, 2008 at 05:11:53PM -0500, STeve Andre' wrote: On Thursday 17 January 2008 03:42:38 pm Douglas A. Tutty wrote:

I have a box that I want to keep as secure as I can but I also need to be able to use a graphical browser from it (I know that this is a trade-off). There is no graphical browser in base. I don't need or want this browser to do javascript or flash (I have a different box for entertainment). Of the browsers in packages, which browser would people think is likely the most secure? [snip]

Why not create an OpenBSD live CD with the stuff you want on it?

Because this box will also be my main server. For details, see a previous thread (I forget the title) where I'm splitting things between a secure box where anything confidential will be kept, and an entertainment box for regular browsing with javascript and, where required, flash. Also for watching DVDs and listening to music.

A main server where you need a graphical browser? I am sorry, but why don't you just use your entertainment box rather than browsing graphics from your server?

Doug.
Re: facts about OpenBSD (FOOOLS)
On Mon, 14 Jan 2008 12:53:35 -0800 johan beisser [EMAIL PROTECTED] wrote:

Bitching and whining get you nothing.

When will you people stop responding to whiners like this!? He's bitching and you're just bitching back. Leave the ignorant fool alone, and he will stop barking up your tree! It's not that difficult!!
Re: facts about OpenBSD
On Thu, 10 Jan 2008 12:33:57 -0600 Tony Abernethy [EMAIL PROTECTED] wrote:

Nikns Siankin wrote:

I see people keep repeating nonsense like this instead of talking about topic.

At least he can read. And think.

Leave the troll alone, he wants someone to play with, and he got that.
Re: Richard Stallman...
On Mon, 07 Jan 2008 20:46:43 -0700 L [EMAIL PROTECTED] wrote:

Richard Stallman wrote:

I hope that the other OpenBSD developers will repudiate such conduct.

You said the other openbsd developers. In this context, it implies that I am an OpenBSD developer. The other means that I am one myself and relative to me, they are the other developers with me. This is a lie or an error. I am an OpenBSD *user* who has not participated in development. I will in the future be submitting patches and I may become a developer.

Not bloody likely! You talk way too much!!
Re: Real men don't attack straw men
On Sat, 5 Jan 2008 20:14:27 +0100 Jacob Grydholt Jensen [EMAIL PROTECTED] wrote:

You're missing the point why somebody is calling OpenBSD non-free. Or supposedly why emacs runs on non-free.

And you apparently missed the posts where the leading developers of OpenBSD stated that they don't care about your definition of free.

And my dad is stronger than your dad!
Re: Using the C programming language
On Thu, 27 Dec 2007 12:27:15 -0800 Kirk Ismay [EMAIL PROTECTED] wrote:

Rico Secada wrote: On Sun, 23 Dec 2007 01:06:39 -0600 David Higgs [EMAIL PROTECTED] wrote: On Dec 22, 2007 5:53 PM, Rico Secada [EMAIL PROTECTED] wrote:

It is my understanding that C is the hacker's tool while Ada is the tool of the engineer. I think it is mostly because of tradition.

Your understanding is wrong. I suspect that many professional engineers using C (and/or other languages) would strongly disagree with your offhand characterization.

Doesn't matter what language is used, you can still shoot yourself in the foot:

Nobody has argued against that :-)

http://www.ima.umn.edu/~arnold/disasters/ariane.html
http://www.cas.mcmaster.ca/~baber/TechnicalReports/Ariane5/Ariane5.htm
http://www.ima.umn.edu/~arnold/disasters/ariane5rep.html

The internal SRI software exception was caused during execution of a data conversion from 64-bit floating point to 16-bit signed integer value. The floating point number which was converted had a value greater than what could be represented by a 16-bit signed integer. This resulted in an Operand Error. The data conversion instructions (in Ada code) were not protected from causing an Operand Error, although other conversions of comparable variables in the same place in the code were protected.

-- Sincerely, Kirk Ismay System Administrator -- Net Idea 201-625 Front Street Nelson, BC V1L 4B6 P:250-352-3512 | F:250-352-9780 | TF:1-888-352-3512 Check out our brand new website! www.netidea.com
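The conversion described in the report quoted above, carried over to C as an added example (it is not part of the original message and not the Ariane code): a 64-bit float narrowed to a 16-bit signed integer with an explicit range guard, plus a saturating variant. Function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum {
    CONV_OK = 0,
    CONV_OUT_OF_RANGE,
    CONV_NOT_A_NUMBER
} conv_status;

/* Constructed helper: produce a NaN at run time without <math.h>. */
double constructed_nan(void)
{
    volatile double zero = 0.0;
    return zero / zero;
}

/*
 * Guarded narrowing. In C an unguarded (int16_t)value is undefined
 * behaviour when the truncated value does not fit, so the range is
 * checked before the cast. The cast truncates toward zero, hence every
 * value strictly between -32769.0 and 32768.0 is representable.
 */
conv_status double_to_int16(double value, int16_t *out)
{
    if (value != value)                       /* NaN compares unequal to itself */
        return CONV_NOT_A_NUMBER;
    if (value <= -32769.0 || value >= 32768.0) /* also catches +/- infinity */
        return CONV_OUT_OF_RANGE;
    *out = (int16_t)value;
    return CONV_OK;
}

/* Alternative policy: clamp to the nearest representable value. */
int16_t double_to_int16_saturating(double value)
{
    int16_t result = 0;
    switch (double_to_int16(value, &result)) {
    case CONV_OK:
        return result;
    case CONV_OUT_OF_RANGE:
        return value < 0.0 ? INT16_MIN : INT16_MAX;
    default:
        return 0;                             /* NaN: caller-chosen default */
    }
}

int main(void)
{
    /* Constructed sample inputs around the int16_t boundaries. */
    const double samples[] = { 1234.5, 32767.9, 32768.0, -32768.5, -32769.0, 1.0e9 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int16_t v = 0;
        conv_status st = double_to_int16(samples[i], &v);
        if (st == CONV_OK)
            printf("%12.1f -> %d\n", samples[i], v);
        else
            printf("%12.1f -> rejected (status %d), saturated %d\n",
                   samples[i], (int)st, double_to_int16_saturating(samples[i]));
    }
    return 0;
}
```

Whether to reject or saturate is a design decision for each variable; the point from the report is that the decision has to be made for every such conversion, not only some of them.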
Re: Using the C programming language
On Mon, 24 Dec 2007 17:01:54 -0500 Jon Radel [EMAIL PROTECTED] wrote:

Rico Secada wrote:

Again lets ask Boing.

I'm fully aware that spelling flames are terribly tasteless, but the image of planes loaded with Ada code going boing, boing, boing down the runway just won't leave my mind.

Quite funny actually - lol :-)

It's Boeing.

Thanks! :-)

--Jon Radel [EMAIL PROTECTED]

P.S. Sorry.
Re: Using the C programming language
On Sun, 23 Dec 2007 01:06:39 -0600 David Higgs [EMAIL PROTECTED] wrote: On Dec 22, 2007 5:53 PM, Rico Secada [EMAIL PROTECTED] wrote:

It is my understanding that C is the hacker's tool while Ada is the tool of the engineer. I think it is mostly because of tradition.

Your understanding is wrong. I suspect that many professional engineers using C (and/or other languages) would strongly disagree with your offhand characterization.

And yet many would agree.

You find Ada in almost all of Boing's airplanes, and in most industry critical systems. Ada was written with compile time protection against bugs such as buffer-overflows and so on.

Didn't I read a Slashdot article about the NYSE going to Linux? What language is medical software written in? What about the competing companies that aren't using Ada? How does their track record of software faults compare?

Let's address your question here: http://www.adacore.com/home/ada_answers/lookwho

Compile time protection isn't worth the time it takes to run them if your specification has flaws, your code doesn't match the spec, or the compiler has errors. There are MANY other types of errors that can never be caught at compile-time. Just because these errors SHOULD be accounted for in the program's spec doesn't mean that they WILL be.

No but it sure makes a big difference, or maybe Airbus, Boing, EADS and BAE Systems are wrong on their choice?

But like many have stated, what makes programs good and secure is the programmer, but IMHO the tools and languages are important too. You cannot use something like C in a really security demanding situation, and here I think about human lives, like in spacecrafts.

Completely false. You can use any tool you want with an appropriate model of the system; this includes your tools and code. The software for the original US moon missions was written in assembly code; portions may still be in use today because of its extreme reliability.

Did you post a list somewhere or did I miss it?

Of course you can use any tool you want, but that's not the point. Let me rephrase what I wrote: you can use any tool you want, but you should not use something like C if your life depends on it. Again lets ask Boing.

A simple buffer overflow might crash the plane, and you have to have some ways of eliminating that completely. That is why Ada was designed the way it was. You can read about the history of Ada on Wikipedia. Why so much is written in C on Unix-like systems, I think it's mainly tradition. IMO Ada would be much better from a security point of view.

Your opinion means nothing without code. Even with code, the OpenBSD project likely won't care anyways. You are barking up the wrong tree.

I am not barking at OpenBSD.

I agree that it would be better if OpenBSD or any other system for that matter was written in Ada rather than C, and they could just as well, but re-writing something as huge as OpenBSD is a MAJOR task, and what would the real benefits be in this situation? The OpenBSD team knows exactly what they are doing hence the extra security of Ada becomes almost unnecessary, but again I agree, had OpenBSD been in Ada from day one, that would save them a LOT of time! Bugs would be caught on compile time and bad-coding would almost be eliminated.

Go back to Wikipedia. OpenBSD was a fork and essentially worked from day one. However, as you say, rewriting something as big as OpenBSD is a MAJOR task in the timeframe of years or decades. Instead of improving security in a known system, all those years would be wasted reinventing the wheel and playing catch-up with the pre-existing feature set of modern operating systems.

Yes you are right.

Your insistence on equating compile-time checks with secure programming is incorrect, and indicates your inexperience in secure programming. Academic questions like this should be googled or asked on comp.lang.ada.

I did not equate compile-time checks with secure programming. Like I wrote: But like many have stated, what makes programs good and secure is the programmer, but IMHO the tools and languages are important too. Combining the two surely doesn't hurt. No matter how skillful you are at programming securely, you are going to fail sooner or later in catching a bug, and having the compiler save you from that is like having an airbag on your car. The driver still has to know how to drive, but having a safe car doesn't decrease the risk!

Good luck. --david
Re: Using the C programming language
On Sun, 23 Dec 2007 21:11:50 +1100 Christopher Vance [EMAIL PROTECTED] wrote:

I have used and taught Ada, for what that's worth. I also looked at Ada for writing OS kernel code, but the quality of the compilers forced me back to the C family.

What compilers?

Question for the proponents of Ada: how many operating system kernels do you know of which are written in Ada? Now answer the same question for C.

Ada has mainly been used in real-time life dependent systems, not in operating systems. There hasn't been a free compiler around before 1995 and it hasn't been that good.

For extra marks, explain why the discrepancy, paying particular attention to the strengths and weaknesses of each language in this particular usage.

Free compiler.

-- Christopher Vance
Re: Using the C programming language
On Sun, 23 Dec 2007 09:11:55 -0600 Marco Peereboom [EMAIL PROTECTED] wrote:

Here is a constant: your code is as bad as the developer.

I agree :-), and here is another constant: #define strlcpy Theo de Raadt

From lwn.net in 2003:

Years of buffer overflow problems have made it clear that the classic C string functions - strcpy() and friends - are unsafe. Functions like strncpy(), which take a length argument, have been presented as the safe alternatives. But strncpy() has always been poorly suited to the task; it wastes time by zero-filling the destination string, and, if the string to be copied must be truncated, the result is no longer NULL-terminated. A non-terminated string can lead to overflows and bugs in its own right. So Linus finally got fed up and put together a new copy_string() function which does what most strncpy() users really wanted in the first place.

As is often the case with this sort of security-related improvement, OpenBSD got there first. In fact, back in 1996, the OpenBSD team came up with a new string API which avoids the problems of both strcpy() and strncpy(). The resulting functions, with names like strlcpy(), have been spreading beyond OpenBSD. The basic function is simple:

size_t strlcpy(char *dest, const char *src, size_t size);

The source string is copied to the destination and properly terminated; the return value is the length of the source. If that length is greater than the destination string, the caller knows that the string has been truncated.

Linus agreed that following OpenBSD's lead was the right way forward, and strlcpy() is in his BitKeeper repository, waiting for 2.5.71. There has also been a flurry of activity to convert kernel code over to the new function. By the time 2.6.0 comes out, strncpy() may no longer have a place in the Linux kernel.
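The truncation behaviour described in the quoted LWN text, as an added example that is not part of the original message: `bounded_copy()` is a hypothetical stand-in written with the semantics the article gives for strlcpy(), so the block also builds where libc has no strlcpy(). Buffer size and strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEMO_BUF_SIZE 8   /* constructed destination size */

/*
 * Hypothetical helper with strlcpy()-style semantics: copy at most
 * size-1 bytes, always terminate when size > 0, and return strlen(src)
 * so the caller can tell whether the copy was truncated.
 */
size_t bounded_copy(char *dest, const char *src, size_t size)
{
    size_t srclen = strlen(src);

    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dest, src, n);
        dest[n] = '\0';
    }
    return srclen;
}

/* Returns 1 if a terminating NUL exists inside buf[0..size), else 0. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/*
 * strncpy() into a fixed buffer pre-filled with 'X'. Returns 1 when the
 * result has no terminator inside the buffer, which is the case the
 * article warns about (source at least as long as the buffer).
 */
int strncpy_leaves_unterminated(const char *src)
{
    char buf[DEMO_BUF_SIZE];

    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    return !is_terminated(buf, sizeof buf);
}

/*
 * Caller-side policy: treat truncation as an error instead of silently
 * continuing with a shortened string. Returns 0 on success, -1 if src
 * did not fit; on failure dest is left empty.
 */
int copy_checked(char *dest, const char *src, size_t size)
{
    if (bounded_copy(dest, src, size) >= size) {
        if (size > 0)
            dest[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[DEMO_BUF_SIZE];
    const char *fits = "obsd";            /* constructed: 4 bytes */
    const char *too_long = "openbsd-misc"; /* constructed: 12 bytes */
    size_t needed;

    printf("strncpy unterminated for \"%s\": %d\n",
           too_long, strncpy_leaves_unterminated(too_long));

    needed = bounded_copy(buf, too_long, sizeof buf);
    printf("bounded_copy wrote \"%s\", source length %zu, truncated: %s\n",
           buf, needed, needed >= sizeof buf ? "yes" : "no");

    printf("copy_checked(\"%s\") = %d\n", fits, copy_checked(buf, fits, sizeof buf));
    printf("copy_checked(\"%s\") = %d\n", too_long, copy_checked(buf, too_long, sizeof buf));
    return 0;
}
```

The return value only helps if it is checked: a caller that ignores it still ends up with a terminated but shortened string, which matters whenever the string is a name or path that is later compared or opened.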
Re: Using the C programming language
Hi. I address this issue on this list, because a lot of people here are very skillful C programmers. When looking at some of the different reasons for security problems such as: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/ I can't help wonder, why so much software is being developed using C. To conclude my study I appreciate any help on the following questions:

1. If security is a major concern, or perhaps The Main Concern, why not use Ada? I specifically mention Ada since one of the most security demanding industries are building aircrafts and they use Ada.

You are right, Ada is widely used in avionics, aerospace and defence systems, systems that demand a VERY high level of security and safety regarding lives and expensive equipment. And Ada is specifically designed for embedded systems too. It is my understanding that C is the hacker's tool while Ada is the tool of the engineer. I think it is mostly because of tradition. You find Ada in almost all of Boing's airplanes, and in most industry critical systems. Ada was written with compile time protection against bugs such as buffer-overflows and so on. But like many have stated, what makes programs good and secure is the programmer, but IMHO the tools and languages are important too. You cannot use something like C in a really security demanding situation, and here I think about human lives, like in spacecrafts. A simple buffer overflow might crash the plane, and you have to have some ways of eliminating that completely. That is why Ada was designed the way it was. You can read about the history of Ada on Wikipedia. Why so much is written in C on Unix-like systems, I think it's mainly tradition. IMO Ada would be much better from a security point of view.

2. Rather than auditing a lot of code, correcting a lot of coding mistakes, like the OpenBSD security team has done, and still do, why not shift from C to something, just as fast and powerful as C, but more secure? Again like Ada. (to completely avoid the possibilities of those errors). Some have stated that the speed of comes, among other things, from the lack of security checks and by allowing potentially unsafe operations.

But that's not the reason. You just cannot do it in Ada instead, you have to re-write the OS. OpenBSD like other BSD's are written in C. To use Ada instead you have to re-write the kernel and base system and so on. You talk about what the OpenBSD security team are doing and this means that you are talking about the kernel and base system, not ports and packages. The kernel and base system is in C. I agree that it would be better if OpenBSD or any other system for that matter was written in Ada rather than C, and they could just as well, but re-writing something as huge as OpenBSD is a MAJOR task, and what would the real benefits be in this situation? The OpenBSD team knows exactly what they are doing hence the extra security of Ada becomes almost unnecessary, but again I agree, had OpenBSD been in Ada from day one, that would save them a LOT of time! Bugs would be caught on compile time and bad-coding would almost be eliminated.

3. Are there any real benefits in using C++ over C regarding security? Is C++ really better from a security perspective?

You didn't ask this, but there is certainly no benefit in using C or C++ over Ada, regarding security or other issues. Whatever you can do in C and C++ you can do in Ada, but the Ada code is much better because it is so much more easy to read and thus more easy to maintain and the result is a hundred times safer. This has been clearly proven in the industry over the past two decades. Just ask Boing or NASA :-) Whether there is any benefits in using C++ over C from a security perspective, IMO not really. C++ has some better ways to do some things to prevent some of the errors of C, but then it has its own problems. The language is bloated with functions, it is constantly changing making backwards compatibility difficult, and really.. It's just C and then some more crap. You cannot beautify what is born ugly.

Rico Secada.
Re: Using the C programming language
On Sat, 22 Dec 2007 15:08:05 +0100 Erik Wikström [EMAIL PROTECTED] wrote:

I'm not very familiar with Ada so I do not know if it allows for the same kinds of low-level programming (which is necessary when writing an OS or code that interacts with hardware) that C does.

It does.

Again, I do not know Ada so I do not know how it achieves its high level of safety but I would think that runtime checks is part of it.

Yes. Use of Ada: http://www.adacore.com/home/ada_answers/lookwho
Re: Using the C programming language
On Sat, 22 Dec 2007 17:04:05 +0530 Girish Venkatachalam [EMAIL PROTECTED] wrote:

1. If security is a major concern, or perhaps The Main Concern, why not use Ada? I specifically mention Ada since one of the most security demanding industries are building aircrafts and they use Ada.

I dunno about ada.

2. Rather than auditing a lot of code, correcting a lot of coding mistakes, like the OpenBSD security team has done, and still do, why not shift from C to something, just as fast and powerful as C, but more secure? Again like Ada. (to completely avoid the possibilities of those errors).

There is simply no alternative to C. Period.

Now those two statements are somewhat in contradiction. You can't say that Ada isn't an alternative to C without knowing what it is. Ada fully serves as an alternative to C, but read up on that if you must know. Regarding it being an alternative to C in BSD is another issue, you have to reprogram everything then.
Theo vs. Richard - avoiding the facts!
Who am I Theo asked, a big fat nobody (maybe), but I started this issue to begin with and after criticizing Theo for being unnecessarily rude to Richard I have noticed that Richard keeps avoiding the facts!

Richard you continue to avoid the questions or issues brought forth by Theo, could you please focus on the issue rather than commenting the same statements over and over again!

Theo wrote:

On the bsd talk show you did not withhold your recommendation because the ports system suggests non-free programs. No way, that's not what you said on that show. What actually happened is that you withheld your recommendation because it CONTAINS non-free programs; that is what your words were.

This is the TRUTH, anybody can hear that for himself, and that's why I wrote to the list in the first place!

It turns out that the above assessment was based on a complete lack of research. It was uneducated, and you should have apologized for the error. You were really clear in your interview. And wrong. Later on, on this mailing list, you have changed your statements to say that your recommend against OpenBSD because it now... RECOMMENDS non-free software.

Clearly the TRUTH as well! We have all witnessed that!

We've made it quite clear that Emacs and gcc recommend the use of non-free software, by directly containing code to support those systems. The ports tree does not contain code to support non-free components. It simply provides URLs to a few select things which people might wish to use. Itself, it contains no non-free code and makes no recommendations. But gcc and emacs directly contain code which RECOMMENDS compilation on non-free systems, by actually compiling and running there.

This is the TRUTH! By containing code which recommends compilation on non-free system then Richard you are doing MORE to support non-free than the OpenBSD ports system is! That's a fact! That's NOT an opinion.

You are a hypocritical liar, Richard. Your lies taint the efforts of the entire FSF and GNU communities. Shame on you all for letting Richard mislead you so.

I am sorry Theo, I know you don't give a rat's ass, but you are right, and you have been right all along! Dear Richard unless you actually address the above mentioned issues, in context of the e-mail from Theo, you will look hypocritical! You say what you don't do yourself.

Best regards. Rico Secada.
Re: Real men don't attack straw men (Theo)
I see you are being your usual friendly self ;-}.

Yes, and you are being the usual slimy hypocritical asshole.

I really fail to see, how a response like this serves OpenBSD or any other good purpose at all! If Richard Stallman is a hypocrite his answers and statements will show this by themselves, and nobody needs to be told. By stating it like this you only make yourself look stupid and childish, even if you are right! I used to respect you a lot Theo but that respect has been lost because of this ugly behaviour. Of course you don't care about that, but I really think you are hurting BSD, and not just OpenBSD, by confirming what a lot of people have said so many times - OpenBSD has an unfriendly atmosphere.

You are a slime who changes his position as he needs. You may have had value ten years ago, but people will see that you don't anymore.

Richard Stallman has done one thing right during all of this, and that is to keep responding in a friendly way, explaining his views. One can agree or not, but calling someone a slime, just because you don't agree, or just because you think he is bad, really makes no sense whatsoever! It just makes you look bad!
Working with Docbook on OpenBSD
Hi. Are there any tools that can be installed using packages or ports for converting docbook xml files into PDF? Normally I would use FOP, but I would pref. not having to install that from source. Best regards. Rico.
Re: Working with Docbook on OpenBSD
On Fri, 14 Dec 2007 06:21:02 +0100 Rico Secada [EMAIL PROTECTED] wrote:

Never mind! I found htmldoc which converts HTML into PDF very nicely. So Docbook -> HTML -> PDF. It does the job and without Java like FOP needs!

Hi. Are there any tools that can be installed using packages or ports for converting docbook xml files into PDF? Normally I would use FOP, but I would pref. not having to install that from source. Best regards. Rico.
Lets wrap up the Richard/non-free discussion in a kind manner
Dear Richard and others

It was I who started this discussion in the first place. It was I who posted the question about non-free in OpenBSD, because I had the understanding, that OpenBSD only contains non-free. After I heard you on the BSDTalk I posted to misc@openbsd.org in order to get some clarification because I got confused. I respect your work and opinion strongly, and I must apologize if this has led to any misbehaviour directed against you or others. I do feel however, that in order to get this discussion ended, in a good and kind manner, that you should comment on the statement below from Theo de Raadt.

To clarify everything and wrap this up I do believe that the following is the truth:

1. OpenBSD does not contain any non-free software, but does have some Makefiles in the ports system which contains urls that point to non-free. The ports tree is just a scaffold.

2. Richard Stallman does not consider an OS to be non-free when it contains urls, links or guides that will help people install non-free. Further he considers this to be un-ethical. This is an opinion to be respected. Hence OpenBSD is un-ethical in the interpretation of Richard.

3. Richard Stallman did make a mistake on BSDTalk that he should admit, because OpenBSD does not contain ANY non-free software, it only contains urls in Makefiles to non-free software - there is a BIG difference.

The following comment from Theo is true:

Richard, you are wrong. You said very clearly in your interview that the ports tree contains non-free software. It does not. It is just a scaffold of Makefiles containing URLs, and an occasional patch here or there.

Let's wrap this up in a nice manner.

Best and kind regards. Rico Secada.
Support for Brother HL1430
Hi. I looked at the http://openbsd.org/i386.html#hardware, but of course it doesn't say anything about printers :-) Does the OpenBSD 4.2 package of ghostscript support Brother HL1430? Is it possible to get this printer running without having to patch ghostscript? Best regards. Rico.
About non-free software in OpenBSD
Hi. I have just listened to the interview of Richard Stallman on BSDTalk: http://bsdtalk.blogspot.com/2007/10/bsdtalk132-richard-stallman.html

In the interview he states:

I am unhappy with the various distributions of BSD, because all of them include, in their installation systems, the ports system, they all include some non-free programs. And as a result I can't recommend any of them.

As I have understood, this isn't true about OpenBSD, or am I wrong? Rico.
About BSD Certification
Hi What do you think of The BSD Certification Group at bsdcertification.org? Is this a good idea? From my perspective it looks like a smart marketing way. A way to make money from people who think this would help in some way. Taking a certification doesn't prove anything imho. And the way that they focus on the 4 different BSDs.. you could have someone being an expert in OpenBSD yet he has never used DragonflyBSD, would this make him less interesting to hire for a BSD specific job? Best regards Rico
Re: About BSD Certification
On Sat, 9 Jun 2007 00:28:08 +0200 Marc Balmer [EMAIL PROTECTED] wrote: * Rico Secada wrote: What do you think of The BSD Certification Group at bsdcertification.org? It is as useless as MSCE and all the other vendor certificates. I would even go so far to claim it's a lot worse than a Microsoft or Cisco certificate. This is not backed by any industry, it just reflects what some people in the BSD community think would be needed to do a day job. My point exactly. Darren Spruell wrote: Then take a look at the names affiliated with the organization, and the people that are putting effort into furthering a BSD certification track and the reasons why. Many of the names you should recognize as contributors in our community. Contributors in our community yes, but this doesn't mean that a BSD certification is worth the money they charge. What it serves in my opinion, especially if the industry was backing it, is a way to keep very skillful people from getting a job! Not the opposite. A lot of people can't afford some 10 different certificates just to prove something which a certificate in reality doesn't prove anyway. bsdcertification.org is there to boost the ego of its members only. There is no real value in it. Perhaps I am mistaken about them making money part, but I agree with this. No value! Best regards Rico
Re: Chrooting users the right way
On Mon, 14 May 2007 02:43:59 +0200 [EMAIL PROTECTED] wrote: Follow-up: I found some posts on the archive about this being a very bad idea, would someone mind explaining why? On this particular system some users are trusted, but others are less trusted. The system contains some different specific files, which only the trusted users may look at. Is it a better way to simply create a group and put trusted users into that group and making that group the group of the files (chmod 750)? Also a few setups in etc are unwanted reading for less trusted users, how should one deal with that then? Forgive my ignorance on this issue! Hi I am setting up a new OpenBSD machine in which I want to chroot users. I don't want to use any of the patching solutions to OpenSSH but want to implement a real system chroot solution so any user, who is chrooted, is jailed even if he logs in manually. I have tried to find articles on this, but haven't been successful. Does anyone know of a good tutorial on how to do this on OpenBSD? Best and kind regards. Rico Secada.
Gluster
Hi Anyone with experience in setting up and using Gluster from GNU on OpenBSD? Rico
Re: Binary kernel and base update
On Sun, 29 Apr 2007 02:35:06 +0100 mal content [EMAIL PROTECTED] wrote: On 28/04/07, Maurice Janssen [EMAIL PROTECTED] wrote: On Thursday, April 19, 2007 at 23:45:51 +0200, Maurice Janssen wrote: Some progress was made in the last couple of days. First results are up at ftp://ftp.su.se/pub/mirrors/openbsd_stable/ I hope to add amd64, alpha and hppa in the near future. I don't have the hardware to build other architectures. If someone can help building one of the missing architectures, please let me know. Comments and suggestions are welcome. Judging by the number of reactions, nobody seems to be interested. I don't mind putting some time and effort into building these releases if people find them useful. But when nobody cares, then there are other things I can do in my spare time. I would appreciate some feedback. I'm extremely interested in binary updates as I don't yet have the resources to put together a build server and compiling updates in qemu is very painful. Until these binaries are trusted by the OpenBSD project though (which is to say, possibly never), I can't really afford the risk of putting them on live machines. Sorry. Like Mal is saying this is the problem. Someone from the devs wrote me at the beginning of this thread saying that it was a matter of resources and people. He also wrote that the devs were not commenting on this thread because, like most times, they receive a lot of good ideas, and people talk, but nobody ever does any work, he said that people should stop talking and then just get the work done. Someone has now done the work and more are willing to contribute. I expect you'll receive other replies along the same lines. MC
Re: SSHJail patch for OpenBSD
On Thu, 26 Apr 2007 22:34:52 -0500 Marco Peereboom [EMAIL PROTECTED] wrote: What's the point again? What part didn't you understand? On Fri, Apr 27, 2007 at 03:13:12AM +0200, Rico Secada wrote: Hi Before I testrun this http://paradigma.pt/~gngs/sshjail/ does anyone already know if this patch would work with OpenSSH on OpenBSD 3.9? Best regards Rico
Re: SSHJail patch for OpenBSD
On Fri, 27 Apr 2007 10:30:03 -0700 Ted Unangst [EMAIL PROTECTED] wrote: On 4/27/07, Rico Secada [EMAIL PROTECTED] wrote: On Thu, 26 Apr 2007 22:34:52 -0500 Marco Peereboom [EMAIL PROTECTED] wrote: What's the point again? What part didn't you understand? why are you asking this list about somebody else's patch? Because I was looking for people using OpenBSD who might have issues with this patch. ask the somebody else if their patch works. If I could benefit from that, I would.
Re: SSHJail patch for OpenBSD
On Fri, 27 Apr 2007 14:41:14 -0400 Steven Harms [EMAIL PROTECTED] wrote: That is the most ignorant statement I have ever seen. You misunderstand. I guess we can assume there will be no future versions of openssh because openssh developers have already thought of everything. Good luck with that attitude. Try to understand the subject first. The guy who made the patch is not using OpenBSD and hasn't done any testing on OpenBSD hence no benefit. On 4/27/07, Marco Peereboom [EMAIL PROTECTED] wrote: On Fri, Apr 27, 2007 at 08:17:16PM +0200, Rico Secada wrote: On Fri, 27 Apr 2007 10:30:03 -0700 Ted Unangst [EMAIL PROTECTED] wrote: On 4/27/07, Rico Secada [EMAIL PROTECTED] wrote: On Thu, 26 Apr 2007 22:34:52 -0500 Marco Peereboom [EMAIL PROTECTED] wrote: What's the point again? What part didn't you understand? why are you asking this list about somebody else's patch? Because I was looking for people using OpenBSD who might have issues with this patch. If this was a good idea don't you think someone who is actually involved in OpenSSH code would have done this already? ask the somebody else if their patch works. If I could benefit from that, I would.
Re: SSHJail patch for OpenBSD
On Fri, 27 Apr 2007 15:15:02 -0400 stuart van Zee [EMAIL PROTECTED] wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Marco Peereboom Sent: Friday, April 27, 2007 2:28 PM To: Rico Secada Cc: misc@openbsd.org Subject: Re: SSHJail patch for OpenBSD On Fri, Apr 27, 2007 at 08:17:16PM +0200, Rico Secada wrote: On Fri, 27 Apr 2007 10:30:03 -0700 Ted Unangst [EMAIL PROTECTED] wrote: On 4/27/07, Rico Secada [EMAIL PROTECTED] wrote: On Thu, 26 Apr 2007 22:34:52 -0500 Marco Peereboom [EMAIL PROTECTED] wrote: What's the point again? What part didn't you understand? why are you asking this list about somebody else's patch? Because I was looking for people using OpenBSD who might have issues with this patch. If this was a good idea don't you think someone who is actually involved in OpenSSH code would have done this already? ask the somebody else if their patch works. If I could benefit from that, I would. I don't know if it is a good idea or not, but I read about this patch yesterday and at first, I was pretty excited. I have been handed the requirement to move an FTP server to something more secure. All the other requirements that have been given to me for this have very strongly pointed right to SSH/SFTP. However, I have yet to figure out how to chroot users into their home folders with SFTP and that is unfortunately what the boss wants. If someone knows how to do this without patches like these Please let me know. Otherwise, I will have to keep looking. I certainly know enough from lurking on this list to know that if there are this many people on the list opposed to something there has got to be something wrong with it and I don't want it. No patch for me please! Hi Stuart I don't want to be rude, in any way, but this is no way to judge this patch, or any other patch for that matter. The list has a major number of readers, only so many actually know what they are talking about. 
A lot of good ideas have been rejected, not because the idea was bad, or because the patches were bad, but because of the lack of resources. s
Re: SSHJail patch for OpenBSD
On Fri, 27 Apr 2007 15:14:32 -0500 Marco Peereboom [EMAIL PROTECTED] wrote: On Fri, Apr 27, 2007 at 09:08:31PM +0200, Rico Secada wrote: On Fri, 27 Apr 2007 13:27:58 -0500 Marco Peereboom [EMAIL PROTECTED] wrote: On Fri, Apr 27, 2007 at 08:17:16PM +0200, Rico Secada wrote: On Fri, 27 Apr 2007 10:30:03 -0700 Ted Unangst [EMAIL PROTECTED] wrote: On 4/27/07, Rico Secada [EMAIL PROTECTED] wrote: On Thu, 26 Apr 2007 22:34:52 -0500 Marco Peereboom [EMAIL PROTECTED] wrote: What's the point again? What part didn't you understand? why are you asking this list about somebody else's patch? Because I was looking for people using OpenBSD who might have issues with this patch. If this was a good idea don't you think someone who is actually involved in OpenSSH code would have done this already? Do you think that because nobody from the OpenBSD devs has done it, that means it's not a good idea? If that's the case you don't know much about how the work is done. Obviously this has been discussed. There are a lot of good ideas, but only so many people and resources to get the job done. This is not a good idea since all you are trying to do can be done with the standard OS tools already. Now that you are asking, the patch and the idea behind the patch is very good. If used in combination with SSHfs it serves a very specific purpose. And why can't you do this with the standard tools that come with the OS? You know, like chown and chgrp? Jailing somebody means that the person won't be able to go outside the jail, now what you are talking about doesn't provide that. We have been using that solution but it has provided some problems. A jail will NOT have any additional benefit. Yes it will. 
A lot of people, including our company - who are providing support to the development of OpenBSD, have been wanting to be able both to jail users who only need scp/sftp, and also prevent them from SSH in, now this can be done with a sftp-server shell, but jailing without trouble hasn't been possible, forcing other less purposeful solutions. Allowing ssh/sftp will by default enable the would be attacker to employ local attacks. If there is a local exploit available the box will be rooted; no jail in the world will save you. Now.. 1. Exploiting the box has absolutely nothing to do with this discussion! 2. Jailing the user is from a practical specific point of view but you have to know the exact setup before you would understand the issue. 3. What are you talking about - local attacks? There is no benefit and the code is more complex. Wrong and wrong. But let's not go there now. If you really understand and know that this is a bad idea, perhaps you wouldn't mind sharing that knowledge with the rest? That's why I asked in the first place. If I have access to a machine and I can upload files all bets are off. All local exploits are now available; jailing will not make any difference. ask the somebody else if their patch works. If I could benefit from that, I would.
Re: SSHJail patch for OpenBSD
On Fri, 27 Apr 2007 23:38:48 +0200 Renaud Allard [EMAIL PROTECTED] wrote: Rico Secada wrote: Hi Before I testrun this http://paradigma.pt/~gngs/sshjail/ does anyone already know if this patch would work with OpenSSH on OpenBSD 3.9? Best regards Rico Honestly, you should have a look at sysjail (http://sysjail.bsd.lv) which is probably a better and more secure solution. Thank you Renaud, I will look into it.
SSHJail patch for OpenBSD
Hi Before I testrun this http://paradigma.pt/~gngs/sshjail/ does anyone already know if this patch would work with OpenSSH on OpenBSD 3.9? Best regards Rico
Re: Help needed with server setup at work
On Mon, 23 Apr 2007 20:22:05 -0700 Darren Spruell [EMAIL PROTECTED] wrote: On 4/23/07, Rico Secada [EMAIL PROTECTED] wrote: Messages should look like: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. 123456789012345678901234567890123456789012345678901234567890123456789012 Not like: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. I already answered someone who also commented on this. I am not being rude, but why is that important? Internet etiquette. If you've never heard of it, chances are you've spent too much time in a stupid corporate messaging environment or using a retarded email client from a vendor that thinks they have to reinvent the conventions that electronic mail has followed for decades. I must be using a retarded mail client then, I am using sylpheed. http://www.google.com/search?hl=enclient=firefox-arls=com.ubuntu%3Aen-US%3Aofficialq=netiquette+wrap+mail+72btnG=Search DS
Re: shutdown gets stuck at `syncing discs...'
, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered usb2 at uhci1: USB revision 1.0 uhub2 at usb2 uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub2: 2 ports with 2 removable, self powered usb3 at uhci2: USB revision 1.0 uhub3 at usb3 uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub3: 2 ports with 2 removable, self powered usb4 at uhci3: USB revision 1.0 uhub4 at usb4 uhub4: VIA UHCI root hub, rev 1.00/1.00, addr 1 uhub4: 2 ports with 2 removable, self powered isa0 at mainbus0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: PC speaker spkr0 at pcppi0 lm0 at isa0 port 0x290/8: W83697HF npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 biomask fffd netmask fffd ttymask pctr: user-level cycle counter enabled mtrr: Pentium Pro MTRR support wd0c: aborted command, interface CRC error reading fsbn 64 (wd0 bn 64; cn 0 tn 1 sn 1), retrying wd0: transfer error, downgrading to Ultra-DMA mode 5 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 6 wd0c: aborted command, interface CRC error reading fsbn 64 (wd0 bn 64; cn 0 tn 1 sn 1), retrying wd0: soft error (corrected) dkcsum: wd0 matches BIOS drive 0x80 dkcsum: wd1 matches BIOS drive 0x81 root on wd0a rootdev=0x0 rrootdev=0x300 rawdev=0x302 WARNING: / was not properly unmounted wd0: transfer error, downgrading to Ultra-DMA mode 4 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4 wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 6 wd0a: aborted command, interface CRC error reading fsbn 96 of 96-0 (wd0 bn 159; cn 0 tn 2 sn 33), retrying wd0: transfer error, downgrading to Ultra-DMA mode 3 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 3 wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 6 wd0a: aborted command, interface CRC error reading fsbn 
96 of 96-0 (wd0 bn 159; cn 0 tn 2 sn 33), retrying wd0: soft error (corrected) wd0: transfer error, downgrading to Ultra-DMA mode 2 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2 wd0a: aborted command, interface CRC error writing fsbn 16 of 16-0 (wd0 bn 79; cn 0 tn 1 sn 16), retrying wd0: soft error (corrected) cd0(atapiscsi0:0:0): Check Condition (error 0x70) on opcode 0x0 SENSE KEY: Not Ready ASC/ASCQ: Medium Not Present # Han -- Best and kind regards Rico Secada
Help needed with server setup at work
Hi I need some comments from you guys on using sshfs as a solution at work. I need to make some of our NFS servers available for employees at their homes (where they live). I have been looking at both IPSec together with VPN, but I really like SSH better. At debian mailing list I got a suggestion about using sshfs and nothing else, I really love SSH, but am a bit worried about users being able to ssh in. With sshfs the workers can mount their home directories like with nfs. If userlands are setup chmod 700, and each user is in no groups but themselves, does this pose a security risk? Best regards Rico [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: Help needed with server setup at work
On Tue, 24 Apr 2007 00:05:51 +0200 Joachim Schipper [EMAIL PROTECTED] wrote: On Mon, Apr 23, 2007 at 09:28:53PM +0200, Rico Secada wrote: Hi I need some comments from you guys on using sshfs as a solution at work. I need to make some of our NFS servers available for employees at their homes (where they live). I have been looking at both IPSec together with VPN, but I really like SSH better. At debian mailing list I got a suggestion about using sshfs and nothing else, I really love SSH, but am a bit worried about users being able to ssh in. With sshfs the workers can mount their home directories like with nfs. If userlands are setup chmod 700, and each user is in no groups but themselves, does this pose a security risk? This is a public mailing list. Trim your message at 72 columns. Meaning? [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc] mail.html specifically states not to do this, and posting them as an attachment is particularly useless. I have got no idea what this is about. I haven't made any attachments. However, I presume you came here looking for advice that actually pertains to your question. sshfs uses FUSE, which is at the moment Linux-only. It's also an interesting, but rather scary, contraption. Getting it installed might not be easy. (I say 'might' because I've never tried it; for all I know, all major distributions have a package and compile the relevant part into their stock kernels. Does anybody have more information?) Using OpenBSD as a server works perfectly. The server needs nothing more than SSH. About the client I have successfully setup Debian with fuse and it works perfectly with OpenBSD serving. I also know that FreeBSD has a port for client installation. Fuse uses the sftp part of SSH. On Debian all it takes is installing the package and using modprobe. On FreeBSD it should be almost as easy and quick. 
If the goal is to use SSH, you might want to take a look at ssh -w; I believe that will work for you, but read the docs first. As an alternative, consider switching to something with fixed port allocations (CIFS/SAMBA, AFS) and port forwarding. Finally, if confidentiality does not matter, consider authpf. However, the proper way to set up a VPN is to set up a VPN. The only concern I have is users snooping around because they are able to ssh in, besides that sshfs works like a charm and it's so easy and quick to setup. I have combined scponly with the servers, and that works well too, but since scponly isn't safe, as in a lot of work is done security wise, I would not want to run with that as a permanent solution. I trust OpenSSH over any VPN solution any day, but SSH might cause a problem in other areas, hence the question. Thanks Joachim. Joachim -- TFMotD: amd (8) - automatically mount file systems -- Best and kind regards Rico Secada
Re: Help needed with server setup at work
On Mon, 23 Apr 2007 19:43:53 -0400 Douglas Allan Tutty [EMAIL PROTECTED] wrote: On Tue, Apr 24, 2007 at 12:48:46AM +0200, Rico Secada wrote: On Tue, 24 Apr 2007 00:05:51 +0200 Joachim Schipper [EMAIL PROTECTED] wrote: On Mon, Apr 23, 2007 at 09:28:53PM +0200, Rico Secada wrote: This is a public mailing list. Trim your message at 72 columns. Meaning? The following line is as I received it. It is 401 characters wide. I have left it as is for your edification. Using OpenBSD as a server works perfectly. The server needs nothing more than SSH. About the client I have successfully setup Debian with fuse and it works perfectly with OpenBSD serving. I also know that FreeBSD has a port for client installation. Fuse uses the sftp part of SSH. On Debian all it takes is installing the package and using modprobe. On FreeBSD it should be almost as easy and quick. This line was also received. It is 471 characters wide. I have wrapped it. Using vim I only had to do a gqap. I am sorry if I sound stupid, but I have never heard of this being a problem before :-) Has it something to do with people using console based mailreaders? The only concern I have is users snooping around because they are able to ssh in, besides that sshfs works like a charm and it's so easy and quick to setup. I have combined scponly with the servers, and that works well too, but since scponly isn't safe, as in a lot of work is done security wise, I would not want to run with that as a permanent solution. I trust OpenSSH over any VPN solution any day, but SSH might cause a problem in other areas, hence the question. [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc] I have got no idea what this is about. I haven't made any attachments. _somebody_ signed a post on this thread and instead of a signature the mail list server put a message that it was removed. Ok, that makes sense :-) Thanks. Doug.
Re: Help needed with server setup at work
On Tue, 24 Apr 2007 01:33:10 +0200 Joachim Schipper [EMAIL PROTECTED] wrote: On Tue, Apr 24, 2007 at 12:48:46AM +0200, Rico Secada wrote: On Tue, 24 Apr 2007 00:05:51 +0200 Joachim Schipper [EMAIL PROTECTED] wrote: On Mon, Apr 23, 2007 at 09:28:53PM +0200, Rico Secada wrote: Hi I need some comments from you guys on using sshfs as a solution at work. I need to make some of our NFS servers available for employees at their homes (where they live). I have been looking at both IPSec together with VPN, but I really like SSH better. At debian mailing list I got a suggestion about using sshfs and nothing else, I really love SSH, but am a bit worried about users being able to ssh in. With sshfs the workers can mount their home directories like with nfs. If userlands are setup chmod 700, and each user is in no groups but themselves, does this pose a security risk? This is a public mailing list. Trim your message at 72 columns. Meaning? Messages should look like: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. 123456789012345678901234567890123456789012345678901234567890123456789012 Not like: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. I already answered someone who also commented on this. 
I am not being rude, but why is that important? [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc] mail.html specifically states not to do this, and posting them as an attachment is particularly useless. I have got no idea what this is about. I haven't made any attachments. Yes, you have: a new-style PGP signature is an attachment. I didn't know that, thank you for making me aware :-) However, I presume you came here looking for advice that actually pertains to your question. sshfs uses FUSE, which is at the moment Linux-only. It's also an interesting, but rather scary, contraption. Getting it installed might not be easy. (I say 'might' because I've never tried it; for all I know, all major distributions have a package and compile the relevant part into their stock kernels. Does anybody have more information?) Using OpenBSD as a server works perfectly. The server needs nothing more than SSH. About the client I have successfully setup Debian with fuse and it works perfectly with OpenBSD serving. I also know that FreeBSD has a port for client installation. Fuse uses the sftp part of SSH. On Debian all it takes is installing the package and using modprobe. On FreeBSD it should be almost as easy and quick. Okay, so there's a FreeBSD port now. Cool. Still, you can't access it from OpenBSD. I was just wondering if that is a problem. In our case no clients are gonna run OpenBSD, only the servers will run OpenBSD. If the goal is to use SSH, you might want to take a look at ssh -w; I believe that will work for you, but read the docs first. As an alternative, consider switching to something with fixed port allocations (CIFS/SAMBA, AFS) and port forwarding. Finally, if confidentiality does not matter, consider authpf. However, the proper way to set up a VPN is to set up a VPN. 
The only concern I have is users snooping around because they are able to ssh in, besides that sshfs works like a charm and it's so easy and quick to setup. I have combined scponly with the servers, and that works well too, but since scponly isn't safe, as in a lot of work is done security wise, I would not want to run with that as a permanent solution. I trust OpenSSH over any VPN solution any day, but SSH might cause a problem in other areas, hence the question. If you have a restrictive SSH setup (you might want to use sftp for the user's shell, or force them to use that command - see ForceCommand in sshd_setup(5), and you definitely want to disable port forwarding), I don't think you will have too many problems. Thank you very much for your reply Joachim! I will look into that. Joachim
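The restrictive setup suggested in the reply above (sftp forced as the command, port forwarding disabled) can be checked per user. The following Python sketch is an added example, not part of the original thread: it works out which ForceCommand, AllowTcpForwarding and PermitTunnel values apply to one user and reports the gaps. The sample configuration, the user and group names, and the function names are constructed for illustration; only Match User, Group and All criteria are evaluated.

```python
"""Report which sshd_config restrictions apply to a given user."""
import os
from fnmatch import fnmatchcase

# sshd's defaults for the keywords checked here, used when nothing sets them.
DEFAULTS = {"forcecommand": None, "allowtcpforwarding": "yes", "permittunnel": "no"}
SFTP_COMMANDS = {"internal-sftp", "sftp-server"}

# Constructed sample configuration; the user and group names are made up.
SAMPLE_CONFIG = """\
Subsystem sftp /usr/libexec/sftp-server
AllowTcpForwarding yes

Match Group sftponly
    ForceCommand internal-sftp
    AllowTcpForwarding no

Match User backup
    ForceCommand /usr/libexec/sftp-server
"""


def _criteria(words):
    """Turn the words after 'Match' into (name, pattern-list) pairs."""
    out, i = [], 0
    while i < len(words):
        name = words[i].lower()
        if name == "all":
            out.append(("all", ""))
            i += 1
        else:
            out.append((name, words[i + 1] if i + 1 < len(words) else ""))
            i += 2
    return out


def parse(text):
    """Split a config into global settings and a list of (criteria, settings)."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            blocks.append((_criteria(value.split()), current))
        else:
            current.setdefault(keyword, value)  # first value obtained wins
    return global_settings, blocks


def _matches(values, patterns):
    """Pattern list: a negated hit rejects, otherwise one positive hit is needed."""
    hit = False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        found = any(fnmatchcase(v, pat[1:] if negated else pat) for v in values)
        if negated and found:
            return False
        hit = hit or (found and not negated)
    return hit


def _block_applies(criteria, user, groups):
    for name, arg in criteria:
        if name == "user" and not _matches([user], arg):
            return False
        if name == "group" and not _matches(groups, arg):
            return False
        if name not in ("all", "user", "group"):
            return False  # Address, Host etc. need connection data: not evaluated
    return True


def effective(text, user, groups):
    """Matching Match blocks override the global section; defaults fill the rest."""
    global_settings, blocks = parse(text)
    result = {}
    for criteria, settings in blocks:
        if _block_applies(criteria, user, groups):
            for key, value in settings.items():
                result.setdefault(key, value)
    for key, value in global_settings.items():
        result.setdefault(key, value)
    return {key: result.get(key, default) for key, default in DEFAULTS.items()}


def audit(text, user, groups):
    """Return a list of findings; an empty list means the restrictions hold."""
    eff = effective(text, user, groups)
    findings = []
    cmd = eff["forcecommand"]
    if not cmd or os.path.basename(cmd.split()[0]) not in SFTP_COMMANDS:
        findings.append("ForceCommand does not force sftp")
    if eff["allowtcpforwarding"].lower() != "no":
        findings.append("AllowTcpForwarding is %s" % eff["allowtcpforwarding"])
    if eff["permittunnel"].lower() != "no":
        findings.append("PermitTunnel is %s" % eff["permittunnel"])
    return findings


if __name__ == "__main__":
    for name, grps in [("alice", ["alice", "sftponly"]), ("backup", ["backup"]),
                       ("carol", ["carol", "wheel"])]:
        print(name, audit(SAMPLE_CONFIG, name, grps) or "restricted to sftp")
```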
AFS Server on OpenBSD
Hi, I have been trying to find some information on setting up a AFS server on OpenBSD, is it even possible? Rico.
Distributed File System
Hi all. At work I am experimenting with setting up some distributed file system, at the current moment working with NFS. The problem is that it is being setup at work and people, from their homes, need to be able to mount the system. I have no prior experience in this, except for setting up and using NFS across a LAN. I would greatly appreciate any recommendations regarding security, effectiveness and other advice! I have been thinking about tunneling NFS over SSH2, and possibly using some kind of cache, but I do not know if this is actually the best approach. I have also been thinking about using AFS as posted before. Also perhaps, but not necessary, support for Windows could be needed in the long run. What are you guys using and how is it setup? Best and kind regards! Rico.
Re: Binary kernel and base update
On Fri, 13 Apr 2007 15:16:41 -0400 Daniel Ouellet [EMAIL PROTECTED] wrote: Not to put the burning on anyone here, but if that was going to be done, I would love to be sure it is done properly, meaning with some guidance of devs to follow the same standard as the project if possible. Any comments from the devs now that some guys really want to make an effort? Let's get it up and running! At a minimum, just a hosting of good and reliable binaries would already be great. In any case, I am not sure where this will go, or if anywhere, but if there is a real effort, I would do my share and can put it on openbsdsupport.org as well if that helps some. There has been talk on this subject for years and I suspect it will continue for more, but I may be wrong.
Binary kernel updates
Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there are no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico
Re: Binary kernel updates
On Tue, 10 Apr 2007 13:34:57 -0400 Jeremy Huiskamp [EMAIL PROTECTED] wrote: If you'd bothered to inspect the headers you would have noticed that the below message was sent before the one that has many replies but it didn't arrive until about 20 hours after it was sent. Probably stuck in the pipes somewhere, that seems to happen with misc@ a lot. Rico probably figured it was lost and so he sent another which is fairly reasonable. Thank you Jeremy! That was exactly what happened :-) I thought my ISP had some problems with his SMTP server. Jeremy On 10-Apr-07, at 12:44 PM, Bryan wrote: Why post twice? Sending it as different person within 24 hours of one another is not going to get what you want... A couple of people gave you solutions, choose one, or move to Linux... Remember this??? [EMAIL PROTECTED] [EMAIL PROTECTED] to misc@openbsd.org date Apr 9, 2007 4:43 PM subject Binary kernel and base update mailed-by openbsd.org Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there are no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico On 4/9/07, Rico Secada [EMAIL PROTECTED] wrote: Hi all. 
I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there are no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico
Re: Binary kernel updates
On Tue, 10 Apr 2007 11:29:17 -0700 Bryan [EMAIL PROTECTED] wrote:

> I am exceedingly sorry. I realize now that it was not Rico's fault. My venom was uncalled for... Again, sorry Rico, et al...

Apology accepted :-)

> back to the shadows...
>
> On 4/10/07, Jeremy Huiskamp [EMAIL PROTECTED] wrote:
>
>> If you'd bothered to inspect the headers you would have noticed that the below message was sent before the one that has many replies but it didn't arrive until about 20 hours after it was sent. Probably stuck in the pipes somewhere, that seems to happen with misc@ a lot. Rico probably figured it was lost and so he sent another which is fairly reasonable.
>>
>> Jeremy
>>
>> On 10-Apr-07, at 12:44 PM, Bryan wrote:
>>
>>> Why post twice? Sending it as different person within 24 hours of one another is not going to get what you want... A couple of people gave you solutions, choose one, or move to Linux...
>>>
>>> Remember this???
>>>
>>> [EMAIL PROTECTED] [EMAIL PROTECTED]
>>> to misc@openbsd.org
>>> date Apr 9, 2007 4:43 PM
>>> subject Binary kernel and base update
>>> mailed-by openbsd.org
>>>
>>> Hi all.
>>>
>>> I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there are no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way?
>>>
>>> Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well?
>>>
>>> Best and kind regards. Rico
>>>
>>> On 4/9/07, Rico Secada [EMAIL PROTECTED] wrote:
>>>
>>>> Hi all.
>>>>
>>>> I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there are no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way?
>>>>
>>>> Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well?
>>>>
>>>> Best and kind regards. Rico
Re: Binary kernel and base update
On Tue, 10 Apr 2007 01:43:56 +0200 [EMAIL PROTECTED] wrote:

Thanks to all for the kind and enlightening answers. When I read that it was mainly due to lack of people and so, and not because that it was a bad idea, I then hope OpenBSD will keep expanding, and one day have all the resources which it needs.

> Hi all.
>
> I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there are no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way?
>
> Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well?
>
> Best and kind regards. Rico
A little about assembly language
Hi,

I am brushing up a bit on my assembly language skills. I used to work on MIPS but am now looking at x86. I have a problem choosing between following a book using the (as) AT&T syntax and another using (nasm) Intel syntax. I know that this isn't directly OpenBSD related but I would appreciate any recommendations.

Best and kind regards, Rico.
Re: 202 days Uptime in OpenBSD 3.6
On Wed, 10 Jan 2007 18:47:38 -0800 Greg Thomas [EMAIL PROTECTED] wrote:

> On 1/10/07, Francisco Valladolid [EMAIL PROTECTED] wrote:
>
>> I have 202 days using OpenBSD 3.6 as router/firewall/PPPOE. I want to share this screenshot. http://farm1.static.flickr.com/147/353353577_e8e875083d_o.jpg
>
> Wow, I am impressed, your dick is way bigger than mine because I have become a eunuch for the kingdom of heaven's sake. (Matthew 19:12) My uptime is permanently stuck at zero now.
>
> Greg

We all know that a long uptime means neglect, but that doesn't mean we should reply in a dumb way like that! Why the hell do you always feel you have to make people wanna go away!?
OpenBSD's own compiler
Hi

I am currently studying the Ada programming language and I read about the different safety demands, which have been made a standard, upon compilers. I read about how Ada is being used in all areas where safety is of great issue, and about how it's being used in rockets, Boeing airplanes and so on because of its high level of safety.

What I understood from it is that the demand and control upon compilers, rather than on the source code, eliminates the possibility of a lot of errors in the source code, the compiler will not compile the program, and since Ada is being used in a lot of places where lives depend upon the software, it has to be very safe.

I was wondering, would it be a stupid and bad idea for the OpenBSD team to develop an OpenBSD C compiler based upon the OpenBSD security knowledge and internal standards regarding the language? Making it impossible for the compiler to accept and compile programs with all the known errors which cause problems. The OpenBSD way of programming has clearly made it clear what security and quality is all about.

Now I know all the rules about, no talk, just develop, and what else is here. I am not a developer. This is not an attempt to do anything other than ask a question. Seeing how OpenBSD's OpenSSH has been implemented worldwide, the thought about a compiler made me wanna ask the question and learn from the answers.

If you are one of those persons who just need to let off steam or just needs an excuse to flame someone, or if you in general think that my question is about the most stupid question you have ever read, then please, do something else with your time, don't answer this email, just ignore it - especially if you aren't a developer yourself. And if you can't help yourself, just mail me off-list.

The best and kind regards. Rico
Why ksh?
Hi

I don't want to start a religious thread and I don't want general personal opinions :-)

Why have OpenBSD developers decided to run ksh as the default shell and not for example bash or zsh? The question is being asked because of a debate at our datacenter about the three shells and I would like to understand both the technical reason and the more general one - if possible someone knows and has the time to answer.

Best and kind regards

Rico
Something like Plesk for OpenBSD
Hi

I would like recommendations on solutions like Plesk for OpenBSD. The main focus is to make it easy for people (clients) to log on to OpenBSD servers and administer their webhotels, change FTP password and so on. What are people, if any, on the list using?

Best and kind regards! Rico
Encrypting e-mails
Hi

I have been looking into encrypting my e-mails and was thinking about GPG together with Sylpheed, since I am using Sylpheed. But I am wondering is there another and stronger or better way than GPG. Any recommendations?

Best and kind regards, Rico
Re: UTF-8 text editor
On Mon, 10 Jul 2006 20:27:42 +0200 Mackan [EMAIL PROTECTED] wrote:

> Hi list!
>
> Is there any UTF-8-aware text editor (for terminal use) available for OpenBSD? Vi(m) and similar is out of question for me, I never learned those. I tried to compile latest nano from CVS, which support UTF-8, but with no luck. I get configure errors saying that my curses don't support unicode. Using 3.9/i386 with GENERIC. Suggestions anyone?

I am using mcedit which is a part of Midnight Commander (mc). It is based upon cooledit which supports unicode. You can install it by using pkg_add mc or from ports.

I work a lot with DocBook in UTF8 and I normally use Quanta+ but occasionally I need to make a quick change from a terminal. I then use mcedit. I find mcedit extremely user friendly and very easy to use. It has a very nice drop down menu if you press F9, which for example gives you spelling check via ISpell.

Best and kind regards, Rico

> Thanks, Mackan
Encrypting files
Hi

I have been thinking about encrypting some private files on my laptop, in case it gets stolen. I have no prior experience in this field. I have been thinking about using mcrypt with blowfish, but is this a good way to go about it? Is there a better alternative? And is blowfish the best way to encrypt it? Please bear with me if these questions are ignorant.

Best regards, Rico
Fw: NFSd problem - solved!
Don't respond to this mail. Problem got solved, a power cut and a toasted exports file.

On Thu, 29 Jun 2006 22:44:51 +0200 Rico Secada [EMAIL PROTECTED] wrote:

> Hi
>
> I am having problems with one of our NFS servers at our datacenter. I have just set it up.
>
> I have edited /etc/rc.conf and changed the portmap and nfs_server to YES.
> I have created the /var/db/mountdtab file.
> I have made an entry to /etc/exports.
>
> When I reboot the machine and take a look with rpcinfo, I only get portmapper running.
>
> # rpcinfo -p
> program vers proto port
> 102 tcp111 portmapper
> 102 udp111 portmapper
>
> If I try manually to start nfsd, it won't start. Looking at the log of daemon I get:
>
> # cat /var/log/daemon
> Jun 30 00:27:11 nfsserver savecore: no core dump
>
> What could be wrong here?
>
> Best and kind regards, Rico
NFSd problem
Hi

I am having problems with one of our NFS servers at our datacenter. I have just set it up.

I have edited /etc/rc.conf and changed the portmap and nfs_server to YES.
I have created the /var/db/mountdtab file.
I have made an entry to /etc/exports.

When I reboot the machine and take a look with rpcinfo, I only get portmapper running.

# rpcinfo -p
program vers proto port
102 tcp111 portmapper
102 udp111 portmapper

If I try manually to start nfsd, it won't start. Looking at the log of daemon I get:

# cat /var/log/daemon
Jun 30 00:27:11 nfsserver savecore: no core dump

What could be wrong here?

Best and kind regards, Rico