Re: relayd forward with tls
Take a look at the example in man relayd.conf. You have to set the X-header like:

match header set "X-Forwarded-For" \
	value "$REMOTE_ADDR"
match header set "X-Forwarded-By" \
	value "$SERVER_ADDR:$SERVER_PORT"

I could post an example when I'm back at my machine.

On 8 January 2024 23:51:33 CET, Adriano Barbosa wrote:
>On Mon, Jan 08, 2024 at 07:01:04AM -0800, Paul Pace wrote:
>> On 1/7/24 1:31 PM, Adriano Barbosa wrote:
>> > On Sun, Jan 07, 2024 at 05:21:04AM -0800, Paul Pace wrote:
>> > > On 1/6/24 7:35 PM, Adriano Barbosa wrote:
>> > > > On Thu, Jan 04, 2024 at 06:57:10PM -0800, Paul Pace wrote:
>> > > > > On 1/4/24 10:22 AM, Adriano Barbosa wrote:
>> > > > > > Hi!
>> > > > > > I'm trying to use relayd with multiple FQDNs mixing remote servers
>> > > > > > with and without tls:
>> > > > > >
>> > > > > > relayd -- fqdn1 --> 127.0.0.1 (no tls)
>> > > > > >        -- fqdn2 --> x.x.x.x (with tls)
>> > > > > >
>> > > > > > I wrote my relayd.conf like this:
>> > > > > >
>> > > > > > table { 127.0.0.1 }
>> > > > > > table { x.x.x.x }
>> > > > > >
>> > > > > > http protocol https {
>> > > > > >     tls keypair fqdn1
>> > > > > >     tls keypair fqdn2
>> > > > > >
>> > > > > >     match request header "Host" value "fqdn1" tag "fqdn1"
>> > > > > >     pass request tagged "fqdn1" forward to
>> > > > > >
>> > > > > >     match request header "Host" value "fqdn2" tag "fqdn2"
>> > > > > >     pass request tagged "fqdn2" forward to
>> > > > > > }
>> > > > > >
>> > > > > > relay wwwtls {
>> > > > > >     listen on egress port 443 tls
>> > > > > >     protocol https
>> > > > > >     forward to port 80
>> > > > > >     forward with tls to port 443
>> > > > > > }
>> > > > >
>> > > > > With one forward requiring TLS in a relay block, relayd will require
>> > > > > TLS for all forward statements in the relay block.
>> > > > >
>> > > > > >
>> > > > > > I have fqdn2 working and fqdn1 giving a "curl: (52) Empty reply
>> > > > > > from server".
>> > > > > > Removing "with tls" on the second forward, fqdn1 works and fqdn2
>> > > > > > gives a "Client sent an HTTP request to an HTTPS server."
>> > > > > >
>> > > > > > Is it possible to have relayd working on this scenario? What am I
>> > > > > > missing here?
>> > > > > >
>> > > > > > Obrigado!
>> > > > > > --
>> > > > > > Adriano
>> > > > >
>> > > >
>> > > > Thank you for the response.
>> > > >
>> > > > Digging a little more, I found that if I change the listen port from
>> > > > 443 to values other than 443 and 80, the "match request host" filter
>> > > > stops working. The behaviour is the same with or without "with tls" on
>> > > > the relay.
>> > > >
>> > > > With port 443:
>> > > > stable# curl --insecure https://fqdn1
>> > > > Server 1
>> > > > stable# curl --insecure https://fqdn2
>> > > > Server 2
>> > > >
>> > > > With port 4430 and allegedly any port other than 80 and 443:
>> > > > stable# curl --insecure https://fqdn1:4430
>> > > > Server 1
>> > > > stable# curl --insecure https://fqdn2:4430
>> > > > Server 1
>> > > >
>> > > What does curl -vk show?
>> > >
>> >
>> > Unfortunately, no difference. Follows:
>> >
>> > $ curl --insecure -vk https://fqdn2
>> > * Host fqdn2:443 was resolved.
>> > * IPv6: (none)
>> > * IPv4: 127.0.0.1
>> > *   Trying 127.0.0.1:443...
>> > * Connected to fqdn2 (127.0.0.1) port 443
>> > * ALPN: curl offers h2,http/1.1
>> > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
>> > * TLSv1.3 (IN), TLS handshake, Server hello (2):
>> > * TLSv1.3 (IN), TLS handshake, Unknown (8):
>> > * TLSv1.3 (IN), TLS handshake, Certificate (11):
>> > * TLSv1.3 (IN), TLS handshake, CERT verify (15):
>> > * TLSv1.3 (IN), TLS handshake, Finished (20):
>> > * TLSv1.3 (OUT), TLS handshake, Finished (20):
>> > * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
>> > * ALPN: server did not agree on a protocol. Uses default.
>> > * Server certificate:
>> > *  subject: C=BR; ST=MS; L=DOU
>> > *  start date: Jan  6 20:12:43 2024 GMT
>> > *  expire date: Jan  5 20:12:43 2025 GMT
>> > *  issuer: C=BR; ST=MS; L=DOU
>> > *  SSL certificate verify result: self signed certificate (18), continuing anyway.
>> > *   Certificate level 0: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
>> > * using HTTP/1.x
>> > > GET / HTTP/1.1
>> > > Host: fqdn2
>> > > User-Agent: curl/8.5.0
>> > > Accept: */*
>> > >
>> > < HTTP/1.1 200 OK
>> > < Connection: keep-alive
>> > < Content-Length: 18
>> > < Content-Type: text/html
>> > < Date: Sun, 07 Jan 2024 21:23:24 GMT
>> > < Last-Modified: Sun, 07 Jan 2024 21:19:24 GMT
>> > < Server: OpenBSD httpd
>> > <
>> > Server 2
>> > * Connection #0 to host fqdn2 left intact
>> >
>> > and
>> >
>> > $ curl --insecure -vk https://fqdn2:4430
>> > * Host fqdn2:4430 was resolved.
>> > * IPv6: (none)
>> > * IPv4: 127.0.0.1
>> > *   Trying 127.0.0.1:4430...
>> > *
Re: cwm on wayland
Please keep woke bs out of technical development.

On 16 December 2023 00:22:51 CET, Anders Andersson wrote:
>On Fri, Dec 15, 2023 at 7:01 PM David Coppa wrote:
>>
>> On Fri, Dec 15, 2023 at 6:29 PM wrote:
>> >
>> > So they're putting a Wayland in our BSD.
>> >
>> > I've never used that before.
>> >
>> > Is a port of cwm planned?
>>
>> I really don't think so.
>>
>> But there's hikari, a stacking Wayland compositor heavily inspired by
>> cwm: https://hikari.acmelabs.space/
>>
>> We might probably have a port of it in our ports tree in the future.
>>
>> Ciao,
>> David
>>
>
>I'm not sure their "Geekfeminism Code of Conduct"
>(https://hikari.acmelabs.space/coc.html) works well with OpenBSD.
>

--
This message was sent from my Android device with K-9 Mail.
Re: 2FA VPNs
On 02 Nov 02:05, Stuart Henderson wrote:
> If anyone's got any good suggestions on how to do VPNs with 2FA
> on an OpenBSD gateway for non-technical users to access (iOS, Android,
> Windows clients) I'd love to hear them.
>
> I could bodge something together with openvpn and TOTP but it doesn't
> exactly spark joy.
>

Two possible solutions come to my mind. Use OpenVPN with bsd-auth and configure login_totp from the package login_oath. So one has the client certificate plus TOTP. Or configure L2TP/IPsec with certificates and configure npppd to use radius. Then either use radiusd with bsdauth or use freeradius for MFA.

--
wq: ~uw
Re: Sharing desktop with Jitsi and pledge
Not with Jitsi, but with Nextcloud Talk I got it working in Chrome.

On 29 June 2021 19:30:57 GMT+00:00, Jonathan Drews wrote:
>Hi Folks:
>
>I am running OpenBSD 6.9 GENERIC.MP#4 amd64 and have Jitsi working
>well here on OpenBSD. The audio and video work fine. So does the typing
>of comments in Jitsi.
>
>However when I attempt to share my desktop, through Jitsi, then
>Firefox crashes. I get this message in my dmesg output:
>
>firefox[17370]: pledge "", syscall 289
>
>It looks like pledge is stopping Jitsi, as it should. Any suggestions
>as to how I could share a presentation through OpenBSD? I've tried
>Zoom but it doesn't work as well as Jitsi.
>
>Kind regards,
>Jonathan

--
This message was sent from my Android device with K-9 Mail.
Re: ssl/libssl certificate validation broken?
On 22 Oct 22:59, Daniel Jakots wrote:
> On Thu, 22 Oct 2020 21:49:20 -0500, "Rafael Possamai"
> wrote:
>
> > >Hi Bob, it was in the middle of the night and I got quite kinda
> > >stressed because all services depending on our ldap proxy stopped
> > >working after the upgrade and it took me a while to figure the
> > >problem out.
> >
> > Perhaps this is unsolicited advice, but maybe you can setup a test
> > system first, perform major upgrade on it to make sure everything
> > works. If so, then do it in production.
> >
>
> Even better, try -current a few weeks before release (a possible hint
> is -beta). This way you can get any encountered bug fixed in time for
> -release. Your prod but also every one else will benefit from it.
>
> Cheers,
> Daniel
>

That's very good advice. I have a very similar setup at home for most services (even with ldap). I always run -current on my workstations - one workstation is updated more or less daily and if that works I upgrade the 2nd one (important for ports too). At home I regularly install snapshots (~ every 2nd week) - because before I implement something at work I usually try and test it at home as well - often with "cutting edge" features.

When upgrading at work I always upgrade dev first. And all infrastructure critical services are "carped", so even prod is upgraded node by node***. But exactly in this ssl case this failed for me with this bug. At home I use letsencrypt certs, so that means ssl used /etc/ssl/cert.pem. The same for my dev landscape, where I had also stored the L2 ca in /etc/ssl/cert.pem (without remembering that I had done that once). So unfortunately dev and prod were not 100% identical :(

But lesson learned. I already did tons of automation (salt/git), so I will focus more on that again (when I have the time ...).

***Also the latest bug in carp load balancing couldn't be properly detected this way because in a mixed 6.7/6.8 setup it worked :/

--
wq: ~uw
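A check for the dev/prod mismatch described above, as an added example that is not code from the thread: it lists which CA certificates sit in a hashed CApath directory (what TLS_CACERTDIR / olcTLSCACertificatePath point at) but not in the single bundle file (TLS_CACERT / olcTLSCACertificateFile). It uses only the standard library and constructed stand-in certificate blobs; certificates are compared by the SHA-256 fingerprint of their DER bytes, so no X.509 parsing is needed.

```python
"""Compare the CAs in a hashed CA directory with those in a bundle file.

Added example, not from the mailing-list thread.  The point: when a
client is switched from a CApath directory to a CAfile bundle, any
issuer that lives only in the directory silently disappears from the
trust store, which is what made dev and prod behave differently here.
"""
import base64
import hashlib
import os
import re
import tempfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text):
    """SHA-256 fingerprints of every certificate in a PEM text.
    A bundle such as /etc/ssl/cert.pem contains many blocks."""
    fps = set()
    for b64 in PEM_RE.findall(text):
        der = base64.b64decode("".join(b64.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def bundle_fingerprints(cafile):
    with open(cafile) as f:
        return pem_fingerprints(f.read())


def capath_fingerprints(cadir):
    """Fingerprints of all certificates in a CApath directory.  The
    hashed names created by 'openssl certhash' (e.g. 1234abcd.0) are
    symlinks to the real files; isfile() follows them."""
    fps = set()
    for name in os.listdir(cadir):
        path = os.path.join(cadir, name)
        if os.path.isfile(path):
            with open(path) as f:
                fps |= pem_fingerprints(f.read())
    return fps


def trust_store_diff(cadir, cafile):
    """Which CAs exist only in the directory, only in the bundle, or in
    both.  A non-empty 'only_in_dir' means a client moved from CApath
    to CAfile will no longer be able to build chains to those issuers."""
    d, b = capath_fingerprints(cadir), bundle_fingerprints(cafile)
    return {"only_in_dir": sorted(d - b),
            "only_in_bundle": sorted(b - d),
            "common": sorted(d & b)}


def make_fake_pem(label):
    """Constructed stand-in for a certificate.  The bytes are not real
    DER; the fingerprint logic only needs distinct blobs."""
    b64 = base64.b64encode(b"constructed-ca-" + label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


def demo():
    """Reproduce the mismatch from the thread with constructed files:
    the L1 and L2 CA are in the hashed directory, the bundle only
    carries L1.  Returns the diff and the expected L2 fingerprint."""
    tmp = tempfile.mkdtemp()
    cadir = os.path.join(tmp, "certs")
    os.mkdir(cadir)
    for label in ("L1", "L2"):
        with open(os.path.join(cadir, label + ".pem"), "w") as f:
            f.write(make_fake_pem(label))
    cafile = os.path.join(tmp, "cert.pem")
    with open(cafile, "w") as f:
        f.write(make_fake_pem("L1"))
    diff = trust_store_diff(cadir, cafile)
    l2 = hashlib.sha256(b"constructed-ca-L2").hexdigest()
    return diff, l2


if __name__ == "__main__":
    d, _ = demo()
    print("in /etc/ssl/certs but missing from cert.pem:", d["only_in_dir"])
```

Run it against the real /etc/ssl/certs and /etc/ssl/cert.pem on each host before flipping a client from the directory to the bundle.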
Re: ssl/libssl certificate validation broken?
On 22 Oct 21:49, Rafael Possamai wrote:
> >Hi Bob, it was in the middle of the night and I got quite kinda stressed
> >because all services depending on our ldap proxy stopped working after the
> >upgrade and it took me a while to figure the problem out.
>
> Perhaps this is unsolicited advice, but maybe you can setup a test system
> first, perform major upgrade on it to make sure everything works. If so, then
> do it in production.
>

That's very good advice and I have such a setup. But unfortunately exactly in this case this didn't work, because in my dev/test landscape I have other ssl certs (different domain name) which were stored in /etc/ssl/cert.pem :/

--
wq: ~uw
Re: ssl/libssl certificate validation broken?
On 20 Oct 20:21, Bob Beck wrote:
> On 20 Oct 21:01, Uwe Werler wrote:
> > Hi folks,
> >
> > before opening a bug report I'll ask here because I want to make sure that I
> > have not missed something.
>
> You should probably submit a real bug report instead of jumping to
> conclusions on misc@

Hi Bob, it was in the middle of the night and I got quite kinda stressed because all services depending on our ldap proxy stopped working after the upgrade and it took me a while to figure the problem out. But as in 99.9% of the cases I wanted to be sure that the problem doesn't sit between screen and keyboard because I missed or misconfigured something. Will open a proper bug report now.

> >
> > With the upgrade to 6.8 my cert validation seems to be broken because the
> > hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our
> > L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl
> > certhash".
> > That worked for all my machines until 6.7 but broke with 6.8. Adding the ca
> > certs to /etc/ssl/cert.pem works.
> >
> > Did I miss something? I guess something changed during k2k20 in "certificate
> > chain validation in libcrypto"?
> >
> > Thanks and with kind regards.
> >
> > Uwe
> >
> ...
> >Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my
> >openldap proxies were screwed too. I configured explicitly
> >
> >olcTLSCACertificatePath: /etc/ssl/certs
> >
> >But that broke so I had to change to:
>
> "Broke".. how?

The certificate chain can't be verified anymore, so ldap connections (server - server and client - server) can't be established anymore.

> >
> >olcTLSCACertificateFile: /etc/ssl/cert.pem
> >
> >... and I had to change also /etc/openldap/ldap.conf from:
> >
> >TLS_CACERTDIR /etc/ssl/certs
> >
> >to
> >
> >TLS_CACERT /etc/ssl/cert.pem
> >
> >to keep syncrepl running.
>
> You are a little bit thin on details here. The changes in the validator
> should not affect the loading of your certificates.

slapd acts as an ldap client for syncreplication to work and is therefore configured via /etc/openldap/ldap.conf. But because the validation stopped working, syncrepl also stopped working.

>
> Are you using openldap from packages or something else?

Yes, always from ports.

>
> So please pass on some details and perhaps a succinct way to reproduce
> and include the error messages you see. Probably as a real bug report
> instead of misc discussions.
>

Yes, I will open a bug report now.

mbk
Uwe
Re: CARP load balancing problems under KVM
On 21 Oct 07:12, Carlos Lopez wrote:
> Hi all,
>
> Before upgrading from OpenBSD 6.7 to OpenBSD 6.8, my pair of firewalls was using
> carp in IP balance mode without problems for several months. These firewalls
> are installed on a RHEL 8.2 (fully patched) KVM host.
>
> After upgrading to OpenBSD 6.8, carp ip balance mode doesn’t work. I have
> tested reconfiguring balance mode for ip-stealth and ip-unicast also and the
> result is always the same: network packets are not processed by the firewalls.
> But if I configure CARP using “the simple configuration” and one node is
> master and the other is backup, everything works without problems.
>
> Since the configuration is exactly the same for version 6.8 as it was for
> version 6.7, could there be some kind of problem with the virtio driver on
> the network interfaces in version 6.8?
>
> Regards,
> C. L. Martinez

Hi folks,

I ran into exactly the same issue with my ldap proxy. When one node is master for both carp nodes it responds to packets addressed to the carp ip. In load balancing mode it sometimes responds, depending on the source ip.

Please open a bug report.

--
wq: ~uw
Re: ssl/libssl certificate validation broken?
On 20 Oct 21:01, Uwe Werler wrote:
> Hi folks,
>
> before opening a bug report I'll ask here because I want to make sure that I
> have not missed something.
>
> With the upgrade to 6.8 my cert validation seems to be broken because the
> hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our
> L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash".
> That worked for all my machines until 6.7 but broke with 6.8. Adding the ca
> certs to /etc/ssl/cert.pem works.
>
> Did I miss something? I guess something changed during k2k20 in "certificate
> chain validation in libcrypto"?
>
> Thanks and with kind regards.
>
> Uwe
>

Mmh, it seems to me that libssl is broken. After the upgrade to 6.8 my openldap proxies were screwed too. I configured explicitly

olcTLSCACertificatePath: /etc/ssl/certs

But that broke so I had to change to:

olcTLSCACertificateFile: /etc/ssl/cert.pem

... and I had to change also /etc/openldap/ldap.conf from:

TLS_CACERTDIR /etc/ssl/certs

to

TLS_CACERT /etc/ssl/cert.pem

to keep syncrepl running.

--
wq: ~uw
ssl/libssl certificate validation broken?
Hi folks,

before opening a bug report I'll ask here because I want to make sure that I have not missed something.

With the upgrade to 6.8 my cert validation seems to be broken because the hashed certs in /etc/ssl/certs are not honored anymore. I usually stored our L1 and L2 ca certs in /etc/ssl/certs and hashed them with "openssl certhash". That worked for all my machines until 6.7 but broke with 6.8. Adding the ca certs to /etc/ssl/cert.pem works.

Did I miss something? I guess something changed during k2k20 in "certificate chain validation in libcrypto"?

Thanks and with kind regards.

Uwe
Re: iwm0: fatal firmware error on Dell Latitude E5570
On 24 Sep 12:24, Jan Stary wrote:
> On Sep 24 11:36:24, h...@stare.cz wrote:
> > This is 6.8-beta/amd64 on a Dell Latitude E5570 (dmesg below).
> > iwm stopped working, saying
> >
> > iwm0: hw rev 0x200, fw ver 34.0.1, address e4:a4:71:40:21:08
> > iwm0: fatal firmware error
> > iwm0: could not remove MAC context (error 35)
> > iwm0: fatal firmware error
> > iwm0: could not remove MAC context (error 35)
> > iwm0: fatal firmware error
> > iwm0: could not remove MAC context (error 35)
> > [etc]
> >
> > This is after sysupgrade and a fw_update.
> > Is anyone seeing the same?
> >
> > Last changes to sys/dev/pci/*iwm* are months ago,
> > and I have seen it work this week ...
>
> After recompiling current, everything works again. Note that
> it's GENERIC.MP now, as opposed to GENERIC installed by the sysupgrade.
> (Can that be related to a iwm error?)
>
> Jan
>

Hi Jan,

I have a similar problem when using sysupgrade on a Dell 7400 and on one Dell 7280 - the installer switches to bsd.sp. I tried to debug that, but when I boot into the ramdisk it properly detects the MP cpu. Checked that several times. I have another 7280 with exactly the same config (dd'ed the hd) where it doesn't happen. That's strange.

--
wq: ~uw
Re: ideas needed for password management
On 24 Sep 10:55, Uwe Werler wrote:
> On 23 Sep 20:52, Hakan E. Duran wrote:
> > Dear all,
> >
> > I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and
> > Dovecot. The users will be the Unix users on the VPS for simplicity.
> > However, I now have the problem of allowing users setting and modifying
> > their own passwords (perhaps even their usernames) without giving them ssh
> > access to the host. I don't have technical background and training for this
> > type of work; however, I love doing this, please be gentle with me. The
> > mail server is a hobby that is intended for family and a few friends, and
> > is not mission critical.
> >
> > I thought something like Webmin could work for this purpose, but without
> > root access of course. However, I am not sure if such a tool exists. Any
> > other ideas are welcome.
> >
> > Thank you so much in advance for your suggestions.
> >
> > Hakan
> >
>
> Hi Hakan,
>
> I had a similar problem which I solved with Rainloop (as an app in Nextcloud)
> with the POPPASSD plugin and the local poppassd daemon (pkg_add openpoppassd).
>
> --
> wq: ~uw
>

But as Stuart suggested - I would rather use a db backend for that. I plan to finally use ldapd for that myself. Most applications allow e.g. password changes against ldap. In my setup I complicated things more than making them easier. For example I separated my system user from my "virtual" user for mail etc. That could have been done more simply with ldap in the end.

--
wq: ~uw
Re: ideas needed for password management
On 23 Sep 20:52, Hakan E. Duran wrote:
> Dear all,
>
> I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP and
> Dovecot. The users will be the Unix users on the VPS for simplicity. However,
> I now have the problem of allowing users setting and modifying their own
> passwords (perhaps even their usernames) without giving them ssh access to
> the host. I don't have technical background and training for this type of
> work; however, I love doing this, please be gentle with me. The mail server
> is a hobby that is intended for family and a few friends, and is not mission
> critical.
>
> I thought something like Webmin could work for this purpose, but without root
> access of course. However, I am not sure if such a tool exists. Any other
> ideas are welcome.
>
> Thank you so much in advance for your suggestions.
>
> Hakan
>

Hi Hakan,

I had a similar problem which I solved with Rainloop (as an app in Nextcloud) with the POPPASSD plugin and the local poppassd daemon (pkg_add openpoppassd).

--
wq: ~uw
Re: Web based document / spreadsheet editor
On 22 Sep 15:37, Martin Sukany wrote:
> Hi colleagues,
>
> I need to set up some kind of collaborative environment (rich text
> documents, basic tables) — the request is „something like google docs“.
>
> As I’m almost always working in a shell I have to say that I’m a little bit lost in this
> area.
>
> Could you recommend me some web-based application (ideally something which is
> „easily“ deployed on OpenBSD)? If it wouldn’t have some of the ‚big
> frameworks‘ behind it, it would be great.
>
> Any hints welcomed …
>
> Thanks
> M>
>
>
> S pozdravem / Kind regards
>
> Martin Sukaný
> UNIX Engineer, Developer, DevOps specialist
> xmpp: mar...@sukany.cz
> phone: +420 776 275 713
> email: mar...@sukany.cz
> l: https://www.linkedin.com/in/martins6
>
>

Hi Martin,

at work we have nextcloud plus collabora online dev edition. Works so far. For the latter one I used the container from them - it's debian based - and run it on kvm.

--
wq: ~uw
Re: Troubleshooting pf congestion
Without seeing a rule set what should one say?

On 14 September 2020 15:19:46 GMT+00:00, Scott Reese wrote:
>Greetings:
>
>I am troubleshooting an issue: users complaining about network performance. The firewall
>is an OpenBSD 6.7 system with patches applied. I've traced the issue and I'm seeing the
>congestion counter incrementing on system. The problems that we're seeing fit with what
>I have been able to find about congestion - when the firewall is congested it continues
>passing packets that match existing state entries but it will not create any new state
>entries until the congestion clears.
>
>I'm having trouble troubleshooting it beyond that point because I have not been able to
>find any additional information about what the congestion counter is counting. There is
>the information in the pfctl man page: "congestion: network interface queue congested",
>but beyond that I can't really find any information about exactly what network interface
>queue is congested.
>
>I'm not seeing packets being dropped, either on the switch side or firewall side that
>correspond with the congestion counter going up. The average on the congestion counter
>stays around 10/s, but what it's really doing is going up by 100-300/s for short periods
>and then not moving for longer periods.
>
>If anyone could spare a couple of sentences or a share a link to a page detailing what
>state causes the system to consider itself contested, I would appreciate it.
>
>Thanks for your time.
>
>-Scott
>
>
>System dmesg:
>
>OpenBSD 6.7 (GENERIC.MP) #6: Thu Sep 3 14:08:18 MDT 2020
Re: Cleaning system's old libraries/files after update to next -release or -current
On 14 Jul 15:44, Stuart Henderson wrote:
> On 2020-07-14, Christian Weisgerber wrote:
> > Old versions of libraries are innocuous. They will simply be
> > ignored.
>
> Until you run out of disk space, which is fairly easy in /usr if you
> installed a couple of releases ago and took the auto disklabel defaults.

If that happens during upgrade I usually ^C and run

umount /mnt/usr/local
umount /mnt/usr/X11R6
umount /mnt/usr
newfs what-dev-usr-is
mount what-dev-usr-is /mnt/usr
mkdir /mnt/usr/{local,X11R6}

and restart the upgrade. That happens more or less regularly on my APU but I never had any problems with that.

--
Uwe
Re: How did it happen?
On 31 January 2020 18:48:51 GMT+00:00, gil...@poolp.org wrote:
>January 30, 2020 4:44 PM, gil...@poolp.org wrote:
>
>> It depends on your configuration, not all setups are vulnerable.
>>
>> I think I recall your name from the comments on my tutorial and this is a
>> setup that would not be vulnerable for example. The bug still exists, but
>> it can't be used to exploit the same code path.
>>
>> You should update, this is not something you want to rely on.
>>
>> I'm writing a _very_ detailed post-mortem which will go into the details,
>> I just want to give it a few days to make sure it is as informative as it
>> should.
>>
>
>
>As promised, I have written a (too much ?) detailed write-up about the
>recent event:
>
>https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
>
>Hope it clarifies what happened and plans for the future.
>
>Gilles

Thank you very much Gilles for the insights. It's not really your fault because it's how our brain works. If we want to get things working we concentrate on getting them working - not on how to break them. It's amazing that the code worked as "intended" - that means you are a very good dev. Logical fallacies hit us every day - we are human.

I would give +1 to not delivering mails directly to root.
Re: ksh complete_command for commands with "-" in name
On 18 Jan 00:27, Andreas Kusalananda Kähäri wrote:
> On Fri, Jan 17, 2020 at 10:41:30PM +0000, Uwe Werler wrote:
> > On 17 Jan 22:32, Ottavio Caruso wrote:
> > > On Fri, 17 Jan 2020 at 22:03, Uwe Werler wrote:
> > > >
> > > > Hi misc,
> > > >
> > > > I use heavily the feature to set command completion in ksh.
> > > > Unfortunately this doesn't work for commands with "-" (like ssh-add,
> > > > salt-call etc.) in the command name because the parameter name for the
> > > > array is invalid.
> > >
> > > I'm not sure if I'm getting what you're saying. I have a barebone
> > > plain-vanilla OpenBSD 6.6 installation and I have ksh as my login
> > > shell. I can do command and file completion with [TAB] on any commands
> > > with a hyphen (pkg-config, ssh-add, ssh-agent, ssh-keygen, ssh-keyscan
> > > and so on).
> >
> > From man 1 ksh:
> >
> >     Custom completions may be configured by creating an array named
> >     ‘complete_command’, optionally suffixed with an argument number
> >     to complete only for a single argument. So defining an array
> >     named ‘complete_kill’ provides possible completions for any
> >     argument to the kill(1) command, but ‘complete_kill_1’ only
> >     completes the first argument. For example, the following command
> >     makes ksh offer a selection of signal names for the first
> >     argument to kill(1):
> >
> >         set -A complete_kill_1 -- -9 -HUP -INFO -KILL -TERM
> >
> > This of course can't work for commands with a hyphen because the parameter
> > name of the array is then invalid.
> >
> > Uwe
>
> A somewhat ugly workaround would be to define aliases for the commands
> that you want to install these completions for. The aliases would have
> no dashes in their names.
>
> alias ssh_add=ssh-add
> set -A complete_ssh_add_1 -- -D -l -L -v

Yeah, that's what I came up with too.
Re: ksh complete_command for commands with "-" in name
On 17 Jan 22:32, Ottavio Caruso wrote:
> On Fri, 17 Jan 2020 at 22:03, Uwe Werler wrote:
> >
> > Hi misc,
> >
> > I use heavily the feature to set command completion in ksh. Unfortunately
> > this doesn't work for commands with "-" (like ssh-add, salt-call etc.) in
> > the command name because the parameter name for the array is invalid.
>
> I'm not sure if I'm getting what you're saying. I have a barebone
> plain-vanilla OpenBSD 6.6 installation and I have ksh as my login
> shell. I can do command and file completion with [TAB] on any commands
> with a hyphen (pkg-config, ssh-add, ssh-agent, ssh-keygen, ssh-keyscan
> and so on).

From man 1 ksh:

    Custom completions may be configured by creating an array named
    ‘complete_command’, optionally suffixed with an argument number
    to complete only for a single argument. So defining an array
    named ‘complete_kill’ provides possible completions for any
    argument to the kill(1) command, but ‘complete_kill_1’ only
    completes the first argument. For example, the following command
    makes ksh offer a selection of signal names for the first
    argument to kill(1):

        set -A complete_kill_1 -- -9 -HUP -INFO -KILL -TERM

This of course can't work for commands with a hyphen because the parameter name of the array is then invalid.

Uwe
ksh complete_command for commands with "-" in name
Hi misc,

I use heavily the feature to set command completion in ksh. Unfortunately this doesn't work for commands with "-" (like ssh-add, salt-call etc.) in the command name because the parameter name for the array is invalid.

Any idea to work around that, or plans to allow at least "-" when the parameter name starts with "complete_"? I'm not a developer and don't really understand the code for ksh :/

Thanks in advance.

Uwe
Re: tinc on openBSD?
On 27. Apr 7:51:18, Harald Dunkel wrote:
> Hi folks,
>
> AFAICS tinc is included in the packages for 6.1, but surely
> that doesn't mean it's safe to use without looking.
>
> Are there security concerns against running tinc on an OpenBSD
> gateway as an alternative to IPsec and openvpn in a +50 road
> warriors setup? What is your impression of this tool in daily
> usage? Which VPN solution would you prefer?
>
>
> Every helpful comment is highly appreciated
> Harri
>

Hi Harri,

I have been running tinc for ~2 years now for my private vpn solution - especially via proxy out of my company from my OpenBSD vm to my OpenBSD router. Runs like a charm. It's much easier to configure than e.g. OpenVPN. There are already some networks running with tinc, e.g. https://dn42.net/Home.

Regards

Uwe

--
Re: tmux, option allow-rename off allows renaming
That's exactly the reason why I wrote this little wrapper script: https://github.com/uwerler/tmux_ssh

On 17 March 2017 12:12:52 CET, "Andreas Kusalananda Kähäri" wrote:
>Hi,
>
>I'm doing some development on a Linux machine over SSH from a tmux shell
>session.
>
>Whenever I log into the Linux host, it renames the current tmux window
>(what's displayed to the right at the bottom) to "user@host /path" (with
>those words replaced by the actual user etc.).
>
>This window name stays around even after I log out of the Linux host,
>which is annoying.
>
>This happens even though I have the following in my .tmux.conf file:
>
>set-window-option -g allow-rename off
>set-window-option -g automatic-rename off
>
>I'm running OpenBSD-current (updated weekly) on amd64.
>
>How may I disallow the renaming of the tmux window?
>
>
>Regards,
>Kusalananda
>
>[demime 1.01d removed an attachment of type application/pgp-signature
>which had a name of signature.asc]

--
This message was sent from my Android mobile phone with K-9 Mail.
Re: APCu/Memcached/Redis - OwnCloud/Nextcloud memory caching - which OpenBSD package?
On 27 February 2017 17:09, "Florian Viehweger" wrote:
> Hey,
>
>> I use php56 and nginx from ports. Any other idea?
>
> try to upgrade to PHP 7. I've experienced a significant performance
> improvement, albeit on Arch Linux.
>
> --
> greetings,
>
> Florian Viehweger

Mmh, but there's no redis package for php7 yet.
Re: APCu/Memcached/Redis - OwnCloud/Nextcloud memory caching - which OpenBSD package?
> make sure your SQL encoding is set to unicode/UTF8, I recently did a fresh
> install and the encoding ended up as SQL_ASCII and performance was abysmal.
> Switching to UTF-8 and performance was as expected. (this was with postgresql)

Mmh, I checked my mysql settings and they are still utf8 - and I have a really poor performance anyway. On the same machine tine20 is also running, quite a lot faster. For caching I use redis (also for tine20) and tried all the performance tips from owncloud/nextcloud. I use php56 and nginx from ports. Any other idea?
httpd rewrite
Hello guys,

I'm trying to move from nginx to httpd, but I have a problem with rewrite. I try to use this nginx rule:

rewrite ^/Microsoft-Server-ActiveSync?(.*)$ /tine20/index.php?frontend=activesync$1;

with httpd:

location "/Microsoft-Server-ActiveSync" {
	block return 302 "/tine20/index.php?frontend=activesync$QUERY_STRING"
}

The redirect seems to work - but no auth takes place. Is what I'm trying to do generally possible? And if yes - what am I missing? The output doesn't look bad at first glance:

webtest.local 192.168.176.12 - - [03/Feb/2017:01:01:01 +0100] "POST /Microsoft-Server-ActiveSync?Cmd=Sync%26User=USER%26DeviceId=DEVICEID%26DeviceType=SAMSUNGSMG930F HTTP/1.1" 302 0
server webtest.local, client 64 (3 active), 192.168.176.12:60819 -> 192.168.177.100:443, /tine20/index.php?frontend=activesyncCmd=Sync%26User=USER%26DeviceId=DEVICEID%26DeviceType=SAMSUNGSMG930F (302 Found)
webtest.local 192.168.176.12 - - [03/Feb/2017:01:01:02 +0100] "GET /tine20/index.php?frontend=activesyncCmd=Sync%2526User=USER%2526DeviceId=DEVICEID%2526DeviceType=SAMSUNGSMG930F HTTP/1.1" 200 0

Thanks in advance. Uwe
Re: spreed server
Hi Stephen, did you get the spreed server built?
Re: rdomain incompatible with NSD ? (OpenBSD 6)
You have to start nsd in rdomain 1.

Sent from my Samsung Galaxy smartphone.

Original message
From: Bob Jones
Date: 03.09.16 20:13 (GMT+01:00)
To: misc@openbsd.org
Subject: rdomain incompatible with NSD ? (OpenBSD 6)
Re: DigitalOcean and OpenBSD
On 25. Aug 12:02:37, Daniel Winters wrote:
> Hi,
>
> > Hetzner customer here. Hetzner doesn't support OpenBSD natively. The
> > only instructions I could find are kind of dated, in German, seem to
> > apply only to dedicated servers (as opposed to VMs), and overall look
> > like a giant hack. Anyone had luck getting things running recently?
>
> I have a VM at Hetzner running amd64 current flawlessly as my mail/web
> server since 2013 on what Hetzner calls a VQ7 vServer. I dd'ed a basic
> OpenBSD file system image on the disc via the Debian rescue system,
> worked like a charm.
>
> I recently got a new CX10 VM as well, but current will hang after a few
> minutes, this seems to be related to virtio disc(?) drivers that are
> used in the newer VMs. FreeBSD runs flawlessly on this and I did not
> have time to investigate this yet.
>
> So long story cut short, Hetzner is a good choice for hosting, but their
> current VM offerings seem to be incompatible with OpenBSD amd64 current
> + 5.9, this can probably be fixed though.

I also have several VMs running at Hetzner. Now they offer a rescue boot with OpenBSD 5.9 too. It's quite easy to install a new machine now. And a big plus is their support.
ksh, PS1 and PWD
Hello list,

maybe this can be done better (~/.kshrc):

# Print a shortened working directory for the prompt: $HOME becomes "~",
# and anything longer than _len characters is cut from the left and
# prefixed with _sym (e.g. "/<../some/deep/dir" or "~<../some/deep/dir").
# Runs inside $(...) in PS1, so the assignment to PWD stays in the subshell.
_pwd(){
	local _len="25"
	local _sym="/<.."
	[[ ${PWD} == ${HOME}* ]] && { PWD="~${PWD#${HOME}}"; _sym="~${_sym#/}"; }
	# typeset -R keeps the rightmost _len characters; drop the cut first label
	[[ ${#PWD} -gt $_len ]] && { typeset -R"$_len" _pwd=$PWD; PWD="${_sym}/${_pwd#*/}"; }
	print $PWD
}

PS1='\h:$(_pwd)\\$ '

Any hints? Thanks in advance.
--
Re: PF and interface changing IP
pass in on pppoe0 inet proto tcp to (pppoe0) port ssh keep state

Sent from my Samsung device.

Original message
From: Gabriele Tozzi
Date: 12.05.2016 09:45 (GMT+01:00)
To: misc@openbsd.org
Subject: PF and interface changing IP
Re: openbsd vs freebsd NAT performance
On 16. Apr 5:10:56, bluesun08 wrote: > Hi, > > beside OpenBSD 5.8 i installed FreeBSD 10.3 on my router-pc. For routing i > use pf. > I noticed that the routing/NAT-performance is in FreeBSD noticeable higher > than in OpenBSD. I think that is due to the SMP-support of pf in FreeBSD. > > Is there also a SMP support (intended) in OpenBSD? > > Regards > > Alex > > > > -- > View this message in context: > http://openbsd-archive.7691.n7.nabble.com/openbsd-vs-freebsd-NAT-performance-tp294095.html > Sent from the openbsd user - misc mailing list archive at Nabble.com. > https://calomel.org/network_performance.html --
Re: LibreNMS chroot issues
Why not point the socket to the chroot?

Sent from my Samsung Galaxy smartphone.

Original message
From: Ax0n
Date: 27.12.2015 18:58 (GMT+01:00)
To: cou...@gmail.com, punoseva...@gmail.com
Cc: misc@openbsd.org
Subject: Re: LibreNMS chroot issues
Re: Highest Speed Network Packet Generator?
tcpbench in base or iperf from ports.

Original message
From: Mohammad BadieZadegan
Date: 26.12.2015 09:15 (GMT+01:00)
To: misc@openbsd.org
Cc:
Subject: Highest Speed Network Packet Generator?
resize crypto raid
Hello list,

is it currently possible to resize/increase a crypto raid anyhow? I tested it with a virtual disk image via vnconfig - created an image file, attached it via vnconfig, created a raid partition and configured a raid with crypto discipline. Later I increased the image and adapted the partition size at the vnd image. Softraid starts properly but still with the old size - disk boundaries didn't change either.

Background: I'm thinking about full disk encryption for my virtual machine. In hindsight, it may be that I have the disk size increased by my cloud provider.

Any hints? Any ideas? Thanks in advance!

Regards Uwe
Re: resize crypto raid
Hello Karel,

exactly this I guessed :( Mmh, any idea how to deal with crypto raid and a kind of ccd?

Regards Uwe

On 21. Dec 22:58:27, Karel Gardas wrote:
> Hello Uwe,
>
> IIRC softraid0 also saves disk size as a part of its metadata. I'm not
> sure if metadata gets updated when you change just partition/disklabel
> size, but I would not expect it.
>
> On Mon, Dec 21, 2015 at 10:49 PM, Uwe Werler <uwe.wer...@retiolum.eu> wrote:
> > Hello Ted,
> >
> > this is exactly my problem - I can't change the disk boundaries at the
> > softraid disk. I tried it with saving the disklabel of softraid0/sd0 and
> > editing manually - with no success. Any ideas?
> >
> > Regards Uwe
> >
> > On 21. Dec 16:05:28, Ted Unangst wrote:
> >> Uwe Werler wrote:
> >> > Hello list,
> >> >
> >> > is it currently possible to resize/increase a crypto raid anyhow? I
> >> > tested it
> >> > with a virtual disk image via vnconfig - created an image file, attached
> >> > it
> >> > via vnconfig, created a raid partition and configured a raid with crypto
> >> > discipline. Later I increased the image and adapted the partition size
> >> > at the
> >> > vnd image. Softraid starts properly but still with the old size - disk
> >> > boundaries didn't change either.
> >>
> >> run disklabel on the softraid disk, use 'b' to change the area.
> >
> > --
>
--
Re: resize crypto raid
Hello Ted,

this is exactly my problem - I can't change the disk boundaries at the softraid disk. I tried it with saving the disklabel of softraid0/sd0 and editing manually - with no success. Any ideas?

Regards Uwe

On 21. Dec 16:05:28, Ted Unangst wrote:
> Uwe Werler wrote:
> > Hello list,
> >
> > is it currently possible to resize/increase a crypto raid anyhow? I tested
> > it
> > with a virtual disk image via vnconfig - created an image file, attached it
> > via vnconfig, created a raid partition and configured a raid with crypto
> > discipline. Later I increased the image and adapted the partition size at
> > the
> > vnd image. Softraid starts properly but still with the old size - disk
> > boundaries didn't change either.
>
> run disklabel on the softraid disk, use 'b' to change the area.
--
Re: Playing with rdomains and bridge on 5.8 and current
Take a look at pair(4).

On 17. Dec 12:19:42, Claer wrote:
> Hello,
>
> I'm trying a "strange" setup with rdomains, bridge and vether. As there is
> something I don't understand, I'd like to know if the behavior is normal or if
> it is an issue. This is not a production system, just experimentations.
>
> Here is what I'm trying to do. With 1 NIC connected to a "physical" network, I
> wish to have several rdomains connected to the same uplink VLAN.
> As this uplink VLAN provides DHCP, it facilitates the configuration.
>
> When everything is up, I can ping the default router from either rdomain but I
> can't ping rdomain 1 from rdomain 2 or vice versa. Arp is failing to resolve
> the IP addresses even though the arp packet is received on vether interface.
> With 2 NICs, the communication succeeds.
>
> The results are the same with 5.8 and current (snapshot downloaded yesterday)
>
> Here is the setup :
>
> 1/ configure the interfaces
> testhost:~ # cat /etc/hostname.em0
> dhcp
>
> testhost:~ # cat /etc/hostname.em1
> rdomain 1
> !route -T 1 exec dhclient em1
> testhost:~ #
>
> testhost:~ # cat /etc/hostname.vether2
> rdomain 2
> !route -T 2 exec dhclient vether2
> up
> testhost:~ #
>
> 2/ Build the bridge :
> testhost:~ # cat /etc/hostname.bridge0
> add em1
> add vether2
> up
> testhost:~ #
>
> 3/ Verify configuration :
> testhost:~ # ifconfig bridge0
> bridge0: flags=41
>         groups: bridge
>         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
>         designated: id 00:00:00:00:00:00 priority 0
>         em1 flags=3
>                 port 2 ifpriority 0 ifcost 0
>         vether2 flags=3
>                 port 5 ifpriority 0 ifcost 0
>         Addresses (max cache: 100, timeout: 240):
>                 08:00:27:2c:87:f2 em1 1 flags=0<>
>                 00:50:b6:67:9c:82 em1 1 flags=0<>
>                 [...]
>
> testhost:~ # ifconfig em0
> em0: flags=8843 mtu 1500
>         lladdr 08:00:27:2c:87:f2
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet 192.168.79.39 netmask 0xffffff00 broadcast 192.168.79.255
>
> testhost:~ # ifconfig em1
> em1: flags=8b43 rdomain 1 mtu 1500
>         lladdr 08:00:27:36:20:e8
>         priority: 0
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet 192.168.79.159 netmask 0xffffff00 broadcast 192.168.79.255
>
> testhost:~ # ifconfig vether2
> vether2: flags=8943 rdomain 2 mtu 1500
>         lladdr fe:e1:ba:d0:45:3b
>         priority: 0
>         groups: vether
>         media: Ethernet autoselect
>         status: active
>         inet 192.168.79.193 netmask 0xffffff00 broadcast 192.168.79.255
>
> testhost:~ # route -n show -inet
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs  Use   Mtu  Prio Iface
> default            192.168.79.254     UGS     0 788       -     8 em0
> 127/8              127.0.0.1          UGRS    00        32768   8 lo0
> 127.0.0.1          127.0.0.1          UHl     00        32768   1 lo0
> 192.168.79/24      192.168.79.39      UC      412990    -       4 em0
> 192.168.79.39      08:00:27:2c:87:f2  UHLl    0 22      -       1 em0
> 192.168.79.123     70:5a:b6:af:a0:42  UHLc    1 6503    -       4 em0
> 192.168.79.159     08:00:27:36:20:e8  UHLc    011027    -       4 em0
> 192.168.79.193     fe:e1:ba:d0:45:3b  UHLc    011795    -       4 em0
> 192.168.79.254     2c:76:8a:30:2b:00  UHLc    1 1192    -       4 em0
> 192.168.79.255     192.168.79.39      UHb     0 5764    -       1 em0
> 224/4              127.0.0.1          URS     0 195     32768   8 lo0
>
> testhost:~ # route -nT1 show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs  Use   Mtu  Prio Iface
> default            192.168.79.254     UGS     0 1752    -       8 em1
> 192.168.79/24      192.168.79.159     UC      115026    -       4 em1
> 192.168.79.159     08:00:27:36:20:e8  UHLl    00        -       1 em1
> 192.168.79.254     2c:76:8a:30:2b:00  UHLc    1 1167    -       4 em1
> 192.168.79.255     192.168.79.159     UHb     0 734     -       1 em1
>
> testhost:~ # route -nT2 show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs  Use   Mtu  Prio Iface
> default            192.168.79.254     UGS     0 2215    -       8 vether2
> 192.168.79/24      192.168.79.193     UC      1 5334    -       4 vether2
> 192.168.79.193     fe:e1:ba:d0:45:3b  UHLl    00        -       1 vether2
> 192.168.79.254     2c:76:8a:30:2b:00  UHLc    1 399     -       4 vether2
> 192.168.79.255
Re: authentication infra structure
On 09. Dec 17:25:14, Friedrich Locke wrote:
> If you had about 10k users and 5k machine how would you manage
> authenticating issues? Keep in mind that this is a very heterogenous
> environment with ldap, ftp, smtp, pop3, traditional unix boxes etc
>

LDAP is your friend. You can even combine OpenLDAP with saslauthd for pass-through authentication to various other backends.
--
Re: Empty MFS on root
On 08.12.2015 16:03:14, Tati Chevron wrote:
> Currently, it's possible, (as root), to do something like:
>
> # mount_mfs -s 1g swap /
>
> which succeeds, and mounts the empty filesystem as the root filesystem.
>
> This makes the machine inoperable and requires a physical reset, without a clean shutdown, as no system binaries are available.
>
> Shouldn't we make mount_mfs error out in this case?
>
> --
> Tati Chevron
> Perl and FORTRAN specialist.
> SWABSIT development and migration department.
> http://www.swabsit.com
>

Hehe, you can even shut down the machine as root. Should there be a warning too? Windoof-like? Or a bunch of questions whether you're really, really sure?
Re: relayd ssl interception and certificate subject
On 25. Nov 8:02:17, Stuart Henderson wrote: > On 2015-11-24, Uwe Werler <uwe.wer...@retiolum.eu> wrote: > > Hello, > > > > I'm just testing ssl interception and noticed the following problem. > > Sometimes the Subject/Subject Alternative Name of the cert is altered with > > a different name than the one the original cert has: > > When relayd connects to the server to find out what names to use in > the subject/SAN, it doesn't send the requested hostname (SNI) in > the ClientHello, so it only has the information from the server's > "default" certificate to include in the new generated certificate. > > You can see this for yourself with openssl s_client -connect hostname:443 > compared with openssl s_client -connect hostname:443 -servername hostname. > Hello Stuart, thanks! Ok, got it. Only for my understanding: is there a reason (probably security related?) for not using the host name from ClientHello in relayd for fetching the target cert? And if not - is it planned to implement it in relayd? Thanks in advance! Regards Uwe
Re: relayd ssl interception and certificate subject
Thank you very much for the explanation Stuart! I'll check this.

On 25. Nov 8:02:17, Stuart Henderson wrote:
> On 2015-11-24, Uwe Werler <uwe.wer...@retiolum.eu> wrote:
> > Hello,
> >
> > I'm just testing ssl interception and noticed the following problem.
> > Sometimes the Subject/Subject Alternative Name of the cert is altered with
> > a different name than the one the original cert has:
>
> When relayd connects to the server to find out what names to use in
> the subject/SAN, it doesn't send the requested hostname (SNI) in
> the ClientHello, so it only has the information from the server's
> "default" certificate to include in the new generated certificate.
>
> You can see this for yourself with openssl s_client -connect hostname:443
> compared with openssl s_client -connect hostname:443 -servername hostname.
>
--
Re: TLS intercepting proxy [MitM]
On 24.11.2015 14:52:58, Jiri B wrote:
> > With a little bit of pf magic this works like this:
> >
> > pass out log on $ext_if proto tcp to any port 443 route-to lo0
> > pass out log on $ext_if proto tcp to any port 443 user _relayd
> > pass in log on lo0 proto tcp to any port 443 divert-to 127.0.0.1 port 8443
>
> Have you actually tested this? The traffic source is the
> box itself, don't forget, thus not forwarding between two
> ifaces.
>

Yep. 'cause I tested relayd from within my box itself.
relayd ssl interception and certificate subject
Hello,

I'm just testing ssl interception and noticed the following problem. Sometimes the Subject/Subject Alternative Name of the cert is altered with a different name than the one the original cert has:

The faked cert:

# X.509 Certificate Information:
Version: 3
Serial Number (hex): 051f332aed0c96
Issuer: C=DE,ST=Saxony,L=Dresden,O=Retiolum,OU=WEB,CN=SUB_CA,EMAIL=uwe.wer...@retiolum.eu
Validity:
	Not Before: Wed Jan 28 03:58:40 UTC 2015
	Not After: Fri Jan 29 14:31:49 UTC 2016
Subject: C=DE,CN=blog.b1-systems.de,EMAIL=postmas...@b1-systems.de
Subject Public Key Algorithm: RSA
Algorithm Security Level: High (4096 bits)
...
Extensions:
	Basic Constraints (not critical):
		Certificate Authority (CA): FALSE
	Key Usage (not critical):
		Digital signature.
		Key encipherment.
		Key agreement.
	Key Purpose (not critical):
		TLS WWW Server.
	Subject Key Identifier (not critical):
		47c3adafb6c9b8d26507975d444b07c30a85f020
	Authority Key Identifier (not critical):
		eb4234d098b0ab9ff41b6b08f7cc642eef0e2c45
	Subject Alternative Name (not critical):
		DNSname: blog.b1-systems.de
		DNSname: b1-systems.de
	Certificate Policies (not critical):
		2.23.140.1.2.1
		1.3.6.1.4.1.23223.1.2.3
			URI: http://www.startssl.com/policy.pdf
			Note: This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
	CRL Distribution points (not critical):
		URI: http://crl.startssl.com/crt1-crl.crl
	Authority Information Access (not critical):
		Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
		Access Location URI: http://ocsp.startssl.com/sub/class1/server/ca
		Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
		Access Location URI: http://aia.startssl.com/certs/sub.class1.server.ca.crt
	Issuer Alternative Name (not critical):
		URI: http://www.startssl.com/
Signature Algorithm: RSA-SHA1
#

The original cert:

X.509 Certificate Information:
Version: 3
Serial Number (hex): 0813002129d4f6
Issuer: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 2 Primary Intermediate Server CA
Validity:
	Not Before: Thu Sep 24 15:20:33 UTC 2015
	Not After: Sun Sep 24 23:00:39 UTC 2017
Subject: C=DE,ST=Bayern,L=Vohburg,O=B1 Systems GmbH,CN=www.b1-systems.de,EMAIL=postmas...@b1-systems.de
Subject Public Key Algorithm: RSA
Algorithm Security Level: High (4096 bits)
	Modulus (bits 4096):
	...
Extensions:
	Basic Constraints (not critical):
		Certificate Authority (CA): FALSE
	Key Usage (not critical):
		Digital signature.
		Key encipherment.
		Key agreement.
	Key Purpose (not critical):
		TLS WWW Client.
		TLS WWW Server.
	Subject Key Identifier (not critical):
		2c6fafda29839f35c51c0ccde681e036168b10a9
	Authority Key Identifier (not critical):
		11db2345fd54cc6a716f848a03d7bef7012f2686
	Subject Alternative Name (not critical):
		DNSname: www.b1-systems.de
		DNSname: b1-systems.de
	Certificate Policies (not critical):
		2.23.140.1.2.2
		1.3.6.1.4.1.23223.1.2.3
			URI: http://www.startssl.com/policy.pdf
			Note: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
	CRL Distribution points (not critical):
		URI: http://crl.startssl.com/crt2-crl.crl
	Authority Information Access (not critical):
		Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
		Access Location URI: http://ocsp.startssl.com/sub/class2/server/ca
		Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
		Access Location URI: http://aia.startssl.com/certs/sub.class2.server.ca.crt
	Issuer Alternative Name (not critical):
		URI: http://www.startssl.com/
Signature Algorithm: RSA-SHA256
#

In this case the DNS name www.b1-systems.de is removed from the cert, which leads to an error message in the web browser.

apu01$ dig @8.8.8.8 +short www.b1-systems.de
b1-systems.de.
84.200.69.202
apu01$ dig @8.8.8.8 +short blog.b1-systems.de
spacelords.systems.b1-systems.de.
84.200.69.202
apu01$ dig
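The two certificate dumps above, and Stuart's explanation earlier in this thread that relayd fetches the upstream certificate without SNI and therefore copies the names of the server's default certificate, boil down to one question a client asks: is the hostname I requested covered by the SAN list of the certificate I was handed? The script below is an added example and is not code from the thread or from relayd; it implements RFC 6125 style dNSName matching (exact match, or a single leftmost "*" label that matches exactly one label) and diffs the two SAN lists. The SAN entries are copied from the dumps above; subject CN is deliberately ignored, as current browsers do when a SAN extension is present.

```python
"""Check which hostnames a server certificate's SAN list covers and which
names an intercepting proxy dropped.  Added example; the SAN lists below are
copied from the two certificate dumps in the thread."""

# SAN dNSName entries from the certificate generated by the intercepting relayd.
INTERCEPTED_CERT_SANS = ["blog.b1-systems.de", "b1-systems.de"]
# SAN dNSName entries from the original server certificate.
ORIGINAL_CERT_SANS = ["www.b1-systems.de", "b1-systems.de"]


def _dns_id_match(pattern, hostname):
    """Match one SAN dNSName against a hostname (RFC 6125 rules).

    Comparison is case-insensitive and ignores a trailing dot.  A "*" is only
    accepted as the entire leftmost label and matches exactly one label, so
    "*.example.com" covers "www.example.com" but neither "example.com" nor
    "a.b.example.com".  Wildcards like "*.de" (fewer than three labels) are
    rejected, as are partial or non-leftmost wildcards.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_in_san(hostname, sans):
    """True if at least one SAN dNSName entry covers the requested hostname."""
    return any(_dns_id_match(san, hostname) for san in sans)


def san_diff(original, intercepted):
    """Return (dropped, added): names only in the original, names only in the
    intercepted certificate."""
    orig = {s.lower() for s in original}
    inter = {s.lower() for s in intercepted}
    return sorted(orig - inter), sorted(inter - orig)


def check_interception(hostname, original, intercepted):
    """Summarise whether a client asking for hostname accepts each certificate
    and which names the proxy lost on the way."""
    dropped, added = san_diff(original, intercepted)
    return {
        "hostname": hostname,
        "original_ok": hostname_in_san(hostname, original),
        "intercepted_ok": hostname_in_san(hostname, intercepted),
        "dropped": dropped,
        "added": added,
    }


if __name__ == "__main__":
    for host in ("www.b1-systems.de", "blog.b1-systems.de", "b1-systems.de"):
        print(check_interception(host, ORIGINAL_CERT_SANS, INTERCEPTED_CERT_SANS))
```

Run against the thread's data, www.b1-systems.de is accepted under the original certificate and rejected under the intercepted one, which is exactly the browser error described; the same check generalises to any SAN list you pull out of a proxy's generated certificate (for example with the openssl s_client invocations Stuart gives, with and without -servername).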
Re: TLS intercepting proxy [MitM]
On 24.11.2015 14:17:41, Lampshade wrote:
> Ok, I know that relayd can decrypt traffic, then log, then encrypt. The thing is that I want to
> send decrypted traffic to another process (privoxy), and then re-encrypt it.
> I have also problem with Reyk's config because I can not divert outgoing traffic using pf.
> I have tried with rdr-to and nat-to, but it removes destination IP address in packets.
> I want to intercept and alter traffic on the same box that I run Firefox.
> Is this possible using pf and relayd or I must use something else?
>

With a little bit of pf magic this works like this:

pass out log on $ext_if proto tcp to any port 443 route-to lo0
pass out log on $ext_if proto tcp to any port 443 user _relayd
pass in log on lo0 proto tcp to any port 443 divert-to 127.0.0.1 port 8443
Kerberos disabled in SSH now?
Kerberos is disabled by default in SSH now?

Revision 1.60: download - view: text, markup, annotated - select for diffs
Wed Jun 19 05:27:06 2013 UTC (5 weeks, 5 days ago) by deraadt
Branches: MAIN
Diff to: previous 1.59: preferred, coloured
Changes since revision 1.59: +2 -1 lines

stop doing kerberos in ssh and sshd
the code bloat makes that no longer trustworthy functionality
ok guenther

Any plans to enable it again?
Re: Internet Connection - Load Balancing and Failover
-----Original Message-----
To: OpenBSD-misc list misc@openbsd.org;
From: Imre Oolberg i...@auul.pri.ee
Sent: Tue 13.11.2012 09:05
Subject: Re: Internet Connection - Load Balancing and Failover

On 11/13/12 08:57, Tomas Bodzar wrote:

On Mon, Nov 12, 2012 at 11:09 PM, Walter Netowsouz...@gmail.com wrote:

Hello guys, I have two internet connections, and I want to make a load balancing and failover service. I have read about pf load balancing and multi-path routing; what is the difference between them? Which is the better one to use in my scenario? And for failover, is the best solution ifstated(8)?

One of the possible approaches, but maybe easier for you will be
http://www.openbsd.org/cgi-bin/man.cgi?query=trunk&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

I have been under the impression that man trunk is for L2 redundancy. Could you elaborate how it would help to load balance and fail over between two different ISP uplinks (one link per ISP; I assume they have different IP configurations)?

Imre

thanks in advance. Walter Neto

Hi Imre,

take a look at the router section of relayd.conf:
http://www.openbsd.org/cgi-bin/man.cgi?query=relayd.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

Regards Uwe
Re: Ipsec tunnel between 2 sites with same network addressing
-----Original Message-----
From: open...@e-solutions.re
Sent: Mon 15.02.2010 09:15
To: misc@openbsd.org;
Subject: Ipsec tunnel between 2 sites with same network addressing

Hi,

It is very simple to do an ipsec tunnel between 2 sites when they have different network addressing. But if site A uses 192.168.0.0/24 and site B uses the same address range, how can we do an ipsec tunnel? I suppose we need to use binat rules in pf.conf... I don't understand how to build that. If someone can explain it to me... Thanks

http://undeadly.org/cgi?action=article&sid=20090127205841
Re: Maximizing File/Network I/O
* Iñigo Ortiz de Urbina tarom...@gmail.com [2010-01-05 11:24]:

On Tue, Jan 5, 2010 at 9:13 AM, Tomas Bodzar tomas.bod...@gmail.com wrote:

There is much more to do. You can find some ideas e.g. here http://www.openbsd.org/papers/tuning-openbsd.ps . It's a good idea to follow the outputs of systat, vmstat and top for some time to find bottlenecks.

I recall a message in misc (which I am not able to find on the archives) about someone posting here the results of his research on optimizing and improving OpenBSD overall performance (fs, network, etc). Among the links he posted on his comprehensive compilation, he sent tuning-openbsd.ps.

I'm one of the two authors of this paper. ignore it. it is obsolete.

I remember one reply of a developer stating that some of those tuning measures are not needed anymore as OpenBSD has grown quite a bit since that time. Which are the recommended -always working- directions, then, to tune a system for its particular needs?

there isn't really all that much needed these days, defaults are good. some very specific situations benefit from some specific things, but usually, you are wasting time trying to tune.

My point is we all have to be careful and not follow guides or try values on sysctls blindly (although experimenting is welcome and healthy) as we can harm more than benefit we can get. Still, some environments will need adjustment to push much more traffic than GENERIC can, and this is a really hard task to accomplish unless you are a @henning or @claudio :)

heh :) I really like the 275 - 420MBit/s change for 4.6 - current with pf.

Oh cool! Is this explained a little bit deeper somewhere? Sounds VERY interesting.
Re: What does your environment look like?
On Sun, 3 Jan 2010 10:34:07 -0500 Anders Langworthy lagrang...@gmail.com wrote:

On Sat, Jan 2, 2010 at 9:08 PM, Brynet bry...@gmail.com wrote:

* Do you use one of the bundled window managers like cwm(1)/twm(1)/fvwm(1) or something else?

I wasn't going to reply, but I couldn't believe that cwm hasn't received any love yet. It's glorious. Powerful keyboard control, neat features, and faster than you need it to be. Its minimalism is elegant (and absolute) with no window decoration crud to distract or waste valuable pixels. And it's in base.

* Do you try to keep things uniform across other desktops?

No, but net/rsync is excellent for that purpose.

always -current + cwm + mrxvt + tmux = all I need. On my netbook xfce or cwm.
rtable and pf
Hello list,

I have an OpenBSD box with 4.5 connected to two carriers, one per dhcp and the other statically configured. Now I tried to change my rule set from route-to/reply-to syntax to rtable usage. Up to now I added my statically configured gateway with

route add default $GW -mpath

so the dhclient-script only adds an additional default route. The following rule worked:

$ext1 = static configured as for $ext1_gw
pass in on $ext1 reply-to ($ext1 $ext1_gw) inet proto tcp to ($ext1) port ssh flags S/SA keep state \
	(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, pflow)

Now I moved the static gateway to routing table 1 with

route -T 1 add default $GW

and changed my rule to:

pass in on $ext1 inet proto tcp to ($ext1) port ssh flags S/SA keep state \
	(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global, pflow) rtable 1

But as soon as I run dhclient $ext2 I can't log on via SSH to the statically configured address, so I guess the reply packets are not routed via rtable 1. What am I missing, or what have I misunderstood? Thanks for your clarification.

Regards Uwe
Re: automaticaly mount/umount encrypted $HOME or ...
Hi Maxim,

> Choosing bash was a quick solution for executing the job after I've logged out, e.g. how else do you umount and vnconfig -u? I'd like to use the default ksh, but a quick google search gave me an answer - ksh can not exec after logout. Here I hope someone can point me in the right direction. Using bash and shells at all isn't a clean solution, but the only one I have found at the time.

You can use something like this with ksh (.profile):

if [[ -r ~/.ksh_logout ]]; then
	trap '. ~/.ksh_logout' EXIT TERM KILL
fi

Regards Uwe
Re: F5 FirePass SSL VPN on OpenBSD
Hi Mikolaj,

You can connect to F5 with a little bit of perl and ppp. I know a perl script which does the magic with pppd and openssl s_client: http://devcentral.f5.com/SDK/sslvpn.public.pl.txt . But in OpenBSD there is no pty option in pppd - that's why it should be converted to use ppp.

Regards Uwe

Mikolaj Kucharski (mikolaj) wrote:

On Fri, Apr 03, 2009 at 11:37:47AM +0100, Mikolaj Kucharski wrote:

Hi, Anyone knows any open-source client so OpenBSD could connect to it?

I'm looking for ppl who actually know how to do that, not ppl who are capable to read SERP without understanding the subject. I'm okay with zero replies for my question if no one has a clue. TIA.

-- best regards q#
Re: PF and CLamAV Integration - how to do it?
Hi Sarah,

try a search in the ports tree for different kinds of proxies:

Port:   havp-0.89
Path:   www/havp
Info:   web proxy with antivirus filter
Maint:  Giovanni Bechis g.bec...@snb.it
Index:  www
L-deps: clamav.=1::security/clamav
B-deps: :devel/gmake
R-deps:
Archs:  any

For scanning mails there are a lot of tutorials right now...

Regards Uwe

Protocol Six Consulting (contact.us) wrote:

Hi, I was wondering if anyone here knows how to integrate the PF firewall with ClamAV. I am planning on putting into production an OpenBSD firewall and would like to do virus scanning at the network perimeter. I am definitely interested in scanning email traffic, but also possibly Web and IRC (and any other traffic types that make sense) for a group of 25 people. Unfortunately I've not seen any real discussion or howtos for this type of integration. I've also looked in the PF FAQ pages and in the archives of Openbsd-misc or Openbsd-PF. Finally, the BookOfPF (which I like a lot!!) doesn't seem to touch on this topic either. I suspect my mental picture of how PF and ClamAV work together may be flawed or incomplete. I guess I'm assuming there is a way to have PF pass information directly to ClamAV, but perhaps some middle-ware glue is necessary. Any pointers and/or info would be greatly appreciated by this newbie. Thanks and best regards, :-) Sarah
Re: Can't get relayd to work for DNS + problem with relayctl reload
Hello Pierre,

I noticed the same behavior on my box with current before I read this thread. That's why I sent a bug report: 6046/system (http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=6046).

Regards Uwe

On Wed, 14 Jan 2009 15:53:50 +0100, BARDOU Pierre bardo...@mipih.fr wrote:

Hi,

I tried to send a bug report with sendbug(1), but I am not very familiar with it. I hope someone will notice...

--
Regards,
Pierre BARDOU

From: uday [mailto:umoorjani@gmail.com]
Sent: Wednesday 14 January 2009 15:52
To: BARDOU Pierre
Cc: misc@openbsd.org; Nigel J. Taylor
Subject: Re: Can't get relayd to work for DNS + problem with relayctl reload

pierre, i'm seeing the same result with relayctl. i don't know where it's coming from. um

On Wed, Jan 14, 2009 at 8:16 AM, BARDOU Pierre bardo...@mipih.fr wrote:

Shame on me, it didn't work because I allowed connections to the real IP (10.60.0.10x) and not to the relayd IP (10.31.33.254). Now it works, thanks for the help :)

But I still have the issue I reported a few months ago: when I use a relay, relayctl reload fails saying "command failed". The relayd logs say nothing. Will I be forced to pkill relayd and restart it each time?

--
Regards,
Pierre BARDOU

-----Original Message-----
From: Nigel J. Taylor [mailto:njtay...@asterisk.demon.co.uk]
Sent: Wednesday 14 January 2009 02:22
To: BARDOU Pierre
Subject: Re: Can't get relayd to work for DNS

I have this in my relayd.conf, it's just an extract, only a pass in in pf.conf. You use either relay or redirect, not both at once; redirect requires an anchor in pf.conf, relay doesn't.

dns protocol dnsudp
tcp protocol dnstcp

relay relaydnsudp {
	protocol dnsudp
	listen on $dns_int port domain
	forward to <DNSSERVERS> \
		check script /usr/local/bin/dnscheck
}

relay relaydnstcp {
	protocol dnstcp
	listen on $dns_int port domain
	forward to <DNSSERVERS> \
		check script /usr/local/bin/dnscheck
}

The dnscheck script does a dig to check that dns is up:

#!/bin/ksh
# relayd passes the host address as the first argument
dnsserver=$1
# host must answer ping and resolve its own reverse record
if ping -n -c1 -w 1 $dnsserver >/dev/null 2>&1 && dig -x \
	$dnsserver @$dnsserver >/dev/null
then
	exit 1
fi
exit 0

Regards

Nigel Taylor

BARDOU Pierre wrote:

Hello,

I am trying to set up relayd for load balancing on my DNS servers. The problem is that relayd seems to handle only TCP connections, UDP isn't taken into account. I found a known bug on openBSD 4.2, but I am using openBSD 4.4. I've tried the same setup with a relay, and still have the same problem. Where am I mistaken?

# pfctl -a relayd/DNS -s nat
rdr inet proto tcp from any to 10.31.33.254 port = domain (tcp.established 600) -> <DNS> port 53 round-robin

# cat /etc/relayd.conf
node1=10.60.0.101
node2=10.60.0.102
node3=10.60.0.103
squid_int=10.31.33.254
dns_int=10.31.33.254

# Global Options
interval 5
log updates
prefork 10
timeout 1500

table <squid> { $node1, $node3 }
table <DNS> { $node1, $node3 }

redirect squid {
	listen on $squid_int port 3128
	forward to <squid> mode roundrobin check tcp
}

redirect DNS {
	listen on $dns_int port 53
	forward to <DNS> mode roundrobin check tcp
}

Relay config :

dns protocol dnsfilter {
	### TCP performance options
	tcp { nodelay, sack, socket buffer 1024, backlog 1000 }
}

relay dns {
	### listen and accept redirected connections from pf
	listen on $dns_int port 53

	### apply web filters
	protocol dnsfilter

	### forward to web server(s)
	forward to <DNS> mode roundrobin check tcp
}

--
Regards,
Pierre BARDOU
CSIM - Bureau 012
Midi Picardie Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
Tél : 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : bardo...@mipih.fr

--
Kind regards
Uwe Werler
OB3SI
Re: LDAP and OpenBSD
On Thu, 23 Oct 2008 01:02:18 +1100, Gavin Norman [EMAIL PROTECTED] wrote:

> I attempted the steps based on your experience with ypldap. I downloaded a snapshot 2 days ago and set up a fresh install on a virtual machine. However I get the following after running ypldap:
>
>     # ypldap -dv
>     startup [debug mode]
>     configuration starting
>     applying configuration
>     connecting to directories
>     starting directory update
>     starting directory update
>     updates are over, cleaning up trees now
>     flattening trees
>
> I never receive the "pushing line: ..." output. Here is my ypldap.conf:
>
>     interval 60 # how many seconds between retries
>     domain domain.net.au # only one domain for now
>     provide map passwd.byname
>     provide map passwd.byuid
>     provide map group.byname
>     provide map group.bygid
>
>     directory <ldap server> {
>         binddn "cn=Manager,dc=domain,dc=net,dc=au"
>         bindcred
>         basedn "ou=Users,dc=domain,dc=net,dc=au"
>         passwd filter "(objectClass=posixAccount)"
>         attribute name maps to uid
>         fixed attribute passwd "*"
>         fixed attribute class ldap
>         attribute uid maps to uidNumber
>         attribute gid maps to gidNumber
>         attribute gecos maps to cn
>         attribute home maps to homeDirectory
>         attribute shell maps to loginShell
>         attribute change maps to shadowLastChange
>         fixed attribute expire 0
>         group filter "(objectClass=posixGroup)"
>         attribute groupname maps to cn
>         fixed attribute grouppasswd "*"
>         attribute groupgid maps to gidNumber
>         list groupmembers maps to memberUid
>     }
>
> Thanks.

Hi Gavin,

what does the following say?

    ldapsearch -x -h <ldap server> -D "cn=Manager,dc=domain,dc=net,dc=au" -W -b "ou=Users,dc=domain,dc=net,dc=au" "(objectClass=posixAccount)"

Regards
Uwe
Re: perl and openbsd
On Wed, 15 Oct 2008 09:28:06 +0200 (CEST), Holger Glaess [EMAIL PROTECTED] wrote:

> hi
>
> which option do i have to change so that perl is able to get more memory resources? i have a script that works completely well on linux, but under openbsd it starts and then perl stops working and leaves the memory. if i disable some internal modules then it works. if i look at the working script in top it allocates 4092k resource memory and 6216k size memory, but if i enable one more internal module it stops working. i don't have this problem under linux, but there the limitation is not so strict. any clue for it?
>
> holger

Hello Holger,

I think you have to increase stacksize-cur in /etc/login.conf for login class default.

Regards
Uwe
Fw: LDAP and OpenBSD
On Sat, 11 Oct 2008, Uwe Werler wrote:

>> SNIP
>> 2. Add a line to /etc/rc.conf
>>
>>     ypldap_flags=""
>>
>> 3. Add lines to /etc/rc.local:
>
> or more appropriately /etc/rc.conf.local, otherwise your local changes could get overwritten on a future upgrade.

Hello Diana,

you are right - it was a typo by me. It's necessary to comment out the following lines in /etc/rc too:

    <snip>
    #if [ -d /var/yp/binding ]; then
    #	# YP client capabilities needed...
    #	echo -n ' ypbind';		ypbind
    #fi
    <snip>

...and add these instead to /etc/rc.local so ypbind starts AFTER ypldap is started. If you don't, ypbind hangs at system start and times out.

Regards
Uwe
Re: CARP multicast and ADSL bridge
On Thu, 09 Oct 2008 19:45:01 -0700, Brian [EMAIL PROTECTED] wrote:

> Hello,
>
> After much reading of man pages, FAQs and googling, I have come up against a dead end. I have a dual redundant CARP setup on 2 sparc64 boxes running 4.3, with an Ovislink OV303 ADSL bridge for internet connectivity. All ports are connected to the bridge with a procurve 1800-24g semi-intelligent switch.
>
> The problems are that the multicast CARP packets are getting forwarded over the bridge and running up my very limited bandwidth cap (which, of course, is no one's problem but my own) and more importantly is causing my ADSL connection to be dropped every 10-15 minutes. The tech at the ISP diagnosed the problem, and I wouldn't have believed it if I hadn't verified the behaviour myself. As soon as I disable CARP on the external interface and the CARP announce packets stop, the connection stays up for days. With CARP running, I would sometimes be down for hours, with the ADSL connection going up for a second, and dropping right away.
>
> I tried to do multicast filtering on the ADSL port, but my switch isn't intelligent enough, and the ADSL device won't filter in bridge mode. The only thing I could think to do is to put the 2 CARP ports on a separate VLAN and route the CARP multicast packets through that, but my attempts to use pf to rdr the multicast packets to a separate vlan0 interface have not been successful.
>
> Is there a magical way to resolve my situation without buying a more expensive switch? I thought it would be worth asking before shutting up and hacking together a possibly stupid VLAN tagging solution in ip_carp.
>
> Thanks for your patience.
>
> -Brian Marshall

Hi Brian,

did you try to avoid multicast by setting up the carppeers directly? See man ifconfig:

    carppeer peer_address
        If the driver is a carp(4) pseudo-device, send the carp advertisements to a specified point-to-point peer or multicast group instead of sending the messages to the default carp multicast group. The peer_address is the IP address of the other host taking part in the carp cluster. With this option, carp(4) traffic can be protected using ipsec(4) and it may be desired in networks that do not allow or have problems with IPv4 multicast traffic.

Regards
Uwe
Re: LDAP and OpenBSD
On Fri, 10 Oct 2008 19:52:10 +0200, raven [EMAIL PROTECTED] wrote:

> Hi misc :)
> I'm thinking about how my users in an ldap db can log in to my openbsd machine as users. I tried to use google but no clue at all. Thanks guys :)
> Francesco

Hello Francesco,

there's a solution ;-). I've gotten my -current running to authenticate against my openldap server. As stated by the others there is usr.sbin/ypldap. It's not linked to the builds yet - but it works - together with the port sysutils/login_ldap. You can grab the users/groups¹ from ypldap and then authenticate them against an ldap server - no matter if this is openldap or AD. I'll send a howto within the next days (hopefully during this weekend). Please be patient.

Regards
Uwe

¹ Not fully working yet - ypldap only lists the first group for the user. But ypldap is still under development.
Re: LDAP and OpenBSD
Ok guys... because I have beer yet I decided to write my experience down now:

1. Use -current. Grab the sources, go to /usr/src/usr.sbin/ypldap and run

       cvs update; make depend; make; make install

2. Install the port sysutils/login_ldap

3. Configure /etc/ypldap.conf:

       EOF
       domain $OPENBSD
       interval 60
       provide map passwd.byname
       provide map passwd.byuid
       provide map group.byname
       provide map group.bygid

       directory $USE_IP_HERE {                        # A
           attribute name maps to uid
           fixed attribute passwd "*"                  # B
           attribute uid maps to uidNumber
           attribute gid maps to gidNumber
           fixed attribute class ldap                  # Login class!
           fixed attribute expire 0                    # C
           attribute change maps to shadowLastChange   # D
           attribute gecos maps to gecos
           attribute home maps to homeDirectory
           fixed attribute shell /bin/ksh              # E
           attribute groupname maps to cn
           fixed attribute grouppasswd "*"
           attribute groupgid maps to gidNumber
           attribute groupmembers maps to memberUid
           binddn "cn=$ldapuser,dc=example,dc=com"     # F
           bindcred "YourSecret"
           basedn "dc=example,dc=com"
           group filter "(objectclass=posixGroup)"
           passwd filter "(objectclass=posixAccount)"
       }
       EOF

   A  Name resolution not working yet - use IP instead
   B  Passwords in NIS not needed - we use login_ldap  # XXX
   C  Problems with time format - account e usfor Linux users - but there's no bash ;-)
   F  Not needed if anonymous searches are allowed - not yet in man

   XXX You could use other auth too - like krb5 against AD - should be tested!

4. Configure login_ldap in /etc/login.conf:

       ldap:\
           :auth=-ldap:\
           :x-ldap-server=$USE_IP_HERE:\
           :shell=/bin/ksh:\
           :x-ldap-basedn=dc=example,dc=com:\
           :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
           :x-ldap-groupdn=cn=group_users_should_reside_to,dc=example,dc=com:\
           :x-ldap-groupfilter=(&(objectClass=posixGroup)(memberUid=%u)):\
           :tc=default:

   (the shell= line is not mandatory)

5. Test ypldap

       ~ # ypldap -dv
       startup [debug mode]
       configuration starting
       applying configuration
       connecting to directories
       trying directory: $IP
       starting directory update
       starting directory update
       updates are over, cleaning up trees now
       flattening trees
       pushing line: anonymous:*:4:3:ldap:0:/home/anonymous:/bin/ksh
       pushing line: uwerler:*:1000:1000:ldap:12011:0:Uwe Werler:/home/uwerler:/bin/ksh
       pushing line: user001:*:1001:1001:ldap:12011:0:Who' this?:/home/user001:/bin/ksh
       pushing line: admins:*:1000:uwerler
       pushing line: users01:*:1001:user001

   That means you should see something like this ;-)

6. Start ypbind

       ypbind

7. Test the user

       ~ # id uwerler
       uid=1000(uwerler) gid=1000(admins) groups=1000(admins)*

   * as I already wrote - only the first group from ldap is used now

OK, this is working so far. Now try to login. The problem is if you want to auth with passwords you have to type your password twice. Why - I've to ask the list myself. I've seen such messages in my authlog:

    Oct 7 16:07:50 openbsd02 sshd[11261]: Failed password for uwerler from 10.0.0.127 port 36885 ssh2
    Oct 7 16:07:52 openbsd02 sshd[11261]: Accepted password for uwerler from 10.0.0.127 port 36885 ssh2

!!! You're done !!!

Regards
Uwe

To make your changes permanent:

1. Find the lines and comment out in /etc/rc to avoid ypserv's startup

       <snip>
       if [ X`domainname` != X ]; then
       #	if [ -d /var/yp/`domainname` ]; then
       #		# YP server capabilities needed...
       #		echo -n ' ypserv';		ypserv ${ypserv_flags}
       #		#echo -n ' ypxfrd';		ypxfrd
       #	fi
       <snip>

2. Add a line to /etc/rc.conf

       ypldap_flags=""

3. Add lines to /etc/rc.local:

       if [ X${ypldap_flags} != XNO ]; then
           echo -n ' ypldap'; /usr/sbin/ypldap ${ypldap_flags} 1> /dev/null
       fi
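An added check, not part of Uwe's howto: before starting ypbind (step 6), it walks the "pushing line:" entries of a captured `ypldap -dv` run (step 5) and counts passwd entries that publish a hash instead of "*", are not in the ldap login class, or have a non-numeric uid/gid, plus malformed group lines. The sample log and its two deliberately wrong entries are constructed; it needs only POSIX sh, awk and cut.

```shell
# Added example, not from the original howto: check the "pushing line:"
# entries of `ypldap -dv` (step 5) before starting ypbind (step 6).
# passwd map line: name:passwd:uid:gid:class:change:expire:gecos:home:shell
# group map line:  name:passwd:gid:member[,member...]

# field LINE N: colon-separated field N; nfields LINE: field count
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }
nfields() { printf '%s\n' "$1" | awk -F: '{ print NF }'; }
# numeric STR: succeed if STR is a non-empty string of digits
numeric() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# check_passwd_line LINE: succeed when the entry matches the howto's
# intent: passwd is "*" (no hash is published over NIS; login_ldap does
# the authentication), class is "ldap" (so the ldap class in
# /etc/login.conf applies), and uid and gid are numeric.
check_passwd_line() {
	[ "$(nfields "$1")" -eq 10 ] || return 1
	[ "$(field "$1" 2)" = '*' ] || return 1
	[ "$(field "$1" 5)" = ldap ] || return 1
	numeric "$(field "$1" 3)" && numeric "$(field "$1" 4)"
}

# check_group_line LINE: succeed for a 4-field group entry with passwd "*"
# and a numeric gid
check_group_line() {
	[ "$(nfields "$1")" -eq 4 ] || return 1
	[ "$(field "$1" 2)" = '*' ] || return 1
	numeric "$(field "$1" 3)"
}

# count_bad_entries: read a ypldap -dv log on stdin and print how many
# pushed entries fail the checks (0 means it is safe to start ypbind)
count_bad_entries() {
	bad=0
	while IFS= read -r l; do
		case $l in
		"pushing line: "*)
			e=${l#pushing line: }
			if [ "$(nfields "$e")" -eq 4 ]; then
				check_group_line "$e" || bad=$((bad + 1))
			else
				check_passwd_line "$e" || bad=$((bad + 1))
			fi ;;
		esac
	done
	echo "$bad"
}

# Constructed sample log in the step 5 format; the "bob" entry publishes
# a hash in the default class and "users01" has a non-numeric gid.
SAMPLE_LOG='flattening trees
pushing line: uwerler:*:1000:1000:ldap:12011:0:Uwe Werler:/home/uwerler:/bin/ksh
pushing line: bob:$2b$10$constructedhash:1002:1002:default:0:0:Bob:/home/bob:/bin/ksh
pushing line: admins:*:1000:uwerler
pushing line: users01:*:abc:user001'
printf '%s\n' "$SAMPLE_LOG" | count_bad_entries   # prints 2
```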
Re: LDAP and OpenBSD
Ok, it's quite late tonight - after some beer:

    # vipw
    ^G i
    +:*
    :wq
    # vi /etc/group
    ^G i
    +:*::
    :wq
    #

You're done.
Re: pf - queue filter directive sticky?
On Tue, 30 Sep 2008 10:53:05 +0200, [EMAIL PROTECTED] wrote:

> On Mon, 29 Sep 2008 15:29:08 -0400, (private) HKS [EMAIL PROTECTED] wrote:
>
>> If the following two rules apply to a given packet in the order shown, will the packet be queued?
>>
>>     pass in on $int_if from 10.0.0.1 queue tens
>>     pass in on $int_if
>>
>> I've not been able to find a clear answer in pf.conf(5) or the online PF documentation. If I overlooked it, please let me know. Thanks in advance for the help.
>>
>> -HKS
>
> imho normally this packet wouldn't be queued because the last count matches the packet so the last rule applies: from man pf.conf:
>
>     For each packet processed by the packet filter, the filter rules are evaluated in sequential order, from first to last. The last matching rule decides what action is taken. If no rule matches the packet, the default action is to pass the packet.
>
> uw

on the other hand:

    During the filtering component of pf.conf, the last referenced queue name is where any packets from pass rules will be queued...

that means because of the sequential order that the packet should be queued imho.
howto determine boot device?
hi,

is it possible to determine, after the kernel has loaded, from which device it has booted?

regards
uwe
determine boot device after boot
hello,

is it possible to determine the boot device after the kernel has loaded? i didn't find any variable (with sysctl or an entry in logs) which contains this information. i want to boot from any device like floppy, cd etc. and the root will be a ramdisk. after boot i want to read some additional files from the boot device. is there a way to get this working?

thanks in advance!
Re: read-only storage media
hi matt,

what about a USB stick? that's my approach.

regards
uwe

> Is there any kind of storage media that can be set as read-only, and only reset to read and write by physical access? I'm thinking about something like the (seemingly ancient) 3.5 floppy disks that had that little switch you could use to set the disk to read only. Are there any hard drives that have a similar kind of feature?
>
> I'm thinking that this would be nice for a firewall machine: if the machine was compromised, it still couldn't be modified (i.e., volumes mounted read only can always be remounted read-write if the machine is root compromised).
>
> I'm thinking that I could burn a CD-R (and re-burn it whenever there's a configuration change), but it seems like the system might have a lot of latency and the CD-ROM drive might prematurely fail.
>
> Any thoughts?
>
> Thanks,
> Matt
>
> --
> Matt Garman
> email at: http://raw-sewage.net/index.php?file=email