[bcc:Michael, Petr, Lukasz]

Many thanks to all who replied!

Obviously I haven't been paying enough attention. I knew about the relinking process, and I thought that the relinking was only done for the kernel in memory, and was not written out to the /bsd file itself. With your encouragement, I skimmed through rc, and the reorder_kernel script and can see how it works now.

Most of my paranoia was triggered by having recently seen in Slashdot that there were evil versions of Windows or MacOS of "Putty" ssh (client) around that suggested, if connecting (maybe even to an OpenBSD box?) might result in compromised passwords.

Already I was feeling guilty enough about not keeping all my systems running the latest stable version of OpenBSD, much more deigning to use Windoze, last month, to connect to home base.

Austin

FOOTNOTE: Wow, I love reading those shell scripts, just in terminal mode with "joe -rdonly", and a big wide screen. First of all they seem so beautifully written, indented just right. Seems to me, last time I looked, many years ago, such scripts were much harder to follow, and joe (and probably some other editors), recognizes the (scripting/programming) language, and colorizes the varying syntactical contexts just right. It's also a pleasure having a lighted lettering on a black background for a change. Gosh, how I hate the glare of the white background for text. And, with the big screen, my 80 year old eyes scarcely need the 2.00 diopter reading glasses.

THANKS AGAIN!!

On Sun, 18 Sep 2022, Michael Stolovitzsky wrote:

> New kernels are generated on every boot by relinking. Check your uptimes;
> they're likely to match kernel timestamps.
>
> On Sep 18, 2022, 9:58 AM, at 9:58 AM, Austin Hook <aus...@hook.org> wrote:
> >
> >I noticed recently that some of my /bsd files are changing dates:
> >
> >First the data, then below, I note my guess as to what's happening...
> >
> >An Internet facing server:
> >
> >ls -lT /bsd*
> >-rwx------ 1 root wheel 20956100 Aug 14 09:54:46 2022 bsd
> >-rwx------ 1 root wheel 20954372 Jul 31 01:17:13 2022 bsd.booted
> >-rw------- 1 root wheel 10393418 Nov 3 18:53:52 2020 bsd.rd
> >
> >
> >Mailserver on a LAN
> >
> > ls -lT /bsd*
> >-rwx------ 1 root wheel 20959252 Sep 4 09:01:26 2022 /bsd
> >-rwx------ 1 root wheel 20953780 Sep 4 08:24:53 2022 /bsd.booted
> >-rw------- 1 root wheel 10393418 Jan 18 21:32:51 2021 /bsd.rd
> >
> >
> >
> >Internet facing server
> >
> >-rwx------ 1 root wheel 20961836 Sep 17 11:29:23 2022 bsd
> >-rwx------ 1 root wheel 20954668 Aug 28 15:21:24 2022 bsd.booted
> >-rw------- 1 root wheel 10393418 Oct 21 08:02:57 2020 bsd.rd
> >
> >The above three are version 6.8
> >
> >In each case the sha256 checksums for /bsd do not seem to match the
> >distributed versions. Luckily those are still in the pub/openbsd mirrors.
> >
> >And I also have a laptop running a very old version of OpenBSD, for which
> >the /bsd seemed to have been corrupted by the time I was signing in from a
> >hotel recently. It complained that it could not randomize the libraries
> >on boot up. So it would not boot, although I could boot it up from an
> >external bootable hard drive containing a really old 5.3 image
> >
> >I also signed into one of my systems with "putty" which I loaded onto a
> >friend's windows machine -- some time in August I think it was.
> >
> >I note:
> >
> >1) the /bsd.rd files were installed when I last updated the systems above,
> >and the dates of these all correspond with other important files of the
> >last upgrade or install. So at least most of those, have apparently not
> >been touched.
> >
> >2) There seems to be a progression of date changing events in the /bsd
> >file images, in the different machines.
> >
> >Anyone know of another explanation other than someone sneakily hacking at
> >my machines.
> >
> >Somehow, in some machine, I think my ssh sessions are being hacked.
> >
> >Looks like I have a lot of work to do.
> >
> >
> >Austin
>

On Sun, 18 Sep 2022, Petr Ročkai wrote:

> On Sun, Sep 18, 2022 at 12:56:13AM -0600, Austin Hook wrote:
> > 1) the /bsd.rd files were installed when I last updated the systems above,
> > and the dates of these all correspond with other important files of the
> > last upgrade or install. So at least most of those, have apparently not
> > been touched.
> >
> > 2) There seems to be a progression of date changing events in the /bsd
> > file images, in the different machines.
>
> The most likely explanation is kernel relinking, which happens on every boot.
>
> M.
>
> --
> id' Ash = Ash; id' Dust = Dust; id' _ = undefined
>

On Sun, 18 Sep 2022, Łukasz Moskała wrote:

>
>
> On 18 September 2022 08:56:13 CEST, Austin Hook <aus...@hook.org> wrote:
> >
> >I noticed recently that some of my /bsd files are changing dates:
> >
> >First the data, then below, I note my guess as to what's happening...
> >
> >An Internet facing server:
> >
> >ls -lT /bsd*
> >-rwx------ 1 root wheel 20956100 Aug 14 09:54:46 2022 bsd
> >-rwx------ 1 root wheel 20954372 Jul 31 01:17:13 2022 bsd.booted
> >-rw------- 1 root wheel 10393418 Nov 3 18:53:52 2020 bsd.rd
> >
> >
> >Mailserver on a LAN
> >
> > ls -lT /bsd*
> >-rwx------ 1 root wheel 20959252 Sep 4 09:01:26 2022 /bsd
> >-rwx------ 1 root wheel 20953780 Sep 4 08:24:53 2022 /bsd.booted
> >-rw------- 1 root wheel 10393418 Jan 18 21:32:51 2021 /bsd.rd
> >
> >
> >
> >Internet facing server
> >
> >-rwx------ 1 root wheel 20961836 Sep 17 11:29:23 2022 bsd
> >-rwx------ 1 root wheel 20954668 Aug 28 15:21:24 2022 bsd.booted
> >-rw------- 1 root wheel 10393418 Oct 21 08:02:57 2020 bsd.rd
> >
> >The above three are version 6.8
> >
> >In each case the sha256 checksums for /bsd do not seem to match the
> >distributed versions. Luckily those are still in the pub/openbsd mirrors.
> >
> >And I also have a laptop running a very old version of OpenBSD, for which
> >the /bsd seemed to have been corrupted by the time I was signing in from a
> >hotel recently. It complained that it could not randomize the libraries
> >on boot up. So it would not boot, although I could boot it up from an
> >external bootable hard drive containing a really old 5.3 image
> >
> >I also signed into one of my systems with "putty" which I loaded onto a
> >friend's windows machine -- some time in August I think it was.
> >
> >I note:
> >
> >1) the /bsd.rd files were installed when I last updated the systems above,
> >and the dates of these all correspond with other important files of the
> >last upgrade or install. So at least most of those, have apparently not
> >been touched.
> >
> >2) There seems to be a progression of date changing events in the /bsd
> >file images, in the different machines.
> >
> >Anyone know of another explanation other than someone sneakily hacking at
> >my machines.
> >
> >Somehow, in some machine, I think my ssh sessions are being hacked.
> >
> >Looks like I have a lot of work to do.
> >
> >
> >Austin
> >
> >
>
> Hi,
>
> Near end of boot process you can see "relinking to create unique kernel".
>
> Modifying kernel changes modification date and checksum.
>
> If you want to learn more about this feature, it's called KARL.
> --
> Łukasz Moskała
>
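
The check the replies suggest (kernel timestamp against boot time), combined with a hash comparison, as an added example that is not part of the original thread. It assumes the relink step records the new kernel's hash in /var/db/kernel.SHA256; the function names and the one-hour window are illustrative choices, and the demo file at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): is a changed kernel file explained
# by boot-time relinking (KARL)?
# Assumption: the relink step records the new kernel's hash in a BSD-style
# checksum file, /var/db/kernel.SHA256 ("SHA256 (/bsd) = <hex>").

sha256_of() {   # hex digest via OpenBSD sha256(1), else GNU sha256sum
	if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
	else sha256sum "$1" | cut -d' ' -f1; fi
}

mtime_of() {    # modification time in epoch seconds (GNU stat, else BSD stat)
	stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# check_kernel KERNEL HASHFILE BOOT_EPOCH [WINDOW_SECONDS]
# Returns 0 when the file matches the recorded hash and was written within
# WINDOW_SECONDS after boot, 1 on hash mismatch, 2 on an unexplained mtime.
check_kernel() {
	kernel=$1 hashfile=$2 boot=$3 window=${4:-3600}
	recorded=$(sed -n 's/^SHA256 (.*) = \([0-9a-f]\{64\}\)$/\1/p' "$hashfile")
	actual=$(sha256_of "$kernel")
	if [ -z "$recorded" ] || [ "$recorded" != "$actual" ]; then
		echo "MISMATCH: $kernel differs from the hash recorded at relink"
		return 1
	fi
	delta=$(( $(mtime_of "$kernel") - boot ))
	if [ "$delta" -lt 0 ] || [ "$delta" -gt "$window" ]; then
		echo "UNEXPLAINED: $kernel written ${delta}s from boot"
		return 2
	fi
	echo "OK: $kernel matches the relink hash, written ${delta}s after boot"
}

# On OpenBSD, as root (the /bsd files are mode 700):
#   check_kernel /bsd /var/db/kernel.SHA256 "$(sysctl -n kern.boottime)"

# Constructed demo so the script runs anywhere: a stand-in "kernel" file
# whose pretend boot time is 90 seconds before it was written.
demo=$(mktemp -d)
echo 'constructed stand-in for /bsd' > "$demo/bsd"
echo "SHA256 (/bsd) = $(sha256_of "$demo/bsd")" > "$demo/kernel.SHA256"
check_kernel "$demo/bsd" "$demo/kernel.SHA256" "$(( $(mtime_of "$demo/bsd") - 90 ))"
rm -rf "$demo"
```

A pass only shows the file is consistent with the local record and boot time; both live on the same disk, so integrity against someone with root still has to be checked from trusted media.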