Re: Extended paging bug in Athlon affect FreeBSD?
Raman Ng wrote:
> I don't know what mailing list this mail should be
> posted to, sorry if it is posted to the wrong mailing
> list.
>
> Recently I found Linux 2.4 kernel is affected by the
> bug of extended paging in AMD Athlon through the
> following link. I don't know if FreeBSD is also
> affected.
>
> http://linuxtoday.com/news_story.php3?ltsn=2002-01-21-001-20-NW-KN

I am well aware of this bug.

It does not affect FreeBSD, which only uses 4M pages for the first 4M of the kernel itself.

I've worked on code that enables 4M pages on other memory used in FreeBSD, that had this problem, but only if you were really stupid in your allocation mechanism.

There's a workaround for this problem which is fairly trivial to implement in software, and should probably be done when 4M pages are enabled, if you are using an Athlon, and are adding 4M pages. The problem didn't bite my own application, since I knew about it and used the TLBs in a very specific way to get around the problem, but I'm told that after I left the company, someone went in and used them a different way, not knowing about the problem or the workaround, and broke things. This resulted in about a 14% performance loss.

If you are doing heavy networking on a machine with a lot of memory, it's reasonable to move your mbufs into 4M pages, which nets you a 4-14% improvement (depending on whether or not you also change your allocator: 14% if you do). If you do that, knowing how to work around the problem nets you a pretty big win in overall performance, for about 6-10 more machine instructions at startup time. 8-).

In any case, this will not be a problem for FreeBSD, and is only a problem for Linux because of the strange way they initialize things.

-- Terry

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
Re: __stderrp error
On Sun, Jan 20, 2002 at 11:55:13PM -0800, Julian Elischer wrote:
>
>
> On Mon, 21 Jan 2002, Emiel Kollof wrote:
>
> >
> > On Monday, 21 January 2002 at 08:34, Julian Elischer wrote:
> >
> > >
> > > Lots of my old programs get:
> > > /usr/libexec/ld-elf.so.1: /usr/local/lib/libpng.so.3: Undefined symbol
> > > "__stderrp"
> > >
> > > this is NOT the error in UPDATING
> > [...]
> >
> > It isn't? It's related. I've seen it before. Setting COMPAT4X worked for
> > me... Are you sure you made the FreeBSD compat libraries? Setting it in
> > make.conf is one thing, but the libraries must be there too :-)
> >
> > Either a make world with COMPAT4X set, or building the 4.x compat libs
> > (for location, see UPDATING), but I guess you knew that.
> Here is my make.conf..
> [...]
> #COMPAT20= yes
> #COMPAT21= yes
> #COMPAT22= yes
> COMPAT4X= yes
> #
> #
> [...]
>
> and I've "made world" a lot of times like that.
> and if I do it by hand as suggested, it doesn't make any difference either.
>

Does ``ldconfig -elf -r'' show the /usr/lib/compat stuff? If it doesn't, you might have screwed the `ldconfig_paths' setting in /etc/rc.conf.

Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA,
[EMAIL PROTECTED]       Sunbay Software AG,
[EMAIL PROTECTED]       FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
Questions about -current
Hello,

I just upgraded to -current today to get a couple of features including devfs working. In the process I have run into a few questions (mainly things to do with the fact that up until a few days ago I was only using linux 2.4.x):

1) Will either the in kernel or oss sound driver for an SBLive! in FreeBSD be updated to allow multiple accesses to /dev/dsp at the same time any time in the near future? I know that the oss driver has /dev/dsp1..7 or so but they still seem to not like having multiple accesses to any of them at the same time. In linux both the oss/free and alsa drivers fully supported playing multiple (I know I had tried up to six at a time before) streams to /dev/dsp concurrently.

2) Will frame buffers for either VESA or more specifically radeon be added and/or documented any time soon to use a frame buffer at a reasonable resolution for the virtual consoles?

3) Will USB keyboards work as the system console keyboard any time soon, right now I can't seem to get my Sun Type 6 USB keyboard to work even though it shows up in dmesg.

4) Is there anyone actively maintaining dri for XFree86 on FreeBSD, I couldn't get my Radeon 7500 to work with dri using a fresh pull of XFree86 CVS, so I ended up making a trivial patch to allow my Radeon to be detected and set up. But this led me to notice that there have been one or two performance and lock up related changes to the linux kernel dri code and wondered whether these fixes would ever make it to FreeBSD?

5) In -current would it be possible to have a few command line switches added to certain userland utilities? I noticed -h made it into `ls` now, but `cp` still doesn't have -a or -x which I used to use all the time in Linux. I know -a isn't a big deal but -x was definitely nice from time to time. `date` having a --date option to tell you when a specified date is in Linux is also very nice. Just some thoughts.

6) I have found the pages for hardware monitoring support in the FreeBSD kernel and have a few questions about it: Will the updated code which supports newer AMD and VIA monitoring chips be rolled into -current soon? And if so what userland utility does one use in FreeBSD to pull values from the driver like lm-sensors does for Linux?

Thanks if anyone can help me figure out answers to any of the above questions or provide feedback on any of my comments. So far I love FreeBSD and find it much more efficient and intuitive than Linux, keep up the good work. Please Cc: me as I am not on this list yet.

Jordan Breeding
Re: Questions about -current
First off, you sent this to the wrong list. Most of the questions you bring up in here should have been directed at -questions.

On Mon, Jan 21, 2002 at 09:22:08AM +, [EMAIL PROTECTED] wrote:
> I just upgraded to -current today to get a couple of
> features including devfs working. In the process I
> have run into a few questions (mainly things to do with
> the fact that up until a few days ago I was only using
> linux 2.4.x):

If you are new to FreeBSD, -CURRENT might not be a wise place to start.

> 1) Will either the in kernel or oss sound driver for an
...
> 3) Will USB keyboards work as the system console
> keyboard any time soon, right now I can't seem to get
> my Sun Type 6 USB keyboard to work even though it shows
> up in dmesg.

If you have both a PS/2 and USB keyboard, you need to make use of `kbdcontrol -k`.

> 4) Is there anyone actively maintaining dri for XFree86
> on FreeBSD, I couldn't get my Radeon 7500 to work with

See /usr/ports/graphics/drm-kmod or http://gladstone.uoregon.edu/~eanholt/dri/

...
> 6) I have found the pages for hardware monitoring
> support in the FreeBSD kernel and have a few questions
> about it: Will the updated code which supports newer
> AMD and VIA monitoring chips be rolled into -current
> soon? And if so what userland utility does one use in
> FreeBSD to pull values from the driver like lm-sensors
> does for Linux?

I've got /usr/ports/sysutils/xmbmon/ working perfectly with my setup.

--
Sean Kelly | PGP KeyID: 77042C7B
[EMAIL PROTECTED] | http://www.zombie.org

For PGP key, send e-mail with subject "send pgp key"
Re: Extended paging bug in Athlon affect FreeBSD?
> I am well aware of this bug.
>
> It does not affect FreeBSD, which only uses 4M pages for
> the first 4M of the kernel itself.
>
> I've worked on code that enables 4M pages on other memory
> used in FreeBSD, that had this problem, but only if you
> were really stupid in your allocation mechanism.
>
> There's a workaround for this problem which is fairly
> trivial to implement in software, and should probably be
> done when 4M pages are enabled, if you are using an Athlon,
> and are adding 4M pages. The problem didn't bite my own
> application, since I knew about it and used the TLBs in a
> very specific way to get around the problem, but I'm told
> that after I left the company, someone went in and used
> them a different way, not knowing about the problem or the
> workaround, and broke things. This resulted in about a
> 14% performance loss.
>
> If you are doing heavy networking on a machine with a lot
> of memory, it's reasonable to move your mbufs into 4M pages,
> which nets you a 4-14% improvement (depending on whether or
> not you also change your allocator: 14% if you do). If you
> do that, knowing how to work around the problem nets you a
> pretty big win in overall performance, for about 6-10 more
> machine instructions at startup time. 8-).
>
> In any case, this will not be a problem for FreeBSD, and is
> only a problem for Linux because of the strange way they
> initialize things.
>
> -- Terry

Glad to know FreeBSD is not affected. Thanks a lot.

Cheers,
Raman
Re: Step5, pam_opie OPIE auth fix for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> Please explain two moments:
>
> 1) What is stack reaction on this option? Is it the same like PAM_AUTH_ERR
> reaction or not?

Yes.

> 2) Can PAM_SYSTEM_ERR be returned by pam_authenticate() ? If yes. login.c
> and ftpd.c must be fixed to add this code.

All PAM library calls can return PAM_SYSTEM_ERR.

...but I just realized it's the wrong code in this case - modules should return PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: Step5, pam_opie OPIE auth fix for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> 1) When OPIE turned on in the system, not necessary all users are
> OPIE-ed, only those who listed in /etc/opiekeys. It means that
> pam_opieaccess() module must do something only for valid OPIE users
> listed in /etc/opiekeys and do nothing for others. I use opiechallenge()
> check for it, and if it fails, return PAM_IGNORE.

Umm, you can't use opiechallenge() for that. You're not supposed to call opiechallenge() without also calling opieverify() (plus, I think opiechallenge() "consumes" a challenge). Use opielookup() instead.

> 2) opiealways() return just opposite to what you might expect, see
> /usr/src/contrib/opie/libopie/accessfile.c comment about it. Fixed by
> removing "!"

Right, thanks.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: Step5, pam_opie OPIE auth fix for review
Dag-Erling Smorgrav <[EMAIL PROTECTED]> writes: > Umm, you can't use opiechallenge() for that. You're not supposed to > call opiechallenge() without also calling opieverify() (plus, I think > opiechallenge() "consumes" a challenge). Use opielookup() instead. Even better, opie_haskey() (which is a wrapper around opielookup()). New patch attached. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] Index: Makefile === RCS file: /home/ncvs/src/lib/libpam/modules/Makefile,v retrieving revision 1.15 diff -u -r1.15 Makefile --- Makefile 5 Dec 2001 15:55:14 - 1.15 +++ Makefile 21 Jan 2002 00:46:54 - @@ -34,6 +34,7 @@ .endif SUBDIR+= pam_nologin SUBDIR+= pam_opie +SUBDIR+= pam_opieaccess SUBDIR+= pam_permit SUBDIR+= pam_radius SUBDIR+= pam_rootok Index: pam_opie/pam_opie.8 === RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.8,v retrieving revision 1.4 diff -u -r1.4 pam_opie.8 --- pam_opie/pam_opie.8 14 Jul 2001 08:38:24 - 1.4 +++ pam_opie/pam_opie.8 21 Jan 2002 01:18:58 - @@ -1,5 +1,13 @@ .\" Copyright (c) 2001 Mark R V Murray .\" All rights reserved. +.\" Copyright (c) 2002 Networks Associates Technologies, Inc. +.\" All rights reserved. +.\" +.\" Portions of this software were developed for the FreeBSD Project by +.\" ThinkSec AS and NAI Labs, the Security Research Division of Network +.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.\" ("CBOSS"), as part of the DARPA CHATS research program. +.\" .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions 
@@ -9,6 +17,9 @@ .\" 2. Redistributions in binary form must reproduce the above copyright .\"notice, this list of conditions and the following disclaimer in the .\"documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\"products derived from this software without specific prior written +.\"permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -47,6 +58,13 @@ .Dq Li auth feature. It also provides a null function for session management. +.Pp +Note that this module does not enforce +.Xr opieaccess 5 +checks. +There is a separate module, +.Xr pam_opieaccess 8 , +for this purpose. .Ss OPIE Authentication Module The OPIE authentication component provides functions to verify the identity of a user Index: pam_opieaccess/Makefile === RCS file: pam_opieaccess/Makefile diff -N pam_opieaccess/Makefile --- /dev/null 1 Jan 1970 00:00:00 - +++ pam_opieaccess/Makefile 21 Jan 2002 00:53:49 - @@ -0,0 +1,10 @@ +# $FreeBSD$ + +LIB= pam_opieaccess +SHLIB_NAME= ${LIB}.so +SRCS= ${LIB}.c +DPADD= ${LIBOPIE} +LDADD= -lopie +MAN= pam_opieaccess.8 + +.include Index: pam_opieaccess/pam_opieaccess.8 === RCS file: pam_opieaccess/pam_opieaccess.8 diff -N pam_opieaccess/pam_opieaccess.8 --- /dev/null 1 Jan 1970 00:00:00 - +++ pam_opieaccess/pam_opieaccess.8 21 Jan 2002 13:07:06 - 
@@ -0,0 +1,116 @@ +.\" Copyright (c) 2001 Mark R V Murray +.\" All rights reserved. +.\" Copyright (c) 2002 Networks Associates Technologies, Inc. +.\" All rights reserved. +.\" +.\" Portions of this software were developed for the FreeBSD Project by +.\" ThinkSec AS and NAI Labs, the Security Research Division of Network +.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.\" ("CBOSS"), as part of the DARPA CHATS research program. +.\" +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\"notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\"notice, this list of conditions and the following disclaimer in the +.\"documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\"products derived from this software without specific prior written +.\"permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREM
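Review bot: The paragraph added to pam_opie.8 in the @@ -47,6 +58,13 @@ hunk says that opieaccess(5) checks are enforced by the separate pam_opieaccess(8) module, but not where that module has to sit in the auth chain or with which control flag. An administrator whose configuration lists only pam_opie would read this and still not know how to get the access check. I'd add a sentence, or an example configuration line, that shows the intended placement. None of the three pam_opie.8 hunks touches the .Dd date either, so bump it together with the content change.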
Re: Step5, pam_opie OPIE auth fix for review
On Mon, Jan 21, 2002 at 13:54:29 +0100, Dag-Erling Smorgrav wrote:
>
> Umm, you can't use opiechallenge() for that. You're not supposed to
> call opiechallenge() without also calling opieverify() (plus, I think

No, it is possible, when opieunlock() called afterwards (as I do). BTW, the same way pam_opie does, see opieunlock() inside prompts loop.

> opiechallenge() "consumes" a challenge).

No, it is opieverify() who consumes it. You can call opiechallenge() several times with appropriate opieunlock()'s and challenge will not be changed. In fact our ftpd does it, first opiechallenge() called to generate prompt in the form pam_opie can't generate and the second is opiechallenge() called from pam_opie (invisible).

> Use opielookup() instead.

Ok. It will be faster than opiechallenge() for this case. I'll send modified patch.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step5, pam_opie OPIE auth fix for review
This is looking good! Please keep a close eye on style (there is at least one assignment in an if () statement that needs to move out. :-) M > --=-=-= > > Dag-Erling Smorgrav <[EMAIL PROTECTED]> writes: > > Umm, you can't use opiechallenge() for that. You're not supposed to > > call opiechallenge() without also calling opieverify() (plus, I think > > opiechallenge() "consumes" a challenge). Use opielookup() instead. > > Even better, opie_haskey() (which is a wrapper around opielookup()). > New patch attached. > > DES > -- > Dag-Erling Smorgrav - [EMAIL PROTECTED] > > > --=-=-= > Content-Type: text/x-patch > Content-Disposition: attachment; filename=pam_opieaccess.diff > > Index: Makefile > === > RCS file: /home/ncvs/src/lib/libpam/modules/Makefile,v > retrieving revision 1.15 > diff -u -r1.15 Makefile > --- Makefile 5 Dec 2001 15:55:14 - 1.15 > +++ Makefile 21 Jan 2002 00:46:54 - > @@ -34,6 +34,7 @@ > .endif > SUBDIR+= pam_nologin > SUBDIR+= pam_opie > +SUBDIR+= pam_opieaccess > SUBDIR+= pam_permit > SUBDIR+= pam_radius > SUBDIR+= pam_rootok > Index: pam_opie/pam_opie.8 > === > RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.8,v > retrieving revision 1.4 > diff -u -r1.4 pam_opie.8 > --- pam_opie/pam_opie.8 14 Jul 2001 08:38:24 - 1.4 > +++ pam_opie/pam_opie.8 21 Jan 2002 01:18:58 - > @@ -1,5 +1,13 @@ > .\" Copyright (c) 2001 Mark R V Murray > .\" All rights reserved. > +.\" Copyright (c) 2002 Networks Associates Technologies, Inc. > +.\" All rights reserved. > +.\" > +.\" Portions of this software were developed for the FreeBSD Project by > +.\" ThinkSec AS and NAI Labs, the Security Research Division of Network > +.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 > +.\" ("CBOSS"), as part of the DARPA CHATS research program. > +.\" > .\" > .\" Redistribution and use in source and binary forms, with or without > .\" modification, are permitted provided that the following conditions 
> @@ -9,6 +17,9 @@ > .\" 2. Redistributions in binary form must reproduce the above copyright > .\"notice, this list of conditions and the following disclaimer in the > .\"documentation and/or other materials provided with the distribution. > +.\" 3. The name of the author may not be used to endorse or promote > +.\"products derived from this software without specific prior written > +.\"permission. > .\" > .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND > .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE > @@ -47,6 +58,13 @@ > .Dq Li auth > feature. > It also provides a null function for session management. > +.Pp > +Note that this module does not enforce > +.Xr opieaccess 5 > +checks. > +There is a separate module, > +.Xr pam_opieaccess 8 , > +for this purpose. > .Ss OPIE Authentication Module > The OPIE authentication component > provides functions to verify the identity of a user > Index: pam_opieaccess/Makefile > === > RCS file: pam_opieaccess/Makefile > diff -N pam_opieaccess/Makefile > --- /dev/null 1 Jan 1970 00:00:00 - > +++ pam_opieaccess/Makefile 21 Jan 2002 00:53:49 - > @@ -0,0 +1,10 @@ > +# $FreeBSD$ > + > +LIB= pam_opieaccess > +SHLIB_NAME= ${LIB}.so > +SRCS=${LIB}.c > +DPADD= ${LIBOPIE} > +LDADD= -lopie > +MAN= pam_opieaccess.8 > + > +.include > Index: pam_opieaccess/pam_opieaccess.8 > === > RCS file: pam_opieaccess/pam_opieaccess.8 > diff -N pam_opieaccess/pam_opieaccess.8 > --- /dev/null 1 Jan 1970 00:00:00 - > +++ pam_opieaccess/pam_opieaccess.8 21 Jan 2002 13:07:06 - 
> @@ -0,0 +1,116 @@ > +.\" Copyright (c) 2001 Mark R V Murray > +.\" All rights reserved. > +.\" Copyright (c) 2002 Networks Associates Technologies, Inc. > +.\" All rights reserved. > +.\" > +.\" Portions of this software were developed for the FreeBSD Project by > +.\" ThinkSec AS and NAI Labs, the Security Research Division of Network > +.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 > +.\" ("CBOSS"), as part of the DARPA CHATS research program. > +.\" > +.\" > +.\" Redistribution and use in source and binary forms, with or without > +.\" modification, are permitted provided that the following conditions > +.\" are met: > +.\" 1. Redistributions of source code must retain the above copyright > +.\"notice, this list of conditions and the following disclaimer. > +.\" 2. Redistributions in binary form must reproduce the above copyright > +.\"notice, this list of conditions and the following disclaimer in the > +.\"documentation and/or other materials provided with the distribution. > +.\" 3
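Review bot: The licence hunks in pam_opie.8 (@@ -1,5 +1,13 @@ and @@ -9,6 +17,9 @@) add a second copyright holder and a new clause 3 to a file whose header so far shows only the 2001 Mark R V Murray copyright, and they travel in the same diff as the functional change. I'd split the licence change into its own commit, with a message recording that the existing copyright holder agreed to the added clause, so the change of terms is easy to find in the file history.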
Re: Step5, pam_opie OPIE auth fix for review
On Mon, Jan 21, 2002 at 14:07:48 +0100, Dag-Erling Smorgrav wrote:
> Dag-Erling Smorgrav <[EMAIL PROTECTED]> writes:
> > Umm, you can't use opiechallenge() for that. You're not supposed to
> > call opiechallenge() without also calling opieverify() (plus, I think
> > opiechallenge() "consumes" a challenge). Use opielookup() instead.
>
> Even better, opie_haskey() (which is a wrapper around opielookup()).
> New patch attached.

Yes, this patch works as expected, but I doubt about opie_haskey() status. It looks like non-standard FreeBSD addition since it is in the local opieextra.c file and not in contrib/opie. If you care about machine independence, better use opielookup() directly.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: NEWCARD and Xircom (RBEM56G-100)
Hi Tom,

No, I have this same card running on a Toshiba Tecra 8100, and it does indeed use the dc driver, and the ethernet part of it does indeed work (I'm running Current, last updated yesterday).

The dc driver needs the miibus device configured in the kernel in order to work correctly, and it appears as if you haven't configured your kernel with this device- your dmesg is showing:

dc0: port 0x1000-0x107f mem 0x8400-0x84ff,0x84000100-0x8400017f irq 11 at device 0.0 on cardbus0
dc0: Ethernet address: 00:00:00:00:00:00
dc0: MII without any PHY!

while you should in fact be seeing something like:

dc0: port 0x1000-0x107f mem 0x84002000-0x840020ff,0x84002100-0x8400217f irq 11 at device 0.0 on cardbus0
dc0: Ethernet address: 2e:29:21:02:06:00
miibus0: on dc0
tdkphy0: on miibus0
tdkphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto

I haven't been able to get the modem part of this to work since October. Warner had given us some hints on how to get this working early last year, and it actually did work up until the 'sio' code was broken out from isa and put under sys/dev/sio/. This hadn't really been a problem until yesterday, as I had been using an Alcatel usb ADSL modem with the pppoa port to connect to the internet, but yesterday's cvsup (or most likely earlier- before yesterday, I last upgraded on 11/20/01) broke that as well- now I have no way of connecting :-(

Warner, do you have any clues on how to get the modem half of this card working again?

best regards,
tom
[EMAIL PROTECTED]

Tom Skoglund wrote:
> I'll try contacting him as well if I cannot find a solution "soon".
> Thanks, anyway!
>
> -Tom
>
>
> "Greg Smith" <[EMAIL PROTECTED]> wrote:
>
>
>>Tom,
>>
>>OK, but I am doubtful.
>>
>>My feeling was that dc is for some old Dec cards and related, not even
>>available in pcmcia/cardbus; and that xe was for various Xircom cards
>>and related. I think the same driver often supports 16 and 32 bit
>>cards. You might want to ask [EMAIL PROTECTED] who seems to try
>>single-handedly to keep the xe driver up to date.
>>
>>Best of luck.
>>
>>Greg
>>
>>-Original Message-
>>
>>
>>>This encoded message has been converted to an attachment.
>>>
>>>Remember that this is a cardbus card, and AFAIK it should use the dc
>>>driver. Think I actually tried the xe driver by mistake also, but I have
>>>not really played around with it.
>>>
>>>-Tom
>>>
>>>- Original Message -
>>>From: "Greg Smith" <[EMAIL PROTECTED]>
>>>To: "Tom Skoglund" <[EMAIL PROTECTED]>
>>>
>>>>Tom,
>>>>
>>>>I'm a little surprised that card is using the dc driver instead of the
>>>>xe driver. I thought all the Xircom ..em56 cards used xe. Is that how
>>>>it was set up in pccard.conf?
>>>>
>>>>Greg
>>>>
>>>>-Original Message-
>>>>>Hi,
>>>>>I have been eager to get my Xircom pcmcia nic to work under FreeBSD, and
>>>>>have been reading up on the mailing list and so on. My system is a Compaq
>>>>>Armada E500 running 20020119-CURRENT. This weekend I gave it a try, with
>>>>>not so good results I might add. I made a new kernel (I have tried many
>>>>>this weekend) built on NEWCARD. I have been fooling around with all the
>>>>>different config files and kernel parameters I can imagine.
>>>>>
>>>>>Basically I'm trying to get the dc driver working. I have attached some
>>>>>logs (dmesg, kldstat, sysctl, pciconf) for you to look at. When the driver
>>>>>module fails it also screws up my screen by dividing it in 3 and adding
>>>>>some random "graphics", so I have to reboot to see anything again. This
>>>>>behaviour is the same if I boot with the card or try to insert it runtime.
>>>>>
>>>>>What I see in the logs makes me believe it doesn't read the registers
>>>>>right. So before I start hacking the cardbus/if_dc files can anyone see if
>>>>>there is something else I might try?
>>>>>
>>>>>-Tom
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-mobile" in the body of the message
Re: Step5, pam_opie OPIE auth fix for review
> On Mon, Jan 21, 2002 at 14:07:48 +0100, Dag-Erling Smorgrav wrote:
> > Dag-Erling Smorgrav <[EMAIL PROTECTED]> writes:
> > > Umm, you can't use opiechallenge() for that. You're not supposed to
> > > call opiechallenge() without also calling opieverify() (plus, I think
> > > opiechallenge() "consumes" a challenge). Use opielookup() instead.
> >
> > Even better, opie_haskey() (which is a wrapper around opielookup()).
> > New patch attached.
>
> Yes, this patch works as expected, but I doubt about opie_haskey() status.
> It looks like non-standard FreeBSD addition since it is in the local
> opieextra.c file and not in contrib/opie. If you care about
> machine independence, better use opielookup() directly.

No, that is OK. :-)

The FreeBSD PAM modules are all written from scratch as BSD PAM modules.

M
--
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn
Re: Step5, pam_opie OPIE auth fix for review
On Sun, Jan 20, 2002 at 11:43:28PM -0800, Terry Lambert wrote:
> Once you guys have this all hammered out, are you going to
> integrate PAM and Kerberos? 8-) 8-) 8-).

In what way do you mean?

--
Jacques A. Vidrine <[EMAIL PROTECTED]> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
[EMAIL PROTECTED] . [EMAIL PROTECTED] . [EMAIL PROTECTED]
pam_opie(8) prompt
Does anybody mind if I change the pam_opie(8) prompt from "Password:" to "Response:"? I think users might be slightly confused when they enter an incorrect or empty response twice and get a new "Password:" prompt and don't realize it's the pam_unix(8) prompt.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Step6, corresponding /etc/pam.d/* fixes for review
This fixes reflects pam_opieaccess addition. Few comments: ftpd: fallback was a hack and not needed now with new pam_opieaccess login: I believe that there is no authtok change service provided by pam_opie module, so remove #password sufficient pam_opie.so no_warn line --- ftpd.bakSat Jan 19 21:29:49 2002 +++ ftpdMon Jan 21 17:11:27 2002 @@ -9,10 +9,9 @@ #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn #auth sufficient pam_ssh.so no_warn try_first_pass -# Uncomment either pam_opie or pam_unix, but not both of them. -# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback -auth requiredpam_opie.so no_warn -#auth requiredpam_unix.so no_warn try_first_pass +#auth sufficient pam_opie.so no_warn +#auth requisite pam_opieaccess.so no_warn +auth requiredpam_unix.so no_warn try_first_pass # account #account requiredpam_kerberosIV.so --- login.bak Sat Jan 19 21:29:49 2002 +++ login Mon Jan 21 17:11:27 2002 @@ -6,10 +6,11 @@ # auth auth requiredpam_nologin.so no_warn -#auth sufficient pam_opie.so no_warn #auth sufficient pam_kerberosIV.so no_warn try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth requiredpam_ssh.so no_warn try_first_pass +#auth sufficient pam_opie.so no_warn +#auth requisite pam_opieaccess.so no_warn auth requiredpam_unix.so no_warn try_first_pass # account @@ -24,7 +25,6 @@ sessionrequiredpam_unix.so # password -#password sufficient pam_opie.so no_warn #password sufficient pam_kerberosIV.so no_warn try_first_pass #password sufficient pam_krb5.so no_warn try_first_pass password requiredpam_unix.so no_warn try_first_pass --- su.bak Sat Jan 19 21:29:49 2002 +++ su Mon Jan 21 17:11:27 2002 
@@ -9,13 +9,15 @@ auth requisite pam_wheel.sono_warn auth_as_self noroot_ok #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self -#auth requiredpam_opie.so no_warn #auth requiredpam_ssh.so no_warn try_first_pass +#auth sufficient pam_opie.so no_warn +#auth requisite pam_opieaccess.so no_warn auth requiredpam_unix.so no_warn try_first_pass nullok #auth sufficient pam_rootok.so no_warn ##auth sufficient pam_kerberosIV.so no_warn ##auth sufficient pam_krb5.so no_warn -#auth requiredpam_opie.so no_warn auth_as_self +##auth sufficient pam_opie.so no_warn auth_as_self +##auth requisite pam_opieaccess.so no_warn #auth requiredpam_unix.so no_warn try_first_pass auth_as_self # account -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
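Review bot: In the ftpd hunk the new `pam_opie.so` and `pam_opieaccess.so` lines go in commented out with nothing to say that they belong together, and the two comment lines that used to explain the pam_opie/pam_unix choice are deleted. Someone who uncomments only `#auth sufficient pam_opie.so no_warn` ends up with a chain in which a failed OPIE response falls through to `pam_unix.so` without the access check that the requisite line is there to make. Please add a one-line comment above the pair, here and in login and su, saying to enable both or neither. The same hunk changes the shipped ftpd default from `pam_opie.so` required to `pam_unix.so` required, which deserves a sentence in the commit message.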
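Review bot: In the second, double-commented block of the su hunk, the new `##auth sufficient pam_opie.so no_warn auth_as_self` line carries `auth_as_self`, but the `##auth requisite pam_opieaccess.so no_warn` line after it does not, while the `pam_unix.so` line below it does. If pam_opieaccess selects the account the same way the other two modules do, the access check in that block would be made for a different user than the authentication around it; either give it `auth_as_self` as well or say in a comment why it is left off. In both su blocks the pam_opie line also changes from `required` to `sufficient`, so the policy differs once the lines are uncommented, and that is worth stating in the commit message.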
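How the chain discussed in this thread reacts to its modules' results (a failure code from a module, PAM_IGNORE for users without an OPIE key, and the password fallback mentioned for ftpd), as an added example that is not code from the thread or from libpam. It is a simplified model of the required/requisite/sufficient control flags; the chain order (sufficient pam_opie, requisite pam_opieaccess, required pam_unix), the `struct attempt` fields and all function names are assumptions of the example.

```c
#include <stdio.h>

/* Names follow PAM; the numeric values are local to this model. */
enum rc   { RC_SUCCESS, RC_AUTH_ERR, RC_SERVICE_ERR, RC_IGNORE };
enum flag { REQUIRED, REQUISITE, SUFFICIENT };

struct entry { enum flag flag; const char *module; enum rc result; };

/* One constructed login attempt (all fields are assumptions of the model). */
struct attempt {
    int has_opie_key;     /* user is listed in /etc/opiekeys */
    int opie_response_ok; /* a correct one-time response was entered */
    int password_allowed; /* access policy permits a plain password here */
    int unix_password_ok; /* a correct Unix password was entered */
    int access_broken;    /* pam_opieaccess fails internally */
};

/* Simplified evaluation of one chain of control flags. */
static enum rc run_chain(const struct entry *chain, int n)
{
    enum rc err = RC_SUCCESS;
    int failed = 0, nsuccess = 0, i;

    for (i = 0; i < n; i++) {
        enum rc r = chain[i].result;

        if (r == RC_IGNORE)
            continue;               /* module takes no part in the verdict */
        if (r == RC_SUCCESS) {
            nsuccess++;
            if (chain[i].flag == SUFFICIENT && !failed)
                break;              /* modules below are never consulted */
            continue;
        }
        if (err == RC_SUCCESS)
            err = r;                /* remember the first failure code */
        if (chain[i].flag != SUFFICIENT && !failed) {
            failed = 1;             /* required or requisite: verdict is fail */
            err = r;
        }
        if (chain[i].flag == REQUISITE)
            break;                  /* requisite: stop at once */
    }
    if (failed)
        return err;
    /* Fail closed if no module actually vouched for the user. */
    return nsuccess > 0 ? RC_SUCCESS : (err != RC_SUCCESS ? err : RC_AUTH_ERR);
}

/* Build the auth chain for one attempt and evaluate it. */
static enum rc authenticate(const struct attempt *a, int with_opieaccess)
{
    struct entry chain[3];
    int n = 0;

    chain[n].flag = SUFFICIENT;
    chain[n].module = "pam_opie";
    chain[n].result = (a->has_opie_key && a->opie_response_ok)
        ? RC_SUCCESS : RC_AUTH_ERR;
    n++;

    if (with_opieaccess) {
        chain[n].flag = REQUISITE;
        chain[n].module = "pam_opieaccess";
        if (a->access_broken)
            chain[n].result = RC_SERVICE_ERR;
        else if (!a->has_opie_key)
            chain[n].result = RC_IGNORE;    /* not an OPIE user: stay out of it */
        else
            chain[n].result = a->password_allowed ? RC_SUCCESS : RC_AUTH_ERR;
        n++;
    }

    chain[n].flag = REQUIRED;
    chain[n].module = "pam_unix";
    chain[n].result = a->unix_password_ok ? RC_SUCCESS : RC_AUTH_ERR;
    n++;

    return run_chain(chain, n);
}

int main(void)
{
    /* OPIE user, wrong response, right Unix password, passwords not permitted */
    struct attempt fallback = { 1, 0, 0, 1, 0 };
    /* user without an OPIE key who enters the right Unix password */
    struct attempt plain = { 0, 0, 0, 1, 0 };

    printf("fallback, pam_opie + pam_unix only:   %s\n",
        authenticate(&fallback, 0) == RC_SUCCESS ? "allowed" : "denied");
    printf("fallback, with requisite opieaccess:  %s\n",
        authenticate(&fallback, 1) == RC_SUCCESS ? "allowed" : "denied");
    printf("non-OPIE user, with opieaccess:       %s\n",
        authenticate(&plain, 1) == RC_SUCCESS ? "allowed" : "denied");
    return 0;
}
```

The first two output lines differ only in the requisite line: without it, a wrong OPIE response followed by a correct Unix password is accepted even where the access policy does not permit passwords.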
Re: pam_opie(8) prompt
On Mon, Jan 21, 2002 at 03:18:32PM +0100, Dag-Erling Smorgrav wrote:
> Does anybody mind if I change the pam_opie(8) prompt from "Password:"
> to "Response:"? I think users might be slightly confused when they
> enter an incorrect or empty response twice and get a new "Password:"
> prompt and don't realize it's the pam_unix(8) prompt.
>

Why not "OPIE password:" then?

Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA,
[EMAIL PROTECTED]       Sunbay Software AG,
[EMAIL PROTECTED]       FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
Re: pam_opie(8) prompt
On Mon, Jan 21, 2002 at 15:18:32 +0100, Dag-Erling Smorgrav wrote:
> Does anybody mind if I change the pam_opie(8) prompt from "Password:"
> to "Response:"? I think users might be slightly confused when they
> enter an incorrect or empty response twice and get a new "Password:"
> prompt and don't realize it's the pam_unix(8) prompt.

Wait... First of all, there (I mean original OPIE) must be 2 prompts in worst case, not 3 prompts:

1) One prompt without echo.
2) One prompt with echo.

That's all.

It looks like pam_unix option should be changed from "try_first_pass" to "use_first_pass" to avoid 3rd prompt.

Back to your subj.: It breaks, at least, M$ Windows OPIE/Skey generators which do auto-paste when keyword (Password) is found.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: pam_opie(8) prompt
> Does anybody mind if I change the pam_opie(8) prompt from "Password:"
> to "Response:"? I think users might be slightly confused when they
> enter an incorrect or empty response twice and get a new "Password:"
> prompt and don't realize it's the pam_unix(8) prompt.

Nope - that sounds good!

M
--
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn
Re: __stderrp error
> and I've "made world" a lot of times like that.
> and if I do it by hand as suggested, it doesn't make any difference
> either.

Just a guess - have you removed existing old libraries from /usr/lib?
Re: __stderrp error
Some -current binaries can have this, but recompiling usually fixes it.
Also, I have some older 3.x binaries that I had to install COMPAT3 to get
working.

Warner
Re: pam_opie(8) prompt
On Mon, Jan 21, 2002 at 17:29:01 +0300, Andrey A. Chernov wrote:
> > enter an incorrect or empty response twice and get a new "Password:"
> > prompt and don't realize it's the pam_unix(8) prompt.
>
> Wait... First of all, there (I mean original OPIE) must be 2 prompts in
> worst case, not 3 prompts:

I can't reproduce your 3 prompts situation (or may I misread what you try
to say?) I got only 2 prompts in login and su.

> Back to your subj.: It breaks, at least, M$ Windows OPIE/Skey generators
> which do auto-paste when keyword (Password) is found.

I mean, I object to changing a prompt which has a form well known to
scripts.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: pam_opie(8) prompt
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > On Mon, Jan 21, 2002 at 15:18:32 +0100, Dag-Erling Smorgrav wrote: > > Does anybody mind if I change the pam_opie(8) prompt from "Password:" > > to "Response:"? I think users might be slightly confused when they > > enter an incorrect or empty response twice and get a new "Password:" > > prompt and don't realize it's the pam_unix(8) prompt. > Wait... First of all, there (I mean original OPIE) must be 2 prompts in > worst case, not 3 prompts: > > 1) One prompt without echo. > 2) One prompt with echo. I know, I just want to replace "Password" with "Response" in those prompts. > It looks like pam_unix option should be changed from "try_first_pass" to > "use_first_pass" to avoid 3rd prompt. I'll try that, but I'm not convinced it'll help. > Back to your subj.: It breaks, at least, M$ Windows OPIE/Skey generators > which do auto-paste when keyword (Password) is found. Good point. "OPIE Password" might be more appropriate, then. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: pam_opie(8) prompt
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > I can't reproduce your 3 prompts situation (or may I misread what you try > to say?) I got only 2 prompts in login and su. des@des ~% login des otp-md5 496 de6973 ext Password: otp-md5 496 de6973 ext Password [echo on]: Password: Last login: Mon Jan 21 15:12:03 on ttypj Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 5.0-CURRENT (DES) #124: Sat Jan 12 19:11:47 CET 2002 You have new mail. des@des ~% des@des ~% login des otp-md5 496 de6973 ext Password: Password: Last login: Mon Jan 21 16:12:16 on ttypi Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 5.0-CURRENT (DES) #124: Sat Jan 12 19:11:47 CET 2002 You have new mail. des@des ~% DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: Step6, corresponding /etc/pam.d/* fixes for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > This fixes reflects pam_opieaccess addition. Augh, I just spent about an hour doing just that (and fixing some other stuff too). Thanks anyway, I'll compare your patches to mine to see if we disagree anywhere. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: pam_opie(8) prompt
On Mon, Jan 21, 2002 at 16:13:54 +0100, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > I can't reproduce your 3 prompts situation (or may I misread what you try
> > to say?) I got only 2 prompts in login and su.
>
> des@des ~% login des
> otp-md5 496 de6973 ext
> Password:
> otp-md5 496 de6973 ext
> Password [echo on]:
> Password:

Yes, I see it too now. It is definitely some bug here. When I say "in
login" I mean I test it through:

telnet -X SRA localhost

(only 2 prompts on 2 )

--
Andrey A. Chernov
http://ache.pp.ru/
Re: pam_opie(8) prompt
On Mon, Jan 21, 2002 at 16:11:47 +0100, Dag-Erling Smorgrav wrote:
>
> > Back to your subj.: It breaks, at least, M$ Windows OPIE/Skey generators
> > which do auto-paste when keyword (Password) is found.
>
> Good point. "OPIE Password" might be more appropriate, then.

We don't know what exact pattern they may use. What if it is something
like \nPassword?

BTW, example of such program is NetNTerm www.securenetterm.com

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step6, corresponding /etc/pam.d/* fixes for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > This fixes reflects pam_opieaccess addition. OK, comments: 1) there's no reason to have pam_opie commented out now, it won't do anything unless OPIE is enabled for the target user. With my patch, any user can use OPIE by simply running opiekey(1), without admin intervention. 2) there are several other PAM config files that refer to pam_opie and need fixing. Patch attached. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] Index: csshd === RCS file: /home/ncvs/src/etc/pam.d/csshd,v retrieving revision 1.2 diff -u -r1.2 csshd --- csshd 5 Dec 2001 21:26:00 - 1.2 +++ csshd 21 Jan 2002 13:55:24 - @@ -5,4 +5,5 @@ # # auth -auth required pam_opie.so no_warn +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn Index: ftp === RCS file: /home/ncvs/src/etc/pam.d/ftp,v retrieving revision 1.2 diff -u -r1.2 ftp --- ftp 5 Dec 2001 21:26:00 - 1.2 +++ ftp 21 Jan 2002 14:05:45 - @@ -8,7 +8,8 @@ auth required pam_nologin.so no_warn #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn -#auth required pam_opie.so no_warn +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn #auth required pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass Index: ftpd === RCS file: /home/ncvs/src/etc/pam.d/ftpd,v retrieving revision 1.12 diff -u -r1.12 ftpd --- ftpd 19 Jan 2002 18:29:49 - 1.12 +++ ftpd 21 Jan 2002 14:05:17 - 
@@ -9,10 +9,9 @@ #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn #auth sufficient pam_ssh.so no_warn try_first_pass -# Uncomment either pam_opie or pam_unix, but not both of them. -# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback -auth required pam_opie.so no_warn -#auth required pam_unix.so no_warn try_first_pass +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn +auth required pam_unix.so no_warn try_first_pass # account #account required pam_kerberosIV.so Index: imap === RCS file: /home/ncvs/src/etc/pam.d/imap,v retrieving revision 1.2 diff -u -r1.2 imap --- imap 5 Dec 2001 21:26:00 - 1.2 +++ imap 21 Jan 2002 14:04:44 - @@ -6,6 +6,7 @@ # auth #auth required pam_nologin.so no_warn -#auth required pam_opie.so no_warn +#auth sufficient pam_opie.so no_warn +#auth requisite pam_opieaccess.so no_warn #auth required pam_ssh.so no_warn try_first_pass #auth required pam_unix.so no_warn try_first_pass Index: kde === RCS file: /home/ncvs/src/etc/pam.d/kde,v retrieving revision 1.2 diff -u -r1.2 kde --- kde 5 Dec 2001 21:26:00 - 1.2 +++ kde 21 Jan 2002 14:04:21 - @@ -6,7 +6,8 @@ # auth auth required pam_nologin.so no_warn -#auth sufficient pam_opie.so no_warn +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn #auth sufficient pam_kerberosIV.so no_warn try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth required pam_ssh.so no_warn try_first_pass Index: login === RCS file: /home/ncvs/src/etc/pam.d/login,v retrieving revision 1.5 diff -u -r1.5 login --- login 19 Jan 2002 18:29:49 - 1.5 +++ login 21 Jan 2002 15:14:37 - 
@@ -6,7 +6,8 @@ # auth auth required pam_nologin.so no_warn -#auth sufficient pam_opie.so no_warn +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn #auth sufficient pam_kerberosIV.so no_warn try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth required pam_ssh.so no_warn try_first_pass @@ -24,7 +25,6 @@ session required pam_unix.so # password -#password sufficient pam_opie.so no_warn #password sufficient pam_kerberosIV.so no_warn try_first_pass #password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass Index: other === RCS file: /home/ncvs/src/etc/pam.d/other,v retrieving revision 1.2 diff -u -r1.2 other --- other 5 Dec 2001 21:26:00 - 1.2 +++ other 21 Jan 2002 14:03:48 - @@ -6,7 +6,8 @@ # auth auth required pam_nologin.so no_warn -#auth required pam_opie.so no_warn +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn auth required pam_unix.so no_warn try_first_pass # account Index: pop3 === RCS file: /home/ncvs/src/etc/pam.d/pop3,v retrieving revision 1.2 diff -u -r1.2 pop3 --- pop3 5 Dec 2001 21:26:00 - 1.
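Review bot: In the csshd hunk the auth chain as shown ends at the new requisite pam_opieaccess.so line, with no required module after it. The line being replaced was required, so a failed OPIE response failed the chain; as sufficient, that failure is ignored, and if pam_opieaccess.so then returns success no module in the chain has verified a credential. If the file has no further auth line below the hunk, keep pam_opie.so as required here or follow the pair with a required authenticator, as the ftp, ftpd and other hunks do with pam_unix.so.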
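Review bot: The ftpd hunk deletes the comment saying that pam_unix cannot simply be chained with pam_opie and that ftpd provides its own fallback, and then chains the two. Say in the commit message or in a replacement comment what makes the chaining safe now and whether ftpd's own fallback still applies, so the next reader is not left with only the old warning in the history.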
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 16:33:57 +0100, Dag-Erling Smorgrav wrote:
>
> 1) there's no reason to have pam_opie commented out now, it won't do

One reason still exists: all users (i.e. non-OPIE too) will see OTP
responses when pam_opie will be uncommented. It may lead to confusion or
wrong automated scripts processing.

I have idea to solve it adding "no_fake_prompts" option to pam_opie to
control that per admin choice.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: pam_opie(8) prompt
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > Yes, I see it too now. It is definitely some bug here. When I say "in > login" I mean I test it through: The bug is quite simply that pam_opie(8) never sets the AUTHTOK item, so pam_unix(8) doesn't know that the user already entered a password. I believe pam_get_pass() should set PAM_AUTHTOK. Any objections? DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: pam_opie(8) prompt
Dag-Erling Smorgrav <[EMAIL PROTECTED]> writes:
> The bug is quite simply that pam_opie(8) never sets the AUTHTOK item,
> so pam_unix(8) doesn't know that the user already entered a password.
>
> I believe pam_get_pass() should set PAM_AUTHTOK. Any objections?

OK, now I'm really off my rocker; pam_conv_pass() (called by
pam_get_pass()) does set PAM_AUTHTOK. I still don't understand why
it's NULL by the time pam_unix(8) calls pam_get_pass(). I'll
investigate further.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 16:33:57 +0100, Dag-Erling Smorgrav wrote:
>
> Patch attached.

I already commented on "always turning opie on" in my previous message;
besides that, I don't understand one thing in your patch: why do you not
enable pam_opie for "su" and not add pam_opieaccess there? It is useful
enough for a sysadmin logging in as a user via unencrypted telnet and then
doing "su" for root.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step6, corresponding /etc/pam.d/* fixes for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > One reason still exist: all users (i.e. non-OPIE too) will see OTP > responses when pam_opie will be uncommented. It may leads to confusion or > wrong automated scripts processing. Ah, I thought pam_opie(8) ignored users that didn't have OPIE set up. Silly me for making assumptions :) > I have idea to solve it adding "no_fake_prompts" option to pam_opie to > control that per admin choice. Yep, excellent idea. I'll get right on it. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: Step6, corresponding /etc/pam.d/* fixes for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > I already comment "always turning opie on" in previous message, besides > that I don't understand one thing in your patch: why you not enable > pam_opie for "su" and not add pam_opieaccess there? It is enough useful > for sysadmin logging in as user via unencrypted telnet and then do "su" > for root. Hmm? Simple oversight, sorry. I'll post a new patch when I've fixed the "no_fake_prompts" thingy. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: Step6, corresponding /etc/pam.d/* fixes for review
> On Mon, Jan 21, 2002 at 16:33:57 +0100, Dag-Erling Smorgrav wrote:
> >
> > 1) there's no reason to have pam_opie commented out now, it won't do
>
> One reason still exists: all users (i.e. non-OPIE too) will see OTP
> responses when pam_opie will be uncommented. It may lead to confusion or
> wrong automated scripts processing.
>
> I have idea to solve it adding "no_fake_prompts" option to pam_opie to
> control that per admin choice.

Yes. That would be a good move. :-)

M
--
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn
Re: pam_opie(8) prompt
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > > Yes, I see it too now. It is definitely some bug here. When I say "in > > login" I mean I test it through: > > The bug is quite simply that pam_opie(8) never sets the AUTHTOK item, > so pam_unix(8) doesn't know that the user already entered a password. > > I believe pam_get_pass() should set PAM_AUTHTOK. Any objections? Not from me :-) M -- o Mark Murray \_ FreeBSD Services Limited O.\_Warning: this .sig is umop ap!sdn To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: __stderrp error
On Mon, Jan 21, 2002 at 09:45:21AM -0500, Alexander Kabaev wrote:
> > and I've "made world" a lot of times like that.
> > and if I do it by hand as suggested, it doesn't make any difference
> > either.
> Just a guess - have you removed existing old libraries from /usr/lib?
>
lib/compact/Makefile.inc takes care of this.

Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA,
[EMAIL PROTECTED]       Sunbay Software AG,
[EMAIL PROTECTED]       FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
Re: pam_opie(8) prompt
Dag-Erling Smorgrav <[EMAIL PROTECTED]> writes:
> OK, now I'm really off my rocker; pam_conv_pass() (called by
> pam_get_pass()) does set PAM_AUTHTOK. I still don't understand why
> it's NULL by the time pam_unix(8) calls pam_get_pass(). I'll
> investigate further.

I found the bug: login(1) only sets PAM_RHOST if the user is logging
in from a remote host, but it should be set to the local hostname if
the user is logging in locally.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 16:54:56 +0100, Dag-Erling Smorgrav wrote:
> Ah, I thought pam_opie(8) ignored users that didn't have OPIE set up.

In fact, there is no consensus about that among standalone OPIE
applications, some act with fake prompts, some - without.

One (among others) argument _for_ "no fake prompts" is that standalone
application once compiled with OPIE support can't dynamically turn off
fake prompts using some configuration. For PAM case it means that pam_opie
can't be always turned on without confusion just because its fake prompts
and _nothing_else_.

The arguments _against_ "no fake prompts" were explained by markm in our
previous discussion.

> > I have idea to solve it adding "no_fake_prompts" option to pam_opie to
> > control that per admin choice.
>
> Yep, excellent idea. I'll get right on it.

Ok, I'll make patch for review.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: pam_opie(8) prompt
On Mon, Jan 21, 2002 at 16:45:41 +0100, Dag-Erling Smorgrav wrote:
> The bug is quite simply that pam_opie(8) never sets the AUTHTOK item,
> so pam_unix(8) doesn't know that the user already entered a password.
>
> I believe pam_get_pass() should set PAM_AUTHTOK. Any objections?

No objections.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step6, corresponding /etc/pam.d/* fixes for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > On Mon, Jan 21, 2002 at 16:54:56 +0100, Dag-Erling Smorgrav wrote: > One (among others) argument _for_ "no fake prompts" is that standalone > application once compiled with OPIE support can't dynamically turn off > fake prompts using some configuration. For PAM case it means that pam_opie > can't be always turned on without confusion just because its fake prompts > and _nothing_else_. > > The arguments _against_ "no fake prompts" was explained by markm in our > previous discussion. Yes, information leakage. We have two options: - enable OPIE by default, with the no_fake_prompts option, leaving it up to the admin to enable fake prompts if he so wishes - disable OPIE by default, but do fake prompts by default if it is enabled I think the first alternative increases security in a default installation, because it allows any user to choose to use OPIE without admin intervention. If we go for the second alternative, users can use OPIE only if the admin decides to enable it. > > > I have idea to solve it adding "no_fake_prompts" option to pam_opie to > > > control that per admin choice. > > Yep, excellent idea. I'll get right on it. > Ok, I'll make patch for review. Please, I'm getting paid to do this :) Make yourself a cup of tea or something and put your feet up on the desk for a couple of minutes. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: pam_opie(8) prompt
On Mon, Jan 21, 2002 at 17:14:24 +0100, Dag-Erling Smorgrav wrote:
> Dag-Erling Smorgrav <[EMAIL PROTECTED]> writes:
> > OK, now I'm really off my rocker; pam_conv_pass() (called by
> > pam_get_pass()) does set PAM_AUTHTOK. I still don't understand why
> > it's NULL by the time pam_unix(8) calls pam_get_pass(). I'll
> > investigate further.
>
> I found the bug: login(1) only sets PAM_RHOST if the user is logging
> in from a remote host, but it should be set to the local hostname if
> the user is logging in locally.

Yes. It seems that PAM wants some form of PAM_RHOST in many places. "su",
for example, does the needed trick here.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 17:24:28 +0100, Dag-Erling Smorgrav wrote:
> - enable OPIE by default, with the no_fake_prompts option, leaving it
>   up to the admin to enable fake prompts if he so wishes

I vote for this one.

> Please, I'm getting paid to do this :) Make yourself a cup of tea or
> something and put your feet up on the desk for a couple of minutes.

Ok, ok.

--
Andrey A. Chernov
http://ache.pp.ru/
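Added example (not code from the thread or from FreeBSD): a small C model of how the auth chain proposed in the patches in this thread (sufficient pam_opie.so, requisite pam_opieaccess.so, required pam_unix.so, as in the "other" policy) resolves under the conventional required / requisite / sufficient rules. The module return values are constructed inputs, no real PAM module is called, and run_chain, eval_other and eval_pair_only are names made up for this sketch.

```c
#include <stdio.h>
#include <stddef.h>

enum result  { R_SUCCESS, R_AUTH_ERR };
enum control { REQUIRED, REQUISITE, SUFFICIENT };

struct entry {
    enum control ctl;
    const char  *module;
    enum result  rv;          /* what the module returns in this scenario */
};

struct outcome {
    enum result  rv;          /* what the application sees */
    size_t       modules_run; /* how many modules were consulted */
    const char  *last;        /* last module consulted */
};

/* Evaluate one chain:
 *  - required failure: remember it, keep going, fail at the end
 *  - requisite failure: fail at once, later modules never run
 *  - sufficient success: succeed at once unless a required module failed
 *  - sufficient failure: ignored
 *  - otherwise success needs at least one required/requisite success */
struct outcome run_chain(const struct entry *chain, size_t n)
{
    struct outcome out = { R_AUTH_ERR, 0, "" };
    int failed = 0, passed = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        const struct entry *e = &chain[i];
        out.modules_run++;
        out.last = e->module;
        if (e->rv == R_SUCCESS) {
            if (e->ctl == SUFFICIENT) {
                if (!failed) {
                    out.rv = R_SUCCESS;
                    return out;
                }
            } else {
                passed = 1;
            }
        } else if (e->ctl == REQUISITE) {
            return out;               /* rv is still R_AUTH_ERR */
        } else if (e->ctl == REQUIRED) {
            failed = 1;
        }
    }
    if (!failed && passed)
        out.rv = R_SUCCESS;
    return out;
}

/* The four-line auth chain of the "other" policy after the patch. */
struct outcome eval_other(enum result nologin, enum result opie,
                          enum result access, enum result unixpw)
{
    struct entry chain[] = {
        { REQUIRED,   "pam_nologin.so",    nologin },
        { SUFFICIENT, "pam_opie.so",       opie    },
        { REQUISITE,  "pam_opieaccess.so", access  },
        { REQUIRED,   "pam_unix.so",       unixpw  },
    };
    return run_chain(chain, sizeof chain / sizeof chain[0]);
}

/* The same pair with nothing after it: no module is left that has to
 * verify a credential once pam_opie's failure has been ignored. */
struct outcome eval_pair_only(enum result opie, enum result access)
{
    struct entry chain[] = {
        { SUFFICIENT, "pam_opie.so",       opie   },
        { REQUISITE,  "pam_opieaccess.so", access },
    };
    return run_chain(chain, sizeof chain / sizeof chain[0]);
}

static void show(const char *label, struct outcome o)
{
    printf("%-46s %-8s after %zu module(s), last %s\n", label,
           o.rv == R_SUCCESS ? "SUCCESS" : "AUTH_ERR",
           o.modules_run, o.last);
}

int main(void)
{
    show("valid OPIE response",
         eval_other(R_SUCCESS, R_SUCCESS, R_AUTH_ERR, R_AUTH_ERR));
    show("bad OPIE, fallback allowed, good password",
         eval_other(R_SUCCESS, R_AUTH_ERR, R_SUCCESS, R_SUCCESS));
    show("bad OPIE, fallback denied, good password",
         eval_other(R_SUCCESS, R_AUTH_ERR, R_AUTH_ERR, R_SUCCESS));
    show("bad OPIE, fallback allowed, bad password",
         eval_other(R_SUCCESS, R_AUTH_ERR, R_SUCCESS, R_AUTH_ERR));
    show("nologin set, valid OPIE response",
         eval_other(R_AUTH_ERR, R_SUCCESS, R_SUCCESS, R_SUCCESS));
    show("pair only: bad OPIE, fallback allowed",
         eval_pair_only(R_AUTH_ERR, R_SUCCESS));
    return 0;
}
```

When reviewing a policy, the row to look for is the last one: a sufficient/requisite pair needs a required authenticator after it, otherwise an ignored pam_opie failure followed by a passing access check ends in success.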
Re: sudo redu
The problem(s) with sudo have been fixed in the latest sudo CVS release. This works for me on -CURRENT as of December 16th, 2001 and RELENG_4 --- /tmp/sudo-1.6.5p1/auth/pam.c Mon Dec 31 12:18:12 2001 +++ /home/ancient/test/sudo/auth/pam.c Mon Jan 21 06:54:37 2002 @@ -66,7 +66,7 @@ #include "sudo_auth.h" #ifndef lint -static const char rcsid[] = "$Sudo: pam.c,v 1.23 2001/12/31 17:18:12 millert Exp $"; +static const char rcsid[] = "$Sudo: pam.c,v 1.25 2002/01/20 19:21:33 millert Exp $"; #endif /* lint */ static int sudo_conv __P((int, PAM_CONST struct pam_message **, @@ -163,7 +163,6 @@ struct pam_conv pam_conv; pam_handle_t *pamh; const char *s; -int error; /* We need to setup a new PAM session for the user we are changing *to*. */ pam_conv.conv = sudo_conv; @@ -176,16 +175,19 @@ if (strcmp(user_tty, "unknown")) (void) pam_set_item(pamh, PAM_TTY, user_tty); -/* Set credentials (may include resource limits, device ownership, etc). */ -if ((error = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { - if ((s = pam_strerror(pamh, error))) - log_error(NO_EXIT|NO_MAIL, "pam_setcred: %s", s); -} +/* + * Set credentials (may include resource limits, device ownership, etc). + * We don't check the return value here because in Linux-PAM 0.75 + * it returns the last saved return code, not the return code + * for the setcred module. Because we haven't called pam_authenticate (), + * this is not set and so pam_setcred() returns PAM_PERM_DENIED. + */ +(void) pam_setcred(pamh, PAM_ESTABLISH_CRED); -if (pam_end(pamh, error) != PAM_SUCCESS) +if (pam_end(pamh, PAM_SUCCESS) == PAM_SUCCESS) + return(PAM_SUCCESS); +else return(AUTH_FAILURE); - -return(error == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE); } /* 
@@ -219,7 +221,9 @@ /* Read the password. */ pr->resp = estrdup((char *) tgetpass(p, def_ival(I_PASSWD_TIMEOUT) * 60, tgetpass_flags)); - if (pr->resp == NULL || *pr->resp == '\0') + if (pr->resp == NULL) + pr->resp = ""; + if (*pr->resp == '\0') nil_pw = 1; /* empty password */ break; case PAM_TEXT_INFO: > > FYI: pam_setcred() call seems used in OpenSSH, ftpd, rshd, login, and > su already included in FreeBSD source code. > > http://snapshots.jp.freebsd.org/tour/current/cgi-bin/global.cgi? pattern=pam_setcred&id=&type=reference> > > imp> OK. This looks like a problem in 1.6.4p1 of sudo. It isn't a > problem imp> with 1.6.3p7_2. 1.6.4 works on -stable, but not -current. > > I've checked about new sudo's behavior on some OSes: > > Debian (woody)sudo-1.6.4.1OK (tested on 1 machine) > FreeBSD 2.2.8-RELEASE sudo-1.6.5.1OK (tested on 1 machine) > FreeBSD 3.4-stablesudo-1.6.5.1NG (tested on 1 machine) > FreeBSD 4-stable sudo-1.6.5.1OK (tested on some machines) > FreeBSD 5-current sudo-1.6.5.1OK / NG (tested on some machines) > > "OK / NG" means that "some machines work fine, but some machines goes > wrong". > > *** > > I don't know what's the real problem, but it seems that sudo doesn't > have the problem IMHO. Anyone has a solution about this problem? > > -- - > Makoto `MAR' Matsushita > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-current" in the body of the message Gary Stanley Network Security Engineer PRECISIONet, Inc. (877) 595-8570 Tickle us, do we not laugh? Prick us, do we not bleed? Wrong us, shall we not revenge?" (Merchant of Venice II i 56-63, paraphrase) To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
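Review bot: In the hunk at @@ -176,16 +175,19 @@ the success path now returns PAM_SUCCESS while the failure path next to it still returns AUTH_FAILURE, and the removed line returned AUTH_SUCCESS. Mixing the two sets of constants in one function only works while their values happen to coincide; return AUTH_SUCCESS on the success path so the function keeps a single return convention.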
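Review bot: In the hunk at @@ -219,7 +221,9 @@ the line pr->resp = ""; stores a string literal in a field that on the normal path holds memory from estrdup(). Conversation responses are handed to the PAM side, which releases them with free(), so the empty-password path would pass free() a pointer that was never allocated. Use pr->resp = estrdup(""); here, or test the tgetpass() result before it is duplicated.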
Re: Step6, corresponding /etc/pam.d/* fixes for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > On Mon, Jan 21, 2002 at 17:24:28 +0100, Dag-Erling Smorgrav wrote: > > - enable OPIE by default, with the no_fake_prompts option, leaving it > >up to the admin to enable fake prompts if he so wishes > I vote for this one. I agree, for the reasons stated previously. Mark? > > Please, I'm getting paid to do this :) Make yourself a cup of tea or > > something and put your feet up on the desk for a couple of minutes. > Ok, ok. Here are the patches. Comments: 1) if pam_get_pass(), if the current token is non-null but empty, ignore it. This allows a user to just press enter at an OPIE prompt and still get a Unix prompt. 2) in pam_opie(8), clear the previous token before generating a challenge, and ignore use_first_pass or try_first_pass instead of returning PAM_AUTH_ERR if they are set. 3) in pam_opie(8), return PAM_AUTH_ERR if no_fake_prompts was specified and the user hasn't set up OPIE. 4) in pam.d(5), enable OPIE by default (with the no_fake_prompts option) in all policies, and use pam_opieaccess(8) to enforce opieaccess and opiealways checks. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] Index: libpam/pam_get_pass.c === RCS file: /home/ncvs/src/lib/libpam/libpam/pam_get_pass.c,v retrieving revision 1.3 diff -u -r1.3 pam_get_pass.c --- libpam/pam_get_pass.c 30 Sep 2001 22:10:58 - 1.3 +++ libpam/pam_get_pass.c 21 Jan 2002 16:40:40 - @@ -1,6 +1,13 @@ /*- * Copyright 1998 Juniper Networks, Inc. * All rights reserved. + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software was developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright *notice, this list of conditions and the following disclaimer in the *documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + *products derived from this software without specific prior written + *permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -78,6 +88,8 @@ retval = pam_get_item(pamh, PAM_AUTHTOK, &item); if (retval != PAM_SUCCESS) return retval; + if (item != NULL && *(const char *)item == '\0') + item = NULL; } if (item == NULL) { Index: modules/pam_opie/pam_opie.8 === RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.8,v retrieving revision 1.5 diff -u -r1.5 pam_opie.8 --- modules/pam_opie/pam_opie.8 21 Jan 2002 13:43:52 - 1.5 +++ modules/pam_opie/pam_opie.8 21 Jan 2002 17:00:51 - @@ -8,7 +8,6 @@ .\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 .\" ("CBOSS"), as part of the DARPA CHATS research program. .\" -.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: 
@@ -94,7 +93,21 @@ where the user's ability to retype their own password might be deemed sufficient. +.It Cm no_fake_prompts +Do not generate fake challenges for users who do not have an OPIE key. +Note that this can leak information to a hypothetical attacker about +who uses OPIE and who doesn't, but it can be useful on systems where +some users want to use OPIE but most don't. .El +.Pp +Note that +.Nm +ignores the standard options +.Cm try_first_pass +and +.Cm use_first_pass , +since a challenge must be generated before the user can submit a valid +response. .Sh FILES .Bl -tag -width ".Pa /etc/opiekeys" -compact .It Pa /etc/opiekeys Index: modules/pam_opie/pam_opie.c === RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.c,v retrieving revision 1.15 diff -u -r1.15 pam_opie.c --- modules/pam_opie/pam_opie.c 20 Jan 2002 20:56:47 - 1.15 +++ modules/pam_opie/pam_opie.c 21 Jan 2002 16:34:09 - @@ -4,6 +4,8 @@ * Based upon code Copyright 1998 Juniper Networks, Inc. * Copyright (c) 2001 Networks Associates Technologies, Inc. * All rights reserved. + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. * * Portions of this software were developed for the FreeBSD Project by * ThinkSec AS and NAI Labs, the Security Research Division of Network @@ -53,10 +55,14 @@ #include #include "pam_mod_misc.h"
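Review bot: In the pam_get_pass.c hunk at @@ -78,6 +88,8 @@ the added test turns an empty stored PAM_AUTHTOK into NULL for every caller of pam_get_pass(), not only for a module that runs after pam_opie, so any module reusing a stored token now drops into the item == NULL branch after an empty entry. The cover note describes only the OPIE case; add a comment at the test stating that the wider behaviour is intended, and confirm what a caller using use_first_pass does when it reaches that branch.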
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 18:01:45 +0100, Dag-Erling Smorgrav wrote:
> 3) in pam_opie(8), return PAM_AUTH_ERR if no_fake_prompts was
>    specified and the user hasn't set up OPIE.

We can speed up pam_opie by saving one opielookup() call in this way:

    /*
     * Don't call the OPIE atexit() handler when our program exits,
     * since the module has been unloaded and we will SEGV.
     */
    opiedisableaeh();

    /*
     * If the no_fake_prompts option was given, and the user
     * doesn't have an OPIE key, just fail rather than present the
     * user with a bogus OPIE challenge.
     */
    /* XXX generates a const warning because of incorrect prototype */
    if (opiechallenge(&opie, (char *)user, challenge) != 0 &&
        pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL))
        PAM_RETURN(PAM_AUTH_ERR);

    /*
     * It doesn't make sense to use a password that has already been
     * typed in, since we haven't presented the challenge to the user
     * yet, so clear the stored password.
     */
    pam_set_item(pamh, PAM_AUTHTOK, NULL);

    for (i = 0; i < 2; i++) {
        snprintf(prompt, sizeof prompt, promptstr[i], challenge);

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 18:01:45 +0100, Dag-Erling Smorgrav wrote:
>
> 1) if pam_get_pass(), if the current token is non-null but empty,
>    ignore it. This allows a user to just press enter at an OPIE
>    prompt and still get a Unix prompt.

I am not sure I understand this fully, could you please send two
typescripts (in the manner you do for login testing) with and without this
change?

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step6, corresponding /etc/pam.d/* fixes for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > We can speed up pam_opie by saving one opielookup() call in this way: True, except you forgot to call opieunlock() :) DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 18:33:22 +0100, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > We can speed up pam_opie by saving one opielookup() call in this way:
>
> True, except you forgot to call opieunlock() :)

No, when opiechallenge() returns != 0, no opieunlock() is needed because
nothing is locked. Look at the opiechallenge() sources, it does not make
a lock on error.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step6, corresponding /etc/pam.d/* fixes for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> I am not sure I understand this fully, could you please send two
> typescripts (in the manner you do for login testing) with and without this
> change?

Assuming no ~des/.opiealways,

 - without the change:

des@des ~% login des
otp-md5 496 de6973 ext
Password:
otp-md5 496 de6973 ext
Password [echo on]:
Login incorrect
login:

 - with the change:

des@des ~% login des
otp-md5 496 de6973 ext
Password:
otp-md5 496 de6973 ext
Password [echo on]:
Password:
Last login: Mon Jan 21 17:10:55 on ttypk
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California. All rights reserved.

FreeBSD 5.0-CURRENT (DES) #124: Sat Jan 12 19:11:47 CET 2002

You have new mail.

One nit, BTW: pam_opieaccess(8) should return PAM_SERVICE_ERR rather
than PAM_USER_UNKNOWN if it can't getpwnam() the user; otherwise,
logging in with a nonexistent user name will fail without a fake
password prompt.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: "Current & Etherboot"
Robert Watson <[EMAIL PROTECTED]> wrote:

> Most people I know of that netboot boxes on Intel platforms now use
> PXE.

But well, there are only two NICs that support PXE, aren't there? In
particular, there's nothing cheap (i. e. <= USD 10) you could use in
conjunction with an old junk ISA NIC people often have in their
bit-bucket (i. e. with an NE2k clone or 3C509).

--
cheers, J"org               .-.-.   --... ...--   -.. .  DL8DTL

http://www.sax.de/~joerg/                        NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
i4b driver broken for -current?
Hello,

anyone running a recent -current
successfully with the i4b ISDN drivers?

I built -current around Christmas,
and had to apply a patch posted here
in October to make a kernel with i4b
drivers.

However I don't manage to establish
a kernel ppp connection to my provider
since then.

Regards,
Marc
Re: NEWCARD and Xircom (RBEM56G-100)
In message: <[EMAIL PROTECTED]>
            Tom Fischer <[EMAIL PROTECTED]> writes:
: Warner, do you have any clues on how to get the modem half of this
: card working again?

You'd have to a) fix the pci attachment or b) wait until the puc
driver hits the tree. Chances are fixing the pci attachment in the
short run would be easy enough.

Warner
Re: Step6, corresponding /etc/pam.d/* fixes for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > No, when opiechallenge() return != 0, no opieunlock() needed because > nothing is locked. Look at opiechallenge() sources, it not makes > lock on error. Oh, you're right. I wasn't thinking. Here are the (hopefully) final patches. Any final objections before I commit the lot? DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] Index: libpam/pam_get_pass.c === RCS file: /home/ncvs/src/lib/libpam/libpam/pam_get_pass.c,v retrieving revision 1.3 diff -u -r1.3 pam_get_pass.c --- libpam/pam_get_pass.c 30 Sep 2001 22:10:58 - 1.3 +++ libpam/pam_get_pass.c 21 Jan 2002 17:52:24 - @@ -1,6 +1,13 @@ /*- * Copyright 1998 Juniper Networks, Inc. * All rights reserved. + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software was developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright *notice, this list of conditions and the following disclaimer in the *documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + *products derived from this software without specific prior written + *permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
@@ -78,6 +88,8 @@ retval = pam_get_item(pamh, PAM_AUTHTOK, &item); if (retval != PAM_SUCCESS) return retval; + if (item != NULL && *(const char *)item == '\0') + item = NULL; } if (item == NULL) { Index: modules/pam_opie/pam_opie.8 === RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.8,v retrieving revision 1.5 diff -u -r1.5 pam_opie.8 --- modules/pam_opie/pam_opie.8 21 Jan 2002 13:43:52 - 1.5 +++ modules/pam_opie/pam_opie.8 21 Jan 2002 17:00:51 - @@ -8,7 +8,6 @@ .\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 .\" ("CBOSS"), as part of the DARPA CHATS research program. .\" -.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: @@ -94,7 +93,21 @@ where the user's ability to retype their own password might be deemed sufficient. +.It Cm no_fake_prompts +Do not generate fake challenges for users who do not have an OPIE key. +Note that this can leak information to a hypothetical attacker about +who uses OPIE and who doesn't, but it can be useful on systems where +some users want to use OPIE but most don't. .El +.Pp +Note that +.Nm +ignores the standard options +.Cm try_first_pass +and +.Cm use_first_pass , +since a challenge must be generated before the user can submit a valid +response. .Sh FILES .Bl -tag -width ".Pa /etc/opiekeys" -compact .It Pa /etc/opiekeys Index: modules/pam_opie/pam_opie.c === RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.c,v retrieving revision 1.15 diff -u -r1.15 pam_opie.c --- modules/pam_opie/pam_opie.c 20 Jan 2002 20:56:47 - 1.15 +++ modules/pam_opie/pam_opie.c 21 Jan 2002 17:49:51 - 
@@ -4,6 +4,8 @@ * Based upon code Copyright 1998 Juniper Networks, Inc. * Copyright (c) 2001 Networks Associates Technologies, Inc. * All rights reserved. + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. * * Portions of this software were developed for the FreeBSD Project by * ThinkSec AS and NAI Labs, the Security Research Division of Network @@ -53,10 +55,14 @@ #include #include "pam_mod_misc.h" -enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX }; +enum { + PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX, + PAM_OPT_NO_FAKE_PROMPTS +}; static struct opttab other_options[] = { { "auth_as_self", PAM_OPT_AUTH_AS_SELF }, + { "no_fake_prompts", PAM_OPT_NO_FAKE_PROMPTS }, { NULL, 0 } }; @@ -78,15 +84,6 @@ PAM_LOG("Options processed"); - /* - * It doesn't make sense to use a password that has already been - * typed in, since we haven't presented the challenge to the user - * yet. - */ - if (pam_test_option(&options, PAM_OPT_USE_FIRST_PASS, NULL) || - pam_test_option(&options, PAM_OPT_TRY_FIRST_PASS, NULL)) - PAM_RETURN(PAM_AUTH_ERR); - user = NULL; if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) { if ((pwd = getpwnam(getlogin())) == NULL) @@ -107,7 +104,23 @@ */ opiedisableaeh(
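Review bot: In the pam_get_pass.c hunk at `@@ -78,6 +88,8 @@`, turning an empty stored PAM_AUTHTOK into `item = NULL` sends every caller into the `if (item == NULL)` branch that follows, so an empty string can no longer be handed on as a first-pass password, and an account whose password really is "" is treated as if nothing had been typed. The new test also has no comment saying why an empty token is discarded. Consider keeping this rule in the module that needs it, or at least put a comment above the test that states the intent and the effect on empty passwords.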
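Review bot: The `no_fake_prompts` entry added to pam_opie.8 explains the information leak but does not say what happens to a user without an OPIE key once the option is set. Add a sentence stating that authentication by this module fails for such users (the PAM_AUTH_ERR return discussed earlier in the thread), so an administrator reading the page can tell how the module has to be stacked.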
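Review bot: The pam_opie.c hunk at `@@ -78,15 +84,6 @@` drops the early `PAM_RETURN(PAM_AUTH_ERR)` for `use_first_pass`/`try_first_pass`, and the patch as shown here is cut off after `opiedisableaeh(`, so nothing visible shows what now stops a previously typed password from being taken as the OPIE response. Please confirm that the following hunk clears the stored token before the prompt loop (the `pam_set_item(pamh, PAM_AUTHTOK, NULL)` call proposed earlier in the thread), and keep the rationale from the removed comment next to that call.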
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 18:46:37 +0100, Dag-Erling Smorgrav wrote:
>
> Assuming no ~des/.opiealways,
>
>  - without the change:
>
> des@des ~% login des
> otp-md5 496 de6973 ext
> Password:
> otp-md5 496 de6973 ext
> Password [echo on]:
> Login incorrect
> login:

It looks like the right variant. _By_default_ an OPIE user is unable to
enter a Unix password. You need to add
permit 255.255.255.255
line to /etc/opieaccess to _allow_ Unix passwords on your machine.

>
>  - with the change:
>
> des@des ~% login des
> otp-md5 496 de6973 ext
> Password:
> otp-md5 496 de6973 ext
> Password [echo on]:
> Password:

It looks like the wrong variant: 3 prompts instead of 2. There are only 2
prompts for all possible cases in OPIE. A Unix password can be entered at the
first or at the second prompt (i.e. with [echo on]), if _allowed_.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 18:53:34 +0100, Dag-Erling Smorgrav wrote:
>
> Here are the (hopefully) final patches. Any final objections before I
> commit the lot?

Except for the get_pass() thing, which causes 3 prompts again, all looks right.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 21:13:19 +0300, Andrey A. Chernov wrote:
> On Mon, Jan 21, 2002 at 18:46:37 +0100, Dag-Erling Smorgrav wrote:
> >
> > Assuming no ~des/.opiealways,
> >
> >  - without the change:
> >
> > des@des ~% login des
> > otp-md5 496 de6973 ext
> > Password:
> > otp-md5 496 de6973 ext
> > Password [echo on]:
> > Login incorrect
> > login:
>
>
> It looks like the right variant. _By_default_ an OPIE user is unable to
> enter a Unix password. You need to add
> permit 255.255.255.255
> line to /etc/opieaccess to _allow_ Unix passwords on your machine.

Moreover, you can't do any special processing of "" because "" is a valid
Unix password.

If OPIE is configured to allow Unix passwords on the machine, and you have
"" as your Unix password, you can log in just pressing two times (two
instead of one because the first time OPIE will think that echo must be on
and repeat the prompt).

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step6, corresponding /etc/pam.d/* fixes for review
> Here are the (hopefully) final patches. Any final objections before I
> commit the lot?

According to EyeBall Mk1, this is fine! :-)

I haven't extensively tested the code, but the methods used and the
design are very sound, I believe.

M
--
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn
Re: __stderrp error
this machine has never been 3.x.
the binaries worked fine up until about 5 months ago.

On Mon, 21 Jan 2002, M. Warner Losh wrote:

> Some -current binaries can have this, but recompiling usually fixes
> it. Also, I have some older 3.x binaries that I had to install
> COMPAT3 to get working.
>
> Warner
>
Re: __stderrp error
no, should I?

On Mon, 21 Jan 2002, Alexander Kabaev wrote:

> > and I've "made world" a lot of times like that.
> > and if I do it by hand as suggested, it doesn't make any difference
> > either.
> Just a guess - have you removed existing old libraries from /usr/lib?
>
Re: __stderrp error
> no, should I?

Only if you have older libraries with the same names as the ones
installed in /usr/lib/compat. As Ruslan pointed out, existing Makefiles
in lib/compat should take care of that automatically. The change was
added last September.
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 21:24:25 +0300, Andrey A. Chernov wrote:
> > >  - without the change:
> > >
> > > des@des ~% login des
> > > otp-md5 496 de6973 ext
> > > Password:
> > > otp-md5 496 de6973 ext
> > > Password [echo on]:
> > > Login incorrect
> > > login:
>
> If OPIE is configured to allow Unix passwords on the machine, and you have
> "" as your Unix password, you can log in just pressing two times (two
> instead of one because the first time OPIE will think that echo must be on
> and repeat the prompt).

I want to say that your example above has the correct meaning: I want to
enter with Unix password ""

--
Andrey A. Chernov
http://ache.pp.ru/
Re: Step6, corresponding /etc/pam.d/* fixes for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> It looks like the right variant. _By_default_ an OPIE user is unable to
> enter a Unix password. You need to add
> permit 255.255.255.255
> line to /etc/opieaccess to _allow_ Unix passwords on your machine.

Which I do...

# grep '^[^#]' /etc/opieaccess
permit 127.0.0.1 255.255.255.255
permit 10.0.0.1 255.255.255.0

> It looks like the wrong variant: 3 prompts instead of 2. There are only 2
> prompts for all possible cases in OPIE. A Unix password can be entered at the
> first or at the second prompt (i.e. with [echo on]), if _allowed_.

I understand your point, but I'm still unsure. I'll just leave that
part of the patch out for now.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: Step6, corresponding /etc/pam.d/* fixes for review
On Mon, Jan 21, 2002 at 19:40:40 +0100, Dag-Erling Smorgrav wrote:
>
> Which I do...
>
> # grep '^[^#]' /etc/opieaccess
> permit 127.0.0.1 255.255.255.255
> permit 10.0.0.1 255.255.255.0

Really there must be only the address resolved from the gethostname() call,
which e.g. "su" sets for PAM_RHOST on localhost.

In that case you try to enter with an empty Unix password (see my other
message)

--
Andrey A. Chernov
http://ache.pp.ru/
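The /etc/opieaccess lines quoted in the message above decide which remote hosts may answer the OPIE prompt with a Unix password, with OPIE-only as the default. The C program below is an added example, not code from libopie or from any poster in this thread: it evaluates `permit|deny address mask` rules against a peer address and flags rules whose address has bits outside the mask, such as the 10.0.0.1 entry. It assumes first-match semantics and that both the rule address and the peer are masked before comparison; all function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* What a host may type at the OPIE prompt. */
enum verdict { OPIE_ONLY = 0, UNIX_PASSWORD_OK = 1 };

struct rule {
    int permit;      /* 1 = permit, 0 = deny */
    uint32_t net;    /* rule address, host byte order */
    uint32_t mask;   /* rule mask, host byte order */
};

/* Constructed sample: the two permit lines are the ones quoted in the thread. */
static const char SAMPLE[] =
    "# trusted hosts (constructed sample)\n"
    "permit 127.0.0.1 255.255.255.255\n"
    "permit 10.0.0.1 255.255.255.0\n";

/* Copy the next line of conf into buf; returns 0 at end of input. */
static int next_line(const char **conf, char *buf, size_t size)
{
    size_t len, n;

    if (**conf == '\0')
        return 0;
    len = strcspn(*conf, "\n");
    n = len < size - 1 ? len : size - 1;
    memcpy(buf, *conf, n);
    buf[n] = '\0';
    *conf += len;
    if (**conf == '\n')
        (*conf)++;
    return 1;
}

/* Returns 1 for a rule, 0 for a blank or comment line, -1 if malformed. */
static int parse_rule(const char *line, struct rule *r)
{
    char action[8], addr[16], mask[16];
    struct in_addr a, m;

    line += strspn(line, " \t");
    if (*line == '\0' || *line == '#')
        return 0;
    if (sscanf(line, "%7s %15s %15s", action, addr, mask) != 3)
        return -1;
    if (strcmp(action, "permit") == 0)
        r->permit = 1;
    else if (strcmp(action, "deny") == 0)
        r->permit = 0;
    else
        return -1;
    if (inet_pton(AF_INET, addr, &a) != 1 || inet_pton(AF_INET, mask, &m) != 1)
        return -1;
    r->net = ntohl(a.s_addr);
    r->mask = ntohl(m.s_addr);
    return 1;
}

/* First matching rule wins (assumption); no match or a bad peer: OPIE only. */
enum verdict check_access(const char *conf, const char *remote)
{
    struct in_addr peer;
    struct rule r;
    char line[128];

    if (inet_pton(AF_INET, remote, &peer) != 1)
        return OPIE_ONLY;
    while (next_line(&conf, line, sizeof line)) {
        if (parse_rule(line, &r) != 1)
            continue;   /* malformed lines never grant access */
        if (((ntohl(peer.s_addr) ^ r.net) & r.mask) == 0)
            return r.permit ? UNIX_PASSWORD_OK : OPIE_ONLY;
    }
    return OPIE_ONLY;
}

/* Audit helper: count rules whose address has bits set outside the mask. */
int rules_with_host_bits(const char *conf)
{
    struct rule r;
    char line[128];
    int count = 0;

    while (next_line(&conf, line, sizeof line))
        if (parse_rule(line, &r) == 1 && (r.net & ~r.mask) != 0)
            count++;
    return count;
}

int main(void)
{
    const char *hosts[] = { "127.0.0.1", "10.0.0.42", "10.0.1.42", "192.0.2.7" };
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-10s %s\n", hosts[i],
            check_access(SAMPLE, hosts[i]) == UNIX_PASSWORD_OK ?
            "Unix password accepted" : "OPIE response required");
    printf("rules with host bits set: %d\n", rules_with_host_bits(SAMPLE));
    return 0;
}
```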
Re: Step6, corresponding /etc/pam.d/* fixes for review
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Mon, Jan 21, 2002 at 19:40:40 +0100, Dag-Erling Smorgrav wrote:
> > # grep '^[^#]' /etc/opieaccess
> > permit 127.0.0.1 255.255.255.255
> > permit 10.0.0.1 255.255.255.0
> Really there must be only the address resolved from the gethostname() call,
> which e.g. "su" sets for PAM_RHOST on localhost.

Sure, but the other hosts on my home LAN (one server, another
workstation, and two to three laptops) are considered "trusted" too :)

> In that case you try to enter with an empty Unix password (see my other
> message)

Agreed. I didn't see it that way, but you're right.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: i4b driver broken for -current?
Marc Ernst Eddy van Woerkom <[EMAIL PROTECTED]> wrote:

> However I don't manage to establish
> a kernel ppp connection to my provider
> since then.

You're using the correct version of sppp? We recently abandoned the
private sys/i4b/driver/i4b_ispppsubr.c (finally), and have i4b use
sys/net/if_spppsubr.c. This means that you now need to throw away
ispppcontrol(8), and use spppcontrol(8) again.

Unfortunately, Warner is somewhat offline due to personal matters
right now, so my submitted entries for UPDATING aren't committed yet.

--
cheers, J"org               .-.-.   --... ...--   -.. .  DL8DTL

http://www.sax.de/~joerg/                        NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
Re: i4b driver broken for -current?
On 21 Jan, Marc Ernst Eddy van Woerkom wrote:

> anyone running a recent -current
> successfully with the i4b ISDN drivers?

Yes.

> I built -current around Christmas,
> and had to apply a patch posted here
> in October to make a kernel with i4b
> drivers.

I think it was my patch. Something with "mtx_initialized()"? If yes,
it's in the tree now.

> However I don't manage to establish
> a kernel ppp connection to my provider
> since then.

You have to use rev. 1.60 of /sys/netinet/in.c ("cd /sys/netinet; cvs
update -r 1.60 in.c" if you use cvs instead of CVSup). The author of rev
1.61 (brian, CCed) knows already about it, but I don't know what he
wants to do and when he has time to do it. If you can't get rev 1.60
(either via cvs or from the web interface at freebsd.org or any other
source) you have to use the userland ppp.

Bye,
Alexander.

--
"One world, one web, one program" -- Microsoft promotional ad
"Ein Volk, ein Reich, ein Fuehrer" -- Adolf Hitler
http://www.Leidinger.net                       Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
Re: pam_opie(8) prompt
On Mon, Jan 21, 2002 at 18:32:43 +0300, Andrey A. Chernov wrote:
> On Mon, Jan 21, 2002 at 16:11:47 +0100, Dag-Erling Smorgrav wrote:
> >
> > > Back to your subj.: It breaks, at least, M$ Windows OPIE/Skey generators
> > > which do auto-paste when keyword (Password) is found.
> >
> > Good point. "OPIE Password" might be more appropriate, then.
>
> We don't know, what exact pattern they may use. What if it is something
> like \nPassword? BTW, example of such program is NetNTerm
> www.securenetterm.com

The second argument against this change follows:

On

Password:
or
Password [echo on]:

prompts the user can type either an OPIE exchange or a Unix password (if
allowed to do it). If this is changed to:

OPIE Password:
or
OPIE Password [echo on]:

it gives the impression that no normal Unix password can be typed at this
point.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: pam_opie(8) prompt
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> it gives the impression that no normal Unix password can be typed at this
> point.

...which I initially thought was the case, but it's not.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Step7, Conclusion
Well, now almost all things work as they are expected to; the only thing
left is the srandomdev() fix promised by Mark.

Thanks to all, especially to Dag-Erling.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: __stderrp error
In message: <[EMAIL PROTECTED]>
            Julian Elischer <[EMAIL PROTECTED]> writes:
: this machine has never been 3.x.
: the binaries worked fine up until about 5 months ago.

All bets are off if it ran -current. You need to rebuild everything.

Warner
Re: __stderrp error
On Mon, Jan 21, 2002 at 12:54:38PM -0700, M. Warner Losh wrote:
> In message: <[EMAIL PROTECTED]>
>             Julian Elischer <[EMAIL PROTECTED]> writes:
> : this machine has never been 3.x.
> : the binaries worked fine up until about 5 months ago.
>
> All bets are off if it ran -current. You need to rebuild everything.
>

Ah yes, I remember this problem with -current. Something changed and
I had to rebuild everything including ports or install the 4.x compat
libs.

--
David W. Chapman Jr.
[EMAIL PROTECTED]       Raintree Network Services, Inc.
[EMAIL PROTECTED]       FreeBSD Committer
Re: __stderrp error
In message: <[EMAIL PROTECTED]>
            "David W. Chapman Jr." <[EMAIL PROTECTED]> writes:
: On Mon, Jan 21, 2002 at 12:54:38PM -0700, M. Warner Losh wrote:
: > In message: <[EMAIL PROTECTED]>
: >             Julian Elischer <[EMAIL PROTECTED]> writes:
: > : this machine has never been 3.x.
: > : the binaries worked fine up until about 5 months ago.
: >
: > All bets are off if it ran -current. You need to rebuild everything.
: >
:
: Ah yes, I remember this problem with -current. Something changed and
: I had to rebuild everything including ports or install the 4.x compat
: libs.

If you are using 4.x compat libraries they needed to be reinstalled.
If you are using libc from -current, you must rebuild all binaries
that use them. Those are the breaks.

Warner
We forget STATIC_MODULES, patch included
--- libpam/Makefile.old Thu Dec 13 12:26:56 2001 +++ libpam/Makefile Mon Jan 21 23:09:16 2002 @@ -80,6 +80,7 @@ .endif STATIC_MODULES+= ${MODOBJDIR}/pam_nologin/libpam_nologin.a STATIC_MODULES+= ${MODOBJDIR}/pam_opie/libpam_opie.a +STATIC_MODULES+= ${MODOBJDIR}/pam_opieaccess/libpam_opieaccess.a STATIC_MODULES+= ${MODOBJDIR}/pam_permit/libpam_permit.a STATIC_MODULES+= ${MODOBJDIR}/pam_radius/libpam_radius.a STATIC_MODULES+= ${MODOBJDIR}/pam_rootok/libpam_rootok.a -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
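Review bot: The added `STATIC_MODULES+=` line points at `${MODOBJDIR}/pam_opieaccess/libpam_opieaccess.a`, which exists only if the pam_opieaccess module directory has been built before libpam is linked; the patch touches libpam/Makefile alone, so please confirm the module is already in the modules build list, otherwise the static build stops on a missing archive. The diff is also taken against a local `Makefile.old` copy rather than a repository revision, which makes it harder to apply to a known base.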
Re: Step7, Conclusion
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> Thanks to all, especially to Dag-Erling.

Thanks to *you* for pointing out and explaining the issues, submitting
patches, and reviewing and testing mine. I'm sorry we got off on such
a bad foot this weekend; I feel that the exchanges we've had yesterday
and today have been very constructive and productive.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: i4b driver broken for -current?
Alexander Leidinger <[EMAIL PROTECTED]> wrote:

> You have to use rev. 1.60 of /sys/netinet/in.c ("cd
> /sys/netinet;

No, you're wrong. This bug has been fixed as one of the first of my
series of commits that brought the i4b version of sppp back into the
mainstream version. Otherwise I could not have worked at all. ;-)

RCS file: /home/ncvs/src/sys/net/if_spppsubr.c,v
Working file: /sys/net/if_spppsubr.c
head: 1.91

revision 1.74
date: 2001/12/26 20:28:41; author: joerg; state: Exp; lines: +3 -2
For SIOCSIFADDR, don't call if_up() since it would attempt to add the
route to the destination twice. Now that brian has fixed route.c to
no longer accept this second route, this long-standing nuisance became
a showstopper bug for sppp users.

In retrospect, this is the same fix as the one in rev 1.78 of if_sl.c;
most likely the original version of sppp has been cloned from SLIP. ;-)

--
cheers, J"org               .-.-.   --... ...--   -.. .  DL8DTL

http://www.sax.de/~joerg/                        NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
Re: __stderrp error
I reinstalled the 4.x compat libs but it didn't make any difference. :-(

On Mon, 21 Jan 2002, M. Warner Losh wrote:

> In message: <[EMAIL PROTECTED]>
>             "David W. Chapman Jr." <[EMAIL PROTECTED]> writes:
> : On Mon, Jan 21, 2002 at 12:54:38PM -0700, M. Warner Losh wrote:
> : > In message: <[EMAIL PROTECTED]>
> : >             Julian Elischer <[EMAIL PROTECTED]> writes:
> : > : this machine has never been 3.x.
> : > : the binaries worked fine up until about 5 months ago.
> : >
> : > All bets are off if it ran -current. You need to rebuild everything.
> : >
> :
> : Ah yes, I remember this problem with -current. Something changed and
> : I had to rebuild everything including ports or install the 4.x compat
> : libs.
>
> If you are using 4.x compat libraries they needed to be reinstalled.
> If you are using libc from -current, you must rebuild all binaries
> that use them. Those are the breaks.
>
> Warner
>
Re: We forget STATIC_MODULES, patch included
Thanks, I'll commit that right away.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: Step7, Conclusion
On Mon, Jan 21, 2002 at 09:19:50PM +0100, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > Thanks to all, especially to Dag-Erling.
>
> Thanks to *you* for pointing out and explaining the issues, submitting
> patches, and reviewing and testing mine. I'm sorry we got off on such
> a bad foot this weekend; I feel that the exchanges we've had yesterday
> and today have been very constructive and productive.

hear hear!

Good stuff folks..

--
|   / o / /_  _                 email: [EMAIL PROTECTED]
|/|/ / / /( (_)  Bulte          Arnhem, the Netherlands
Re: Step7, Conclusion
* Dag-Erling Smorgrav <[EMAIL PROTECTED]> [020121 12:20] wrote:
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > Thanks to all, especially to Dag-Erling.
>
> Thanks to *you* for pointing out and explaining the issues, submitting
> patches, and reviewing and testing mine. I'm sorry we got off on such
> a bad foot this weekend; I feel that the exchanges we've had yesterday
> and today have been very constructive and productive.

Truly commendable the way you all settled and solved the issue, the
project is better for it.

thank you,
-Alfred
Re: Step7, Conclusion
step 8
a summary for the rest of us?
I got lost there in the middle somewhere.

On 21 Jan 2002, Dag-Erling Smorgrav wrote:

> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > Thanks to all, especially to Dag-Erling.
>
> Thanks to *you* for pointing out and explaining the issues, submitting
> patches, and reviewing and testing mine. I'm sorry we got off on such
> a bad foot this weekend; I feel that the exchanges we've had yesterday
> and today have been very constructive and productive.
>
> DES
> --
> Dag-Erling Smorgrav - [EMAIL PROTECTED]
>
Re: Step7, Conclusion
Julian Elischer <[EMAIL PROTECTED]> writes:
> step 8
> a summary for the rest of us?
> I got lost there in the middle somewhere.

http://people.freebsd.org/~des/diary/2002.html#2002-01-21

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: Step5, pam_opie OPIE auth fix for review
"Jacques A. Vidrine" wrote:
>
> On Sun, Jan 20, 2002 at 11:43:28PM -0800, Terry Lambert wrote:
> > Once you guys have this all hammered out, are you going to
> > integrate PAM and Kerberos? 8-) 8-) 8-).
>
> In what way do you mean?

In the way that the author of the PAM architecture from Sun
spoke at the Silicon Valley BSD User's Group meeting, and
there are just some things that can't be wedged into the
PAM framework until the framework is changed.

-- Terry
Re: Step5, pam_opie OPIE auth fix for review
On Mon, Jan 21, 2002 at 12:48:39PM -0800, Terry Lambert wrote:
> "Jacques A. Vidrine" wrote:
> >
> > On Sun, Jan 20, 2002 at 11:43:28PM -0800, Terry Lambert wrote:
> > > Once you guys have this all hammered out, are you going to
> > > integrate PAM and Kerberos? 8-) 8-) 8-).
> >
> > In what way do you mean?
>
> In the way that the author of the PAM architecture from Sun
> spoke at the Silicon Valley BSD User's Group meeting,

Do you have a reference, or do we have to guess what you are talking
about? :-)

> and
> there are just some things that can't be wedged into the
> PAM framework until the framework is changed.

That is certainly true. It's also true if s/PAM/foo/ for most values
of foo.

Cheers,
--
Jacques A. Vidrine <[EMAIL PROTECTED]>            http://www.nectar.cc/
NTT/Verio SME       .     FreeBSD UNIX     .     Heimdal Kerberos
[EMAIL PROTECTED]   .   [EMAIL PROTECTED]   .   [EMAIL PROTECTED]
Re: Step7, Conclusion
On Mon, Jan 21, 2002 at 12:24:44 -0800, Julian Elischer wrote:
> step 8
> a summary for the rest of us?
> I got lost there in the middle somewhere.

The shortest one, I think:

1) OPIE auth now works as required.
2) OPIE is turned on by default.

Both cases affect only users registered in OPIE and do not affect normal
users.

--
Andrey A. Chernov
http://ache.pp.ru/
Re: pam_opie(8) prompt
Dag-Erling Smorgrav wrote:
> Does anybody mind if I change the pam_opie(8) prompt from "Password:"
> to "Response:"? I think users might be slightly confused when they
> enter an incorrect or empty response twice and get a new "Password:"
> prompt and don't realize it's the pam_unix(8) prompt.

See my patch to the login code to use a string from the
/etc/login.conf file for the "Password: " prompt for getty
and login.

Making yet another string that was not under the control of
the configuration files would damage the ability to rebadge
the system.

I think unconfusing the user is an administrative problem,
and since the confusion would arise as the result of an
administrative decision, this only reaffirms my opinion
that it should live in the local "policies and how to use
this system" documents.

Remember that the intent of systems design is to *avoid*
dictating policy.

-- Terry
Re: pam_opie(8) prompt
Ruslan Ermilov wrote:
> On Mon, Jan 21, 2002 at 03:18:32PM +0100, Dag-Erling Smorgrav wrote:
> > Does anybody mind if I change the pam_opie(8) prompt from "Password:"
> > to "Response:"? I think users might be slightly confused when they
> > enter an incorrect or empty response twice and get a new "Password:"
> > prompt and don't realize it's the pam_unix(8) prompt.
> >
> Why not "OPIE password:" then?

If you must do it, then make it an "OPIE " prefix, and let
whatever string is there show up.

I would really prefer that this be controllable with a
policy option (e.g. via pam.conf), assuming it has to be
there at all.

Presumably, the admin will know the system is using OPIE
(having configured it to do so), and the admin will tell
the users about this at the time the accounts are granted.

-- Terry
Re: Step5, pam_opie OPIE auth fix for review
"Jacques A. Vidrine" wrote:
> > In the way that the author of the PAM architecture from Sun
> > spoke at the Silicon Valley BSD User's Group meeting,
>
> Do you have a reference, or do we have to guess what you are talking
> about? :-)

I have my memory of the talk he gave, which included the
idea that Sun was not supporting work to modify the PAM
architecture to support Kerberos in the future.

Basically, you can use it for authentication and password
change, but for little else, and even those uses require
going through incredible hoops (e.g. abusing the authentication
module API to implement a credential cache).

Did you need more? Are you really just fishing for Paul
Fronberg's email address?

Maybe this release note from HP will explain the limitations
satisfactorily:

http://docs.hp.com/hpux/onlinedocs/J5849-90001/J5849-90001.html

NB: This is just for authentication, mostly preauthentication.

-- Terry
OPIE little speedup patch for review
memset() in opiechallenge() really is not needed because it is the very first thing opielookup() does being entered, i.e. look at this: int opielookup FUNCTION((opie, principal), struct opie *opie AND char *principal) { int i; memset(opie, 0, sizeof(struct opie)); ... And then the patch included: --- challenge.c.bak Tue Apr 11 16:52:01 2000 +++ challenge.c Tue Jan 22 01:07:06 2002 @@ -52,8 +52,6 @@ { int rval = -1; - memset(mp, 0, sizeof(*mp)); - rval = opielookup(mp, name); #if DEBUG if (rval) syslog(LOG_DEBUG, "opiechallenge: opielookup(mp, name=%s) returned %d", name, rval); -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
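Review bot: Removing `memset(mp, 0, sizeof(*mp));` in challenge.c makes opiechallenge() depend on opielookup() clearing the structure as its first action; that holds for the opielookup() excerpt quoted with the patch, but nothing at the call site records the dependency. Leave a one-line comment above `rval = opielookup(mp, name);` saying the struct is zeroed there, so a later change to opielookup() does not leave `*mp` uninitialised on the error path.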
Re: Questions about -current
On 2002-01-21 09:22:08, [EMAIL PROTECTED] wrote:
> 5) In -current would it be possible to have a few command line
> switches added to certain userland utilities? I noticed -h made it
> into `ls` now, but `cp` still doesn't have -a or -x which I used to
> use all the time in Linux. I know -a isn't a big deal but -x was
> definitely nice from time to time.

What does the -a or -x option do for the ls(1) command of Linux? Perhaps equivalent options do already exist in FreeBSD ls(1).

> `date` having a --date option to tell you when a specified date is
> in Linux is also very nice. Just some thoughts.

If I haven't misunderstood you on this, FreeBSD's date(1) can already do what you want, although I have to admit that it works a bit differently than Linux's date(1).

I've recently used date(1) -j and -f options to convert arbitrary dates to the local timezone in a script I wrote to print the modification date of problem reports. You might want to check the scripts at:

    http://people.FreeBSD.org/~keramida/pr/feedback/

for samples of using date(1) to convert between timezones and date representations. A small example that will probably help you understand how this is done (combined with the description of the -j and -f options in the date(1) manual page) is shown below:

    hades!charon:[/home/charon]% date '+%s => %T %Z'
    1011645430 => 22:37:10 EET
    hades!charon:[/home/charon]% TZ=UTC date -j -f '%s' 1011645328 '+%s => %T %Z'
    1011645328 => 20:35:28 GMT

Cheers,

--
Giorgos Keramidas . . . . . . . . . keramida@{ceid.upatras.gr,freebsd.org}
FreeBSD Documentation Project . . . http://www.freebsd.org/docproj/
FreeBSD: The power to serve . . . . http://www.freebsd.org/

48bit ATA addressing problems / Promise TX2 ata133 problem?
I'm running -current and have a Maxtor 160GB hdd hooked to the Promise ATA133 card that came with it. It will flake out for no apparent reason. Any clues? Maybe bad hardware? Anyone else getting these?

ad4: READ command timeout tag=0 serv=0 - resetting
ata2: resetting devices .. done
ad4: READ command timeout tag=0 serv=0 - resetting
ata2: resetting devices .. done
ad4: READ command timeout tag=0 serv=0 - resetting
ata2: resetting devices .. done
ad4: READ command timeout tag=0 serv=0 - resetting
ad4: trying fallback to PIO mode
ata2: resetting devices .. done

mike

Re: __stderrp error
On Sun, 20 Jan 2002, Julian Elischer wrote:

> has NO effect whatsoever.
>
> The only thing I can do is recompile any package that has this problem.
> but sometimes it's hard finding which package needs to be recompiled.
>
> thoughts?

You might also need compat3. I was quite surprised at the set of 3.x binaries I had installed :-).

Robert N M Watson        FreeBSD Core Team, TrustedBSD Project
[EMAIL PROTECTED]        NAI Labs, Safeport Network Services

Re: __stderrp error
In message: <[EMAIL PROTECTED]> Julian Elischer <[EMAIL PROTECTED]> writes:
: I reinstalled the 4.x compat libs but it didn't make any difference.:-(

Then you must have -current binaries that are too old. You will have to rebuild them.

Warner

making a large RAMdisk?
I've got a machine with 4G of RAM, and I'm trying to test all the RAM out to make sure it's okay.

I've tried doing buildworlds, but never end up using more than 1G of RAM on cache, etc.

I've got -current and -stable on it, and I've tried making an MFS filesystem under -stable. I can't seem to get more than a 512M MFS filesystem allocated under -stable. (I've got two 2G swap partitions.)

I tried using md to make a swap-backed filesystem under -current, but the problem is that it actually seems to back it with swap. (pstat -s shows disk space used, unlike MFS under -stable)

Is there a way, under -current or -stable, to make a true RAMdisk that is around 2GB in size?

Ken
--
Kenneth Merry
[EMAIL PROTECTED]

Re: making a large RAMdisk?
On Monday 21 January 2002 10:20 pm, Kenneth D. Merry wrote:
> I've got a machine with 4G of RAM, and I'm trying to test all the RAM out
> to make sure it's okay.
>
> I've tried doing buildworlds, but never end up using more than 1G of RAM on
> cache, etc.
>
> I've got -current and -stable on it, and I've tried making an MFS
> filesystem under -stable. I can't seem to get more than a 512M MFS
> filesystem allocated under -stable. (I've got two 2G swap partitions.)
>
> I tried using md to make a swap-backed filesystem under -current, but the
> problem is that it actually seems to back it with swap. (pstat -s shows
> disk space used, unlike MFS under -stable)
>
> Is there a way, under -current or -stable, to make a true RAMdisk that is
> around 2GB in size?
>
> Ken

If all you want to do is test the RAM:
http://www.teresaudio.com/memtest86/
(download the Windows version and use dd to put the binary on a floppy)

As far as your other questions, well

Sam

Re: making a large RAMdisk?
On Tue, Jan 22, 2002 at 22:18:51 -0700, Samuel J.Greear wrote:
> On Monday 21 January 2002 10:20 pm, Kenneth D. Merry wrote:
> > I've got a machine with 4G of RAM, and I'm trying to test all the RAM out
> > to make sure it's okay.
> >
> > I've tried doing buildworlds, but never end up using more than 1G of RAM on
> > cache, etc.
> >
> > I've got -current and -stable on it, and I've tried making an MFS
> > filesystem under -stable. I can't seem to get more than a 512M MFS
> > filesystem allocated under -stable. (I've got two 2G swap partitions.)
> >
> > I tried using md to make a swap-backed filesystem under -current, but the
> > problem is that it actually seems to back it with swap. (pstat -s shows
> > disk space used, unlike MFS under -stable)
> >
> > Is there a way, under -current or -stable, to make a true RAMdisk that is
> > around 2GB in size?
> >
> > Ken
>
>
> If all you want to do is test the RAM:
> http://www.teresaudio.com/memtest86/
> (download the Windows version and use
> dd to put the binary on a floppy)

Thanks for the pointer. Unfortunately it doesn't work with more than 2G of RAM. (The test just hangs up, numlock doesn't work, keyboard input doesn't seem to do anything.)

> As far as your other questions, well

For the archives, Paul Saab pointed out that I need to increase MAXDSIZ. That did the trick, and I now have a ~2G MFS partition:

(on -stable)

{nargothrond:/usr/home/ken:62:0} df -k /mnt
Filesystem 1K-blocks   Used   Avail Capacity  Mounted on
mfs:340      2015918 604986 1249660    33%    /mnt

Ken
--
Kenneth Merry
[EMAIL PROTECTED]

Re: 48bit ATA addressing problems / Promise TX2 ata133 problem?
It seems Mike Brancato wrote:
> I'm running -current and have a Maxtor 160GB hdd hooked to the Promise
> ATA133 card that came with it. It will flake out for no apparent
> reason. Any clues? Maybe bad hardware? Anyone else getting these?
>
> ad4: READ command timeout tag=0 serv=0 - resetting
> ata2: resetting devices .. done
> ad4: READ command timeout tag=0 serv=0 - resetting
> ata2: resetting devices .. done
> ad4: READ command timeout tag=0 serv=0 - resetting
> ata2: resetting devices .. done
> ad4: READ command timeout tag=0 serv=0 - resetting
> ad4: trying fallback to PIO mode
> ata2: resetting devices .. done

I know that the 48bit code works, but the support code for the Promise ATA133 controller hasn't been tested much (I don't have such an animal).

However, if you move the disk to another controller, does the problem persist?

-Søren

Re: Questions about -current
Giorgos Keramidas wrote:
> On 2002-01-21 09:22:08, [EMAIL PROTECTED] wrote:
>
>>5) In -current would it be possible to have a few command line
>>switches added to certain userland utilities? I noticed -h made it
>>into `ls` now, but `cp` still doesn't have -a or -x which I used to
>>use all the time in Linux. I know -a isn't a big deal but -x was
>>definitely nice from time to time.
>>
>
> What does the -a or -x option do for the ls(1) command of Linux?
> Perhaps equivalent options do already exist in FreeBSD ls(1).
>

Sorry for the confusion there :-) The -a and -x options are meant for cp(1).

The -a (--archive) option in cp(1) for Linux (which I am fairly certain is the GNU version) is essentially an easy way to safely do -dpR automatically. So effectively -a (--archive) preserves links, tries to preserve permissions, and also does a recursive copy.

The -x (--one-file-system) option in cp(1) for Linux says that if you have multiple file systems mounted on top of / and you do a `cp -ax / /mnt/copy/of/root/.` it should only copy the directory stubs for the mounts instead of the mounts themselves.

I have found both of these options to be extremely useful at times.

>
>>`date` having a --date option to tell you when a specified date is
>>in Linux is also very nice. Just some thoughts.
>>
>
> If I haven't misunderstood you on this, FreeBSD's date(1) can already
> do what you want, although I have to admit that it works a bit
> differently than Linux's date(1).
>
> I've recently used date(1) -j and -f options to convert arbitrary
> dates to the local timezone in a script I wrote to print the
> modification date of problem reports. You might want to check the
> scripts at:
>
> http://people.FreeBSD.org/~keramida/pr/feedback/
>
> for samples of using date(1) to convert between timezones and date
> representations. A small example that will probably help you
> understand how this is done (combined with the description of the -j
> and -f options in the date(1) manual page) is shown below:
>
> hades!charon:[/home/charon]% date '+%s => %T %Z'
> 1011645430 => 22:37:10 EET
> hades!charon:[/home/charon]% TZ=UTC date -j -f '%s' 1011645328 '+%s => %T %Z'
> 1011645328 => 20:35:28 GMT
>

Again, sorry for the misunderstanding and not providing enough information upfront. In Linux date(1) is the GNU version of date, which means you can do the following `date --date 'Jan 22 2002'` and it would output the following:

    Tue Jan 22 00:00:00 CST 2002

Or I could do a `date --date '2 days ago'` and it would output:

    Sun Jan 20 00:46:30 CST 2002

Again, this option might not be the most useful thing in the world but I know that I have used it many times at home and at work to make scripts less complicated.

> Cheers,
>
> --
> Giorgos Keramidas . . . . . . . . . keramida@{ceid.upatras.gr,freebsd.org}
> FreeBSD Documentation Project . . . http://www.freebsd.org/docproj/
> FreeBSD: The power to serve . . . . http://www.freebsd.org/
>
>

Thank you for the response and let me know if you need any further information to be able to tell what the options I was referring to for cp(1) and date(1) actually do.

Jordan

Re: making a large RAMdisk?
In message <[EMAIL PROTECTED]>, "Kenneth D. Merry" writes:

>Is there a way, under -current or -stable, to make a true RAMdisk that is
>around 2GB in size?

Possibly. If you take the detour around a preloaded image for the md(4) driver it should be possible.

--
Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
[EMAIL PROTECTED]   | TCP/IP since RFC 956
FreeBSD committer   | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Re: Questions about -current (Linuxism's)
While I realize you can't emulate the switches on any command on any OS, I found a few "linuxisms" missing.

E.g.: I find it illogical that "route" can change, and also display, the route to a single host, but route cannot display the entire route table. In Linux it is simply "route", in Windows it is "route print", but in FreeBSD it is "netstat -r".

It is simple to add the information "Sorry Dave, I can not do that. Try netstat -r instead" for "route print" (I just did), or to add similar information when no proper keyword is given.

Similarly on Linux "netstat -ap"; the p gives the pid which has the connection open. On FreeBSD, this option is not available; instead sockstat provides similar (better; it shows the path to the command) information. As the -p is not used for netstat, it could print "use sockstat instead".

It could help in heterogeneous environments.

Or perhaps this would just start a slide down a slippery slope... There is always a difference between commands on different OSes. Some are even "dangerous". E.g. if you type "hostname -f" on a Sun, you change the hostname to "-f"...

Leif
