Re: elementary opensmtpd setting on rental server
On Sat, 25 Jul 2015 11:22:09 +0900 Tuyosi Takesima wrote:
> for me, nsd is too hard.
> so i make a trial to build intranet mail server
> with unbound, opensmtpd and dovecot without nsd or bind.

nsd is for authoritative only, if you need recursive and cache dns server, use unbound or bind/named.

> see http://aoiyuma.mydns.jp/unbound+opensmtpd.html by using proper
> translation URL.

there are a lot of how-tos for this purpose if you search on google... http://blather.michaelwlucas.com/archives/580
ipv6 kernel pppoe + slaac problem
hi

i already read the threads here in this list because my problem is similar but not the same.

the environment:

dsl provider in germany "NetCologne"; they offer a full working /64 ipv6 net through slaac config.

i use an openbsd 5.8 beta ( build a couple of days before )

physical interfaces are intel em

net.inet6.ip6.forwarding = 1
net.inet6.icmp6.nd6_debug=1

# cat /etc/hostname.em2
inet 192.168.0.2 255.255.255.252 NONE
up

# cat /etc/hostname.em0
inet 192.168.131.251 255.255.255.0 NONE
inet6 autoconf
!echo "setup ipv4 on NetCologene pppoe"
inet 0.0.0.0 255.255.255.255 NONE \
    pppoedev em2 authproto pap authname 'nc-y...@netcologne.de' authkey '' up
dest 0.0.0.1
!echo "setup ipv6 on NetCologne pppoe"
inet6 autoconf
!/sbin/route add -inet default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 ::0.0.0.1

# ifconfig pppoe0
pppoe0: flags=208851 mtu 1492
    priority: 0
    dev: em2 state: session
    sid: 0x508f PADI retries: 16 PADR retries: 0 time: 01:28:15
    sppp: phase network authproto pap authname "nc-glaesz...@netcologne.de"
    groups: pppoe egress
    status: active
    inet6 fe80::214:b7ff:fe00:6163%pppoe0 -> prefixlen 64 scopeid 0xb
    inet 84.44.157.221 --> 195.14.226.82 netmask 0x
    inet6 2001:4dd0:af10:d604:214:b7ff:fe00:6163 -> prefixlen 64 autoconf pltime 604786 vltime 2591986
    inet6 2001:4dd0:af10:d604:747a:f5e2:c201:b278 -> prefixlen 64 autoconf autoconfprivacy pltime 80714 vltime 599505

# route -n show
Routing tables

Internet:
Destination  Gateway  Flags  Refs  Use  Mtu  Prio  Iface
default  195.14.226.82  UGS  1  2046  -  8  pppoe0
84.44.157.221  84.44.157.221  UHl  0  0  -  1  lo0
127/8  127.0.0.1  UGRS  0  0  32768  8  lo0
127.0.0.1  127.0.0.1  UHl  1  0  32768  1  lo0
192.168.0.0/30  192.168.0.2  UC  0  0  -  8  em2
192.168.0.2  00:14:b7:00:61:66  UHLl  0  0  -  1  lo0
192.168.0.3  192.168.0.2  UHb  0  0  -  1  em2
192.168.131/24  192.168.131.251  UC  2  0  -  8  em0
192.168.131.101  e8:03:9a:b4:f6:48  UHLc  2  767  -  8  em0
192.168.131.103  00:1d:7d:02:5a:e4  UHLc  0  0  -  8  em0
192.168.131.251  00:14:b7:00:61:63  HLl  0  0  -  1  lo0
192.168.131.255  192.168.131.251  UHb  0  0  -  1  em0
195.14.226.82  84.44.157.221  UH  0  0  -  8  pppoe0
224/4  127.0.0.1  URS  0  0  32768  8  lo0

Internet6:
Destination  Gateway  Flags  Refs  Use  Mtu  Prio  Iface
::/104  ::1  UGRS  0  0  32768  8  lo0
::/96  ::1  UGRS  0  0  32768  8  lo0
default  ::1  UGS  0  12  -  8  pppoe0
default  fe80::90:1a00:41a4:ecb0%pppoe0  UG  0  0  -  56  pppoe0
::1  ::1  UHl  150  32768  1  lo0
::127.0.0.0/104  ::1  UGRS  0  0  32768  8  lo0
::224.0.0.0/100  ::1  UGRS  0  0  32768  8  lo0
::255.0.0.0/104  ::1  UGRS  0  0  32768  8  lo0
:::0.0.0.0/96  ::1  UGRS  0  0  32768  8  lo0
2001:4dd0:af10:d604:214:b7ff:fe00:6163  2001:4dd0:af10:d604:214:b7ff:fe00:6163  UHl  0  0  -  1  lo0
2001:4dd0:af10:d604:747a:f5e2:c201:b278  2001:4dd0:af10:d604:747a:f5e2:c201:b278  UHl  0  0  -  1  lo0
2002::/24  ::1  UGRS  0  0  32768  8  lo0
2002:7f00::/24  ::1  UGRS  0  0  32768  8  lo0
2002:e000::/20  ::1  UGRS  0  0  32768  8  lo0
2002:ff00::/24  ::1  UGRS  0  0  32768  8  lo0
fe80::/10  ::1  UGRS  0  0  32768  8  lo0
fe80::%em0/64  fe80::214:b7ff:fe00:6163%em0  UC  1  0  -  4  em0
fe80::214:b7ff:fe00:6163%em0  00:14:b7:00:61:63  HLl  0  0  -  1  lo0
fe80::ea03:9aff:feb4:f648%em0  e8:03:9a:b4:f6:48  UHLc  0  40  -  4  em0
fe80::%lo0/64  fe80::1%lo0  U  0  0  32768  4  lo0
fe80::1%lo0  fe80::1%lo0  UHl  0  0  32768  1  lo0
fe80::%pppoe0/64  fe80::214:b7ff:fe00:6163%pppoe0  U  0  0  -  4  pppoe0
fe80::90:1a00:41a4:ecb0%pppoe0  pppoe0  UHL  1  0  -  4  pppoe0
fe80::214:b7ff:fe00:6163%pppoe0  fe80::214:b7ff:fe00:6163%pppoe0  Hl  0  0  -  1  lo0
fec0::/10  ::1  UGRS  0  0  32768  8  lo0
ff01::/16
Re: Sluggish/laggy browser behaviour
On Fri, Jul 24, 2015 at 10:22:14AM -0700, Nathan Van Ymeren wrote: > Hi, > > I'm running the 19 July snapshot and am experiencing laggy tab > behaviour in both Chromium and Firefox. Specifically, when opening and > closing tabs I regularly experience noticeable and irritating pauses. > > The system is a thinkpad X220T with an i7 and 8 GB of memory, and under > different operating systems tabbing performance is acceptable. > > Has anyone experienced similar? Do you have tabs that use sounds ? There was a bug where sndiod could hang. I did notice it precisely because tabs were behaving strangely. Said bug has been fixed. Newer snapshot will be fine.
Re: "Alleged" OpenSSH bug
There's one obvious thing I totally forgot to mention, but the initial spin put on this issue is *all wrong*.

Calling that an "OpenSSH bug" is, pure and simple, slander.

If anything, it is a PAM bug. Or you can say it's a system integration bug on FreeBSD.

Calling that an OpenSSH bug just because OpenSSH does not take all the necessary paranoid measures required by an insane auth system is an over-simplification that goes in one specific direction. To throw mud in openssh direction.

But yeah, it's SO SIMPLE to try to blame the openssh team (because you know, they're full of hubris) instead of putting the blame where the blame is.

- treat password hashing as something mundane (FreeBSD). For sure it's not your task to make it hard to brute force password.
- treat authentication as a maze (PAM). For sure, it's not your task to make things clear and simple so that configuration mistakes HAPPEN ALL THE TIME.
- put all the blame on openssh, because you know, they're the only guys who have a clue about what's going on.
- forget to mention this specific issue happens on ONE particular system due to ONE specific set of conditions. Do not EVER try it everywhere. Publish first. Leaving it to the OpenBSD developers to reassert that this ONLY affects one *specific* deployment of OpenSSH.

Here, I'll give you my root password. You can now exploit my machine.
dovecot startup failure (5.7-stable)
Hi,

It appears that the dovecot package won't start at boot time unless the ulimit is raised for open files:

..
Jul 25 13:39:53 duck dovecot: master: Error: open(/var/dovecot/login-master-notifyda2290c6851a9f03) failed: Too many open files
..

If I add the following to /etc/login.conf --

dovecot:\
    :openfiles-cur=1024:\
    :tc=daemon:

it starts OK. I suppose it's either do the above, or change the defaults in /etc/dovecot/conf.d/10-master.conf .. ?

Regards,

Tor
Re: dovecot startup failure (5.7-stable)
Hey! This is known: http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/mail/dovecot/pkg/README-server?rev=1.2 Henrik
Patching OpenBSD 5.7
Hi All,

I upgraded my server from 5.6 to 5.7 using the bsd.rd, all was successful.

OpenBSD 5.7 (GENERIC) #738: Sun Mar 8 10:59:31 MDT 2015
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz ("GenuineIntel" 686-class) 3.60 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,NXE,PAGE1GB,LONG,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
real mem = 267862016 (255MB)
avail mem = 251109376 (239MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 07/31/13, BIOS32 rev. 0 @ 0xfd780, SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 07/31/2013
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3) S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3) S12F(S3) S13F(S3) [...]

I went and downloaded http://ftp.openbsd.org/pub/OpenBSD/patches/5.7.tar.gz so I can patch it.

Followed the instructions per the OpenBSD site:

Apply patch using:

signify -Vep /etc/signify/openbsd-57-base.pub -x 003_openssl.patch.sig \
    -m - | (cd /usr/src && patch -p0)

Then build and install libcrypto and libssl

cd /usr/src/lib/libcrypto/crypto
make obj (Success)
make

cc -O2 -pipe -g -Wall -Werror -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_FUNOPEN -DLIBRESSL_INTERNAL -DTERMIOS -DOPENSSL_NO_HW_PADLOCK -I/usr/src/lib/libcrypto/crypto/../../libssl/src -I/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto -I/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/modes -I/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1 -I/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/evp -I/usr/src/lib/libcrypto/crypto/obj -DAES_ASM -DVPAES_ASM -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DMD5_ASM -DGHASH_ASM -DRMD160_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DWHIRLPOOL_ASM -DOPENSSL_CPUID_OBJ -c /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_time.c -o a_time.o
cc1: warnings being treated as errors
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_time.c:88: warning: return type defaults to 'int'
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_time.c: In function 'IMPLEMENT_ASN1_FUNCTIONS':
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_time.c:90: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_time.c:96: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_time.c:116: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_time.c:127: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_time.c:164: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_time.c:185: error: expected '=', ',', ';', 'asm' or '__attribute__' before '{' token
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_time.c:74: error: parameter name omitted
/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/asn1/a_time.c:204: error: expected '{' at end of input
*** Error 1 in /usr/src/lib/libcrypto/crypto (:40 'a_time.o': @cc -O2 -pipe -g -Wall -Werror -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_F...)

Any guidance will be greatly appreciated.

Thank you
Monah
Re: dovecot startup failure (5.7-stable)
On 2015-07-25, Tor Houghton wrote:
> Hi,
>
> It appears that the dovecot package won't start at boot time unless the
> ulimit is raised for open files:
>
> ..
> Jul 25 13:39:53 duck dovecot: master: Error:
> open(/var/dovecot/login-master-notifyda2290c6851a9f03) failed: Too many open
> files
> ..
>
> If I add the following to /etc/login.conf --
>
> dovecot:\
> :openfiles-cur=1024:\
> :tc=daemon:
>
> it starts OK. I suppose it's either do the above, or change the defaults in
> /etc/dovecot/conf.d/10-master.conf .. ?
>
> Regards,
>
> Tor

When you "pkg_add dovecot", it says "Look in /usr/local/share/doc/pkg-readmes for extra documentation", and the dovecot file in there explains that you need to do just this.
Purchase/download a CD-ROM web page
This page still references version 5.6; just letting you know.
Re: ipv6 kernel pppoe + slaac problem
On 2015-07-25, Holger Glaess wrote:
> # ifconfig pppoe0
> pppoe0: flags=208851
> mtu 1492
> priority: 0
> dev: em2 state: session
> sid: 0x508f PADI retries: 16 PADR retries: 0 time: 01:28:15
> sppp: phase network authproto pap authname
> "nc-glaesz...@netcologne.de"
> groups: pppoe egress
> status: active
> inet6 fe80::214:b7ff:fe00:6163%pppoe0 -> prefixlen 64 scopeid 0xb
> inet 84.44.157.221 --> 195.14.226.82 netmask 0x
> inet6 2001:4dd0:af10:d604:214:b7ff:fe00:6163 -> prefixlen 64
> autoconf pltime 604786 vltime 2591986
> inet6 2001:4dd0:af10:d604:747a:f5e2:c201:b278 -> prefixlen 64
> autoconf autoconfprivacy pltime 80714 vltime 599505

So you are showing that you are receiving the SLAAC address here.

> so if i start the rtadvd -d em0 without config i see that he receive
> the RA from pppoe but he don't deploy
> the offered /64 network,

The offered /64 is on the pppoe interface. This seems to all be working exactly as expected.

As you're trying to request a /64 for use on a different interface than the one you're sending the request from, you'll need a different mechanism, normally DHCPv6 Prefix Delegation (PD) is used for that.

There's nothing in base that handles DHCPv6 PD, but a couple of packages do support it. The ISP I currently use for v6 only does static config so I can't test this, however if you "pkg_add dhcpcd", you can try something like this in /etc/dhcpcd.conf:

-- -- -- -- --
ipv6only
duid
persistent
option rapid_commit
slaac private
nohook lookup-hostname

interface pppoe0
ipv6rs
ia_na 1
ia_pd 2
-- -- -- -- --

"dhcpcd -d -B" will run it in the foreground with debug messages.
Re: IPV6 routing issue
On 2015-06-26, Christian Weisgerber wrote:
> On 2015-06-26, Giancarlo Razzolini wrote:
>
>> I've recently changed my ISP and they have native IPv6. My customer
>> premises equipment, which is a GPON, supports both stateless as DHCPv6
>> on its LAN interface. I want to put a OpenBSD firewall between this CPE
>> and my internal network.
>
> So you have TWO networks. One between the CPE and your OpenBSD
> firewall, and one containing the firewall and your internal machines.
>
>> I'm using OpenBSD 5.7 stable. My CPE receives a
>> /64 prefix delegation from my ISP.
>
> So you get ONE network address.
>
> You can't use a single network address for two networks. This has
> nothing to do with IPv6. It's the same with IPv4.

Actually that's fine, a point-to-point interface can be unnumbered, or in the case of IPv6, it can just have a link-local address.

So PPP can *only* configure a link-local address. To get a globally routable address you must use another method, either SLAAC, DHCPv6 PD, or static configuration.

SLAAC would only give you an address on a /64 for use on the PPP interface itself.

DHCPv6 PD would give you a /64 or (if allowed by the ISP) a larger prefix to assign to interfaces as you choose. Normally you would assign this to "internal" interface/s, but assuming the ISP allows more than a /64, you *can* apply part of that delegation to the PPP interface if you would like it to have a globally routable address.
Re: dovecot startup failure (5.7-stable)
On Sat, Jul 25, 2015 at 02:01:09PM +, Stuart Henderson wrote:
>
> When you "pkg_add dovecot", it says "Look in /usr/local/share/doc/pkg-readmes
> for extra documentation", and the dovecot file in there explains that you need
> to do just this.
>

It probably did. I was adding a bunch of packages in one go, so it scrolled past. Sorry for the waste.

Tor
Re: Patching OpenBSD 5.7
Likely related: https://marc.info/?t=14319191082&r=1&w=2 We never figured it out. Building the entire system from source and reinstalling fixed it for me.
Re: ipv6 kernel pppoe + slaac problem
On 25.07.2015 at 16:35, Stuart Henderson wrote:

On 2015-07-25, Holger Glaess wrote:

# ifconfig pppoe0
pppoe0: flags=208851 mtu 1492
    priority: 0
    dev: em2 state: session
    sid: 0x508f PADI retries: 16 PADR retries: 0 time: 01:28:15
    sppp: phase network authproto pap authname "nc-glaesz...@netcologne.de"
    groups: pppoe egress
    status: active
    inet6 fe80::214:b7ff:fe00:6163%pppoe0 -> prefixlen 64 scopeid 0xb
    inet 84.44.157.221 --> 195.14.226.82 netmask 0x
    inet6 2001:4dd0:af10:d604:214:b7ff:fe00:6163 -> prefixlen 64 autoconf pltime 604786 vltime 2591986
    inet6 2001:4dd0:af10:d604:747a:f5e2:c201:b278 -> prefixlen 64 autoconf autoconfprivacy pltime 80714 vltime 599505

So you are showing that you are receiving the SLAAC address here.

so if i start the rtadvd -d em0 without config i see that he receive the RA from pppoe but he don't deploy the offered /64 network,

The offered /64 is on the pppoe interface. This seems to all be working exactly as expected.

As you're trying to request a /64 for use on a different interface than the one you're sending the request from, you'll need a different mechanism, normally DHCPv6 Prefix Delegation (PD) is used for that.

There's nothing in base that handles DHCPv6 PD, but a couple of packages do support it. The ISP I currently use for v6 only does static config so I can't test this, however if you "pkg_add dhcpcd", you can try something like this in /etc/dhcpcd.conf:

-- -- -- -- --
ipv6only
duid
persistent
option rapid_commit
slaac private
nohook lookup-hostname

interface pppoe0
ipv6rs
ia_na 1
ia_pd 2
-- -- -- -- --

"dhcpcd -d -B" will run it in the foreground with debug messages.

hi

if i start dhcpcd i got

dhcpcd[26307]: version 6.4.2 starting
dhcpcd[26307]: IPV6CTL_ACCEPT_RTADV: Operation not supported
dhcpcd[26307]: kernel does not report IPv6 address flag changes
dhcpcd[26307]: polling tentative address flags periodically instead
dhcpcd[26307]: IPV6CTL_ACCEPT_RTADV: Operation not supported

it is a current ( 5.8-beta ) system.

Holger
Re: Alleged OpenSSH bug
On Thu, Jul 23, 2015 at 11:38:27PM +0200, Marc Espie wrote:
> On Thu, Jul 23, 2015 at 12:29:37PM -0400, Garance A Drosehn wrote:
> > On 23 Jul 2015, at 10:06, Emilio Perea wrote:
> >
> > >To me it looks like a mistimed April Fools' joke, but hope somebody
> > >more knowledgeable will respond:
> > >
> > >https://kingcope.wordpress.com/2015/07/16/openssh-keyboard-interactive-authentication-brute-force-vulnerability-maxauthtries-bypass/
> >
> > It is a real issue. Your servers might not see the issue depending
> > on what options have been set for sshd_config. My freebsd boxes do
> > *not* have the problem, but that's because I have set
> > 'ChallengeResponseAuthentication no'. I don't even remember why I
> > set that on my freebsd boxes. I change very few settings, but for
> > some reason I decided to change that one.
> >
> > I can reproduce the problem on my Macs, because they are setup with
> > 'ChallengeResponseAuthentication yes', and I do not turn it off.
> >
> > I'm told that another way to avoid the problem is to set
> > 'KbdInteractiveAuthentication no'.
> >
> > I'm also told that there is a patch for the oversight in OpenSSH's
> > code, and that can be seen at:
> >
> > https://anongit.mindrot.org/openssh.git/patch/?id=5b64f85bb811246c59ebab
>
> Not surprisingly, as the patch clearly shows, the problem is right
> smack in the middle of USE_PAM code.
>
> I wouldn't call that an OpenSSH bug. I would call it a systemic design
> flaw in PAM. As usual. LOTS of security holes in authentication
> systems stem from PAM. Why ? Because that stuff is over designed.
> Difficult to configure. Gives you MORE than you need to hang yourself
> several times over. It's been that way for as long as I can remember.
>
> I recall discussing things with one of the authors of PAM, about ten
> years ago (forgive me for not remembering names at this point). What
> struck me is that it looks as if PAM wasn't designed to be secure.
> It's an authentication system, yet it's surprisingly easy to get it to
> fail open. Yet it's complex enough that there are bad interactions all
> over the place. Heck, you have to write software defensively if you
> want PAM to not fuck you over.
>
> I really don't see why it's still used. Why the systems that think
> they must have PAM haven't scraped that pile of goo and tried to put
> something sensible in its stead.
>
> (I have some hypothesis about that. That some kids love complexity,
> and think that more complex is more shiny, hence better)
>
> Okay, let's admit that the *portable* version of openssh wasn't
> programmed in a way that's paranoid enough about the failure modes of
> pam.
>

Hi Marc et al.

The flaw is orthogonal to PAM. In a nutshell, the OpenSSH server queries a specific keyboard-interactive device as many times as it's listed in the submethod field of a given userauth request (likely never the intent).

The portable version can support three such devices: pam, bsdauth, and skey. OpenBSD supports bsdauth. So, a client could trigger three queries to the foo device per userauth request with:

-oKbdInteractiveDevices="foo,foo,foo"

MaxAuthTries is a constraint on userauth requests (not device queries) so assuming the default value of 6, the above client-supplied device list results in 18 queries to foo (not 6).

A brute-force attack can leverage this to be more economical in terms of the number of connections used and that might prove to be of some benefit. For example, against an ips/ids that uses connection-based heuristics.

In any event, contrary to what's being reported regarding this flaw in "technical" news sites and blogs, the sky's not falling. No need to stock up on canned tuna and bottled water just yet.

Below's an example of the flaw on OpenBSD 5.6.
--mancha

===

mancha@fugu:~$ uname -a
OpenBSD fugu 5.6 GENERIC.MP#333 amd64

mancha@fugu:~$ ssh -oNumberOfPasswordPrompts=6 mancha:skey@localhost
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
Received disconnect from 127.0.0.1: 2: Too many authentication failures for mancha from 127.0.0.1 port 34310 ssh2

mancha@fugu:~$ ssh -oNumberOfPasswordPrompts=6 -oKbdInteractiveDevices="bsdauth,bsdauth" mancha:skey@localhost
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
otp-sha1 99 fugu79734 S/Key Password:
Received disconnect from 127.0.0.1: 2: Too many authentication failures for mancha from 127.
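The attempt accounting described in the message above, as a small Python model added here (not OpenSSH code and not part of the original post). The function names and the single-device SUPPORTED_DEVICES set are assumptions; dedupe=True models a server that queries each device at most once per userauth request.

```python
"""Simplified model of keyboard-interactive attempt accounting in sshd.

Added illustration, not OpenSSH source; all names are hypothetical.
"""

# Assumption: the modelled server is an OpenBSD host offering only bsdauth.
SUPPORTED_DEVICES = {"bsdauth"}


def devices_to_query(submethods, dedupe):
    """Return the devices queried for ONE userauth request.

    submethods: comma-separated device list supplied by the client
                (what -oKbdInteractiveDevices sends).
    dedupe:     False models the behaviour described in the thread, where a
                device is queried once per time it is listed; True models a
                server that queries each device at most once per request.
    """
    queried = []
    for name in submethods.split(","):
        name = name.strip()
        if name not in SUPPORTED_DEVICES:
            continue  # devices the server does not offer are skipped
        if dedupe and name in queried:
            continue  # already asked during this request
        queried.append(name)
    return queried


def guesses_per_connection(submethods, max_auth_tries=6, dedupe=False):
    """Count password prompts answered before the server disconnects.

    MaxAuthTries bounds failed userauth requests, not device queries, so
    every request may cost the server several prompts.
    """
    failures = 0
    prompts = 0
    while failures < max_auth_tries:
        queried = devices_to_query(submethods, dedupe)
        if not queried:
            break  # no usable device: no prompt is ever issued
        prompts += len(queried)  # every prompt is answered wrongly
        failures += 1            # but only one failure is recorded
    return prompts


def has_repeated_device(submethods):
    """Detection helper: True if a client-supplied list names a device twice."""
    names = [n.strip() for n in submethods.split(",") if n.strip()]
    return len(names) != len(set(names))


if __name__ == "__main__":
    # Constructed inputs mirroring the two sessions shown in the message.
    for devs in ("bsdauth", "bsdauth,bsdauth", "bsdauth,bsdauth,bsdauth"):
        print(devs,
              "listed-count:", guesses_per_connection(devs),
              "deduplicated:", guesses_per_connection(devs, dedupe=True),
              "repeat flagged:", has_repeated_device(devs))
```

With MaxAuthTries at 6 the model gives 6, 12 and 18 prompts for one, two and three listings of the same device, matching the two sessions above and the 18 queries mentioned in the text, and 6 in every case once the list is deduplicated.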
Re: Purchase/download a CD-ROM web page
Hi Richard,

Richard Thornton wrote on Sat, Jul 25, 2015 at 09:18:25AM -0500:

> This page still references version 5.6; just letting you know.

Fixed, thanks for the report.
  Ingo

P.S.
In general, mentioning the URI helps when reporting an issue with a web page, even if you don't send a patch... ;-)
In this case, it was http://www.openbsd.org/ftp.html.
Re: rdomain with BGP dynamic route
Hey,

man 5 bgpd.conf

See section "Routing Domain Configuration" and parameters "export-target" and "import-target". I suspect that is what you want.

Alexander Salmin

On 2015-07-24 13:47, XU, YANG (YANG) wrote:

Let me describe it in another way. Can I create a new rdomain as a VRF and use the rdomain to import/export customer's prefix through BGP? I will greatly appreciate it if you can provide any information.

I have seen some information online, but prefix is either from static configuration or connected network. In my case, I need to support dynamic routes from BGP in VRF.

Thanks,
-Yang

From: owner-m...@openbsd.org [owner-m...@openbsd.org] On Behalf Of XU, YANG (YANG)
Sent: 23 July 2015 08:06
To: misc@openbsd.org
Subject: rdomain with BGP dynamic route

Hi all,

I am configuring OpenBSD bgpd so that it can relay the routes learned from customer BGP servers to a route reflector (RR). Customer BGP servers only speak IPv4 BGP, so my OpenBSD bgpd needs to add different route-distinguisher and route-target to the dynamic routes learned from each customer BGP neighbor before forwarding to RR.

As I understand, I should be able to use rdomain to implement this. What I really need conceptually is to attach a BGP neighbor to a rdomain, so that dynamic routes learned from that BGP neighbor are added to the specified rdomain. But I failed to find a way to do this in OpenBSD. Does anyone know if this is possible and give me a BGP configure example?

Many thanks in advance,
-Yang
Re: [OBORONA-SPAM] Re: Patching OpenBSD 5.7
On Sat, Jul 25, 2015 at 12:03:50PM -0400, Michael McConville wrote:
> Likely related:
>
> https://marc.info/?t=14319191082&r=1&w=2
>
> We never figured it out. Building the entire system from source and
> reinstalling fixed it for me.

Is it possible that old source code was not removed from /usr/src? I upgraded two machines last night (desktop amd64 and router i386) and all went well.
Some softraid (RAID-1, not crypto) Q's.
I'm looking at grabbing a couple of 1TB disks and putting them under raid 1 for storage. Of course there will be actual backups as well, probably to a separate 2TB disk for a daily/weekly 'snapshot' with checksums via mtree or such, anything uber important will be on a removable disk as well. I'm mostly concerned with not winding up with backups of corrupt data. The box will be something with ECC ram, Lenovo TS140 is looking good at the moment.

I'd probably just throw fbsd + zfs at it but fbsd scares the hell out of me especially for _my_ data, and especially since I *do* intend to occasionally access it remotely via VPN. Last time I tried using fbsd for anything I wound up with total hosage via portmaster or something, plus the mmap/ptrace thing, screwing up openssh lately... I'd just much rather use open. I've had exactly zero problems ever with softraid's crypto and nothing compares to pf.

Q1: TLER, does it matter for softraid? I assume yes and have no problem paying a few extra bucks for more suitable drives, but assumptions always cause problems. I can't seem to find an answer on this via man or google.

Q2: Is there a benefit to putting 3 drives under raid-1, beyond some read speed and I presume less risk of another disk failing during a rebuild?

Q3: Scrubbing. It seems it isn't there, at least not explicitly in the manual. Will the nightly/weekly copy be sufficient or should I just use a script to occasionally compare checksums of the more important bits since I'll have them anyway?

Q4: Should I just piss on it and use dump or rsync + mtree?

I'm not at all concerned with speed, ISP's the bottleneck there. I'm only thinking RAID to give the system a chance to notice there's a discrepancy when whatever it is first gets written or at least when it's read, and having a copy newer than the last backup if possible when a disk fails especially if I'm not around at the time.

I'm pretty sure a hard drive's entire purpose in life is to fail spectacularly, dragging as much data as they can with them to the bit bucket.

TIA. :)