manpage for gpioctl(8) missing?
gpioctl(8) seems to be missing from the web version:
http://www.openbsd.org/cgi-bin/man.cgi?query=gpioctl

It is present in 4.4-current on i386 and 4.3 on i386.

Regards,
-Lars

Lars Noodén ([EMAIL PROTECTED])
securelevel(7) and gpioctl(8)
On Mon, 8 Dec 2008, Marc Balmer wrote:
NB: not all arches have GPIO.

Thanks. Ok. I see now. The online pages return a result only for items present in all architectures.

The need for Securelevel 0 was mentioned. Does that mean the device must operate in securelevel 0 in order to turn on and off one of the JP5 pins? Or just that they must be attached and then can be used for IO after switching to securelevel 1?

Also, can a custom kernel be avoided? One appears to be needed in this note:
http://www.vnode.ch/reworking_gpio

Regards,
-Lars

Lars Nooden
Re: Capturing kernel debugger output without serial console
On Wed, 17 Dec 2008, Stuart Henderson wrote:
Are your userland and kernel in sync?

I update bsd and bsd.rd along with the other sets from each snapshot, so if that works, then yes.

Regards,
-Lars
Re: Capturing kernel debugger output without serial console
Thanks!

On Wed, 17 Dec 2008, Josh Grosse wrote:
... * ddb> boot crash The ddb output can be found in the dmesg saved in the core dump. See the -M and -N options of dmesg(8). That puts the dumps in /var/crash.

crash(8) mentions a little about how to retrieve information from the dump:
http://www.openbsd.org/cgi-bin/man.cgi?query=crash

    e.g. ps -N /var/crash/bsd.0 -M /var/crash/bsd.0.core -O paddr
    e.g. dmesg -N /var/crash/bsd.1

What is the expected (if any) output of

    dmesg -M core

? I'm getting only a one liner:

    dmesg: kvm_read: (d09cd000)

How is ddb "trace" output retrieved from the saved kernel and core?

Regards,
-Lars
Re: Capturing kernel debugger output without serial console
On Wed, 17 Dec 2008, Josh Grosse wrote:
... * ddb> boot crash The ddb output can be found in the dmesg saved in the core dump. ...

It may be useful to add that setting

    sysctl ddb.panic=0

will automatically save the core dump, saving a step and some time.

Regards,
-Lars
jails in openbsd
I'd like to look at some virtualization options for openbsd. The ultimate goal would be to get several isolated Debian systems running inside some kind of environment for virtualization.

Can you point me to an openbsd package, port or source code for the freebsd jail or an equivalent?

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: jails in openbsd
Yes. I want to run several separate instances of Debian under OpenBSD. I've started looking at sysjail and can look at qemu. Would there be any special reasons to choose qemu over others, besides that it's available in ports?

-Lars

Lars Nooden ([EMAIL PROTECTED])
On the Internet, nobody knows you're a dog ...
... until you start barking.

On Thu, 1 Mar 2007, Joachim Schipper wrote:
What do you want to do?
- Run a different OS (e.g., Debian) under OpenBSD? Install emulators/qemu.
Mounting ext2 in a loopback device
How does OpenBSD handle mounting ext2 filesystems? What's wrong or missing from the attempt below?

    $ sudo vnconfig svnd0 debian.img
    $ sudo vnconfig -l
    vnd0: covering debian.dmg on wd0h, inode 41670
    vnd1: not in use
    vnd2: not in use
    vnd3: not in use
    $ mkdir debian
    $ sudo mount -t ext2 /dev/svnd0c debian
    mount: no mount helper program found for ext2: No such file or directory

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Mounting ext2 in a loopback device
On Fri, 2 Mar 2007, Paul de Weerd wrote:
> [snip] You might want to check out chapter 9 of the very nice FAQ
> OpenBSD has, find it on http://www.openbsd.org/faq/faq9.html ...
[snip]

Thanks. It's useful, but neither ch 9 nor ch 14 explicitly shows an OpenBSD analog to this from the other system:

    sudo mount -o loop debian.dmg debdir;

> How is the debian.img formatted ?

Ext3. Here is the exact sequence. Only the last line, which provides the content, is important as I am trying to migrate a few things to sysjail.

    dd if=/dev/zero of=debian.dmg bs=512k count=500;
    # mkfs.ext3 debian.dmg;
    mkdir debdir;
    sudo mount -o loop debian.dmg debdir;
    sudo debootstrap etch debdir http://ftp.de.debian.org/debian/;

> Was it originally partitioned ?

No. I am all thumbs with fdisk. (Can follow recipes, though.) How essential is partitioning in this case?

For my part, it's probably not so important how or where the disk image is made, only that I would prefer a disk image that can be mounted and used on OpenBSD, Debian || Ubuntu and OS X. It is, however, intended primarily for use in sysjail on OpenBSD.

> Note that the linux partitions (stored in MBR and so on) are different
> from the OpenBSD partitions (stored in a disklabel, see the manpage to
> the program of the same name)
[snip]

Regards,
-Lars

PS. disklabel and fdisk output below

    disklabel svnd0
    # /dev/rsvnd0c:
    type: SCSI
    disk: vnd device
    label: fictitious
    flags:
    bytes/sector: 512
    sectors/track: 100
    tracks/cylinder: 1
    sectors/cylinder: 100
    cylinders: 5120
    total sectors: 512000
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0

    16 partitions:
    #        size   offset  fstype [fsize bsize  cpg]
      c:   512000        0  unused      0     0       # Cyl 0 - 5119

    disk svnd0
    fdisk: sysctl(machdep.bios.diskinfo): Device not configured
    Disk: svnd0     geometry: 5120/1/100 [512000 Sectors]
    Offset: 0       Signature: 0x0
             Starting       Ending       LBA Info:
     #: id    C   H  S -    C   H  S [ start: size ]
     0: 00    0   0  0 -    0   0  0 [ 0: 0 ] unused
     1: 00    0   0  0 -    0   0  0 [ 0: 0 ] unused
     2: 00    0   0  0 -    0   0  0 [ 0: 0 ] unused
     3: 00    0   0  0 -    0   0  0 [ 0: 0 ] unused

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Mounting ext2 in a loopback device
On Fri, 2 Mar 2007, [EMAIL PROTECTED] wrote:
> A "See fstab(5) for types of supported filesystems" in the already
> excellent man page would have been helpful. Or is this seen as
> already overly obvious?

It was one of the first things I checked. From fstab's man page:

    "ext2fs A local Linux compatible ext2fs filesystem."

So, it is, in principle, supported. But maybe there is a package missing? See the context below in which newfs gives the error.

    $ dd if=/dev/zero of=floppy.img bs=512 count=2880
    $ vnconfig svnd0 floppy.img
    $ vnconfig -l
    vnd0: covering floppy.img on wd0h, inode 41221
    vnd1: not in use
    vnd2: not in use
    vnd3: not in use
    $ newfs -t ext2 -f 1440 /dev/svnd0c
    newfs: newfs_ext2 not found: No such file or directory
    $ newfs -t ext2fs -f 1440 /dev/svnd0c
    newfs: newfs_ext2fs not found: No such file or directory

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
qemu disk images
How can I create disk images that I can use in qemu on OpenBSD to install debian as a guest system?

I've got qemu installed on openbsd and have been trying to install some guest systems but there is difficulty mounting any of the disk images. The installation process seems to progress nicely, regardless of which guest system I start installing, and when it comes to partitioning, the partitioning tool can see the images and appears to be able to write a new partition map.

I can boot a variety of installer CDs (xubuntu and debian) and get the same problem. Here is how I am firing up qemu:

    qemu -k fi -cdrom debian-testing-i386-netinst.iso -boot d \
        -hda debian.ext2.dmg -hdb debian.swap.dmg

However, the guest system is unable to mount the images or their partitions seemingly regardless of how I create them. I have tried creating the images on a linux system with an ext2 filesystem and a swap filesystem and using them as is. And I've tried letting the install process partition these. And I have tried using qemu-img and letting the install do the partitioning:

    qemu-img create -f raw d3.debian.ext2.dmg 300M

They mount manually outside of qemu.

Lars Nooden ([EMAIL PROTECTED])
On the Internet, nobody knows you're a dog ...
... until you start barking.
Re: qemu disk images
How do you start qemu AFTER the install is completed? Something like this?

    qemu -k fi -hda debian.ext2.dmg -hdb debian.swap.dmg

I can't get that far: It's not possible to complete the installation because the drives used in -hda -hdb cannot be partitioned or mounted by the installation process. I can mount them manually outside of qemu, but I'm not sure how to benefit from that in this task.

I can boot from any of the install CD images (debian, kubuntu, xubuntu) I have tried.

    qemu -k fi -cdrom debian-testing-i386-netinst.iso -boot d \
        -hda debian.ext2.dmg -hdb debian.swap.dmg

The partitioning tool finds the two images, appears to let me make and save a partition table, and format the partition, but cannot seem to actually save any changes.

-Lars
Re: qemu disk images -- resolved
Ok. I figured out how to resolve the problem, but through a work-around. One main difference was I had to use qemu-img instead of dd to create the disk images. The other was during the guest system install to make logical partitions *not* primary partitions.

    qemu-img create -f qcow d4.debian.ext2.qcow 400M
    qemu-img create -f qcow d4.debian.swap.qcow 200M

Then I fire up a vncserver and connect. Inside the vnc client I could then boot the install CD and go through the installation:

    qemu -k fi -cdrom debian-testing-i386-netinst.iso -boot d \
        -hda debian2.ext2.dmg -hdb debian.swap.dmg

Once the installation was done, I can then boot the new system in d4.debian.ext2.qcow:

    qemu -k en-us -boot c \
        -hda d4.debian.ext2.qcow \
        -hdb d4.debian.swap.qcow \
        -cdrom debian-testing-i386-netinst.iso

I'm not quite sure how to ssh to the guest system, but since I seem to be able to initiate outbound connections, it should be within reach to solve that, too.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
ssh in to a qemu guest
qemu is now running on an OpenBSD host, with Debian as the guest system. I can reach the net from inside the guest systems.

What changes must be made to the networking on the host so that I can ssh *into* the guest systems from outside?

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
tun/tap + bridge (was: ssh in to a qemu guest)
On Mon, 5 Mar 2007, Tobias Weisserth wrote:
> You are posting to the wrong list. This is OpenBSD misc, not qemu users. What
> you are trying to solve is perfectly described on the qemu homepage in the
> qemu manual...

It looks from the qemu docs (which mostly use linux in their examples) like I have to set up a bridge or use tuntap. Networking is generally handled by the host system which in my case is OpenBSD. ifconfig(8) mentions that it is possible to create a bridge device or a tun device.

I've looked at a great number of pages regarding TUN/TAP and bridges and would like to find out how to use it to create the situation described below:

[ASCII diagram lost in extraction; surviving labels: LAN, HOST (eth0, tap0, tap1, br0 10.0.0.10), GUEST1 (nic0 10.0.0.11), GUEST2 (nic0 10.0.0.12)]

ASCII art Source: http://kidsquid.com/cgi-bin/moin.cgi/QemuAndTuntap

Regards,
-Lars

(Note 1: I've been using OpenBSD for all of a few days.)
(Note 2: The -redir option in qemu, according to the qemu manual, is for redirecting only one port on the host to only one on the guest or vice versa rather than for making the whole guest visible.)

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Patching and/or updating
I've the stable branch of OpenBSD 4.0 on an i386 and am searching for a concise description of how to apply a patch and how to upgrade a specific application. Currently the FAQ[1] and "Following Stable"[2] have no concrete examples. (At least nothing that jumps out and bites me.)

So what steps would I take to do the following?

1) Apply the time zone patch http://www.openbsd.org/errata40.html#timezone
2) Upgrade OpenSSH from 4.4 to 4.6? (If 4.6 is not in the stable branch, what is the way with lowest maintenance possible to mix in individual applications?)

Regards,
-Lars

[1] http://www.openbsd.org/faq/faq10.html#Patches
[2] http://www.openbsd.org/stable.html

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Patching and/or updating
Thanks.

On Sat, 10 Mar 2007, Nico Meijer wrote:
> Read release(8) and follow that procedure. Build once, deploy at will.

Building my own release looks useful when I deal with more machines later. I didn't this time, so there is no /usr/src directory to work with. I.e. the first step in that document fails:

    cd /usr/src && cvs up -r OPENBSD_4_0
    ksh: cd: /usr/src - No such file or directory

However, it looks like the only way:

"Patches for the OpenBSD Operating System are ... NOT distributed in binary form. This means that to patch your system you must have the source code from the RELEASE version of OpenBSD readily available. In general, you should have the entire source tree available"
- http://www.openbsd.org/faq/faq10.html#Patches

> If it's not in the stable branch, you don't want it. Stick to -stable.

Works for me. :)

> IIRC from a thread earlier this week, 4.6 will probably be merged with
> 4.0-stable, but you'll have to check the archives.

Very nice.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
OpenSSH ciphers
Hopefully this is not too off topic, but I wonder where I can find the authoritative 'homepages' for the ciphers used in OpenSSH: AES, 3DES, Blowfish, Arcfour, and CAST128

The search engines turn out lame references to wikipedia or wikipedia clones or to marketeering non-information. I'm looking for the specs or, better, the web page for the specs maintainers.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Patching and/or updating
On Sun, 11 Mar 2007, Nico Meijer wrote:
> To speed things up, download src.tar.gz and sys.tar.gz from a local
> mirror; cd *into* /usr/src/ and untar: tar zxf /path/to/both/files.tar.gz.

Yeah, I noticed that it would take a long time and a lot of disk space to download the whole works. So, I just looked at the patches and then used CVS to check out the smallest unit possible. Seems to have worked so far...

Thanks
-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Contradictory statement on vulnerability
On Fri, 16 Mar 2007, Tobias Weisserth wrote:
> A nice newbie site explaining this with examples is www.openbsd101.com, if you
> don't understand the OpenBSD FAQ.

Thanks for posting that one. It hadn't turned up in any of my searches and if it was in any documents I already looked at, I must have missed it. Anyway, it's exactly the type of material I was hoping to be able to point others to.

While we're on the topic of patches, I found them reasonably straightforward to install though I'm not by any stretch of the imagination a programmer. My take on the whole thing is that the patches are small enough that a person or even small team who has the skill and inclination, can audit the changes.

On the shallow end of the pool, the content of 009_timezone.patch was something that even I could follow and understand and (by my interpretations) demonstrates the principle behind the patches.

Anyway, I can see that a lot of coordination went into them and I am quite happy about that aspect, which IMHO should not go overlooked.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
verification of downloads - signature, checksums, fingerprints
What's the best practice for ensuring that the correct files are downloaded and that they are unmodified either at the mirror, in transit, or by someone masquerading as a mirror?

The CD images seem to come with some checksums, but is there some certificate or key that can be acquired to ensure that the initial image, and thus subsequent patches, packages and ports, is correct?

Like many people, I'm 10 hops (and 4 networks) away from the nearest mirror. And I see that the distribution takes place largely through cleartext (ftp, http, cvs, etc).

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
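An added example (not part of the original message or of OpenBSD's tooling) of the check the question is about: comparing downloaded files against a list of BSD-style `SHA256 (name) = hex` digest lines. It only covers a modified mirror or a masquerading host when the digest list itself arrives over a channel that party does not control; a list fetched from the same mirror over cleartext detects accidental corruption only. The file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# BSD-style digest line, e.g. "SHA256 (base.tgz) = 9f86d0..."
DIGEST_LINE = re.compile(r"^(SHA256|SHA512) \((.+)\) = ([0-9a-f]+)$")


def parse_digest_list(text):
    """Map file name -> (algorithm, hex digest); refuse names carrying a path."""
    entries = {}
    for raw in text.splitlines():
        match = DIGEST_LINE.match(raw.strip())
        if not match:
            continue  # not a digest line (blank line, other algorithm, noise)
        algo, name, digest = match.groups()
        # A list entry must never make the verifier read outside the directory.
        if os.path.basename(name) != name or name in (".", ".."):
            raise ValueError("unsafe file name in digest list: %r" % name)
        entries[name] = (algo.lower(), digest)
    return entries


def file_digest(path, algo):
    """Hash a file in chunks so large install sets do not sit in memory."""
    hasher = hashlib.new(algo)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def verify_directory(directory, digest_text):
    """Return {name: status}; status is OK, MISMATCH, MISSING or UNLISTED."""
    expected = parse_digest_list(digest_text)
    results = {}
    for name, (algo, digest) in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif file_digest(path, algo) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    # A file the list does not mention is unverified, not implicitly trusted.
    for name in os.listdir(directory):
        if name not in expected:
            results[name] = "UNLISTED"
    return results


def demo():
    """Build constructed sample files, alter one after listing, then verify."""
    with tempfile.TemporaryDirectory() as directory:
        originals = {
            "base.tgz": b"constructed base set\n",
            "bsd.rd": b"constructed ramdisk kernel\n",
        }
        for name, content in originals.items():
            with open(os.path.join(directory, name), "wb") as handle:
                handle.write(content)
        lines = ["SHA256 (%s) = %s" % (name, hashlib.sha256(content).hexdigest())
                 for name, content in originals.items()]
        lines.append("SHA256 (comp.tgz) = " + "0" * 64)  # listed, never fetched
        digest_text = "\n".join(lines) + "\n"
        # Stand-in for modification at the mirror or in transit.
        with open(os.path.join(directory, "base.tgz"), "ab") as handle:
            handle.write(b"bytes added after the list was made\n")
        # A file that arrived alongside the others but is not in the list.
        with open(os.path.join(directory, "extra.tgz"), "wb") as handle:
            handle.write(b"not in the list\n")
        return verify_directory(directory, digest_text)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-10s %s" % (name, status))
```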
Re: No Blob without Puffy
On Mon, 19 Mar 2007, Dave Anderson wrote:
> You've left out the extremely important fact that many vendors
> interpret acceptance of blobs by any "free" OS as validating their
> position of not releasing adequate documentation -- so accepting blobs
> (even when "there's no other choice") actively harms the anti-blob
> campaign.

It harms more than just the campaign, it harms anyone wanting to maintain a modicum of options further down the road in regards to hardware lifecycles, operating system and kernel lifecycles, and last but not least security.

One anecdote regarding insecurity of mysterious binaries / BLOBs: A local privilege escalation has been known to exist, unfixed, for several years in nvidia's binary drivers:
http://lwn.net/Articles/204541/

However, if you can't audit (and subsequently compile) all the code, including the applications, libraries, compilers and OS, then you've got nothing secure and nothing that can be made secure - regardless of anecdotes, no amount of assurances, claims, hand waving, shouting, smoke, noise etc. from vendors. Don't take my word for it, read what the ACM had to say about it:
http://www.acm.org/classics/sep95/

But it's not just 'security' that is at risk. The lifecycle of both the operating system/kernel and the hardware that rely on the continued availability of the BLOBs become dependent on the BLOBs producers. Those are groups which may or may not continue to have interests and motivations which overlap yours. If your hardware or system needs a BLOB to run, then the BLOB-maker has you on a leash.

Endorsing BLOBs puts *all* hardware, systems, and security at risk through active effort, which is reprehensible. To have one system accepting them, makes it all that much harder to keep them off. Think digital scab.

Tolerating BLOBs or failing to eliminate BLOBs, are simply ball-less passive means of putting the above at risk.

To put it another way, it's possible to gain control (political, economical, technical) of systems that get locked into BLOBs either passively or actively and encroachment into one system/distro can be used to marginalize the others.

So to put it as kindly as I can, only people somewhere on the spectrum between stupid and troll would be advocating acceptance or tolerance of BLOBs. It's an act of harm that affects more than just the system with the BLOB.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
adding X11 libraries after the fact
I excluded X11 from an installation of OpenBSD 4.0 and now find that some packages I would use seem to depend on some of the X11 libraries.

What is the best way to resolve package dependencies and/or install X11? I recall in the installation there were some sets that could be chosen. Or else, how can that process be revisited without going through the whole install?

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: adding X11 libraries after the fact
Thanks. That's it. I was even looking in the right part (#4) of the FAQ, but needed that direct pointer.

-Lars

On Tue, 20 Mar 2007, Josh Grosse wrote:
> FAQ 4.10, "Adding a fileset after install" is what you're looking for.
> Here's a handy link: http://openbsd.rt.fm/faq/faq4.html#AddFileSet

On Tue, 20 Mar 2007, Chris Kuethe wrote:
> sudo tar -C / -zxpPf /path/to/xbase41.tgz

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Does anyone know a good file manager for OpenBSD?
Others have recommended wget. I strongly recommend it as well, there are loads of ways to use it:
http://www.die.net/doc/linux/man/man1/wget.1.html

curl also is quite useful. I also highly recommend ncftp.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Microsoft gets the Most Secure Operating Systems award
On Thu, 22 Mar 2007, RedShift wrote:
> Siju George wrote:
>> http://www.internetnews.com/security/article.php/3667201
>> Just for some entertainment, no troll :-)
>
> IMHO it's not a fair comparison, most linux distributions ship with a lot more
> software than microsoft windows does, and most bugreports indicate an issue
> with third-party software.

It's even more bullshit than that. Among other things, it compares the number of 'patches', which for non-MS systems tend to be 1:1 or close to it whereas MS has been making a point of rolling as many vulnerabilities into a single patch as possible.

The metrics are not described. Terms like 'patch', 'vulnerability', 'advisory' are intermingled in a most unclear manner. Patch 'development time' seems undefined as well.

Symantec makes its living selling paper bailing cups in a leaky boat. The media actively participates in obfuscating the issues, the causes and the solutions by publicizing such crap from Symantec and MS.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: VPN
Is the VPN using IPsec or SSL?

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: sshd.config and AllowUsers
Others have mentioned the correct syntax already. One suggestion which helps administration is to assign or revoke access (or other privileges) based on groups rather than individual users. In other words, make the users members of a group and grant that group access. It helps scalability, maintenance, and testing.

Regards,
-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: VPN
It may not be the wisest thing to be trying PPTP. In addition to the technical problems you are encountering, there seem to be some grave issues with the protocol itself,
http://www.schneier.com/pptp-faq.html
which are apparently not resolved entirely even in later versions.

IPsec and SSL are both standards and, as such, supported even by legacy platforms. It might be useful to phase out PPTP in favor of IPsec.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: cron doesn't run commands in /etc/crontab?
Feel free to laugh if this is a stupid question, but have you made sure to leave an extra empty line at the end of the crontab? Are you in /var/cron/cron.allow ?

Also, I usually pack everything into a script and then have cron call the script. It makes verbose comments and multi-line commands less obtrusive.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute

On Wed, 28 Mar 2007, Will Maier wrote:
> According to cron(8), cron should be able to read commands from a
> properly formatted and chmoded /etc/crontab file. I've created such
> a file, but I can't seem to get cron to run the test command in it.
>
>     # cat <<EOF > /etc/crontab
>     */1 * * * * /usr/bin/touch /tmp/crontest
>     EOF
>     # chmod 0600 /etc/crontab
>
> cron then successfully loads the changes made to that file:
>
>     Mar 28 07:23:01 lass cron[11652]: (*system*) RELOAD (/etc/crontab)
>
> I can also verify that the system file is loaded by watching the
> output of `cron -x load`. The command is valid per crontab(5) and
> works when inserted in root's tab using `crontab -e`.
>
> After the system tab is reloaded, cron fails to run any commands
> listed there: no CMD messages are logged (or seen in the debugging
> output) and the file is never touched.
>
> I've tried to get this to work on a semi-recent -current/i386 as
> well as the latest snapshot (also i386) with no luck. I browsed the
> code, but didn't see any obvious problems.
>
> Any ideas?
Audio for OpenAFS presentations
While we're on the topic of OpenAFS ... are there any good conference workshops, presentations or interviews online (MP3 / Vorbis / AAC) covering OpenAFS on OpenBSD? Or failing that, on OpenAFS security or OpenAFS in general?

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Openbsd ipsec with cisco vpn client
On Fri, 20 Apr 2007, Claer wrote:
> On Thu, Apr 19 2007 at 53:12, carlopmart wrote:
>> Somebody have tried to use cisco vpn client to connect to openbsd ipsec
>> gateway using user and pass or x509 certificates? Can somebody sends me
>> some examples ?
> It's explicitly forbidden in the license. So I didn't take time to try
> it, sorry.

Do you mean that the license forbids using a Cisco vpn client with an OpenBSD ipsec gateway? If so, can you point to the URL for the license?

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Openbsd ipsec with cisco vpn client
IANAL, but sounds quite suspicious. IPsec is an IETF standard and such a restriction doesn't make sense unless there are shortcomings to be hidden.

-Lars

On Fri, 20 Apr 2007, Claer wrote:
> Exactly. The license obliges Cisco VPN Clients to connect to Cisco
> equipments only.
> It is written on the License agreement (EULA) you accept when installing the
> client. Here is the interesting part :
>
> "2. Cisco Systems hereby grants you the right to install and use the
> Software on an unlimited number of computers, provided that each of
> those computers must use the Software only to connect to Cisco Systems
> products, and subject to export restrictions in Paragraph 4 hereof."
[snip]

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: OT: GUI programming languages
> On Mon, May 07, 2007 at 11:34:55AM -0500, Jacob Yocom-Piatt wrote:
...
>> the applications in question are "click here, prints something in a text
>> box, etc" ones that are not very complex. a language that allows me to
>> generate GUIs quickly and securely would be nice.

Python and ruby are getting a lot of positive attention these days, so you might look in that direction. Java is now open source and has been used for a while in teaching, so that's an option, too.

However, it's not so much the language as the tools (modules, libraries, etc) available. For those, I'd suggest looking at Qt
http://www.trolltech.com/products/qt

It's available under a dual license. It's available for C++. If you look around, you can also find APIs for python, perl, java and maybe even ruby.

Two other options in about the same category as Qt are GTK+ and wxWidgets:

    GTK+       http://www.gtk.org/
    wxWidgets  http://wxwidgets.org/

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Chances of this hardware running OpenBSD?
It's been an awfully long time since the last model. What's the expected timeline on the release date for the hardware? It looks interesting.

I'd be even more interested in a PPC-based equivalent of the MacMini.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: vpn in OBSD 4.1
On Fri, 11 May 2007, Adam Hawes wrote:
> You're well advised to go do some reading on your own. If you had
> you would have discovered that OpenVPN has a tutorial page for
> configuring the server, as does the readily available PPTP server.

It's not a funny joke to be recommending PPTP to anybody. Some may miss the sarcasm and actually try to deploy it.

Any further amount of reading (if done) would reveal that PPTP can't really be called secure and should be avoided. Its successor, L2TP, can be improved somewhat, at least the connections, by tunnelling over SSL. But then why not cut out the middleman and use SSL to begin with? Fewer parts that way.

IPsec and SSL are your two options:
http://www.vpnc.org/vpn-standards.html

I'm wondering that since IPsec is part of IPv6, the equivalent to an IPsec-on-IPv4 VPN could be made using IPv6 instead. Maybe that would be smarter in the long run.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: vpn in OBSD 4.1
On Fri, 11 May 2007, sonjaya wrote:
> so i must using ipsec for security reason ,

IPsec or SSL. You may wish to try IPsec with IPv6. That will future-proof your VPN, at least in theory, and raise the bar slightly for intrusion.

> how about the client ( such us Microsoft ) can they use ipsec too.

I asked around a few weeks ago and have heard that MS systems can use IPsec. However, you will want to avoid any clients built into MS Windows and use instead the ones that come with the VPN or maybe third party ones. KVpnc is supposed to work with OpenVPN.

However, by connecting MS Windows machines into your VPN you neutralize many of the security benefits that you may have in place. Not counting the holes resulting from the design and production flaws permeating the entire brand, apparently the EULAs now grant remote admin rights to third parties.

Joachim mentions the archives. It would be nice to have an 'official' archive using the openbsd.org domain. As it stands, the contents of the existing archives seems to vary from site to site:
http://www.openbsd.org/mail.html#Archives

regards,
-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Linux and Novell article in Linux Journal
Admirable sentiment. However, problem is with the methods, which are in the US governed by software patents. Don't get that confused with copyright which governs distribution.

In the case of the software patents, it doesn't matter how the code is made or even if the code is visible, only what the resulting software does or how it is used. e.g. encrypted harddrives, xml-serialization, web shopping carts, breakpoints, verb conjugation, firewalls, etc.

The code could well originate completely independently, but if it *does* something covered by software patents or is *used for* something covered by software patents, then in the US and its subsidiaries you are SOL unless you have a few million on hand and a few months of staff time to spend in court.

If we're going to tease or feel smug, let's at least do so for the right reasons. ;) In this case, OpenBSD is actually no more or less vulnerable than any other closed or open source software. That will be the case until the US brings some sensible aspects back to patent law, such as Europe has for the time being. Unfortunately, the current regime (I say junta) has been piggybacking them to trade agreements.

Solution? Easier said than done: Stomp US-style patent laws.

regards,
-Lars

Lars Noodén ([EMAIL PROTECTED])
Swedish Native-Lang co-lead
http://sv.openoffice.org
Re: alternatives to sendmail
Exim and postfix are probably your two easiest options.
http://www.postfix.org/
http://www.exim.org/
-Lars
Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future http://opendocumentfellowship.org/about_us/contribute
On Mon, 4 Jun 2007, Douglas Allan Tutty wrote:
> Hello,
>
> I'm totally new to OBSD and have it installed on my 486 which acts
> basically like a slim client allowing me to ssh in to my main box.
>
> OBSD comes with sendmail which I have never knowingly used before and
> while it works as-is for local mail delivery, I thought I'd set it up to
> send non-local mail to my main box as a smarthost.
>
> However, sendmail is a very steep and tall learning curve. I'm coming
> from Debian (which no longer installs with 32 MB ram) so I'm used to
> exim. I know that exim is GPL. I'm wondering if there are other
> BSD-licensed MTAs.
>
> While in this case, setting up outgoing mail isn't important, I'm using
> the box also as a test-bed to see how well OBSD would work instead of
> Debian on my main box. Being able to configure mail in that case is
> quite important, since without it I can't ask for help :)
>
> Thanks,
>
> Doug.
Comments inside /etc/pf.conf
Since pf.conf must be in a specific order, it might help to have comments marking out this order in the sample configuration file. Below is a diff from the current file. Regards, -Lars 6a7,9 ## ## MACROS 9a13,15 ## ## TABLES 11a18,20 ## ## OPTIONS 13a23,25 ## NORMALIZATION 15a28,33 ## ## QUEUEING ## ## TRANSLATION 23a42,44 ## ## FILTERS
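Review bot: The banners starting at 6a7,9 name each section but nowhere say that the order is mandatory, which is the stated reason for the change. A single comment line above the MACROS banner listing the required order (macros, tables, options, normalization, queueing, translation, filters) would let a reader see the rule without having to infer it from the sequence of banners.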
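Review bot: In hunk 15a28,33 the QUEUEING and TRANSLATION banners are added as one block of six consecutive lines, so the QUEUEING banner sits directly on top of the TRANSLATION banner and labels no lines of its own. Either place each banner immediately above the first sample line of its section, or put a one-line comment under QUEUEING saying that the sample file has no queueing entries, so an empty section does not look like a mistake.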
Re: ssh-keygen not reading stdin as expected
On Sun, 15 Jun 2008, Philip Guenther wrote:
> ssh-keygen's -l option is not designed for operation with pipes. In
> particular, depending on the key type in the file, it generally needs
> to open and read the file multiple times. That is, it first passes
> the filename to the "read file as RSA1 private key" routine; if that
> fails then it passes the filename to the "read file as RSA1 public
> key" routine, etc.
Out of curiosity why not have ssh-keygen buffer the key and then work on it? That would be one way to have it work with pipes.
Regards, -Lars
Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future http://opendocumentfellowship.org/about_us/contribute
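An added illustration of the buffering approach asked about in the message above (it is not part of the thread and not OpenSSH code): the input is read once into memory and each format parser is tried against that same buffer, so the key can arrive on a pipe. The function names, the bare-blob second format and the sample key are assumptions constructed for the example; the fingerprint is the SHA256 form that current ssh-keygen -l prints.

```python
import base64
import hashlib
import struct

def read_string(blob, offset):
    """Read one SSH wire string: 4-byte big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    end = offset + 4 + struct.unpack_from(">I", blob, offset)[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def parse_pubkey_line(data):
    """Format 1: 'type base64 [comment]', as in id_rsa.pub or authorized_keys."""
    fields = data.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, _ = read_string(blob, 0)
    if key_type != fields[0]:
        raise ValueError("type field does not match key blob")
    return key_type.decode("ascii"), blob

def parse_bare_blob(data):
    """Format 2 (hypothetical): the base64 blob alone, with no type or comment."""
    blob = base64.b64decode(data.strip(), validate=True)
    key_type, _ = read_string(blob, 0)
    return key_type.decode("ascii"), blob

def fingerprint_stream(stream):
    """Read a binary stream (e.g. sys.stdin.buffer) once, then try each parser."""
    data = stream.read()  # one pass: no reopen, no seek, so a pipe is fine
    for parser in (parse_pubkey_line, parse_bare_blob):
        try:
            key_type, blob = parser(data)
        except ValueError:  # also covers binascii.Error from bad base64
            continue
        digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=")
        return key_type, "SHA256:" + digest.decode("ascii")
    raise ValueError("unrecognised key format")

def constructed_sample_key():
    """Constructed sample: an ssh-rsa shaped blob with made-up numbers."""
    def wire(b):
        return struct.pack(">I", len(b)) + b
    blob = wire(b"ssh-rsa") + wire(b"\x01\x00\x01") + wire(b"\x00" + bytes(range(1, 65)))
    return b"ssh-rsa " + base64.b64encode(blob) + b" constructed@example\n"
```

Because every parser works on the in-memory copy, a failed attempt at one format costs nothing and the next parser sees exactly the same bytes.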
Re: developer laptop choices
On Mon, 16 Jun 2008, Michiel van Baak wrote:
> On 09:33, Mon 16 Jun 08, Michael Gale wrote:
>> I just picked up a IBM Thinkpad T61p.
> I have the same and really love it.
How were either of you able to get one without the Windows tax? EU reports last autumn showed that is about half the cost.
I've had a small handful of ThinkPads but stopped in 2002 when I got stuck with a bad unit and burned by a local dealer. The specs are attractive and I figure it is about time to look at them again, but only if they University are available with an open source system pre-installed. I'm looking at the lenovo shop pages and don't see the open source models available.
-Lars
Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future http://opendocumentfellowship.org/about_us/contribute
Re: developer laptop choices
On Mon, 16 Jun 2008, Ted Unangst wrote:
> Woah. I can get a two grand notebook for only one grand without windows?
Varies depending on overall prices, and only if the savings are not pocketed entirely. http://www.cybersource.com.au/users/conz/why_the_unbundling_windows_sceptics_are_wrong.html
For a 600 EUR notebook, a refund (or avoidance) of the Windows tax is significant: http://www.heise.de/english/newsticker/news/96581
Anyway, why send money to a group that causes so much trouble for open source system?
Regards, -Lars
Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future http://opendocumentfellowship.org/about_us/contribute
Re: bundling the speed of two ADSL lines with OpenBSD
On Thu, 3 Jul 2008, Vinicius Vianna wrote:
> ... take a look at
> http://www.openbsd.org/faq/faq6.html#Multipath ...
> ... Remember that you will be splitting the outgoing connections
> between the two gateways (adsl lines in your case), so a single
> connection will have the bandwidth of only one of the adsl ...
What is needed for a single connection to send packets over more than one line? Changes to mygate(5) ?
-Lars
Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future http://opendocumentfellowship.com/about_us/contribute