Updating AD DNS server

2009-01-06 Thread Peter Bako
I'm looking for a script that I can run on my OpenBSD boxes that would allow
them to register their DHCP assigned IP addresses with my Windows 2003 DNS
server.  My Windows boxes do this automatically and it's convenient to be
able to just ping them by name regardless of what IP they have been given,
but for my BSD boxes I don't have this.  It would be nice to find a script
that could be called as part of the boot process with which they could also
register their name and IP addresses to the Server 2003 DNS server.

Thanks,
Peter



VPN on firewall device?

2015-03-14 Thread Peter Bako
What is the general consensus on using your firewall device as a VPN host as
well?  Let me explain a bit more...

Until recently I ran a pair of older Soekris boxes with OpenBSD on them.
One was my firewall while the other was an OpenVPN host.  This worked quite
well, other than having to deal with maintenance and upkeep of two different
devices.  However I just upgraded my firewall to a much more powerful device
and am wondering if I should stick with having another unit for my VPN
gateway or just install OpenVPN directly on the firewall.

At work we use a Cisco device which is both our firewall and VPN host, so
obviously Cisco considers this a valid and safe configuration, but I'm
curious to the thoughts of a group more dedicated to security than corporate
America is...

Thanks,
Peter




Packet overload?

2006-06-19 Thread Peter Bako
I have a Soekris net4801 box running as a firewall for a friend of mine that
runs a small business (about 5 employees).  The ruleset is quite simple in
that he does not run any internal servers, so I pretty much block all
inbound traffic and allow all traffic back out.  For inbound traffic I have
the scrub command enabled and for outbound traffic (tcp and udp) I have keep
state flag on.
 
However I've noticed that if more than one or two people are getting email
from their ISP (standard pop3), then the third person to try to get email
will get an error that the server could not be reached.  Until recently they
have not received enough email for the email check and subsequent downloads
to take long, so whenever anyone got this error they would just wait a few
seconds and try again.  However lately they have been getting a larger
volume of email (expected due to an upturn in business), so this problem is
getting much more noticed and annoying.
 
Anyone have any idea as to the cause and a solution for this?  I've thought
it might be that the Soekris box is underpowered, but the processor is
basically a PII/266 with 128M of RAM, which should be enough for such a
small site.
 
Thanks,
Peter



Re: Packet overload?

2006-06-21 Thread Peter Bako
Well it is a simple ruleset (see below).  As for the ISP blocking stuff -
not likely, since the email server is run by me at another location.  Since
I have more users connecting to this server from other locations I've ruled
the problem out from that end.  It is only from this one location that this
problem occurs.

-
#
# cat /etc/pf.conf
#
# pf.rules
#
#-Interfaces---
#
#  sis0 - external
#  sis1 - internal
#  sis2 - not used
#
#-Variables
#
ExtIF="sis0"
IntIF="sis1"
IntRange="192.168.22.0/24"
table  persist file "/etc/scanners"

#
#-Options--
#

#
#-Normalize Traffic
#

scrub in  on $ExtIF all
#scrub out on $ExtIF all random-id

#
#-NAT Rules
#
nat on $ExtIF from $IntRange to any -> $ExtIF
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#
#-Antispoof
#
antispoof for { $ExtIF, $IntIF}

#
#-Firewall Rules---
#

# Drop IPv6 packets immediately
block in  quick inet6 all
block out quick inet6 all

# Drop SSH port scanners immediately
block quick from 

# Block in all inbound and outbound packets
block in  on $ExtIF all
block out on $ExtIF all

# Anchor for FTP Proxy
anchor "ftp-proxy/*"

# Drop hackers
block in  quick on $ExtIF inet proto tcp from any to any flags /SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags F/SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags U/SFRAU
block in  quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags SAFRU/SAFRU
block in  quick on $ExtIF inet proto tcp from any to any flags SF/SF
block in  quick on $ExtIF inet proto tcp from any to any flags SR/SR
block in  on $ExtIF inet proto tcp from any to any flags S/SFRA
block in  on $ExtIF inet proto tcp from any to any flags SA/SFRA

# Allow SSH in
pass in  quick log on $ExtIF inet proto tcp from any to any port 22 modulate state (max-src-conn-rate 3/15, overload  flush global)

# Allow normal traffic out
pass out on $ExtIF inet proto tcp from any to any modulate state
pass out on $ExtIF inet proto udp from any to any keep state
pass out on $ExtIF inet proto icmp from any to any keep state
-

That's it!
Peter

-Original Message-
From: Alexander Hall [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 19, 2006 9:07 PM
To: Peter Bako
Cc: misc@openbsd.org
Subject: Re: Packet overload?

Peter Bako wrote:
> I have a Soekris net4801 box running as a firewall for a friend of 
> mine that runs a small business (about 5 employees).  The ruleset is 
> quite simple in that he does not run any internal servers, so I pretty 
> much block all inbound traffic and allow all traffic back out.  For 
> inbound traffic I have the scrub command enabled and for outbound 
> traffic (tcp and udp) I have keep state flag on.
>  
> However I've noticed that if more than one or two people are getting 
> email from their ISP (standard pop3), then the third person to try to 
> get email will get an error that the server could not be reached.  
> Until recently they have not received enough email for the email check 
> and subsequent downloads to take long, so whenever anyone got this 
> error they would just wait a few seconds and try again.  However 
> lately they have been getting a larger volume of email (expected due 
> to an upturn in business), so this problem is getting much more noticed
> and annoying.
>  
> Anyone have any idea as to the cause and a solution for this?  I've 
> thought it might be that the Soekris box is underpowered, but the 
> processor is basically a PII/266 with 128M of RAM, which should be 
> enough for such a small site.

Now, I have not seen your pf.conf, but only using a simple ruleset that you
describe, my bet is that it is not the firewall that is causing the problem.
Does the ISP/mailserver have restrictions by any chance?

I cannot imagine that the 4801 would have ANY performance problem in the
situation you describe, unless it is en/de-crypting stuff that passes
through it. Even so, it would just make stuff go slower - not block stuff.

/Alexander



Serial control of LCD display

2006-10-02 Thread Peter Bako
I am trying to get a CrystalFontz 632 serial display to work with an OpenBSD
box.  Under Windows I can just connect the display to a com port, run
Hyperterminal and send text directly to it, so I assumed that I could just
send a data stream to /dev/tty00 under OpenBSD and make it work as well.
Unfortunately it is not turning out to be anywhere near that simple.

If I use cu or tip and connect to /dev/tty00 and 19200 then I can send data
to the display, but eventually I need to be able to send data to it from a
shell script.  Any attempt I make to send data to it (such as cat test >
/dev/tty00) results in an error of "sh: Cannot create /dev/tty00:
Interrupted system call".  

I've tried to mess with the stty command to setup the serial port (open it
up, set the speed, etc), but no luck, that error always comes up.  Can
anyone point me to the right direction on this?

Thanks,
Peter



SH programming

2005-06-26 Thread Peter Bako
Ok, so this is not really an OpenBSD question but I am doing this on an
OpenBSD system and I am about to lose my mind...

I have done some basic shell scripting before but I've not had to deal with
actual integer math before and now it is killing me.  The script takes a
parameter in (year number) and is supposed to subtract 1900 from it and then
multiply the result by 365.  (This is part of a larger script that deals with
converting dates to a single numeric value, but this one problem is an
example of the problems I am having with this entire script.)  So, this is
what I have:

#!/bin/sh
month=$1 
day=$2
year=$3

dayscount=$(expr ($year - 1900) * 365)
echo $dayscount
exit

This will generate a "syntax error: `$year' unexpected" error.  I have tried
all sorts of variations and I am not getting it!!!  HELP!!!

BTW, obviously I need a good book on SH programming.  Any suggestions?

Thanks,
Peter



Re: SH programming

2005-06-26 Thread Peter Bako
Hum, I get a "syntax error: '*' unexpected"

-Original Message-
From: Michael Erdely [mailto:[EMAIL PROTECTED] 
Sent: Sunday, June 26, 2005 6:20 PM
To: Peter Bako
Cc: misc@openbsd.org
Subject: Re: SH programming


On 6/26/05, Peter Bako <[EMAIL PROTECTED]> wrote:
> dayscount=$(expr ($year - 1900) * 365)

Try:
dayscount=$((($year - 1900) * 365))

-- 
http://erdelynet.com/

Support OpenBSD! http://www.openbsd.org/orders.html
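
An added example, not part of either message above: the calculation from this thread written with expr(1) (parentheses and `*` escaped and passed as separate arguments) and with POSIX arithmetic expansion, then taken beyond the thread to a full month/day/year count of days since 1900-01-01. Arguments are restricted to digits, with leading zeros stripped, before any arithmetic is done on them; all function names are made up for the example.

```sh
#!/bin/sh
# Added example (not from the thread): date to day number in POSIX sh.

# to_dec STR: print STR as a plain decimal number, or fail with status 2.
# Only digits are accepted, so nothing but a number ever reaches $(( )),
# and leading zeros are stripped because $(( 09 )) is an invalid octal.
to_dec() {
    case $1 in
        ''|*[!0-9]*) return 2 ;;
    esac
    n=${1#"${1%%[!0]*}"}        # drop the leading run of zeros
    echo "${n:-0}"
}

# is_leap YEAR: Gregorian leap-year rule.
is_leap() {
    [ $(( $1 % 4 )) -eq 0 ] &&
        { [ $(( $1 % 100 )) -ne 0 ] || [ $(( $1 % 400 )) -eq 0 ]; }
}

# year_days_expr YEAR: (YEAR - 1900) * 365 with expr(1).
# ( ) and * are special to the shell, so each one is escaped and handed
# to expr as its own argument. expr exits 1 when the result is 0.
year_days_expr() {
    y=$(to_dec "$1") || return 2
    expr \( "$y" - 1900 \) \* 365
}

# year_days_arith YEAR: the same value with arithmetic expansion.
year_days_arith() {
    y=$(to_dec "$1") || return 2
    echo $(( ($y - 1900) * 365 ))
}

# days_since_1900 MONTH DAY YEAR: whole days since 1900-01-01,
# leap years included. Argument order follows the script in the thread.
days_since_1900() {
    m=$(to_dec "$1") && d=$(to_dec "$2") && y=$(to_dec "$3") || return 2
    [ "$y" -ge 1900 ] && [ "$m" -ge 1 ] && [ "$m" -le 12 ] &&
        [ "$d" -ge 1 ] && [ "$d" -le 31 ] || return 2
    case $m in
        1) before=0 ;;    2) before=31 ;;   3) before=59 ;;
        4) before=90 ;;   5) before=120 ;;  6) before=151 ;;
        7) before=181 ;;  8) before=212 ;;  9) before=243 ;;
        10) before=273 ;; 11) before=304 ;; 12) before=334 ;;
    esac
    if [ "$m" -gt 2 ] && is_leap "$y"; then
        before=$((before + 1))
    fi
    # Leap days in the years 1900 .. YEAR-1 (460 leap years precede 1900).
    p=$((y - 1))
    leaps=$(( p / 4 - p / 100 + p / 400 - 460 ))
    echo $(( (y - 1900) * 365 + leaps + before + d - 1 ))
}

# Constructed sample input: the date of the first post in this thread.
days_since_1900 06 26 2005
```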



Dynamically update DNS info in DHCPD.CONF

2006-03-28 Thread Peter Bako
Is there any way to get the DHCPD.CONF file to be set to use the DNS
information from the resolv.conf file?

Specifically I have a case where my firewall's outside interface gets its IP
address via DHCP from the ISP.  When I initially setup the firewall I put
their DNS IP numbers into my conf file and have been working without any
issues for quite a while now.  However they just sent out a letter to all of
their customers asking them to make sure they have their system setup to use
the DNS numbers that are pushed down via DHCP or possibly lose connectivity
due to changes in their DNS server assignments.  I suppose I could wait
until the old DNS servers no longer respond and then update my DHCPD.CONF
file with whatever I find in the resolv.conf file, but I would prefer to
make this a bit more automated...

Thanks,
Peter



OpenBSD 3.8 on HP NC6000

2006-03-30 Thread Peter Bako
I've recently acquired a NC6000 laptop from HP, which I was going to setup
with OpenBSD. My first attempt worked perfectly, had X configured and
running as well as a few apps under it. However when I tried to get APM to
read the battery status, it simply was not able to do so. I figured the
problem had to do with the older BIOS on the laptop, so I downloaded and
installed the latest version from the HP web site. The new BIOS now has a
battery info page whereas it did not before. 

This is where things get fun... I tried to boot up my system but OpenBSD
crashed almost immediately after the initial boot prompt. Obviously I
figured that the BIOS update had something to do with it, but as a test I
tried to boot with single user mode - still crashed. Ok, big deal I can just
reinstall it... Even booting off the install CD gives me a crash nearly
immediately after startup.

I don't have any way of capturing the screen, but here are the last few
lines:

Uhub1 at usb1
Uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
Uhub1: 2 ports with 2 removable, self powered
Uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x03: irq 10
Uvm_fault(0xd0gga340, 0x0, 0, 1) -> e Fatal page fault in supervisor mode
Trap type 6 code 0 eip d02ceebf cs 50 eflags 10202 cr2 4 cpl 40
Panic: trap type 6, code=0, pc=d02ceebf
The operating system has halted.
Press any key to reboot.

The hardware is fine, I've done a test install of Windows XP and Fedora Core
5 on it both of which installed and ran fine... I've been meaning to play
with and learn Fedora, so I suppose I could live with it, but frankly I'd
rather run OpenBSD... Any ideas as to what this error means and what caused
it? Better yet, is there any way to work around it?

Thanks,
Peter



Re: OpenBSD 3.8 on HP NC6000

2006-04-03 Thread Peter Bako
Actually I did mention to you in my email that I am using the F.14 BIOS
update, but you are correct I did not provide the URL to where I downloaded
it from, so here it is:

http://h18007.www1.hp.com/support/files/hpcpqnk/us/download/22830.html

Thanks to Jeff's info on the serial setup, here are the results of my boot:
---
boot> >> OpenBSD/i386 CDBOOT 1.04
boot> 
booting cd0a:/3.8/i386/bsd.rd: /4369156+828044+151072+137381=0x53b600
entry point at 0x100120
}
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2005 OpenBSD. All rights reserved.
http://www.OpenBSD.org

OpenBSD 3.8 (RAMDISK_CD) #794: Sat Sep 10 15:58:32 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Pentium(R) M processor 1400MHz ("GenuineIntel" 686-class) 598
MHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,ACPI,MMX,F
XSR,SSE,SSE2,TM,SBF,EST,TM2
real mem  = 536256512 (523688K)
avail mem = 483438592 (472108K)
using 4278 buffers containing 26914816 bytes (26284K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c3) BIOS, date 06/23/05, BIOS32 rev. 0 @ 0xf
apm0 at bios0: Power Management spec V1.2
apm0: flags 130102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x2000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf0840/160 (8 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf6360/160 (8 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: no compatible PCI ICU found: ICU vendor 0x8086 product 0x24cc
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82855PE Hub" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82855PE AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Radeon Mobility M10 NP" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x03: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x03: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x03: irq 10
uvm_fault(0xd055a340, 0x0, 0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 eip d02ceebf cs 50 eflags 10202 cr2 4 cpl 40
panic: trap type 6, code=0, pc=d02ceebf

The operating system has halted.
Please press any key to reboot.

--
Date: Sat, 1 Apr 2006 19:24:29 -0500
From: "Jeff Quast" <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Re: OpenBSD 3.8 on HP NC6000
Message-ID: <[EMAIL PROTECTED]>

On 4/1/06, Bachman Kharazmi <[EMAIL PROTECTED]> wrote:
> Do you have any possibility to debug the freeze using a null-modem 
> cable and redirect all output from boot> to serial? This can be done 
> with a serial cable and by typing:
> "set tty com0" at bootprompt.
>
> I'm afraid your worst problem is that your lappy don't have com port.. 
> /bkw

it has one.

> On 31/03/06, Peter Bako <[EMAIL PROTECTED]> wrote:
> > read the battery status, it simply was not able to do so. I figured 
> > the problem had to do with the older BIOS on the laptop, so I 
> > downloaded and installed the latest version from the HP web site. The 
> > new BIOS now has a battery info page whereas it did not before.
> >
> > This is where things get fun... I tried to boot up my system but 
> > OpenBSD crashed almost immediately after the initial boot prompt. 
> > Obviously I figured that the BIOS update had something to do with 
> > it, but as a test I tried to boot with single user mode - still 
> > crashed.

I have an HP NC6000 I would be more than happy to reproduce the problem with
and record over a serial cable -- * if I could only get the same BIOS
upgrade that Peter used * --. I traded two emails with him and he failed to
see the importance of linking me to the bios upgrade he used.



DHCP range question

2006-04-26 Thread Peter Bako
A question to the DHCP gods
 
Within the dhcpd.conf file, if I have a defined range and then define a
single host to be always assigned by MAC address and use an IP address that
is normally within the DHCP range, is that number automatically excluded
from the range, or do I have to make sure that the address given out by the
host statement is outside of the normal DHCP pool?  For example:
-
shared-network LOCAL-NET {
option  domain-name "xyz.org";
option  domain-name-servers 192.168.14.2;
 
subnet 192.168.14.0 netmask 255.255.255.0 {
option routers 192.168.14.1;
 
range 192.168.14.25 192.168.14.254;
}
}
 
host box1 {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address 192.168.14.35;
}
-

Thanks,
Peter



b/g wifi card on wi list?

2006-05-17 Thread Peter Bako
I was looking through the list of wireless PCMCIA cards known to be
supported from the man page for wi(4), but it appears that all of those are
just 802.11b cards.  I'd prefer to get one that also supports g mode.
Any recommendations?

Thanks,
Peter



PPTP client

2005-09-30 Thread Peter Bako
I have a situation where I need to connect an OpenBSD box to a MS Windows
PPTP server (yep, I know it is not secure, but in this case I have no choice
in the matter).

After looking around the net I found myself at
http://pptpclient.sourceforge.net/.  So I downloaded, compiled and installed
the program and tried to connect to my test box.  (Also compiled a custom
kernel using the GENERIC files with only the pseudo-device GRE line
commented out.)  There aren't any OpenBSD specific instructions on the site,
but reading the generic docs, as well as the docs for NetBSD, the PPTP man
pages, etc. I think I have enough to get started.  However when I try to
connect up I get nothing but a list of errors (connection timed out, could
not open connection, etc.)  I know the path from my OpenBSD box to the test
server is correct, because if I plug my Win2k laptop in it is able to
successfully connect to the server.

As far as I can tell the problem is a lack of MPPE support either in the
Kernel or in PPP.  However I cannot find any information on how to get this
support onto an OpenBSD system.

Has anyone gotten PPTP-client to work on an OpenBSD box and if yes, would
you be kind enough to send me some steps or any other info on how you did
it?

Thanks,
Peter



Remove all password restrictions?

2006-01-09 Thread Peter Bako
I have an internal OpenBSD 3.8 system that I use as a data dump, internal
source for PXE installs and the like.  It is not accessible to the outside
world, so security is not exactly critical.  In fact I would like to setup a
user with a very minimal password (four characters and all lower case
letters), but passwd is not letting me.  I've already found the
"minpasswordlen" option in login.conf, and set it appropriately, but when I
try to change this account's password to an all lower case password, I get a
warning back to make the password more secure and it does not accept it.

How do I change this so I can use any generic password?  While for this case
I want to dumb down the rules, for other more exposed servers I would like
to do the opposite so I really would like to know how/where to modify this.

Thanks,
Peter



What are p0 files?

2006-02-22 Thread Peter Bako
While browsing through the packages directory out on the OpenBSD ftp server,
I noticed that a number of the packages had two versions, the only
difference that one of the files had a p0 on the file name.  For example:

-rw-r--r--1 1114 1114  1478454 Nov 03 07:07 php4-core-4.4.1.tgz
-rw-r--r--1 1114 1114  1478444 Nov 12 09:02 php4-core-4.4.1p0.tgz

My first thought was that it denoted a patch level, but in this particular
case the file sizes are close enough that there cannot be that much of a
difference.  Also if it were patch levels there would also be p1, p2, and so
on versions.

Thanks,
Peter



manual vs. crontab execution

2006-02-25 Thread Peter Bako
I have a weird problem I cannot find a solution to.  I've written a small
script (attached below) that I put on the dozen or so systems that I
maintain for friends and clients, that daily sends some basic information to
my web server.  This data is then stored in a MySQL database and viewed via
another script.  All the systems are running OpenBSD version 3.5 to 3.8, and
the one in question here is 3.8.

The problem is this.  On one remote system (identical in every respect to
about 8 others out there), the script when executed manually (either as root
or as a non-privileged user) runs normally and uploads its data as it
should.  However when the cron job hits at midnight the script always fails
and without any error message that I can get.  As you can see the script is
quite simple, the only active component is a call to CURL which hits a
specific address.  The local log entry lists my error message but $result is
always empty so I have no specific error to go by.  By looking through the
logs of my own web server at the same time that the local log entry is made,
I know that the connection to my system is never established.

Here is the script:
--
#!/bin/sh
# Values to report
name=`uname -n`
ip=`ifconfig sis0 | grep 'inet ' | awk '{ print $2 }'`
space=`df | tail -1 | awk '{ print $4 }'`
ver=`uname -r`

data="http://xxx.yyy.com/fw/fwin.php?NAME=$name&IP=$ip&FREE=$space&VER=$ver"

# "good" is the reply this script treats as success
result=`/usr/local/bin/curl -s "$data"`
case $result in
good)
    logger "Info successfully logged!"
    exit 0
    ;;

*)
    logger "Unable to log system info!  Error: $result"
    exit 1
    ;;
esac
-
The cron job that launches it is added to root's crontab (crontab -u root
-e) and looks like this:
-
@daily /usr/local/fwreport
-

I've tried leaving the -s flag off of the CURL call to get some kind of an
error out, but whatever might come back does not make it out to the $result
variable.  Again this identical script works on over a dozen other systems,
most totally identical to this unit down to the hardware and OS version, so
it has to be more or less correct.

Any suggestion, ideas, etc. are appreciated.
Peter



Re: manual vs. crontab execution

2006-02-27 Thread Peter Bako
Thanks to everyone who sent me suggestions on this problem.  Many dealt with
environment related variables, all of which matched and were not the cause
of the issue.  While I still am not 100% sure as to the cause I have found a
workaround, but one that is weird enough (at least to me) that I thought I'd
share with everyone.

While troubleshooting the problem I got disconnected from the remote unit due
to a stupid typo on my local system.  Upon reconnecting I noticed that the
script was not running even from direct command line execution and was
returning (once I removed the -s switch) an error of "failed to connect to
host".  Surprised by that (since the host it is trying to find is the
outside interface of my firewall, one that I was actively using to connect
to it), I did a ping to verify that the name would resolve correctly.  As
expected it did and when I tried the script again it worked!  Rather
surprised by this, I duplicated the situation by manually disconnecting,
reconnecting trying the script, which failed, pinging my host and trying the
script again which now works!  

I again verified all the settings on this machine with the many others just
like it that I have out there and found no differences.  Except for this one
connection I have normal access, other users can access other resources
through it, and so on.  

So in short I do not fully understand the cause but for a solution I simply
put a one count ping command into my script and now it works!

Peter

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Saturday, February 25, 2006 4:56 PM
To: Peter Bako
Subject: Re: manual vs. crontab execution


>>>>> "p" == Peter Bako <[EMAIL PROTECTED]> writes:
p> I have a weird problem I cannot find a solution to.  I've written a 
p> small script (attached below) that I put on the dozen or so systems 
p> that I maintain for friends and clients, that daily sends some basic 
p> information to my web server.  This data is then stored in a MySQL 
p> database and viewed via another script.  All the systems are running 
p> OpenBSD version 3.5 to 3.8, and the one in question here is 3.8.

  I'm sure you've checked the obvious differences.

  One way to troubleshoot the problem is to ensure that the root
  crontab has MAILTO set to a valid email address (see crontab(5) for
  more detail).  Then use one of the following cron entries in place
  of the problematic cron entry to gather more data:

next_minute * * * *   sh -x /usr/local/fwreport
next_minute * * * *   ktrace -di -f /tmp/myktrace.out

  The emailed results of the first example may lead to the solution.
  Otherwise, use "kdump -f /tmp/myktrace.out" to examine the results
  from the second example.  If there's still a problem, the results
  from those examples would help troubleshooting.

Regards, Bob
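
An added example, not part of the messages above: curl writes its error messages to stderr and `-s` silences them, so the backquoted call in the script captures nothing when the connection fails. This sketch keeps both the exit status and the error text and retries a failed attempt; `send_report`, `fake_fetch` and the `.invalid` URL are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the thread. It does the same job as the
# fwreport script but keeps curl's exit status and error text, so a failure
# under cron leaves something to read in the log.

# Command that performs the request. The demo at the bottom swaps in a
# constructed stand-in so the example runs offline.
FETCH=${FETCH:-/usr/local/bin/curl}

# send_report URL [TRIES] [DELAY_SECONDS]
# Success: prints the reply and returns 0. Failure: prints the last error
# and returns curl's exit status (6 = could not resolve host,
# 7 = failed to connect, 28 = timed out).
send_report() {
    url=$1 tries=${2:-3} delay=${3:-5}
    attempt=1 rc=1 out=
    while [ "$attempt" -le "$tries" ]; do
        # -s hides the progress meter, -S still prints errors, -f makes an
        # HTTP error status a failure, 2>&1 puts stderr into $out as well.
        if out=$("$FETCH" -sS -f --max-time 20 "$url" 2>&1); then
            rc=0
        else
            rc=$?
        fi
        if [ "$rc" -eq 0 ] && [ "$out" = good ]; then
            printf '%s\n' "$out"
            return 0
        fi
        # A reply other than "good" is still a failure.
        [ "$rc" -eq 0 ] && rc=1
        attempt=$((attempt + 1))
        [ "$attempt" -le "$tries" ] && sleep "$delay"
    done
    printf 'exit status %s after %s tries: %s\n' "$rc" "$tries" "$out"
    return "$rc"
}

# Constructed stand-in for curl: the first attempt fails the way the thread
# describes ("failed to connect to host"), the second one answers "good".
fake_fetch() {
    if [ "$attempt" -lt 2 ]; then
        echo 'curl: (7) Failed to connect to host' >&2
        return 7
    fi
    echo good
}

# Demo with the stand-in and no delay. Under cron, leave FETCH alone, pass
# the real report URL and hand the output to logger(1).
FETCH=fake_fetch
if reply=$(send_report 'http://reports.example.invalid/fw/fwin.php?NAME=demo' 3 0); then
    echo "logged: $reply"
else
    echo "not logged: $reply"
fi
```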



One wire rain gauge

2010-06-20 Thread Peter Bako
Has anybody gotten the uow* driver to work with the Hobby Boards rain gauge?
Specifically RG1-R1-A
(http://www.hobby-boards.com/catalog/product_info.php?cPath=22&products_id=81).
I've gotten my temp boards to read, but I do not have any counter
devices to test with.

Thanks,
Peter



PTY allocation error

2010-07-11 Thread Peter Bako
I'm setting up (well, trying to I guess :-) ) a read-only OpenBSD system to
run off a small CF card.  Never having done this before, I found an
excellent article written by Daniele Mazzocchio
(http://www.kernel-panic.it/openbsd/embedded/) to use as my guide.  I had a
few minor issues crop up, but have been able to work my way through them.
However I finally got to one that I am stumped with.

Basically once I boot off my new image, I am able to log into it on the
serial console and things look ok.  I can also ping the IP address of the
unit, but when I try to SSH into it I get the following message: 

  "Server refused to allocate pty"

I've checked over my setup and all seems fine as per the instructions.  I
have all the pty* devices from /dev (which is RO) linked to /var/run/dev
(which is in memory), so the problem cannot be that these devices are not
writeable.  (Actually /var is linked to /tmp/var, where the /tmp directory
is in memory and populated by the image from a directory called /template.)

Unfortunately this goes a bit beyond my current skill set, so if anyone has
any suggestions I really would appreciate the help.

BTW, in case it matters.  I'm using OpenBSD 4.6 as both the host on which I
setup the image and OS on the CF card.  The card in question is a 64M
SanDisk CF and is being plugged into a Soekris Net4801 box.  None of these
should make a difference, but you never know... :-)

Thanks,
Peter



Re: PTY allocation error

2010-07-11 Thread Peter Bako
I have been following the discussion on this list regarding the wear-ability
of CF cards, and in the past have done non-Read Only installs, using both CF
and microdrives.  There are two primary reasons why I am interested in doing
this:

1) To learn more about OpenBSD itself.  Solving all of the issues that have
come up so far has been very beneficial and I've enjoyed the process
2) Setting up a RO system gives a level of redundancy in the case of power
outages (or more likely in my neck of the world) or brownouts.  I've had a
case in the past where a normal OpenBSD install, on a micro-drive, was in a
situation where due to an electrical storm, in the span of about 15 minutes
the power blinked a number of times (and who knows how many brownouts).
This caused the system to repeatedly reboot and then get shutdown suddenly.
I was out of the house at the time and could not pull the plug on the
system, and due to an oversight this unit was not plugged into a UPS.  The
next morning, when I tried to bring it back up the system was badly
scrambled.  Both the hardware and the micro-drive were not damaged, but the
OS needed a lot of help.  I would like to be able to deploy systems away
from my personal control, where having a system be able to come back up in a
similar situation would be useful.

Peter

-Original Message-
From: Philip Guenther [mailto:guent...@gmail.com]
Sent: Sunday, July 11, 2010 6:22 PM
To: Peter Bako
Cc: misc@openbsd.org
Subject: Re: PTY allocation error

On Sun, Jul 11, 2010 at 4:31 PM, Peter Bako  wrote:
> I'm setting up (well, trying to I guess :-) ) a read-only OpenBSD system to
> run off a small CF card.  Never having done this before, I found an
> excellent article written by Daniele Mazzocchio
> (http://www.kernel-panic.it/openbsd/embedded/) to use as my guide.  I had a
> few minor issues crop up, but have been able to work my way through them.
> However I finally got to one that I am stumped with.

Since this problem doesn't occur in a normal installation that just
followed the instructions from OpenBSD itself, perhaps you should take
this up with the author of the instructions that you followed, because
1) they should understand why their directions include whatever step is
   causing the problem, and therefore can consider the effect of changing it, and
2) they'll want to integrate whatever fix is necessary into their directions.

If the author of the instructions can't help you (or isn't
responsive), then you should consider the wisdom of following
unsupported directions that apparently have a bug.

The question also arises of why you are using these extra instructions
instead of doing a normal install.  "What problem are you trying to
solve?"  What makes you think that these steps solve that problem?


Philip Guenther



GPIO crash with Alix 3D3 board

2010-10-30 Thread Peter Bako
I'm trying to get access to the three front LED's of my new ALIX3D3 (VGA
version, BIOS 2/11/2009-AMD-LX800-6A43EAM1C-00), using OpenBSD 4.8.  I have
been able to get the left and right LED's working, but the middle one is
causing problems.

Basically the problem is during startup, before the securelevel is raised
from 0 to 1, I have to activate the GPIO module for the LED's.  The commands
for the left and right LED's works just great, but when I execute the
command to activate the middle LED, it causes OpenBSD to just crash and shut
down.  To make it worse, it does not leave a stack dump, any messages in any
logs or even anything on screen, it just shuts down.  The commands in my
rc.securelevel file are:


/usr/sbin/gpioctl gpio0 6 set out iout led1
/usr/sbin/gpioctl gpio0 25 set out iout led2
/usr/sbin/gpioctl gpio0 27 set out iout led3


According to the 3D3 documentation, the three LED's are attached to pins 6,
25 and 27 respectively, and this is backed up by other documentation I have
found on the subject. 

I get the crash/shutdown if I have this command in rc.securelevel, or if I
go into single user mode and enter that middle line by hand.

Anyone have any experience with this board and have had the same problem?

Thanks,

Peter