Re: ffs undelete was: Re: single user question

2019-05-18 Thread ian
> you can write a shell script to move given parameters into a special folder
> and make alias rm="that_script"
> and an rc script which empties this folder at boot/shutdown.

That is indeed the recommended approach for those who need it.
An example was published in the O'Reilly book Unix Power Tools...
back in the 1980's, among many other places. No kernel changes needed. 
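For anyone who wants the script rather than the book reference, here is an added example of that wrapper (mine, not from the thread or from Unix Power Tools): a trash_rm function to alias rm to, and the trash_empty function an rc script would call at boot or shutdown. The trash location ~/.trash is an assumption; set TRASH to taste.

```sh
#!/bin/sh
# Added example, not from the thread: a "move to trash" stand-in for rm.
# Wire it up with: alias rm=trash_rm   and call trash_empty from an rc script.
# TRASH defaults to ~/.trash (an assumed location, mode 0700 so nobody else
# can read what you threw away).
TRASH="${TRASH:-$HOME/.trash}"

# Move every argument into $TRASH. An earlier victim with the same name is
# kept by appending .1, .2, ... to the new one. Options such as -r/-f are
# skipped rather than handed to mv, so "rm -rf dir" simply trashes dir.
trash_rm() {
    _rc=0
    mkdir -p "$TRASH" && chmod 700 "$TRASH" || return 1
    for _f in "$@"; do
        case "$_f" in
        -*) continue ;;
        esac
        if [ ! -e "$_f" ] && [ ! -L "$_f" ]; then
            echo "trash_rm: $_f: No such file or directory" >&2
            _rc=1
            continue
        fi
        _base=$(basename "$_f")
        _dest="$TRASH/$_base"
        _n=0
        while [ -e "$_dest" ] || [ -L "$_dest" ]; do
            _n=$((_n + 1))
            _dest="$TRASH/$_base.$_n"
        done
        # "--" keeps a name such as "dir/-rf" from being parsed as options
        mv -- "$_f" "$_dest" || _rc=1
    done
    return $_rc
}

# Empty the trash. This is the only place where data is actually destroyed,
# which is the whole point: rm becomes reversible until the next boot.
trash_empty() {
    [ -d "$TRASH" ] || return 0
    find "$TRASH" -mindepth 1 -delete
}
```

Two caveats a practitioner should know before relying on this: mv across filesystems copies and then unlinks, so trashing a file on another mount point still writes a copy and takes as long as cp; and nothing here stops `rm -rf /`-style accidents from moving your whole tree into the trash, which is recoverable but not fast.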



Interface between block/char device and driver handler functions

2016-05-11 Thread ian
Hello,

I'm writing a device-specific armv7 driver that should put up a block
device in /dev. I have bdev_decl() in sys/arch/arm/arm/conf.c as well as
an entry in the bdevsw array with corresponding major number (98). The
open/close/etc functions bdev_decl() declare are defined in
sys/arch/armv7/omap/tipru.c (my driver) and include panic() calls so I
can ascertain whether or not they are being called. However, when I
make a special file with mknod(8) using the proper major number and
minor 0, I still don't trigger the panic()s in the driver code.

So my question is, how do I get a block device in /dev to connect to
my driver open/close/ioctl/etc functions? And secondly, if I want this
to happen automatically a la MAKEDEV, am I supposed to edit the m4 macro
in etc/etc.armv7/MAKEDEV.md or is there a more proper way?

Ian



Re: I have $300

2005-11-30 Thread Ian
Awesome - good deal. I have a Netra X1 running openbsd and it's rock solid.

Good luck,

-Ian

On 11/30/05, Bob Ababurko <[EMAIL PROTECTED]> wrote:
>
>
> I totally appreciate everybody's comments and I have in fact decided to
> pass over the embedded solution.  We just picked up a Sun Netra T105
> (440Mhz, 512MB) on ebay.  It was about $135 shipped and has two onboard
> NICs.  I have always liked Sun hardware and it works well with OpenBSD,
> it is some of the best in quality.  Fits in one rack unit and will be
> cheap to grab another to do a failover when the time comes.  I can even
> dd the drive to make a disk for the new unit when I implement it.
>
> I understand that running two cheap ones is better than running one
> solid state machine.  Plus the horsepower leaves little to work with in
> some of these tiny contraptions(soekris comes to mind).  Not to say that
> they do not have their place, but I feel that this is the best answer.
>
> -Bob



Re: size of size_t

2017-10-12 Thread Ian Sutton
On Thu, Oct 12, 2017 at 12:58 PM,   wrote:
> Hi,
>
> I just discovered, to my dismay, that size_t is only 32 bits, even on
> 64-bit processors. Is there a particular pressing reason for this? A
> quick investigation reveals that even dd(1) is affected -- this is IMO
> not good.
>
> I'd suggest, given modern file sizes, that we bump it to 64 bits on all
> platforms. Comments?

An important thing to ask yourself before suggesting things like this
is "if this is such an obvious and trivial improvement, then why
hasn't anyone already done it?". To put things in perspective, we had
an entire release primarily predicated upon increasing the width of a
similar type, time_t, from 32 -> 64 bits:

https://www.openbsd.org/55.html



Re: More than 16 partitions

2020-04-23 Thread Ian Darwin
On Thu, Apr 23, 2020 at 04:42:53PM -0400, Allan Streib wrote:
> > So, can I set up OpenBSD labels on x86_64 without a legacy/GPT partition
> > first?
> 
> IIRC yes you can, as long as you don't need to boot from that disk.

Easily confirmed (a few false starts deleted from this transcript):

$ uname -a
OpenBSD foo.darwinsys.com 6.7 GENERIC.MP#145 amd64
# Here I plugged in a cheap USB device
$ dmesg | tail -4
umass0: using SCSI over Bulk-Only
scsibus4 at umass0: 2 targets, initiator 0
sd2 at scsibus4 targ 1 lun 0:  removable 
serial.18a5023805270130
sd2: 3750MB, 512 bytes/sector, 7680000 sectors

# Trash any existing fdisk and disklabel info
# dd if=/dev/random of=/dev/rsd2c bs=512 count=100
100+0 records in
100+0 records out
51200 bytes transferred in 0.068 secs (742845 bytes/sec)
# disklabel sd2
# /dev/rsd2c:
type: SCSI
disk: SCSI disk
label: Store n Go Drive
duid: 
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 478
total sectors: 7680000
boundstart: 0
boundend: 7680000
drivedata: 0 

16 partitions:
#size   offset  fstype [fsize bsize   cpg]
  c:          7680000                0  unused
  i:  7679944   56   MSDOS
# fdisk sd2 # confirm there is no fdisk table, just random rubbish
Disk: sd2   geometry: 478/255/63 [7680000 Sectors]
Offset: 0   Signature: 0x111
Starting Ending LBA Info:
 #: id  C   H   S -  C   H   S [   start:size ]
---
 0: 82  77157  27  55 - 172421  98  24 [  1239528960:  1530420603 ] Linux swap  
 1: 64  10096   3  23 - 176047 141  26 [   162192451:  2666011513 ] NetWare 2.xx
 2: 6E 252409  74  42 - 209458 117  56 [  4054955288:  3604962205 ] 
 3: A9  19978  12  42 -  22375 228  62 [   320947367:38521434 ] NetBSD  
# disklabel -E sd2
Label editor (enter '?' for help at any prompt)
sd2> p
OpenBSD area: 0-7680000; size: 7680000; free: 7680000
#size   offset  fstype [fsize bsize   cpg]
  c:          7680000                0  unused
sd2> a
partition: [a] 
offset: [0] 64
size: [7679936] 100M
FS type: [4.2BSD] 
sd2*> w
sd2> q
No label changes.
# newfs /dev/rsd2a 
/dev/rsd2a: 101.9MB in 208768 sectors of 512 bytes
4 cylinder groups of 25.48MB, 1631 blocks, 3328 inodes each
super-block backups (for fsck -b #) at:
 32, 52224, 104416, 156608,
# mount /dev/sd2a /mnt  
$ ls /mnt
$ date | doas dd of=/mnt/date.txt
0+1 records in
0+1 records out
29 bytes transferred in 0.000 secs (322584 bytes/sec)
$ ls /mnt
date.txt
$ cat /mnt/date.txt
Thu Apr 23 18:55:35 EDT 2020
# fdisk sd2 # still no fdisk table
Disk: sd2   geometry: 478/255/63 [7680000 Sectors]
Offset: 0   Signature: 0x111
Starting Ending LBA Info:
 #: id  C   H   S -  C   H   S [   start:size ]
---
 0: 82  77157  27  55 - 172421  98  24 [  1239528960:  1530420603 ] Linux swap  
 1: 64  10096   3  23 - 176047 141  26 [   162192451:  2666011513 ] NetWare 2.xx
 2: 6E 252409  74  42 - 209458 117  56 [  4054955288:  3604962205 ] 
 3: A9  19978  12  42 -  22375 228  62 [   320947367:38521434 ] NetBSD  
# 

So: I was able to newfs, mount, and use an OpenBSD partition which 
disklabel called 'a' and which had no trace of an fdisk partition around it.

As Allan pointed out, this is not for booting from - none of those
fdisk partitions looks very healthy.
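The "Signature: 0x111" line is the tell in that transcript: fdisk prints the 16-bit word at offset 510 of sector 0, and a real MBR carries 0xAA55 there; anything else means the four 16-byte entries at offset 446 are not a partition table at all, which is why they decode as Linux swap and NetWare at absurd offsets. The following is an added example (mine, not from the thread) that reproduces that check in plain sh with od(1) and dd(1), so it can be run against a constructed 512-byte image offline or against /dev/rsd2c as root. The sample image, its type A6 entry and its 7680000-sector geometry are constructed to match the stick above.

```sh
#!/bin/sh
# Added example, not from the thread: read sector 0 the way fdisk's
# "Signature:" line does, and decode the LBA fields of the partition table
# only when the signature is valid. The CHS bytes are legacy and ignored.

# Little-endian 16-bit word at offset 510, printed as fdisk prints it.
mbr_signature() {
    _f=$1
    set -- $(od -An -tu1 -j 510 -N 2 "$_f")
    printf '0x%X\n' $(( $1 + $2 * 256 ))
}

# True only for the 55 AA marker (0xAA55 little-endian).
mbr_signature_ok() {
    [ "$(mbr_signature "$1")" = "0xAA55" ]
}

# Print "index type(hex) startLBA size" for each non-empty entry; fail if the
# signature is missing, because the table bytes are then just noise.
mbr_partitions() {
    _f=$1
    mbr_signature_ok "$_f" || return 1
    _i=0
    while [ "$_i" -lt 4 ]; do
        set -- $(od -An -tu1 -j $((446 + 16 * _i)) -N 16 "$_f")
        if [ "$5" -ne 0 ]; then
            _start=$(( $9 + ${10} * 256 + ${11} * 65536 + ${12} * 16777216 ))
            _size=$(( ${13} + ${14} * 256 + ${15} * 65536 + ${16} * 16777216 ))
            printf '%d %02X %d %d\n' "$_i" "$5" "$_start" "$_size"
        fi
        _i=$((_i + 1))
    done
}

# Constructed 512-byte image: one active OpenBSD (type A6) entry starting at
# LBA 64 with 7679936 sectors, and a valid signature.
mbr_make_sample() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    printf '\200\000\000\000\246\000\000\000\100\000\000\000\300\057\165\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Constructed "random rubbish" image: a byte pattern with no valid signature,
# standing in for what dd if=/dev/random left on the stick above.
mbr_make_rubbish() {
    dd if=/dev/zero bs=512 count=1 2>/dev/null | tr '\000' '\021' > "$1"
}
```

On a real disk, `mbr_signature /dev/rsd2c` (as root) gives the same word fdisk showed; a disklabel can still sit at sector 1 without any of this, which is what the transcript demonstrates, but the boot blocks do expect a sane MBR, hence the advice not to boot from such a disk.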



_types.h: increase size of size_t

2020-04-23 Thread Ian Sutton
Following the revelations made by a misc@ poster, I am happy to present
the following patch which increases the width of size_t from "long" to
"long long", which is twice the width as before, on all platforms. This
has the effect of doubling the amount of available memory regardless of
the physical capacity of the installed memory hardware. Additionally, it
enables PAE on all 32-bit platforms without incurring performance costs.
 
Index: arch/alpha/include/_types.h
===
RCS file: /cvs/src/sys/arch/alpha/include/_types.h,v
retrieving revision 1.24
diff -u -p -r1.24 _types.h
--- arch/alpha/include/_types.h 5 Mar 2018 01:15:24 -   1.24
+++ arch/alpha/include/_types.h 24 Apr 2020 02:26:13 -
@@ -120,7 +120,7 @@ typedef unsigned long   __psize_t;
 typedef double __double_t;
 typedef float  __float_t;
 typedef long   __ptrdiff_t;
-typedefunsigned long   __size_t;
+typedefunsigned long long__size_t;
 typedeflong__ssize_t;
 #if defined(__GNUC__) && __GNUC__ >= 3
 typedef__builtin_va_list   __va_list;
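Review bot: this hunk widens nothing on alpha, which is LP64, so `unsigned long` and `unsigned long long` are both 64 bits there; what it does change is the type of `__size_t`, which then no longer agrees with the `typedef unsigned long __psize_t;` in the hunk's header context or with `typedef long __ssize_t;` two lines below the change. Everything that relies on size_t and ssize_t being the unsigned/signed pair of one base type (the `%zu`/`%zd` format checks, C++ overloads and mangling for `unsigned long`, the ssize_t return of read(2) and write(2)) would break for no gain. If width is really the point, skip the LP64 ports entirely, or move `__ssize_t`, `__psize_t` and `__ptrdiff_t` in the same hunk so the family stays consistent.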
Index: arch/amd64/include/_types.h
===
RCS file: /cvs/src/sys/arch/amd64/include/_types.h,v
retrieving revision 1.17
diff -u -p -r1.17 _types.h
--- arch/amd64/include/_types.h 5 Mar 2018 01:15:25 -   1.17
+++ arch/amd64/include/_types.h 24 Apr 2020 02:26:13 -
@@ -120,7 +120,7 @@ typedef unsigned long   __psize_t;
 typedefdouble  __double_t;
 typedeffloat   __float_t;
 typedef long   __ptrdiff_t;
-typedefunsigned long   __size_t;
+typedefunsigned long long__size_t;
 typedeflong__ssize_t;
 #if defined(__GNUC__) && __GNUC__ >= 3
 typedef__builtin_va_list   __va_list;
Index: arch/arm/include/_types.h
===
RCS file: /cvs/src/sys/arch/arm/include/_types.h,v
retrieving revision 1.19
diff -u -p -r1.19 _types.h
--- arch/arm/include/_types.h   5 Mar 2018 01:15:25 -   1.19
+++ arch/arm/include/_types.h   24 Apr 2020 02:26:13 -
@@ -120,7 +120,7 @@ typedef unsigned long   __psize_t;
 typedef double __double_t;
 typedef float  __float_t;
 typedef long   __ptrdiff_t;
-typedefunsigned long   __size_t;
+typedefunsigned long long__size_t;
 typedeflong__ssize_t;
 #if defined(__GNUC__) && __GNUC__ >= 3
 typedef__builtin_va_list   __va_list;
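Review bot: on arm (ILP32) this hunk really does make `__size_t` 64 bits while `typedef long __ssize_t;` directly below it stays 32, so ssize_t can no longer carry the full size_t range and every interface that returns one for the other, read(2) and write(2) first of all, silently truncates; it also changes the layout of every struct and function signature that contains a size_t, i.e. a flag-day ABI break needing a full rebuild of base and ports. Nothing is gained in return: `typedef unsigned long __psize_t;` in the context line above, and the 32-bit pointers it mirrors, still bound what malloc(3) and mmap(2) can address, so neither the extra memory nor the PAE effect claimed in the description follows from this typedef. The 5.5 time_t change cited earlier on this page was exactly such a flag day, planned across all affected types and syscalls at once; a one-line typedef is not that.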
Index: arch/arm64/include/_types.h
===
RCS file: /cvs/src/sys/arch/arm64/include/_types.h,v
retrieving revision 1.4
diff -u -p -r1.4 _types.h
--- arch/arm64/include/_types.h 5 Mar 2018 01:15:25 -   1.4
+++ arch/arm64/include/_types.h 24 Apr 2020 02:26:13 -
@@ -121,7 +121,7 @@ typedef unsigned long   __psize_t;
 typedefdouble  __double_t;
 typedeffloat   __float_t;
 typedeflong__ptrdiff_t;
-typedefunsigned long   __size_t;
+typedefunsigned long long__size_t;
 typedeflong__ssize_t;
 #if defined(__GNUC__) && __GNUC__ >= 3
 typedef__builtin_va_list   __va_list;
Index: arch/hppa/include/_types.h
===
RCS file: /cvs/src/sys/arch/hppa/include/_types.h,v
retrieving revision 1.26
diff -u -p -r1.26 _types.h
--- arch/hppa/include/_types.h  5 Mar 2018 01:15:25 -   1.26
+++ arch/hppa/include/_types.h  24 Apr 2020 02:26:13 -
@@ -124,7 +124,7 @@ typedef unsigned long   __psize_t;
 typedef double __double_t;
 typedef float  __float_t;
 typedef long   __ptrdiff_t;
-typedefunsigned long   __size_t;
+typedefunsigned long long__size_t;
 typedeflong__ssize_t;
 #if defined(__GNUC__) && __GNUC__ >= 3
 typedef__builtin_va_list   __va_list;
Index: arch/i386/include/_types.h
===
RCS file: /cvs/src/sys/arch/i386/include/_types.h,v
retrieving revision 1.23
diff -u -p -r1.23 _types.h
--- arch/i386/include/_types.h  5 Mar 2018 01:15:25 -   1.23
+++ arch/i386/include/_types.h  24 Apr 2020 02:26:13 -
@@ -120,7 +120,7 @@ typedef unsigned long   __psize_t;
 typedef long double__double_t;
 typedef long double__float_t;
 typedef long   __ptrdiff_t;
-typedefunsigned long   __size_t;
+typedefunsigned long long__size_t;
 typedef  
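Review bot: the hunk is cut off after `typedef` on its last line, where the `__ssize_t` typedef should follow, so it cannot be reviewed or applied as posted; please resend the complete diff. What is visible has the same ILP32 problem as the other 32-bit ports (a 64-bit `__size_t` beside a 32-bit `__psize_t`, `__ptrdiff_t` and, presumably, `__ssize_t`), and the PAE claim in the description does not follow from it: on i386 PAE is a paging mode selected by the kernel's pmap, with no dependence on the width of size_t.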

Re: Article OpenBSD: Not Free Not Fuctional and Definetly Not Secure and BSD, the truth blog

2020-05-28 Thread Ian Darwin
On Thu, May 28, 2020 at 02:21:49PM +1000, Aaron Mason wrote:
> On Thu, May 28, 2020 at 2:20 PM Quantum Robin  
> wrote:
> > While surfing on the Google to learn more about OpenBSD, I encountered this
> > one: "OpenBSD: Not Free Not Fuctional and Definetly Not Secure (
> > https://aboutthebsds.wordpress.com/2013/01/25/20/)
> >
> > Is the author telling the truth? Or just yet another anti-BSD thing?
> 
> If it has to tell you it's "the truth" in its title, it probably isn't.

If it can't spell "Functional", it probably isn't.



Re: Filling a 4TB Disk with Random Data

2020-06-08 Thread Ian Darwin
On Fri, Jun 05, 2020 at 12:49:41PM -0500, Ed Ahlsen-Girard wrote:
> On Mon, 01 Jun 2020 13:38:55 -0400
> "Eric Furman"  wrote:
> 
> > On Mon, Jun 1, 2020, at 10:28 AM, Paul de Weerd wrote:
> >  [...]  
> > 
> > This is why if you are serious you use a degausser.
> > 
> 
> The truly serious use a smelter. I am not making a joke.

And, to reduce the impact of their being intercepted on the way to the smelter:

https://prodevice.eu/media-destroyers-shredders/data-media-shredder/



armv7 on Asus Chromebook C100P

2020-06-28 Thread Ian Darwin
Has anybody installed OpenBSD on these chromebooks? Asus sold a lot of
them, and they are losing Google's support next month so there should
be a lot available cheaply if you just want something to travel with
for email/web/chat.



Re: nsd Will Not Start At Boot

2020-07-06 Thread Ian Darwin
On Mon, Jul 06, 2020 at 04:57:20AM +, ken.hendrick...@l3harris.com wrote:
> I have tried putting "rcctl enable nsd" in the /etc/rc.conf.local file.
> That did not help.

I presume you meant "using rcctl enable nsd to update /etc/rc.conf.local",
not actually what you wrote.
 
> If I try to start nsd the same way the scripts do, I get nsd(failed).
> $ /etc/rc.d/nsd start
> nsd(failed)

Try doing it by the book, i.e., rcctl start nsd

If it fails silently, try rcctl -d start nsd



Re: Microsoft's war on plain text email in open source

2020-08-26 Thread Ian Darwin
On Wed, Aug 26, 2020 at 02:37:24AM -0700, Greg Thomas wrote:
> "... he had to set up an entirely new mail client which didn’t mangle his
> email message to HTML-ise... That’s a barrier to entry that’s pretty
> high..."
> 
> Wow.  Life's rough.

Surely easier than RTFMing to find out how to send plain-text email
in the existing client.
 
> On Wed, Aug 26, 2020 at 2:31 AM Frank Beuth  wrote:
> 
> > "Linux kernel development  which is driven by plain-text email
> > discussion  needs better or alternative collaborative tooling "to bring
> > in new contributors and maintain and sustain Linux in the future," says
> > Sarah Novotny, Microsoft's representative on the Linux Foundation board.
> >
> > Said tooling could be "a text-based, email-based patch system that can
> > then also be represented in a way that developers who have grown up in
> > the last five or ten years are more familiar with," she added.
> >
> > ...
> >
> > Should it migrate toward something more like, say, issues and pull
> > requests on the Microsoft-owned GitHub? “I’m not saying that there will
> > be a move in any time that I can see, my crystal ball’s broken, but I do
> > think there needs to be expansions in the way people can enter that
> > workflow,” said Novotny.
> >
> > “It is a fairly specific workflow that is a challenge for some newer
> > developers to engage with. As an example, my partner submitted a patch
> > to OpenBSD a few weeks ago, and he had to set up an entirely new mail
> > client which didn’t mangle his email message to HTML-ise or do other
> > things to it, so he could even make that one patch. That’s a barrier to
> > entry that’s pretty high for somebody who may want to be a first-time
> > contributor.”"
> >
> > https://www.theregister.com/2020/08/25/linux_kernel_email/
> >
> >



Re: Can I boot without GPU ("headless")?

2020-08-29 Thread Ian Darwin
On Sat, Aug 29, 2020 at 01:37:35PM +, Henry W. Peterson wrote:
> But then I would need to have every computer's serial port connected
> the whole time, right? As far as I know serial ports are not
> hot-swappable.
 
Nope. I have two APUs and only one is ever connected, since I have
only one USB-to-serial.  I move it back and forth as needed (which
isn't very often).



Re: Can I boot without GPU ("headless")?

2020-08-29 Thread Ian Darwin
On Sat, Aug 29, 2020 at 03:56:29PM +, Henry W. Peterson wrote:

> It is not a problem for me to write commands on the boot prompt after every 
> turning on, that would eliminate the need to modify /etc/boot.conf, right? 
> Although I didn't know modifying that file affected the boot prompt itself. 
> Noted.
> 
> I do have another computer, the one I planned to use to connect by ssh, but I 
> do not have COM port cards (only pins on the motherboard) nor the cables.
> 
> It starts to feel pretty clear that I should try the following:
> 
> After correctly typing the decryption password, type:
> set tty com0
> stty com0 9600
> boot -c
> disable vga
> quit
> 
> Would this be enough to boot, to then connect by ssh (without modifying 
> /etc/ttys or having even a COM port card connected to the motherboard's pins)?

It should get you booted. In fact, it would probably work without the boot 
-c/disable vga/quit parts.
Setting the baud rate to 115200 might save a few seconds, too.

But then, if you have FDE, the mount will hang, as there's no way to enter the 
password, without a serial cable. "set tty com0" will tell init to read from 
the serial, not the physical keyboard

When you say "pins", is that a double row of pins sticking up? There are
somewhat standard cables you can buy that will plug into that and terminate
in a DB9 male socket.

On the other computer, you can buy a USB-to-serial adapter/cable that will
plug into the DB9 socket. This is what I use, for example.



Re: home printer

2020-09-20 Thread Ian Darwin
On Thu, Sep 17, 2020 at 03:07:19PM -0700, Sean Kamath wrote:
> 
> 
> > On Sep 17, 2020, at 09:48, Ingo Schwarze  wrote:
> > That answer [HP] used to be spot on until about the year 2000.
> 
> I concur.  I used to work at a printer company that competed directly with 
> them.

Was that Imagen, by any chance?

Anyway, I concur too. I have a mid-1990's HP6MP with 75,000 pages on
its ticker (would be more but it was in storage for several years) and
it still prints beautifully. The manual for it proudly talks about
their BBS and how to set your comm software to 8-N-1; their internet
site (FTP only) is mentioned (by IP address) almost as an afterthought.



Re: sysupgrade with latest snapshot: The directory '/home/_sysupgrade/' does not exist.

2020-09-27 Thread Ian Darwin
On Sun, Sep 27, 2020 at 08:14:13PM +0200, Why 42? The lists account. wrote:
> 
> I am running:
> kern.version=OpenBSD 6.8-beta (GENERIC.MP) #69: Tue Sep 15 12:34:41 MDT 2020
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> I just tried to use sysupgrade and I notice that its behaviour has
> changed a bit since my last upgrade. Previously (last six months or so)
> after the download of the new sets and the reboot, I would have been
> prompted as to what to do i.e. Install, Upgrade, or Shell.  Then for a
> keyboard layout (e.g. de) and for the name of the disk containing OpenBSD
> (i.e. the system root partition) or "/").

Something is wrong here. That is not how sysupgrade works. Probably you
didn't install updated boot blocks and it has been failing to "switch
to bsd.upgrade" when rebooting after the download, and your latest
change installed the updated boot blocks, and now it is working.

>  1. Now on the console I see (post reboot):

Here you describe how sysupgrade normally works.

>  2. The upgrade then proceeds, however it fails to identify the location
> of the newly downloaded sets. The error is:
> "The directory '/home/_sysupgrade/' does not exist."
> 
>  3. It then seems to abort the upgrade and reboot the system. Thus
> leaving me back where I started.

I've never tried using a symlink to /home. Can you mount /home properly and
see if that works?



Wyse C90 (i386) early panic 'pci_make_tag bad request' after "acpi0: sleep states"

2020-10-14 Thread Ian Darwin
When trying to boot -current i386 from a clean install on the internal
flash drive, this thing panics on the same line as the 'acpi sleep
states' after 'S5'.  As a workaround, I can load pxeboot with a boot.conf
to boot bsd.  My guess would be that pxeboot passes control to the
kernel with some trivial and other"wyse" irrelevant bit or bits
different. I made no changes in BIOS between the working and non-working
boots, just unplugged the network cable.

No serial cable, but pictures, full dmesg from booted with pxeboot, and
acpidump, all stored at https://darwinsys.com/tmp/wyse.

TIA for any help.



Re: handling snapshot installation in production environment

2019-09-02 Thread Ian Darwin
> The sysupgrade tool is a nice way to install the newest snapshot, never
> had a problem. But what is the correct way to install a stable release
> on snapshot? Using the standard bsd.rd upgrade way?

From man sysupgrade:

 -r  Upgrade to the next release.  The default is to find out if the
 system is running a release or a snapshot.  In case of release
 sysupgrade downloads the next release.

So when 6.6 is announced as released

# sysupgrade -r



Merch

2019-09-30 Thread Ian Peacock
Hi, I am interested in buying an OpenBSD Tshirt. I live in Denmark. Can you 
help me? Kind Regards Ian


acme-client issue with domain w/ alternative name

2019-10-21 Thread Ian Darwin
Today acme-client renewed all but 2 of my domains; the two that have
"alternative names" in the certificates. I cannot get it to renew those two.
This is on amd64 on 6.6-current, updated today.

My acme-client.conf is the latest example version, with the v2 URLs and with
example.com replaced by my domains.

#
# $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
#
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory";
account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
api url "https://acme-staging-v02.api.letsencrypt.org/directory";
account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain androidcookbook.com {
alternative names { androidcookbook.net }
domain key "/etc/ssl/private/androidcookbook.com.key"
domain certificate "/etc/ssl/androidcookbook.com.crt"
domain full chain certificate "/etc/ssl/androidcookbook.com.fullchain.pem"
sign with letsencrypt
}
domain annabot.org {
domain key "/etc/ssl/private/annabot.org.key"
domain certificate "/etc/ssl/annabot.org.crt"
domain full chain certificate "/etc/ssl/annabot.org.fullchain.pem"
sign with letsencrypt
}
...

The first domain fails, the second one succeeded.

$ doas acme-client androidcookbook.com
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: 172.65.32.248: tls_close: EOF without close notify
$ echo $?
1
$ 

IDK what those EOF w/o notify are caused by, but the domains that worked
also gave a similar bunch of that message.

Running with -v does not give any useful info except it ends with -1:

$ doas acme-client -v -F androidcookbook.com
acme-client: /etc/ssl/androidcookbook.com.crt: certificate renewable: 29 days left
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/882690343
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: challenge, token: 22zE2mRAquYtRmY0lMxiCVfYXcTLEUEm78rRa6Nt0So, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/882690343/im5q-Q, status: 0
acme-client: /var/www/acme/22zE2mRAquYtRmY0lMxiCVfYXcTLEUEm78rRa6Nt0So: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/882690343/im5q-Q: challenge
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/882690357
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: challenge, token: XQm6jdVi6yzlFJHP8ucI8d3AenQFl81KqfC4tNlaDsU, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/882690357/7cuNOw, status: 0
acme-client: /var/www/acme/XQm6jdVi6yzlFJHP8ucI8d3AenQFl81KqfC4tNlaDsU: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/882690357/7cuNOw: challenge
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: order.status -1
acme-client: bad exit: netproc(82984): 1
$ 


Any thoughts or more info? Thx.
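What that -v output shows is two authorizations (authz-v3/...343 and ...357), one per name in the order, and the order failing as a whole; a "domain" block with alternative names only renews if every name in it passes its http-01 challenge on this host. As an added example (mine, not part of the thread or of acme-client), here is a small check that reads the names out of acme-client.conf and compares them with the SAN list of the certificate already on disk, which is the first thing to confirm when exactly the multi-name blocks fail. The config file it parses in the test is constructed after the one posted above; cert_names assumes openssl(1) from base.

```sh
#!/bin/sh
# Added example, not from the thread: which names will acme-client request
# for each "domain" block, and does the existing certificate already carry
# them? acme_names needs only awk; cert_names assumes openssl(1) is present.

# Print one line per "domain NAME {" block: NAME followed by the alternative
# names, in config order. Lines such as 'domain key "..."' inside a block
# have no "{" and are not mistaken for a new block.
acme_names() {
    awk '
        /^[[:space:]]*domain[[:space:]]+[^[:space:]{]+[[:space:]]*[{]/ {
            names = $2; inblock = 1; next
        }
        inblock && /alternative[[:space:]]+names[[:space:]]*[{]/ {
            s = $0; sub(/.*[{]/, "", s); sub(/[}].*/, "", s); gsub(/,/, " ", s)
            n = split(s, a, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") names = names " " a[i]
            next
        }
        inblock && /^[[:space:]]*[}]/ { print names; inblock = 0 }
    ' "$1"
}

# Print the DNS subjectAltNames of a PEM certificate, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Subject Alternative Name/ { getline; gsub(/,/, "\n"); print }' |
        sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# acme_names_match CONFIG DOMAIN CERT: fail, naming the culprit on stderr, if a
# name configured for DOMAIN is not in CERT. A name that appears here for the
# first time is the one whose http-01 challenge deserves a look.
acme_names_match() {
    _have=$(cert_names "$3")
    _want=$(acme_names "$1" | awk -v d="$2" '$1 == d')
    [ -n "$_want" ] || { echo "no domain block for $2 in $1" >&2; return 1; }
    for _n in $_want; do
        echo "$_have" | grep -qx "$_n" ||
            { echo "$_n: configured but not in $3" >&2; return 1; }
    done
}
```

For the failing block above that would be `acme_names_match /etc/acme-client.conf androidcookbook.com /etc/ssl/androidcookbook.com.crt`; if androidcookbook.net is reported missing, check that the .net name resolves to this host and that httpd serves /.well-known/acme-challenge/ for it, because that is the authorization Let's Encrypt will fail.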



Re: acme-client issue with domain w/ alternative name

2019-10-22 Thread Ian Darwin

On 10/21/19 19:38, Ian Darwin wrote:

> Today acme-client renewed all but 2 of my domains; the two that have
> "alternative names" in the certificates. I cannot get it to renew those two.
> This is on amd64 on 6.6-current, updated today.

Just to follow up: Of my two problem domains, one was caused by pebkac 
(sorry) and the other, which I tried 5 or 6 times last night, worked 
like a charm this morning, with no config changes. I'll just blame 
transient network conditions for that one.




Re: Tools for writers

2019-11-04 Thread Ian Darwin
On Mon, Nov 04, 2019 at 02:06:35AM -0500, Steve Litt wrote:
> 
> I know what you mean and you're right to a degree, but I'm currently
> writing a couple of books with AsciiDoctor edited in Vim. And I use
> VimOutliner for outlining. I'll try to remember and let you know when I
> actually finish one of the books.

I've used AsciiDoc and AsciiDoctor for two large O'Reilly Cookbooks which I
proof locally in PDF. Their publishing sofware puts it through some arcane
toolchain which formats to their house style &c, and generateds PDF, EPub,
HTML, etc.  But all the editing work is done, like Steve's, in vi and
asciidoctor.

I've also used adoc for magazine articles where the publisher "needs" the file
in MS-Word format. For that I use pandoc (on another box) to convert adoc into
docx.



Re: acme-client issue with domain w/ alternative name

2019-11-07 Thread Ian Darwin
On Thu, Nov 07, 2019 at 11:34:48PM +, Mik J wrote:
>  Hello,
> What does this mean?
> > Just to follow up: Of my two problem domains, one was caused by pebkac

pebkac = problem exists between keyboard and chair. In other words, user error



pvclock stability

2019-11-08 Thread Ian Gregory
Hi

Since the 6.6 release I've been experimenting with using pvclock as
the selected timecounter on a virtual machine running under vmm. Both
the host and guest are running 6.6-stable (the environment is provided
by openbsd.amsterdam).

With 6.5 and the tsc source, the clock would drift linearly by about 2
seconds per minute. This was too large a drift for ntpd to compensate
for and so I used a cron job to force-correct the clock at regular
intervals.

With 6.6 I have changed the timecounter source to pvclock. In
frequency terms this has proven to be much more stable, with minimal
drift. However, at irregular intervals the clock will step out of time
by a small whole number of seconds. Over 24 hours following a reboot
the clock now differs from real time (verified against multiple ntp
sources) by just over 23 seconds, it having stepped 9 times during
that time window

I ran the following command every 60s following a reboot of the guest
to log the output
  echo -n `date` && rdate -pv time.cloudflare.com | tail -1 | awk '{ print "   " $6 }'
Note that the data points are not consistently 60s apart - I'm using
'sleep' to delay the loop.

Raw data and chart of the offset over the 24 hours is available in
this Google sheet: http://bit.ly/34NTaUh

Is this likely to point to a bug in the pvclock implementation or an
environment/configuration issue?

Thanks
Ian


dmesg (guest)
=

OpenBSD 6.6 (GENERIC) #0: Sat Oct 26 06:47:50 MDT 2019
r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2130698240 (2031MB)
avail mem = 2053558272 (1958MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf3f40 (10 entries)
bios0: vendor SeaBIOS version "1.11.0p2-OpenBSD-vmm" date 01/01/2011
bios0: OpenBSD VMM
acpi at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Xeon(R) CPU X5675 @ 3.07GHz, 3062.26 MHz, 06-2c-02
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,CX8,SEP,PGE,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,HV,NXE,PAGE1GB,LONG,LAHF,ITSC,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
cpu0: using IvyBridge MDS workaround
pvbus0 at mainbus0: OpenBSD
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio0
virtio0: irq 3
virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio1: address fe:e1:bb:d4:c4:03
virtio1: irq 5
virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio2
scsibus1 at vioblk0: 2 targets
sd0 at scsibus1 targ 0 lun 0: 
sd0: 51200MB, 512 bytes/sector, 104857600 sectors
virtio2: irq 6
virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
vmmci0 at virtio3
virtio3: irq 7
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
com0: console
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (886e07e83005c94c.a) swap on sd0b dump on sd0b

dmesg (host)


OpenBSD 6.6 (GENERIC.MP) #0: Sat Oct 26 08:08:07 MDT 2019

r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34329825280 (32739MB)
avail mem = 33276682240 (31735MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xcf49c000 (84 entries)
bios0: vendor Dell Inc. version "6.4.0" date 07/23/2013
bios0: Dell Inc. PowerEdge R610
acpi0 at bios0: ACPI 3.0
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC SPCR HPET DMAR MCFG WD__ SLIC ERST HEST
BERT EINJ SRAT TCPA SSDT
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 32 (boot processor)
cpu0: Intel(R) Xeon(R) CPU X5675 @ 3.07GHz, 3325.38 MHz, 06-2c-02
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 1
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 133MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel(R) Xeon(R) CPU X5675 @ 3.07GHz, 1596.02 MHz, 06-2c-02
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PER
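The useful distinction in that report is between drift and steps: the 6.5 tsc problem was a steady 2 s/min slope, which ntpd cannot pull in but which moves the offset smoothly, while the pvclock symptom is a small whole number of seconds appearing between two adjacent samples. As an added example (mine, not the poster's script or data), here is a detector for the second kind over a log of "epoch offset" lines, where offset is the correction in seconds the reference says the guest needs; the sample log is constructed to look like the behaviour described, one-minute spacing with three whole-second jumps. The sampler itself is not reproduced, since rdate's -p output format is not shown on this page.

```sh
#!/bin/sh
# Added example, not from the thread: find clock step events in a log of
# offset samples. Input lines are "epoch offset" (offset = seconds the local
# clock must be adjusted by, per an NTP reference). A step is a change in
# offset between consecutive samples of at least the threshold; smooth drift
# stays well under 0.5 s per one-minute sample and is not reported.

# clock_steps LOG [THRESHOLD]: print "epoch prev new delta" per step, then a
# final "steps=N total=T" line so the count and the summed jump are visible.
clock_steps() {
    awk -v thr="${2:-0.5}" '
        NR == 1 { prev = $2; next }
        {
            d = $2 - prev
            if (d >= thr || -d >= thr) {
                n++; total += d
                printf "%s %.3f %.3f %+.3f\n", $1, prev, $2, d
            }
            prev = $2
        }
        END { printf "steps=%d total=%+.3f\n", n, total }
    ' "$1"
}

# Constructed sample log (not the poster's data), written to $1: eight
# samples a minute apart with three whole-second steps of the kind reported.
clock_steps_sample() {
    cat > "$1" <<'EOF'
1573776600 0.02
1573776660 0.03
1573776720 1.03
1573776780 1.04
1573776840 1.05
1573776900 2.06
1573776960 2.06
1573777020 4.07
EOF
}
```

Run it with a threshold just under the smallest step you expect (0.5 s catches the 1.0 s jumps described) and, separately, with a threshold above them (3 s) to confirm that ordinary drift produces no output; a log in which every reported delta is close to an integer number of seconds points at lost ticks or a missed timer interrupt rather than at frequency error, which is the distinction the pvclock printf debugging in the follow-up is trying to make.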

Re: urtwn(4) gets wedged periodically

2019-11-13 Thread Ian Darwin
On Wed, Nov 13, 2019 at 01:25:46PM -0500, Ted Unangst wrote:
> > Can you give me the exact model of the one you bought recently? I have
> > half a mind to just write off mine as a loss and buy something else.
> 
> I am using this one: (the TL-WN725N N150 single band one)
> 
> https://www.amazon.com/TP-Link-wireless-network-Adapter-SoftAP/dp/B008IFXQFU/

I have that one and it wedges occasionally (on a MacBook Pro
with 6.6-current), though infrequently.



Re: pvclock stability

2019-11-15 Thread Ian Gregory
I continued to investigate this and added some debugging output to the
pvclock driver to attempt to work out what was going on.

In my most recent test I rebooted the client VM at 08:10 yesterday.
Over the following 24h, there were 16 "clock step" events which caused
the time to lag real time by a total of 21.3 seconds. In all but 3 of
the steps, the change in the offset was 1.0 seconds almost exactly.
During the test the VM was loaded with its usual workload (running
net/zabbix) and ntpd was disabled.

I added a printf to the end of pvclock_get_timecount which outputs the
state of the variables within the function for each 10 steps
of system_time.

Here is an example of the output. The prefixed date is from syslog and
is the incorrect system time. The actual time of the log entry (as
reported from a reliable NTP source) was 09:05:23

Nov 15 09:05:02 starbug /bsd: pvclock: tsc_timestamp=3627858654285868 rdtsc=3627858654563637 delta_1=277769 shift=-20 delta=0 mul_frac=342781 system_time=1573808723797914701 ctr=1573808723797914701

The ctr value is the return value of pvclock_get_timecount - the value
1573808723797914701 translates to Fri Nov 15 09:05:23.797

I'm no expert in kernel timekeeping internals (far from it), but it
seems that the pvclock driver is returning correct timestamps from
pvclock_get_timecount and thus I conclude both the pvclock device in
vmm and the pvclock driver in the kernel are working as designed.

Can anyone advise if I've missed something? Happy to provide further
data if needed.

Thanks
Ian



On Fri, 8 Nov 2019 at 13:53, Ian Gregory  wrote:
>
> Hi
>
> Since the 6.6 release I've been experimenting with using pvclock as
> the selected timecounter on a virtual machine running under vmm. Both
> the host and guest are running 6.6-stable (the environment is provided
> by openbsd.amsterdam).
>
> With 6.5 and the tsc source, the clock would drift linearly by about 2
> seconds per minute. This was too large a drift for ntpd to compensate
> for and so I used a cron job to force-correct the clock at regular
> intervals.
>
> With 6.6 I have changed the timecounter source to pvclock. In
> frequency terms this has proven to be much more stable, with minimal
> drift. However, at irregular intervals the clock will step out of time
> by a small whole number of seconds. Over 24 hours following a reboot
> the clock now differs from real time (verified against multiple ntp
> sources) by just over 23 seconds, it having stepped 9 times during
> that time window
>
> I ran the following command every 60s following a reboot of the guest
> to log the output
>   echo -n `date`  && rdate -pv time.cloudflare.com | tail -1 | awk
> '{ print "   " $6 }'
> Note that the data points are not consistently 60s apart - I'm using
> 'sleep' to delay the loop.
>
> Raw data and chart of the offset over the 24 hours is available in
> this Google sheet: http://bit.ly/34NTaUh
>
> Is this likely to point to a bug in the pvclock implementation or an
> environment/configuration issue?
>
> Thanks
> Ian
>
>
> dmesg (guest)
> =
>
> OpenBSD 6.6 (GENERIC) #0: Sat Oct 26 06:47:50 MDT 2019
> r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> real mem = 2130698240 (2031MB)
> avail mem = 2053558272 (1958MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf3f40 (10 entries)
> bios0: vendor SeaBIOS version "1.11.0p2-OpenBSD-vmm" date 01/01/2011
> bios0: OpenBSD VMM
> acpi at bios0 not configured
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Intel(R) Xeon(R) CPU X5675 @ 3.07GHz, 3062.26 MHz, 06-2c-02
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,CX8,SEP,PGE,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,HV,NXE,PAGE1GB,LONG,LAHF,ITSC,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> cpu0: using IvyBridge MDS workaround
> pvbus0 at mainbus0: OpenBSD
> pvclock0 at pvbus0
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
> virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
> viornd0 at virtio0
> virtio0: irq 3
> virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio1: address fe:e1:bb:d4:c4:03
> virtio1: irq 5
> virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio2
> scsibus1 at vioblk0: 2 targets
> sd0 at scsibus1 targ 0 lun 0: 
> sd0: 51200MB, 512 bytes/sector, 104857600 sectors
> virtio2: irq 6
> virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
> vmmci0 at virtio3
> vir

Re: vi in ramdisk?

2019-11-15 Thread Ian Darwin
On Fri, Nov 15, 2019 at 10:08:26AM -0700, Theo de Raadt wrote:
> Christian Weisgerber  wrote:
> 
> > > I think, for editing config files, there are sure editors that
> > > are simpler, smaller, not so powerful, but easier to use than ed.
> > 
> > By all means, do not keep us in suspense and tell us the names of
> > these editors.
> > 
> > How large is a C implementation of TECO?
> 
> he probably means cat plus the shell's redirection capability.
> 

Who needs cat when you have echo? 



Re: pvclock stability

2019-11-19 Thread Ian Gregory
As a final update to this (for now): I was unable to work out why the
correct timestamps from pvclock_get_timecount() were not being used to
correct the system clock. I suspect I don't have a full enough
understanding of how the return value from this function is used by the
kernel timekeeping processes.

I did notice a thread on bugs@
(https://marc.info/?l=openbsd-bugs&m=157403970412386&w=2) which
included a patch with a correction to the shift parameter sent from
vmm to the pvclock driver. Although I couldn't test this particular
patch (I don't control the hypervisor) I was able to set the shift
parameter in pvclock.c to 12 to achieve the same net result. I can
confirm that change resolved the precision issue described in the
linked thread, but it also seems to have resulted in much improved
clock stability (4 steps in 24hr, 1.0s, 1.0s, 0.5s, 0.5s).

At this point ntpd is able to keep the clock synced so in the absence
of further lines of investigation I'm inclined to leave as-is and
continue to monitor. I will update the list if I discover anything
new.


Ian

On Fri, 15 Nov 2019 at 09:17, Ian Gregory  wrote:
>
> I continued to investigate this and added some debugging output to the
> pvclock driver to attempt to work out what was going on.
>
> In my most recent test I rebooted the client VM at 08:10 yesterday.
> Over the following 24h, there were 16 "clock step" events which caused
> the time to lag real time by a total of 21.3 seconds. In all but 3 of
> the steps, the change in the offset was 1.0 seconds almost exactly.
> During the test the VM was loaded with its usual workload (running
> net/zabbix) and ntpd was disabled.
>
> I added a printf to the end of pvclock_get_timecount which outputs the
> state of the variables within the function for each 10 steps
> of system_time.
>
> Here is an example of the output. The prefixed date is from syslog and
> is the incorrect system time. The actual time of the log entry (as
> reported from a reliable NTP source) was 09:05:23
>
> Nov 15 09:05:02 starbug /bsd: pvclock:
> tsc_timestamp=3627858654285868 rdtsc=3627858654563637 delta_1=277769
> shift=-20 delta=0 mul_frac=342781 system_time=1573808723797914701
> ctr=1573808723797914701
>
> The ctr value is the return value of pvclock_get_timecount - the value
> 1573808723797914701 translates to Fri Nov 15 09:05:23.797
>
> I'm no expert in kernel timekeeping internals (far from it), but it
> seems that the pvclock driver is returning correct timestamps from
> pvclock_get_timecount and thus I conclude both the pvclock device in
> vmm and the pvclock driver in the kernel are working as designed.
>
> Can anyone advise if I've missed something? Happy to provide further
> data if needed.
>
> Thanks
> Ian
>
>
>
> On Fri, 8 Nov 2019 at 13:53, Ian Gregory  wrote:
> >
> > Hi
> >
> > Since the 6.6 release I've been experimenting with using pvclock as
> > the selected timecounter on a virtual machine running under vmm. Both
> > the host and guest are running 6.6-stable (the environment is provided
> > by openbsd.amsterdam).
> >
> > With 6.5 and the tsc source, the clock would drift linearly by about 2
> > seconds per minute. This was too large a drift for ntpd to compensate
> > for and so I used a cron job to force-correct the clock at regular
> > intervals.
> >
> > With 6.6 I have changed the timecounter source to pvclock. In
> > frequency terms this has proven to be much more stable, with minimal
> > drift. However, at irregular intervals the clock will step out of time
> > by a small whole number of seconds. Over 24 hours following a reboot
> > the clock now differs from real time (verified against multiple ntp
> > sources) by just over 23 seconds, it having stepped 9 times during
> > that time window
> >
> > I ran the following command every 60s following a reboot of the guest
> > to log the output
> >   echo -n `date`  && rdate -pv time.cloudflare.com | tail -1 | awk
> > '{ print "   " $6 }'
> > Note that the data points are not consistently 60s apart - I'm using
> > 'sleep' to delay the loop.
> >
> > Raw data and chart of the offset over the 24 hours is available in
> > this Google sheet: http://bit.ly/34NTaUh
> >
> > Is this likely to point to a bug in the pvclock implementation or an
> > environment/configuration issue?
> >
> > Thanks
> > Ian
> >
> >
> > dmesg (guest)
> > =
> >
> > OpenBSD 6.6 (GENERIC) #0: Sat Oct 26 06:47:50 MDT 2019
> > 
> > r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compil
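The debug line in the 15 Nov post and the "set shift to 12" change in the 19 Nov follow-up can be checked against each other with the pvclock scaling formula (delta = rdtsc - tsc_timestamp, shifted left by the shift value or right by its negation, multiplied by the 32.32 fixed-point mul_frac, then added to system_time; the variable names below follow the log line). The script is an added example written for this page, not code from the thread or from the kernel; the numbers are the ones printed in the log, and the function names are mine.

```python
from datetime import datetime, timezone

MASK64 = 0xFFFFFFFFFFFFFFFF

# Values copied from the debug line in the post (same numbers, constructed dict).
LOG = {
    "tsc_timestamp": 3627858654285868,
    "rdtsc": 3627858654563637,
    "shift": -20,
    "mul_frac": 342781,
    "system_time": 1573808723797914701,
}


def scale_delta(delta_ticks, shift, mul_frac):
    """pvclock scaling: shift the TSC delta (left for shift >= 0, right for
    shift < 0), multiply by the 32.32 fixed-point factor mul_frac and drop
    the fraction.  Masked to 64 bits to mirror the kernel's uint64_t math."""
    if shift < 0:
        delta = delta_ticks >> -shift
    else:
        delta = (delta_ticks << shift) & MASK64
    return ((delta * mul_frac) & MASK64) >> 32


def pvclock_timecount(tsc_timestamp, rdtsc, shift, mul_frac, system_time):
    """Counter value for one snapshot of the shared time info plus a TSC
    reading: system_time (ns) + scaled(rdtsc - tsc_timestamp)."""
    delta_1 = (rdtsc - tsc_timestamp) & MASK64
    return (system_time + scale_delta(delta_1, shift, mul_frac)) & MASK64


def ns_per_tick(shift, mul_frac):
    """Effective nanoseconds per TSC tick implied by a (shift, mul_frac) pair."""
    return mul_frac * 2.0 ** shift / 2 ** 32


def implied_tsc_ghz(shift, mul_frac):
    """TSC frequency (GHz) that this (shift, mul_frac) pair converts correctly."""
    return 1.0 / ns_per_tick(shift, mul_frac)


def min_ticks_for_one_ns(shift, mul_frac):
    """Smallest TSC delta whose scaled value is at least 1 ns, i.e. how many
    ticks must pass before the counter moves off system_time at all."""
    def ceil_div(a, b):
        return -(-a // b)
    if shift < 0:
        return ceil_div(2 ** 32, mul_frac) << -shift
    return ceil_div(2 ** 32, mul_frac << shift)


def ctr_to_utc(ctr_ns):
    """Interpret a counter value as nanoseconds since the Unix epoch (UTC)."""
    return datetime.fromtimestamp(ctr_ns // 10 ** 9, tz=timezone.utc)


if __name__ == "__main__":
    ctr = pvclock_timecount(**LOG)
    print("delta_1 =", LOG["rdtsc"] - LOG["tsc_timestamp"])
    print("ctr     =", ctr, "->", ctr_to_utc(ctr).isoformat())
    for shift in (LOG["shift"], 12):
        mul = LOG["mul_frac"]
        print(f"shift={shift:3d}: {ns_per_tick(shift, mul):.3e} ns/tick,"
              f" implied TSC {implied_tsc_ghz(shift, mul):.4g} GHz,"
              f" counter first moves after {min_ticks_for_one_ns(shift, mul)} ticks")
```

What the arithmetic shows: with shift -20 and mul_frac 342781, the 277769-tick delta in the log scales to exactly zero, so the counter returned is system_time unchanged (ctr == system_time, as printed), and the counter cannot advance by even one nanosecond until roughly 1.3e10 ticks (over four seconds of a 3.06 GHz TSC) have passed since vmm last rewrote system_time. With shift 12 the same mul_frac gives about 0.327 ns per tick, i.e. a 3.06 GHz TSC, which matches the cpu0 line in the guest dmesg. That is the mechanism behind the stability improvement reported after the shift change.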

Re: pvclock stability

2019-11-19 Thread Ian Gregory
On Tue, 19 Nov 2019 at 21:20, Ian Gregory  wrote:
> I can
> confirm that change resolved the precision issue described in the
> linked thread, but it also seems to have resulted in much improved
> clock stability (4 steps in 24hr, 1.0s, 1.0s, 0.5s, 0.5s).

Correction - there were actually 3 instances of 1.0s time steps (clock
lags real time by 3.0s)

Ian



Re: Hyperbola Gnu Linux changing to Bsd

2019-12-30 Thread Ian Darwin

On 12/30/19 15:02, Peter Nicolai Mathias Hansteen wrote:
> The TL;DR version is that taking code or any other body of work that is offered
> to you under a permissive license and making your changes to it available only
> under a more restrictive one may be legal in some or all jurisdictions, but it
> is most certainly a sign of an almost total lack of respect for the people who
> did the original work.


Not to mention: putting code under a more restrictive license than 
previously, while calling it "more free", is hypocrisy, pure and simple. 
Nothing gnu here, folks.




Re: Hyperbola Gnu Linux changing to Bsd

2019-12-30 Thread Ian Darwin
On Mon, 30 Dec 2019 at 19:57, Nick Holland wrote:
> most of them are stupid words.  I just spot checked one of the
> "license problems" they think they spotted in the OpenBSD tree.
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/arch/landisk/include/endian.h?rev=1.2
>
> What exactly are they planning on licensing in that?


I think they've scheduled a half-day committee meeting about that one 
file next week :-)


Remember the history of /bin/false.  History can repeat itself.



Awaiting a diff [was: Re: File systems...]

2020-01-08 Thread Ian Darwin
> - If we could clean-room implement a BSD-licensed
> EXT3/EXT4/BTRFS/XFS/JFS/whatever, following style(8), would there be
> interest in supporting that in OpenBSD?

And which "we" are you referring to here? Did you mean yourself,
or are you hoping that "somebody" will do it?

> There's merit in the third option, OpenBSD already supports EXT2 (which
> is also 90's vintage like ffs) as there are some platforms (e.g.
> loongson) that require it.
>...
> EXT4 is also very widespread and stable, and seems to offer decent
> performance.

So send a diff that upgrades the code to ext3 and 4.

> ZFS and BTRFS are much newer, and more complicated with software RAID
> functionality built in.  I think these would be harder to implement from
> scratch.

Persuade the owners to release under an ISC license. Then send a diff.



Re: Low throughput with 1 GigE interface

2020-01-30 Thread Ian Darwin
Peter wrote:
 
> chi# iperf -c beta.internal.centroid.eu
> 
> Client connecting to beta.internal.centroid.eu, TCP port 5001
> TCP window size: 17.0 KByte (default)
> 
> [  3] local 192.168.177.40 port 13242 connected with 192.168.177.2 port 5001
> [ ID] Interval   Transfer Bandwidth
> [  3]  0.0-10.0 sec   536 MBytes   449 Mbits/sec
> 
> ... on an APU1C4, could it be you have a slow switch or router?  Any other
> hardware that could slow yours down?
> 
> I'm happy with this result, the APU1 is not really a powerhorse.

That is pretty normal. From an older Intel-cpu laptop with a bge interface,
to my APU2, both on a TP-Link gig switch, I get

$ iperf -c gw-int 

Client connecting to gw-int, TCP port 5001
TCP window size: 32.5 KByte (default)

[  3] local 192.168.42.46 port 21653 connected with 192.168.42.254 port 5001
[ ID] Interval   Transfer Bandwidth
[  3]  0.0-10.0 sec   502 MBytes   421 Mbits/sec
$

Again, that's with no tuning. Did you try a different cable?



Re: suggestions for USB printer (maybe even with scanner)?

2020-02-05 Thread Ian Darwin
On Wed, Feb 05, 2020 at 01:50:41PM -0700, Raymond, David wrote:
> I have had good luck on OpenBSD with a variety of HP printers using
> the hplip package and cups.  (To use the latter, put /usr/local/bin
> before /usr/bin in your PATH to avoid confusion with lpr programs.)
> The xsane package does scanning on HP printers that have this
> function.  I have connected them mainly via the network, but I don't
> see why direct usb connections wouldn't work as well.

If you go that route see the note in the readme about disabling ulpt
in the kernel as cups wants to work with ugen.



Re: Web documentation available offline by default?

2020-03-02 Thread Ian Darwin
On Mon, Mar 02, 2020 at 12:28:25PM +0100, Wolfgang Pfeiffer wrote:
> > It's also a pity the the faq are not available in a single html or pdf
> > format. This would be handy for those who, like me, are studying for
> > the BSD Specialist certification. Having a single document makes it
> > easier to search for a specific command.
> 
> Seems to work on Linux at least: to "wget" the pages one needs, and
> then "wkhtmltopdf" them to a pdf file.
> 
> Takes time to get it done nicely with the correct flags for
> wkhtmltopdf - and the wget procedure might not get all pages needed,
> so intervening manually might be an option to get those, too ...
> 
> On OBSD ports there's  textproc/wkhtmltopdf. Didn't test the latter
> tho'.
> 

How about if the people who want this would, instead of pitying the fact
that it's not available in the format you want, create a port (with a
build depends on wkhtmltopdf) to generate the files. And keep the port
updated regularly or it would be deleted.



Re: Time jumping forward issue under OpenBSD 6.6 VMM

2020-03-03 Thread Ian Gregory
On Tue, 3 Mar 2020 at 15:47, mabi  wrote:
> It looks like there is a time issue on that VM although I am running the 
> default ntpd of OpenBSD 6.6 and I have added the following parameter into my 
> /etc/sysctl.conf on that VM:
>
> kern.timecounter.hardware=tsc

I've had similar issues with timekeeping within guests of VMM,
although there are improvements in -current with the pvclock time
source. Since the fix below I now see occasional instances of the
clock stepping by a few whole seconds (typically less than 8s) but
it's much less frequent and the magnitude is within the bounds of what
ntpd can correct.

See 
http://openbsd-archive.7691.n7.nabble.com/pvclock-stability-tp376946p377922.html
for some backstory

(aside: I see similar small occasional clock jumps of an integer
number of seconds on OpenBSD-6.6 guests using tsc running on a VMware
ESXi host)

Regards
Ian



Re: CD's arrived

2015-10-08 Thread ian kremlin
Hello

Syracuse, NY -- no CD, but poster has arrived. looks great!

http://ce.gl/openbsd-5.8-poster.jpg

ian

On Wed, Oct 7, 2015 at 10:51 AM, M Wheeler <6f84c...@refn.co.uk> wrote:
> CD's arrived today UK. Thanks again.



Re: Hellos from the Lands of ..Arkanaias

2017-12-26 Thread Ian Sutton
please do not use this list to test markov bots, it is for
miscellaneous openbsd discussion, thanks



Re: OpenBSD Foundation on HTTPS

2018-02-06 Thread Ian Sutton
Hi,

There is no need. There is nothing secret on those web servers, there
is no logical reason to encrypt it. This issue has been discussed to
death. Please check archives.

Ian

On Tue, Feb 6, 2018 at 4:03 AM, Hess THR  wrote:
> Hello,
>
> because HTTPS increases the authenticity, integrity, privacy: 
> https://en.wikipedia.org/wiki/HTTPS
>
> going to apache/iis/nginx/linux will not increase "security". since they have 
> very buggy code.
>
> but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the code 
> in the base?
>
>
>> Sent: Friday, December 15, 2017 at 12:11 PM
>> From: "Vivek Vinod" 
>> To: "Hess THR" 
>> Subject: Re: OpenBSD Foundation on HTTPS
>>
>> 1) Why do you want https support?
>> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we shift 
>> to IIS as well? Wait, I guess more people use Linux, so we should stop using 
>> OpenBSD all together.
>>
>>
>> -Original Message-
>> From:  on behalf of Hess THR 
>> Date: Friday, 15 December 2017 at 4:20 PM
>> To: , 
>> Subject: OpenBSD Foundation on HTTPS
>>
>> Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
>> support HTTPS, while in 2017 Dec, ~70% of the websites do:
>> https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
>> the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
>> HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
>> BTW, wow:
>> 
>> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
>>
>



VPN IKEv2 Traffic Flows Only One Direction

2020-11-15 Thread Ian Timothy
I’ve been a long time user of OpenBSD, but this is the first time I’m trying to 
setup a VPN. I’m not sure what I’m doing wrong, or what should be the next step 
to troubleshoot. I’ve probably reviewed every IKEv2 how-to I can find.

I need to end up with a configuration that will support several simultaneous 
roaming users connecting from anywhere they happen to be.

Client:
macOS 10.15.7
Using builtin VPN client

Server:
OpenBSD 6.6
em1 = 23.X.X.128/29
em0 = 10.0.0.0/16
enc0 = 10.1.0.0/16

From the client I can connect to 10.0.0.1 but anything outside that network
traffic flows but does not return:


# --- client: curl -v ipinfo.io/ip ---

*   Trying 216.239.36.21:80...
[ never connects ]




# --- server: iked -dv ---

ikev2 "vpn" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 23.30.51.129 
peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 
auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc 
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.ipaperbox.com 
lifetime 10800 bytes 536870912 psk 0x70617373776f7264 config address 10.1.0.0 
config netmask 255.255.0.0 config name-server 10.0.0.1
[--- CLIENT CONNECTS ---]
spi=0x69f90afcc96f7600: recv IKE_SA_INIT req 0 peer 166.X.X.161:62140 local 
23.X.X.129:500, 604 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_SA_INIT res 0 peer 166.X.X.161:62140 local 
23.X.X.129:500, 432 bytes
spi=0x69f90afcc96f7600: recv IKE_AUTH req 1 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 544 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send IKE_AUTH res 1 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 272 bytes, NAT-T
spi=0x69f90afcc96f7600: sa_state: VALID -> ESTABLISHED from 166.X.X.161:54501 
to 23.X.X.129:4500 policy 'vpn'
[--- CLIENT DISCONNECT ---]
spi=0x69f90afcc96f7600: recv INFORMATIONAL req 2 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 80 bytes, policy 'vpn'
spi=0x69f90afcc96f7600: send INFORMATIONAL res 2 peer 166.X.X.161:54501 local 
23.X.X.129:4500, 80 bytes, NAT-T
spi=0x69f90afcc96f7600: ikev2_ikesa_recv_delete: received delete
spi=0x69f90afcc96f7600: sa_state: ESTABLISHED -> CLOSED from 166.X.X.161:54501 
to 23.X.X.129:4500 policy 'vpn'



# --- server: tcpdump -i em1 -n host ipinfo.io and port 80 ---

tcpdump: listening on em1, link-type EN10MB
03:37:34.210823 10.1.114.47.59349 > 216.239.36.21.80: SWE 
3159801057:3159801057(0) win 65535  (DF)
03:37:35.228721 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:36.242039 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:37.254607 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:38.267900 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:39.330256 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:41.345983 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:45.424183 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:37:53.510541 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)
03:38:10.364579 10.1.114.47.59349 > 216.239.36.21.80: S 
3159801057:3159801057(0) win 65535  (DF)



# --- server: tcpdump -i enc0 -n host ipinfo.io and port 80 ---

tcpdump: listening on enc0, link-type ENC
[ no output ]



# --- server: iked.conf ---

# TODO: Change from psk authentication to user-based later.

ikev2 "vpn" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local egress peer any \
srcid vpn..com \
psk "password" \
config address 10.1.0.0/16 \
config netmask 255.255.0.0 \
config name-server 10.0.0.1 \
tag "IKED"



# --- server: pf.conf ---

doas cat pf.conf.vpn 
int_if = "em0"

ext_if = "em1"
ext_net = "23.X.X.128/29"

gateway_ip_ext = "{ 23.X.X.129 }"
gateway_ip_int = "{ 10.0.0.1 }"

set skip on {lo, enc0}

block return        # block stateless traffic
pass                # establish keep-state

pass out on $ext_if from $int_if:network to any nat-to ($ext_if:0)



# --- server: sysctl net.inet.{ipcomp.enable,esp.enable,esp.udpencap} ---

net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.esp.udpencap=1
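Reading the two captures against the pf.conf: on em1 the SYNs leave with the VPN pool address 10.1.114.47 as their source and are retransmitted with no answer, while the only nat-to rule applies to `$int_if:network` (10.0.0.0/16), which the 10.1.0.0/16 pool handed out by iked is not part of. A packet that leaves the egress interface with an RFC 1918 source cannot be answered from the Internet, which is exactly the one-direction symptom. The script below is an added example (not from the post) that runs that check over OpenBSD tcpdump lines: it groups packets into flows, flags any flow whose source on the egress interface is an RFC 1918 address, and flags flows that retransmit SYNs without ever seeing a packet back. The sample input is the em1 capture from the post joined back onto one line per packet, plus one constructed flow from 203.0.113.10 (a placeholder standing in for the gateway's redacted public address) that does get a SYN-ACK, for contrast.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the em1 capture quoted in the post (one line per packet)
# plus one constructed, answered flow from a placeholder public address.
CAPTURE_EM1 = """\
tcpdump: listening on em1, link-type EN10MB
03:37:34.210823 10.1.114.47.59349 > 216.239.36.21.80: SWE 3159801057:3159801057(0) win 65535  (DF)
03:37:35.228721 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535  (DF)
03:37:36.242039 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535  (DF)
03:37:37.254607 10.1.114.47.59349 > 216.239.36.21.80: S 3159801057:3159801057(0) win 65535  (DF)
03:37:40.000000 203.0.113.10.40001 > 216.239.36.21.80: S 1000:1000(0) win 65535  (DF)
03:37:40.010000 216.239.36.21.80 > 203.0.113.10.40001: S 5000:5000(0) ack 1001 win 65535
"""

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# OpenBSD tcpdump TCP line: "HH:MM:SS.frac src.port > dst.port: FLAGS rest"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<rest>.*)$")


def parse_packet(line):
    """Parse one tcpdump TCP line; return None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "syn": "S" in m["flags"],
        "ack": "ack" in m["rest"].split(),   # SYN-ACK shows as "S ... ack N"
    }


def is_rfc1918(addr):
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def analyze_egress_capture(text, min_syns=3):
    """Return (finding, flow) pairs for a capture taken on the egress interface:
    'unnatted-source' for flows leaving with a private source address and
    'no-reply' for flows that sent min_syns or more SYNs and saw nothing back."""
    flows = {}   # (src, sport, dst, dport) -> {"syns": n, "replies": n}
    for line in text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if rev in flows:                  # packet coming back for a known flow
            flows[rev]["replies"] += 1
            continue
        entry = flows.setdefault(fwd, {"syns": 0, "replies": 0})
        if pkt["syn"] and not pkt["ack"]:
            entry["syns"] += 1
    findings = []
    for (src, sport, dst, dport), entry in flows.items():
        flow = f"{src}.{sport} > {dst}.{dport}"
        if is_rfc1918(src):
            findings.append(("unnatted-source", flow))
        if entry["syns"] >= min_syns and entry["replies"] == 0:
            findings.append(("no-reply", flow))
    return findings


if __name__ == "__main__":
    for kind, flow in analyze_egress_capture(CAPTURE_EM1):
        print(f"{kind:16} {flow}")
```

On the post's capture the script reports the 10.1.114.47 flow twice, once for its private source and once for the unanswered SYNs, and nothing for the placeholder flow. The fix this points at is on the pf side: the nat-to rule must also match the address pool, for example by adding 10.1.0.0/16 to its source, so that traffic decrypted from the tunnel leaves em1 with the gateway's public address; the IKE exchange itself is already completing, as the iked log shows.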







Re: Programmed wakeup from suspend/hibernate

2020-12-24 Thread Ian Darwin
On Thu, Dec 24, 2020 at 11:51:26AM +0100, Gabriel Hondet wrote:
> Hi,
> 
> How can I program my computer to automatically wake from suspend to ram
> or suspend to disk at a certain time?
> 
> My goal is to suspend a server every day from, say, 11 pm to 7am.

For suspending at night, see the cron man page.

For waking up in the morning, of course, the OS isn't running so there is
nothing it can do. Some but not all PC BIOSes have a scheduling feature.
Otherwise a $10 mechanical timer to cut the power (well after the suspend
is finished!) and turn it back on in the morning.



i386 "panic: pci_make_tag: bad request" after acpi sleep states

2020-12-28 Thread Ian Darwin
A03" at acpi0 not configured
acpicmos0 at acpi0
acpicpu0 at acpi0: !C3(@800 io@0x4015), !C2(@80 io@0x4014), C1(@1 halt!), PSS
acpitz0 at acpi0: critical temperature is 105 degC
acpivideo0 at acpi0: VGA_
acpivout0 at acpivideo0: LCD_
bios0: ROM list: 0xc/0xc200 0xcc800/0x2000
cpu0: Enhanced SpeedStep 1001 MHz: speeds: 1000, 400 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 vendor "VIA", unknown product 0x0409 rev 0x03
pchb1 at pci0 dev 0 function 1 vendor "VIA", unknown product 0x1409 rev 0x00
pchb2 at pci0 dev 0 function 2 vendor "VIA", unknown product 0x2409 rev 0x00
pchb3 at pci0 dev 0 function 3 vendor "VIA", unknown product 0x3409 rev 0x00
pchb4 at pci0 dev 0 function 4 vendor "VIA", unknown product 0x4409 rev 0x00
vendor "VIA", unknown product 0x5409 (class system subclass interrupt, rev 
0x00) at pci0 dev 0 function 5 not configured
pchb5 at pci0 dev 0 function 6 vendor "VIA", unknown product 0x6409 rev 0x00
pchb6 at pci0 dev 0 function 7 vendor "VIA", unknown product 0x7409 rev 0x00
vga1 at pci0 dev 1 function 0 vendor "VIA", unknown product 0x5122 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pciide0 at pci0 dev 15 function 0 "VIA VX855 IDE" rev 0x00: ATA133, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <2GB ATA Flash Disk>
wd0: 1-sector PIO, LBA, 1953MB, 4000752 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0xa0: apic 1 int 20
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0xa0: apic 1 int 22
uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0xa0: apic 1 int 21
ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB" rev 0x90: apic 1 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "VIA EHCI root hub" rev 2.00/1.00 
addr 1
viapm0 at pci0 dev 17 function 0 "VIA VX855 ISA" rev 0x00: SMI
iic0 at viapm0
admtemp0 at iic0 addr 0x4c: g781
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL5 SO-DIMM
pchb7 at pci0 dev 17 function 7 "VIA VX800 Host" rev 0x00
ppb0 at pci0 dev 19 function 0 "VIA VX800" rev 0x00
pci1 at ppb0 bus 1
vge0 at pci1 dev 3 function 0 "VIA VT612x" rev 0x11: apic 1 int 16, address 
00:80:64:87:93:ad
ciphy0 at vge0 phy 1: CS8201 10/100/1000TX PHY, rev. 2
azalia0 at pci0 dev 20 function 0 "VIA HD Audio" rev 0x20: apic 1 int 17
azalia0: codecs: VIA VT1702
audio0 at azalia0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "VIA UHCI root hub" rev 1.00/1.00 
addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 configuration 1 interface 0 "VIA UHCI root hub" rev 1.00/1.00 
addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 configuration 1 interface 0 "VIA UHCI root hub" rev 1.00/1.00 
addr 1
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (71279e1f58da9a16.a) swap on wd0b dump on wd0b

ssh 192.168.42.245 doas fdisk wd0
Disk: wd0   geometry: 992/64/63 [4000752 Sectors]
Offset: 0   Signature: 0xAA55
Starting Ending LBA Info:
 #: id  C   H   S -  C   H   S [   start:size ]
---
 0: 00  0   0   0 -  0   0   0 [   0:   0 ] unused  
 1: 00  0   0   0 -  0   0   0 [   0:   0 ] unused  
 2: 00  0   0   0 -  0   0   0 [   0:   0 ] unused  
*3: A6  0   1   2 -991  63  63 [  64: 3999680 ] OpenBSD 

ssh wyse doas disklabel wd0
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: 2GB ATA Flash Di
duid: 71279e1f58da9a16
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 64
sectors/cylinder: 4032
cylinders: 992
total sectors: 4000752
boundstart: 64
boundend: 3999744
drivedata: 0 

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          3869376               64  4.2BSD   2048 16384 12960 # /
  b:           130304          3869440    swap                    # none
  c:          4000752                0  unused



ian-wyse-acpi.tgz
Description: application/tar-gz


Re: i386 "panic: pci_make_tag: bad request" after acpi sleep states

2020-12-29 Thread Ian Darwin
On Tue, Dec 29, 2020 at 09:42:59AM -0500, Bryan Steele wrote:
> On Mon, Dec 28, 2020 at 01:20:29PM -0500, Ian Darwin wrote:
> > Kernel is OpenBSD 6.8-current (GENERIC) #561: Sun Dec 27 18:29:43 MST 2020
> > 
> > Machine is a Wyse C90 - orignially sold as a "thin client" - tiny machine, 
> > no serial port (ps and trace typed in).
> > HW Info at https://www.parkytowers.me.uk/thin/wyse/cx0/
> > Was planning to use it as a wifi bridge, so tiny is fine.
> > 
> > "Latest" BIOS (2012 edition). "BIOS reset" did not help.
> > cpu info: VIA Eden Processor 1000MHz ("CentaurHauls" 686-class) 1.01 GHz, 
> > 06-0d-00
> > RAM: 1GB (despite reported as 3/4 of that)
> 
> Long shot, but could you maybe show the output of "machine memory" for
> both boot/pxeboot? I'm curious if the memory map is reportedly
> differently between a working boot and a bad one.


Good suggestion, and indeed, it differs a little:

Using pxeboot:

CLIENT MAC ADDR: 00 80 64 xx xx xx GUID: C2020018-0403-0920-EE9A-0080648793AD
CLIENT IP: 192.168.42.245 MASK: 255.255.255.0 DHCP IP: 192.168.42.254
GATEWAY IP: 192.168.42.254
probing: pc0 pci pxe![2.1] mem[546K 765M a20-on]
disk: hd0+
net: mac 00:80:64:xx:xx:xx, ip 192.168.42.245, server 192.168.42.254
>> OpenBSD, i386 PXEBOOT 3.43 boot> machine mem
Region 0: type 1 at 0x0 for 546KB
Region 1: type 2 at 0x88800 for 94KB
Region 2: type 2 at 0xe for 128KB
Region 3: type 1 at 0x10 for 784192KB
Region 4: type 3 at 0x2fed for 28KB
Region 5: type 4 at 0x2fed7000 for 4KB
Region 6: type 2 at 0x2fed8000 for 160KB
Region 7: type 2 at 0x2ff0 for 1024KB
Region 8: type 2 at 0x3000 for 262144KB
Region 9: type 2 at 0xe000 for 262144KB
Region 10: type 2 at 0xfec0 for 64KB
Region 11: type 2 at 0xfee0 for 4KB
Region 12: type 2 at 0xfff0 for 1024KB
Low ram: 546KB High ram: 784192KB Total free memory: 784738KB
boot>
 
Using /boot:

>> OpenBSD/i386 BOOT 3.44
boot> machine mem
Region 0: Type 1 at 0x0x for 631KB
Region 1: Type 2 at 0x9dc99 for 9KB
Region 2: type 2 at 0xe for 128kb
(remainder the same)

Could Region 1 being so microscopic cause problems? If it got used for anything?

Thx for looking.

> > Full dmesg below; full ACPI attached.
> > 
> > Boot used   Kernel  FromResult
> > pxeboot bsd.rd  tftpOK
> > pxeboot bsd hd0aOK (via 
> > tftpboot/etc/conf)
> > bootbsd hd0apanic
> > 
> > I.e., Boots fine with pxeboot "set device hd0a", but booting exact same 
> > kernel off same disk via /boot causes panic.
> > 
> > It's an older machine so it's likely a buggy acpi, not worth massive 
> > investment of time, just wonder if there's an easy workaround.
> > Presume it's getting something different in some AML, based on where boot 
> > code loaded from,
> > or else pxeboot vs boot setting environment slightly differently?
> > 
> > On screen after panic:
> > 
> > bios0: WYSE C CLASS
> > acpi0 at bios0: ACPI 3.0
> > acpi0: sleep states S0 S1 S3 s4 S5panic: pci_make_tag: bad request
> > Stopped at db_enter+0x4: popl %eb
> > 
> > trace:
> > 
> > db_enter(d0e5e189,d10f6704,2,0,0) at db_enter+0x4
> > panic(d0c3d47d,1,d10f6750,d0854f11,0) at panic+0xd3
> > pci_make_tag(0,0,11,0) at pci_make_tag+0x95
> > acpi_gasio(d2b1b400,0,2,6e,11,1,1,d10f67d8) at acpi_gasio+0x1f1
> > aml_opreg_pcicfg_handler(0,0,6e,11,1,d10f67d8) at 
> > aml_opreg_pcicfg_handler+0x21
> > aml_rwgen(d2b338c4,373,1,d2b3f304,0,1) at aml_rwgen+0x571
> > aml_rwfield(d2b2bc04,0,1,d2b3f304,0) at aml_rwfield+0x37a
> > aml_eval(d2b40704,d2b2bc04,74,d10f692c,0) at aml_eval+0x17a
> > aml_parse(d2b40704,74,d2b2f804) at aml_parse+0x2b15
> > aml_parse(d2b40704,69,38) at aml_parse+0x351
> > aml_parse(d2b40704,54,9,d2b36518,d2b40704) at aml_parse+0x351
> > aml_eval(0,d2b36544,74,0,0) at aml_eval+0x277
> > aml_evalnode(d10f6b10,d2b36504,0,0,d10f6ac0) at aml_evalnode+0xae
> > aml_evalinteger(d1b1b400,d2b36a84,d0c17e38,0,0,d10f6b30) at 
> > aml_evalinteger+0xae
> > acpi_foundprw(d2b36d04,d2b1b400) at acpi_foundprw+0x2f
> > aml_find_node(d2b36a84,d0b9299b,d0859b90,d2b1b400) at aml_find node+0x?2
> > aml_find_node(d2b336c4,d0b9299b,d0859b90,d2b1b400) at aml_find node+0x9b 
> > aml_find_node(d2b296c4,d0b9299b,d0859b90,d2b1b400) at aml_find node+0x9b 
> > aml_find_node(d2b31484,d0b9299b,d0859b90,d2b1b400) at aml_find node+0x9b 
> > aml_find_node(d0eba1a8,d0b9299b,d0859b90,d2b1b400) at aml_find_node+0x9b
> > acpi_init_gpes (d2b1b400) at acpi_init_gpes+0x195 
> >

Re: adding user to a group

2021-01-08 Thread Ian Darwin
On Fri, Jan 08, 2021 at 05:20:36PM +0100, Rudolf Sykora wrote:
> 
> Todd C. Miller  writes:
> 
> > You need to login in again.  Logging in via ssh, a virtual console,
> > X11 or running su will set the groups list.  Setting groups is a
> > privileged operation so simply starting a new shell or opening a
> > new xterm is not sufficient.
> 
> Thanks, su helped.
> (Although I do not understand the reasoning behind the need to log
> out/in, i.e., why isn't the group membership just updated after the
> usermod command...)

Todd's message contains the explanation. If you did not understand it,
please do some homework, like, read up on and understand how processes work on 
Unix.



IKEv2 on Windows 10

2021-01-13 Thread Ian Timothy
Hi,

I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK with 
macOS without issue. Changing to EAP MSCHAP for use with Windows results in the 
following error:

"The network connection between your computer and the VPN server could not be 
established because the remote server is not responding. The could be because 
one of the network devices (e.g. firewalls, NAT, routers, etc.) between your 
computer and the remote server is not configured to allow VPN connections."

I’ve worked through many examples online, but I’m not sure what's the next step 
to troubleshoot this?

Thanks!



# uname -rsv
OpenBSD 6.8 GENERIC.MP#2


#
# iked.conf
#

ikev2 "vpn-psk" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local egress peer any \
srcid vpn.company.com \
eap "mschap-v2" \
config address 10.0.2.0/24 \
config netmask 255.255.0.0 \
config name-server 10.0.0.1 \
tag "$name-$id" 

# Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for macOS.


#
# Generate certificates
#

pkg_add zip

ikectl ca vpn create
ikectl ca vpn install

# CN should be same as srcid in iked.conf
ikectl ca vpn certificate vpn.company.com create
ikectl ca vpn certificate vpn.company.com install

# CN should be same as client ip address
ikectl ca vpn certificate 10.0.2.100 create
ikectl ca vpn certificate 10.0.2.100 export


#
# Windows config
#

- VPN device
  - General tab
    - Server: vpn.company.com
  - Security tab
    - VPN type: IKEv2
    - Authentication: Use machine certificates

- Certs install
  - ca.crt --> Certificates (Local Computer)/Trusted Root Certification Authorities/Certificates
  - 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates


#
# iked log
#

doas iked -dvv
create_ike: using signature for peer 
ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 
23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group 
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 
ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group 
curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 
childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc 
aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn srcid 
vpn.ipaperbox.com lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config address 
10.0.2.0 config netmask 255.255.0.0 config name-server 10.0.0.1
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user windows
user "windows" "password"
config_getpolicy: received policy
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpfkey: received pfkey fd 3
ca_getkey: received private key type RSA_KEY length 1192
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=US/ST=State/L=City/O=Company Name/OU=Information 
Systems/CN=vpn.company.com/emailAddress=t...@company.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 10.0.0.1.crt
ca_validate_cert: /C=US/ST=State/L=City/O=Company Name/OU=Information 
Systems/CN=vpn.company.com/emailAddress=t...@company.com subject issuer mismatch
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

policy_lookup: setting policy 'vpn-eap'
spi=0x804dbcb818c0c11e: recv IKE_SA_INIT req 0 peer 166.BBB.BBB.161:56819 local 
23.AAA.AAA.129:500, 624 bytes, policy 'vpn-eap'
ikev2_recv: ispi 0x804dbcb818c0c11e rspi 0x
ikev2_policy2id: srcid FQDN/vpn.ipaperbox.com length 21
ikev2_pld_parse: header ispi 0x804dbcb818c0c11e rspi 0x 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 624 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MO

Re: IKEv2 on Windows 10

2021-01-13 Thread Ian Timothy
> On 13 Jan 2021, at 06:04, Cand Tec  wrote:
> 
> This is my first time responding to a post so forgive me if I violate any 
> protocols here. I currently use OBSD 6.8 amd64 as a FW for 3 office clients, 
> all running on high-end repurposed desktops. Due to covid I've had to quickly 
> setup ikev for a very small number of home users, none of which are 
> roadwarriors and all use Win10. Yes, I know I should be using ikev2, so don't 
> chew me out, at the time it was just quicker. 
> Using the UI in Win10 is not the way to go. Apparently the Win10 default 
> parameters via UI do not provide the required ciphers.
> I used powershell to modify the parameters first then use the vpn connection 
> properties to finalize the settings. It worked 100% of the time without 
> fail. When I duplicated using only the Win10 UI it failed in every 
> instance.
> 
> Here are the powershell cmds I used to modify my default vpn settings which 
> have worked every time -
> PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com 
> -TunnelType "L2tp"
> PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME" 
> -AuthenticationTransformConstants None -CipherTransformConstants AES256 
> -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup 
> Group14 -PassThru -Force

Indeed that does not work for IKEv2:
ikev1_recv: header ispi 0x94edd5a8931477d9 rspi 0x nextpayload 
1 version 0x10 exchange 2 flags 0x00 msgid 0 length 256
ikev1_recv: IKEv1 not supported


Looking at some of the other information provided, I tried this along with the 
registry edit below:

PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" -TunnelType 
IKEv2 -AuthenticationMethod MachineCertificate -AllUserConnection -Force
PS> Set-VpnConnectionIPsecConfiguration -ConnectionName "IPB2" 
-AuthenticationTransformConstants None -CipherTransformConstants AES256 
-EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 
-PfsGroup None -PassThru -AllUserConnection

But that doesn’t seem to help anything.


> Here's some info I found helpful -
> 
> L2TP issues with Win 10 – phase1 does not form due to insecure default 
> parameters
> REGISTRY SOLUTION:  
> https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html
>  
> Create a registry key that enforces modern cipher and transform sets.
> 
> STEP 1:  Edit Registry or create GPO:
> 
> HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
> STEP 2: Create new DWORD value:
> NegotiateDH2048_AES256
> STEP 3:  Modify DWORD value: 2
> 
> 
> 
> One caveat, whenever a major Win10 update is installed it tends to reset the 
> Win10 vpn parameters you modified. It's not consistent, but I've had to reset 
> it a few times. Other than that it has been flawless so far...if you can call 
> it that.
> 
> Hopefully this helps.
> 



Re: IKEv2 on Windows 10

2021-01-16 Thread Ian Timothy



> On 14 Jan 2021, at 01:28, Stuart Henderson  wrote:
> 
> On 2021-01-13, Ian Timothy  wrote:
>> Looking at some of the other information provided, I tried this along with 
>> the registry edit below:
>> 
>> PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" 
>> -TunnelType IKEv2 -AuthenticationMethod MachineCertificate 
>> -AllUserConnection -Force
> 
> "-AuthenticationMethod MachineCertificate" - I thought you were using
> MSCHAP not machine certs?

I’m just trying anything and everything at this point. I’ll do whatever works.


> FWIW I'm adding the connection manually and then doing this:
> 
> Set-VpnConnection -ConnectionName "vpn" -EncryptionLevel Maximum 
> -SplitTunneling $false -passthru
> 
> Set-VpnConnectionIPsecConfiguration -ConnectionName "vpn" 
> -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants 
> GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup 
> ECP256 -PfsGroup ECP256 -passthru 
> 
> iked.conf (using the same config for Windows/Android/iOS clients, and
> for ease of client setup allowing the default Windows crypto as well as
> better ones):
> 
> ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0 \
>  local xxx \
>  peer any \
>  ikesa enc aes-128 enc aes-256  prf hmac-sha2-256 prf hmac-sha1  auth 
> hmac-sha2-256  group curve25519 group ecp521 group ecp256 group modp2048 
> group modp1024 \
>  childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group 
> ecp256 group modp2048 \
>  childsa enc aes-128 enc aes-256  auth hmac-sha2-256 auth hmac-sha1 \
>  childsa enc aes-128-gcm enc aes-256-gcm \
>  srcid "xxx" \
>  eap "mschap-v2" \
>  config address xxx/25 \
>  config name-server xxx \
>  tag "$name-$id"
> 
> (plus the user config).

I’m getting the following error on Windows upon connecting:

“IKE failed to find valid machine certificate.”

I’ve done a fresh install of Windows 10 Pro using a new download of the ISO, 
but still get the above error.



#
# Generate certificates
#

ikectl ca vpn delete

# CN is “VPN"
ikectl ca vpn create
ikectl ca vpn install

# CN is “vpn.company.com”, same as srcid in iked.conf
ikectl ca vpn certificate 10.0.0.1 create
ikectl ca vpn certificate 10.0.0.1 install

# CN is 10.0.2.100, same as IP in following line
ikectl ca vpn certificate 10.0.2.100 create
ikectl ca vpn certificate 10.0.2.100 export



#
# Show certificates
#

$ ikectl show ca vpn certificates
subject= /C=US/ST=State/L=City/O=Company/OU=Information 
Systems/CN=VPN/emailAddress=t...@company.com
SHA256 
Fingerprint=83:BE:37:FD:A9:B1:53:11:F6:7D:90:25:20:42:21:46:13:52:E1:C3:14:9B:F9:E1:74:C8:89:6A:3E:55:0F:FC
notBefore=Jan 16 19:51:53 2021 GMT
notAfter=May 13 19:51:53 2033 GMT

subject= /C=US/ST=State/L=City/O=Company/OU=Information 
Systems/CN=vpn.company.com/emailAddress=t...@company.com
SHA256 
Fingerprint=9F:93:75:73:6A:F2:BE:59:4A:14:BD:C6:F3:1C:C0:DC:20:26:0D:B7:AE:1C:07:BC:FE:6A:04:C2:20:07:BC:6D
notBefore=Jan 16 19:52:15 2021 GMT
notAfter=Jan 16 19:52:15 2022 GMT

subject= /C=US/ST=State/L=City/O=Company/OU=Information 
Systems/CN=10.0.2.100/emailAddress=t...@company.com
SHA256 
Fingerprint=BF:E5:C4:64:55:4D:4E:E7:BC:7F:D9:6E:90:C2:06:BD:66:9A:40:04:EB:C3:BE:A3:2A:DA:91:1A:E7:3D:42:A4
notBefore=Jan 16 19:52:41 2021 GMT
notAfter=Jan 16 19:52:41 2022 GMT



#
# Install certificates on Windows
#

1. scp 10.0.2.100.zip from vpn.company.com to Windows client
2. Unzip
3. Double click ca.pfx
   1. Select “Local Machine”
   2. Select “Place certificates in following store”
      1. Select “Trusted Root Certificate Authorities”
4. Double click 10.0.2.100.pfx, repeat above except use “Personal” store


Windows VPN device settings at the moment:
  Name: “VPN”
  General tab
    Server: vpn.company.com
  Security tab
    VPN type: IKEv2
    Authentication: Use machine certificates

PowerShell:

PS> Set-VpnConnection -ConnectionName "VPN" -EncryptionLevel Maximum 
-SplitTunneling $false -passthru
PS> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN" 
-AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 
-EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -DHGroup ECP256 -PfsGroup 
ECP256 -passthru



#
# iked.conf at the moment
#

ikev2 "vpn-eap" passive esp \
from 0.0.0.0/0 to 0.0.0.0 \
local egress peer any \
ikesa enc aes-128 enc aes-256  prf hmac-sha2-256 prf hmac-sha1  auth 
hmac-sha2-256  group curve25519 group ecp521 group ecp256 group modp2048 group 
modp1024 \
childsa enc aes-128-gcm enc aes-256-gcm group curve25519 group ecp521 group 
ecp256 group modp2048 \
childsa enc aes-128 enc aes-256  auth hmac-sha2-256 auth hmac-sha1 \
childsa enc aes-128-gcm enc a

Re: Installation overwritten... Accidental disklabel and newfs

2021-02-10 Thread Ian Darwin
> The device nodes don't exist until the install or upgrade program detects
> the disk and creates them.
> 
> Likewise for wd0 as although outdated for ahci disks.
> 
> Dmesg identifies the disk as:
> sd0 at scsibus0 targ0 lun0 ATA ST1000DM003...
> sd0 953869mb 
> 
> This is why I had to run the install program and accidentally went too far.
> 
> It would be helpful to be able to use disklabel and other tools such as
> newfs, growfs without running through the installer.


When booted into the installer, just do CTRL/C to kill the install script
Then do: 
cd /dev; sh MAKEDEV sd0 wd0 sd1 # or whatever devices you need
Problem solved: you can now do "disklabel and other tools" without
risk of destroying your filesystems. At least, not having the installer
do it. With these tools most people are quite capable of destroying filesystems.



Re: vmm/vmd disk issue

2021-03-09 Thread Ian Darwin
On Tue, Mar 09, 2021 at 09:52:03AM +0100, Jan Johansson wrote:
> If I try to cp or dd the disk image on the host it fails
> 
> dd if=disk.raw.old of=disk.raw.bak bs=1m
> dd: disk.raw.old: Input/output error
> 8858+0 records in
> 8858+0 records out
> 9288286208 bytes transferred in 102.048 secs (91018010 bytes/sec)
> 
> The host show no other signs of failing hardware.
> 
> Is this a software or a hardware error?

Given that it gives an error outside the VM, it's likely hardware.
 
> Is there some way to recover the guest disk image without a
> complete reinstall?

Depending on where the error is, you might get away with
dd'ing with conv=noerror,sync, changing vm.conf to point
to the new copy, and run fsck in the vm.

And buy a new hard disk or SSD. Probably cheaper than your time
to further diagnose it?



Re: 6.9 Current amd64 xfce seems to freeze and not respond to mouse clicks or keystrokes

2021-04-10 Thread Ian Darwin
On Sat, Apr 10, 2021 at 10:22:17PM +0100, Tom Smyth wrote:
> Hello,
> 
> 1) issue does not occur with fvwm or with chrome running in fvwm
> 
> so the issue seems to be confined to xfce, and I was running  just 1
> xfce terminal session
> 2) (so the issue is not related to chromium)
> 
> > > I'm running OpenBSD on an Oracle Virtualbox VM

I run xfce all the time on -current on amd64 on real hardware and do 
not have any such issue.



Re: chroot x11 via Xephyr

2021-05-03 Thread Ian Darwin
On Mon, May 03, 2021 at 08:51:51PM +, Karsten Pedersen wrote:
> It is worth noting that you can move (not copy) UNIX sockets (again,
> so long as they are on the same filesystem).
> 
> So, once Xephyr has started up, you can move the socket from
> "/tmp/.X11-unix/X1" into "$CHROOT/tmp/.X11-unix/X1" and then your
> chroot application can access it.

Assuming root permissions, the above will "succeed" even if $CHROOT
is not on the same filesystem as /tmp. Then fail to connect at runtime.

Using ln (not ln -s) instead of mv will fail faster if the same-filesystem
requirement is not met. 



PF Rules for Dual Upstream Gateways

2023-11-22 Thread Ian Timothy
Hello,

I have two ISPs where one connection is primary and the other is low-bandwidth 
for temporary failover only. ifstated handles the failover by simply changing 
the default gateway. But under normal conditions I want to be able to connect 
via either connection at any time without changing the default gateway.

A long time ago under the old pf syntax I had this in /etc/pf.conf which worked 
fine, and as far as I can remember was the only thing needed to enable this 
desired behavior:

pass in on $wan1_if reply-to ( $wan1_if $wan1_gw )
pass in on $wan2_if reply-to ( $wan2_if $wan2_gw )

But I’ve not been able to find the right way to do this under the new pf 
syntax. From what I’ve been able to find this supposedly does the same 
thing, but no success so far:

pass in on $wan1_if reply-to ($wan1_if:peer)
pass in on $wan2_if reply-to ($wan2_if:peer)

What am I missing? Or is there a better way to do this?



Re: ssh IPV6 link local through jumphost

2024-02-23 Thread Ian Timothy


> On Feb 23, 2024, at 10:33, Tom  wrote:
> 
> command `ssh user@fe80::262:bff::@em0` works just fine.
> 
> `ssh -J  user9001@jumpserver user@fe80::262:bff::%em0`

Don’t know if this is the problem, but I notice your two addresses are 
different. Notice @em0 vs %em0. 



dhcpd code options

2022-12-28 Thread Ian Timothy
In /etc/dhcpd.conf the line:

option option-066 “…”;

gives error:

fatal in dhcpd: Configuration file errors encountered
 
dhcp-options(5) states:

Options ... may be defined by the name option-nnn where nnn is the
decimal number of the option code. ... For example:

option option-133 "my-option-133-text";
option option-129 1:54:c9:2b:47;

I’ve also tried `option-66`, `66`, putting it in different sections of the 
.conf file.

Am I missing something?

Thanks,
Ian



Patch for more fins(4) chips

2009-02-05 Thread Ian Lindsay
Tested on an F71882 (at 0x2e; GENERIC only configs it at 4e).

The voltage dividers register is full of lies, so the part of this
patch that reads it can be ripped out (along with the temperature
diode offset bits, I guess).  These chips also have a watchdog
timer.  I can set it and watch it counting down, but reboot does
not happen, so it's evidently not wired on my board.


hw.sensors.kate0.temp0=6.50 degC
hw.sensors.kate0.temp1=-2.75 degC
hw.sensors.kate0.temp2=12.50 degC
hw.sensors.kate0.temp3=5.75 degC
hw.sensors.fins0.temp0=35.00 degC
hw.sensors.fins0.temp1=38.00 degC
hw.sensors.fins0.fan0=1718 RPM
hw.sensors.fins0.volt0=3.33 VDC (+3.3V)
hw.sensors.fins0.volt1=1.12 VDC (Vcore)
hw.sensors.fins0.volt2=1.78 VDC (Vram)
hw.sensors.fins0.volt3=1.08 VDC (Vchips)
hw.sensors.fins0.volt4=4.92 VDC (+5V)
hw.sensors.fins0.volt5=12.14 VDC (+12V)
hw.sensors.fins0.volt6=1.62 VDC (+1.5V)
hw.sensors.fins0.volt7=3.28 VDC (Vsb)
hw.sensors.fins0.volt8=3.14 VDC (Vbat)


OpenBSD 4.4-current (GENERIC.MP) #51: Thu Feb  5 15:48:59 EST 2009
but...@athrun.formicary.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ ("AuthenticAMD" 686-class, 
512KB L2 cache) 2.22 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16
real mem  = 3488968704 (3327MB)
avail mem = 3384877056 (3228MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/26/08, BIOS32 rev. 0 @ 0xf0010, SMBIOS 
rev. 2.5 @ 0xfc2c0 (67 entries)
bios0: vendor American Megatrends Inc. version "080014" date 07/26/2008
bios0: FOXCONN RS690M2MA
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC MCFG OEMB HPET SSDT
acpi0: wakeup devices PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4) 
SBAZ(S4) PS2K(S4) PS2M(S1) P0PC(S4) WOL_(S4) AC97(S4) MC97(S4) USB1(S1) 
USB2(S1) USB3(S1) USB4(S1) USB5(S1) EUSB(S1) PWRB(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ ("AuthenticAMD" 686-class, 
512KB L2 cache) 2.21 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 21, 24 pins
acpihpet0 at acpi0: 14318180 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P1)
acpiprt2 at acpi0: bus 1 (PCE2)
acpiprt3 at acpi0: bus -1 (PCE3)
acpiprt4 at acpi0: bus -1 (PCE4)
acpiprt5 at acpi0: bus -1 (PCE5)
acpiprt6 at acpi0: bus -1 (PCE6)
acpiprt7 at acpi0: bus -1 (PCE7)
acpiprt8 at acpi0: bus 2 (P0PC)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xf000
cpu0: PowerNow! K8 2210 MHz: speeds: 2200 2000 1800 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "ATI RS690 Host" rev 0x00
ppb0 at pci0 dev 2 function 0 "ATI RS690M PCIE" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 vendor "ATI", unknown product 0x9490 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci1 dev 0 function 1 vendor "ATI", unknown product 0xaa38 rev 0x00: 
apic 2 int 19 (irq 10)
azalia0: codecs: ATI/0xaa01
audio0 at azalia0
ahci0 at pci0 dev 18 function 0 "ATI SB600 SATA" rev 0x00: apic 2 int 22 (irq 
11), AHCI 1.1
scsibus0 at ahci0: 32 targets, initiator 32
sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 152627MB, 512 bytes/sec, 312581808 sec total
ohci0 at pci0 dev 19 function 0 "ATI SB600 USB" rev 0x00: apic 2 int 16 (irq 
5), version 1.0, legacy support
ohci1 at pci0 dev 19 function 1 "ATI SB600 USB" rev 0x00: apic 2 int 17 (irq 
15), version 1.0, legacy support
ohci2 at pci0 dev 19 function 2 "ATI SB600 USB" rev 0x00: apic 2 int 18 (irq 
10), version 1.0, legacy support
ohci3 at pci0 dev 19 function 3 "ATI SB600 USB" rev 0x00: apic 2 int 17 (irq 
15), version 1.0, legacy support
ohci4 at pci0 dev 19 function 4 "ATI SB600 USB" rev 0x00: apic 2 int 18 (irq 
10), version 1.0, legacy support
ehci0 at pci0 dev 19 function 5 "ATI SB600 USB2" rev 0x00: apic 2 int 19 (irq 
10)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "ATI EHCI root hub" rev 2.00/1.00 addr 1
piixpm0 at pci0 dev 20 function 0 "ATI SBx00 SMBus" rev 0x14: SMI
iic0 at piixpm0
iic0: addr 0x2f 01=33 02=30 03=33 04=30 05=33 06=33 07=33 08=33 09=38 0a=38 
0b=ab 0c=98 11=70 12=40 5a=05 5b=10 5c=10 5d=19 5e=34 f0=20 f1=20 f2=02 fa=00 
ff=5e words 00= 01=33ff 02=30ff 03=33ff 04=30ff 05=33ff 06=33ff 07=33ff
spdmem0 at iic0 addr 0x50: 2GB DDR2 SDRAM non-parity PC2-6400CL5
spdmem1 at iic0 addr 0x51: 2GB DDR2 SDRAM non-parity PC2-6400CL5
spdmem2 at iic0 addr 0x52: 2GB DDR2 SDRAM non-parity PC2-6400CL5
spdmem3 at iic0 addr 0x53: 2GB DDR2 SDRAM non-parity PC2-6400CL5
pciide0 at pci0 dev 20 function 1 "ATI SB600 I

udp packets dropped due to full socket buffers

2009-02-19 Thread Boxsell Ian
Dear Misc,

I have an issue with growth of UDP syslog outstripping performance of my box.
Am running GENERIC#1368 amd64 as a VM on ESX. It is a task oriented box with
no X/GUI & I can allocate more mem if required.

# netstat -s -p udp
udp:
797597485 datagrams received
0 with incomplete header
0 with bad data length field
30832 with bad checksum
1003 with no checksum
797565479 input packets hardware-checksummed
0 output packets hardware-checksummed
3988 dropped due to no socket
61584 broadcast/multicast datagrams dropped due to no socket
0 dropped due to missing IPsec protection
26521322 dropped due to full socket buffers
770979759 delivered
984188 datagrams output
797115636 missed PCB cache
#

Had a read of http://www.openbsd.org/faq/faq6.html#Tuning. And tried
increasing net.inet.udp.recvspace=9216 -> 65536 which has had little or no
positive impact.
I suspect I am just increasing the size of UDP packet I can receive (which was
probably fine to start with) instead of the total size of the UDP buffer - or
do I need to increase the IP buffer. Can anyone clear this up for me?

Doc at http://www.29west.com/docs/THPM/udp-buffer-sizing.html not openbsd
specific and specifies FreeBSD, Darwin sysctl -w kern.ipc.maxsockbuf=8388608
which is not part of openbsd sysctl but looks to be along the lines of what I
need to do.

V lost in kernel land. Any advice/explanation most welcome. Thx in advance.

IB
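What a practitioner would want next to the counters above, as an added example that is not part of the post: a script that reads the netstat -s -p udp output and turns "dropped due to full socket buffers" into a rate. That counter is incremented when a datagram arrived for a socket whose receive buffer was already full, i.e. the reader (syslogd here) was not draining it fast enough; net.inet.udp.recvspace is the default size of that per-socket receive buffer, not a limit on datagram size, so raising it only absorbs bursts and cannot rescue a reader that is slower than the sender on average. The first snapshot is trimmed from the post; the second snapshot is constructed.

```shell
#!/bin/sh
# Added example, not from the post: parse netstat -s -p udp and watch the
# "dropped due to full socket buffers" counter as a rate instead of a total.

# udp_counter "label" < dump: print the number in front of LABEL, or nothing.
udp_counter() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ {
            n = $1; $1 = ""; sub(/^ /, "")
            if ($0 == want) { print n; exit }
        }'
}

# drop_percent < dump: share of all received datagrams lost to full buffers,
# two decimals (the arithmetic is done in awk since sh has no floating point).
drop_percent() {
    dump=$(cat)
    recv=$(printf '%s\n' "$dump" | udp_counter "datagrams received")
    full=$(printf '%s\n' "$dump" | udp_counter "dropped due to full socket buffers")
    awk -v r="${recv:-0}" -v f="${full:-0}" \
        'BEGIN { printf "%.2f\n", (r > 0 ? 100 * f / r : 0) }'
}

# drops_per_sec "dump1" "dump2" secs: drop rate between two snapshots.
drops_per_sec() {
    a=$(printf '%s\n' "$1" | udp_counter "dropped due to full socket buffers")
    b=$(printf '%s\n' "$2" | udp_counter "dropped due to full socket buffers")
    [ -n "$a" ] && [ -n "$b" ] || { echo "counter not found" >&2; return 1; }
    echo $(( (b - a) / $3 ))
}

# Snapshot 1 is trimmed from the netstat output in the post; snapshot 2 is
# constructed as if taken 60 s later with 300000 more datagrams received and
# 12000 more of them dropped.
snap1='udp:
        797597485 datagrams received
        30832 with bad checksum
        26521322 dropped due to full socket buffers
        770979759 delivered'
snap2='udp:
        797897485 datagrams received
        30832 with bad checksum
        26533322 dropped due to full socket buffers
        771267759 delivered'

printf '%s\n' "$snap1" | drop_percent        # 3.33 (% of everything received since boot)
drops_per_sec "$snap1" "$snap2" 60            # 200 drops/s during the interval

# Live version for a BSD host: two samples N seconds apart. Skipped elsewhere,
# since Linux netstat does not take -p udp the same way.
live_rate() {   # live_rate secs
    case $(uname -s) in *BSD) ;; *) return 0 ;; esac
    s1=$(netstat -s -p udp) || return 0
    sleep "$1"
    s2=$(netstat -s -p udp) || return 0
    echo "full-socket-buffer drops/s: $(drops_per_sec "$s1" "$s2" "$1")"
}
live_rate 5
```

The rate, not the lifetime percentage, is what tells you whether a bigger buffer helped: rerun live_rate after changing the sysctl and restarting the listener (an existing socket keeps the buffer size it was created with) and compare.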






Anybody got an Acer Aspire One AOD250 running OpenBSD? Does suspend/resume work?

2019-01-07 Thread Ian Darwin



I just inherited this AOD250 and put 6.4 up on it. Got it to the point 
where it mostly works, except suspend (zzz or lid close) doesn't resume 
- it reboots instead when you press a keyboard key.


I'm unable to tell if the problem is hardware (eg specific to this one 
unit) or software (old ACPI?). But there was at least one (years old) 
report of issues with resume (lockup not reboot) on this same type model 
(AOD250).


Battery is fine. CMOS battery appears OK, at least it holds the date 
setting without main battery. Swapping RAM DIMMs doesn't help.


Running last available BIOS. Dmesg below for 6.4 stable, patched, but 
-current behaves the same way. Tried a 6.2 kernel and it fails too. No 
diagnostic info in dmesg.


Any similar reports (working or not working, preferably on 6.{4,3,2}), 
but ONLY for AO D250, or suggestions to diagnose, would be appreciated.


Thanks for listening.

OpenBSD 6.4 (GENERIC.MP) #3: Thu Dec 20 18:20:58 CET 2018
r...@syspatch-64-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
RTC BIOS diagnostic error 80
real mem  = 1062182912 (1012MB)
avail mem = 1027678208 (980MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 12/18/10, SMBIOS rev. 2.4 @ 0xe8240 (31 entries)
bios0: vendor Acer version "V1.29" date 12/18/2010
bios0: Acer Aspire one
acpi0 at bios0: rev 2
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP SSDT HPET APIC MCFG ASF! SLIC BOOT
acpi0: wakeup devices UHC1(S3) UHC2(S3) UHC3(S3) UHC4(S3) ECHI(S3) 
EXP1(S4) EXP2(S4) EXP3(S4) EXP4(S4) AZAL(S0) MODM(S0)

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class) 
1.60 GHz, 06-1c-02
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,xTPR,PDCM,MOVBE,LAHF,PERF,SENSOR,MELTDOWN

mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 133MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.0.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class) 
1.60 GHz, 06-1c-02
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,xTPR,PDCM,MOVBE,LAHF,PERF,SENSOR,MELTDOWN

ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins, remapped
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (EXP1)
acpiprt2 at acpi0: bus 2 (EXP2)
acpiprt3 at acpi0: bus 3 (EXP3)
acpiprt4 at acpi0: bus 4 (EXP4)
acpiec0 at acpi0
acpicpu0 at acpi0: !C3(100@57 io@0x416), !C2(500@1 io@0x414), C1(1000@1 
halt), PSS
acpicpu1 at acpi0: !C3(100@57 io@0x416), !C2(500@1 io@0x414), C1(1000@1 
halt), PSS

acpipwrres0 at acpi0: FN00, resource for FAN_
acpitz0 at acpi0: critical temperature is 100 degC
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpibtn2 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model "13850828090658133" type Lion oem "PANASONIC "
acpiac0 at acpi0: AC unit online
acpicmos0 at acpi0
"SYN1B1C" at acpi0 not configured
"PNP0C14" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpivideo0 at acpi0: OVGA
acpivout0 at acpivideo0: LCD_
bios0: ROM list: 0xc/0xec00!
cpu0: Enhanced SpeedStep 1597 MHz: speeds: 1600, 1333, 1066, 800 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945GME Host" rev 0x03
inteldrm0 at pci0 dev 2 function 0 "Intel 82945GME Video" rev 0x03
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0x4000, size 0x1000
inteldrm0: apic 4 int 16
inteldrm0: 1024x600, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 82945GM Video" rev 0x03 at pci0 dev 2 function 1 not configured
azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x02: msi
azalia0: codecs: Realtek ALC272
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02: apic 4 int 16
pci1 at ppb0 bus 1
ath0 at pci1 dev 0 function 0 "Atheros AR5424" rev 0x01: apic 4 int 16
ath0: AR5424 14.2 phy 7.0 rf 10.2 eeprom 5.4, WOR5_ETSIC, address 
00:24:2c:xx:xx:xx

ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02: apic 4 int 17
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x02: apic 4 int 18
pci3 at ppb2 bus 3
alc0 at pci3 dev 0 function 0 "Attansic Technology L2C" rev 0xc0: msi, 
address 00:23:5a:xx:xx:xx

atphy0 at alc0 phy 0: F1 10/100/1000 PHY, rev. 11
ppb3 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x02: apic 4 int 19
pci4 at ppb3 bus 4
iwn0 at pci4 dev 0 function 0 "Intel WiFi Link 5100" rev 0x00: msi, MIMO 
1T2R, MoW, address 00:21:5d:xx:xx:xx

uh

Re: [PATCH] Remove "Multibooting" in FAQ

2019-04-06 Thread Ian Darwin

On 4/6/19 1:45 PM, tfrohw...@fastmail.com wrote:

> I run a dual-boot with Windows 10 on the same partition and the section that 
> you want removed was extremely helpful at the time. That is _with_ softraid 
> encryption of the OpenBSD partition.
> 
> Setting this up is not for the faint of heart and you have to have backups and 
> a restore strategy before tinkering with multi-booting.

Very true.

> Your removal request rests on the assumption that because you didn't manage to 
> configure dual-booting nobody can (or should). How about instead you reach out 
> to compare yours to other people's experience? Who knows, maybe a _useful_ 
> addition to the FAQ might come out of it that can help reduce the risk of 
> similar problems for others in the future?

Most operating systems are not "designed" for multi-booting; they assume 
that they have the whole system. Yet somehow almost all of them can be 
made to work in a multi-booted environment. So that section of the doc 
is not going away just because one person wasn't careful enough in 
following it and lost their windows partition. That said, if you can 
find out exactly what he did wrong and it's not in the doc, as 
tfrohwein said, send a patch to improve the document.




Re: user unable to log in xenodm / Xorg session | XIO fatal io error 35

2019-05-09 Thread Ian Sutton
On Thu, May 2, 2019 at 7:53 PM  wrote:
>
> SYMPTOM: Soon after a fresh OpenBSD install intended to use as a
> laptop / work engine, and consequently a few uses of a graphical
> session, suddenly the X session cannot start anymore : logging
> in with a correct user/passwd pair provokes a crash and restart of the
> X Display Manager, displaying the xdm login screen anew.
> But I can still log in xdm as root.
>
> Xorg.0.log https://pastebin.com/pZDf90TE
> xenodm.log https://pastebin.com/abjyLCyU
> dmesg.boot https://pastebin.com/T3UGucB1 (also attached)

Hi,

What is the contents of your ~/.xsession & ~/.xsession-errors files?

I had this same issue, and was able to solve it by removing .xsession
or replacing it with an empty file.

Ian



Re: Installer sucks ! (Re: OpenBSD on VMware ESXi)

2019-05-23 Thread Ian Darwin

On 5/23/19 7:51 AM, Roderick wrote:

> I wonder that no one noted these bugs before: are there no new people
> installing OpenBSD? Or is it a problem only with VMWare?

Yes, the fact that nobody else has run into your problem suggests that it 
might in fact be your problem. Or your provider may be doing something 
strange.


It's great that you are exploring this, and may yet find an actual 
issue, but if you just wanted hosting in a hurry and cheap, vultr.com 
offers an entry-level vhost with OpenBSD 6.5 (or half a dozen others 
including BSDs and Linuxes) already installed (or you can use any ISO to 
install from) for US$2.50/month, with console access. I'm hosting my 
secondary DNS there and have had zero issues so far, though I didn't do 
a full reinstall.




Re: dmesg: 6.5 i386 GENERIC on 'Thinkpad R40 (type 2722)'

2019-05-24 Thread Ian Sutton
On Sat, May 25, 2019 at 12:07:40AM +0200, zeurk...@volny.cz wrote:
> [not subscribed, please Cc, thanks.]
> 
> OpenBSD 6.5 (GENERIC) #1338: Sat Apr 13 15:07:04 MDT 2019
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

Hi,

Thank you for your dmesg, however, in the future would you mind sending
these to dm...@openbsd.org instead of the mailing lists? dmesg@ is a
special mailbox that will automatically add your dmesg to our archives
in a more helpful way.

Thanks,
ians



Re: Reboot and re-link (fwd) Maxim Bourmistrov: Re: Reboot and re-link (fwd) Maxim Bourmistrov: Re: Reboot and re-link (fwd) Maxim Bourmistrov: Re: Reboot and re-link

2019-06-20 Thread Ian Darwin

On 6/20/19 5:31 PM, Theo de Raadt wrote:

It just doesn't stop.


Maxim Bourmistrov  wrote:


I'd say this whole project is your milking cow. (Having a good time biking??)
You really don't move forward much. Except poor guy trying to fix net stack.
You move around vars, back and forward. But really - no progress.
Community thinks they push money to dev stuff; in reality they push Theo's bills
forward. Nice illusion.
I'm yet another one in this line. Disappointed, seen too much AND been rejected
by Theo. One in line.



This is why kill files were invented.



httpd: certificate files with prepended intermediates

2016-09-12 Thread Ian Sutton
httpd currently fails to serve over TLS if the certificate file
specified in httpd.conf contains an intermediate certificate ahead of
the site's certificate. httpd still starts with no error indication
(with rcctl) but `httpd -d` shows:

server_tls_init: failed to configure tls - failed to load private key

I think this may be due to a fingerprint mismatch between the
pub/private key on the server and the first cert found in the certfile
(the intermediate in my case).

No error is reported in error.log, and if this failure is indeed
intended functionality, perhaps we should log an error as I imagine a
lot of people will run into this.

I'm getting this problem on the server at https://ce.gl with the
compound certfile pasted below. I'm running the latest snapshot as of
this mail.



Re: httpd: certificate files with prepended intermediates

2016-09-13 Thread Ian Sutton
On Mon, Sep 12, 2016 at 11:40:08PM -0700, Philip Guenther wrote:
> Hmm.  What wording of the documentation suggested that multiple
> certificates should or *could* be place in that file?  The manpage

Oops, I had incorrectly assumed that's how intermediates were provided a
la nginx

> It doesn't say how it behaves if there are multiple certificates in
> the file, so why do you think the current behavior is wrong?  More
> precisely, since it *doesn't* say *which* cert in the file it would
> use when there are multiple, it may use any of them.  If the one it
> chose didn't match the key that you provided the yeah, it'll fail.
> So, as the old joke goes, "don't do that!"

Now knowing intermediate cert prepending isn't supported, I don't think
the current behavior is wrong.

> Having looked at the source, I *think* I know which it'll use as the
> server cert, and what it'll do with other certs in file, but
> a) I haven't tested it and
> b) more importantly, reyk@ hasn't documented a behavior and thereby
> decided it's supported, in some sense.

I'll try and see if I can implement it, I don't believe it's too
complicated. Maybe adding an 'intermediate-cert ' option in
httpd.conf

Ian



Re: httpd: certificate files with prepended intermediates

2016-09-13 Thread Ian Sutton
On Tue, Sep 13, 2016 at 12:05:53AM -0700, Philip Guenther wrote:
> See, here's where you're taking a wrong turn that I should have caught
> earlier: your first post should answer this question:
>  What problem are you trying to solve?
> 
> httpd may be able to do what you want *already*, but since you haven't
> actually *told anyone* what you're trying to do, no one can help you
> and say "oh yeah, that already works as documented in "

Since my certificate isn't provided by a root CA, any clients would have
to verify both my cert AND the certificates of the intermediate
authorities between me and the root CA. I can provide this certificate
stapled along with my own cert to save the client the trouble of
fetching it, which Qualys informs me is "good practice".

> Or maybe: "oh yeah, that can be done, but isn't documented because it
> seemed clunky.  Use this configuration, and I'm fixing the docs".
> 
> Or maybe: "oh yeah, that would be useful.  I was thinking it should be
> done like  but if you implement it send me the diff."

If this is the case, I would like to know so I could try and implement
it myself and atone for my apparent sins.

> I suspect it's the middle case..but I'm not reyk@ and don't normally
> work on httpd...
> 
> 
> ...and I don't know why you took this thread off-list.  This seems
> like a discussion that would be useful to others.

Forgot to cc the list ;)



Re: httpd: certificate files with prepended intermediates

2016-09-13 Thread Ian Sutton
On Tue, Sep 13, 2016 at 09:50:43AM +0200, Robert Klein wrote:
> Did you try to /append/ the intermediate certificate(s) to the server
> certificate?  That worked for me on OpenBSD 6.0's httpd.

Yes.

Uncanny timing on your mail -- I just got it to work. httpd(8) needs the
intermediate certificate to be at the *bottom* of the combined
certificate, the opposite of what I'm used to.

To clarify for future readers: if you want to provide an intermediate
certificate with OpenBSD httpd, your /etc/ssl/server.crt files should
look like this:

-BEGIN CERTIFICATE-

-END CERTIFICATE-
-BEGIN CERTIFICATE-

-END CERTIFICATE-


> An explanation might be the documentation to the
> SSL_CTX_use_certificate_chain_XXX functions used:
> 
>  The SSL_CTX_use_certificate_chain*() functions load a certificate
>  chain into ctx.  The certificates must be in PEM format and must
>  be sorted starting with the subject's certificate (actual client
>  or server certificate), followed by intermediate CA certificates
>  if applicable, and ending at the highest level (root) CA.  There
>  is no corresponding function working on a single SSL object.

I (myopically) missed this.

> Best regards
> Robert

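As an added example (not code from the thread or from httpd), here is a stdlib-only Python script that reads a PEM bundle, works out which certificate is the server's own, and rewrites the file in the order httpd(8) loads it. It parses only each certificate's issuer and subject; `fake_cert_pem` and the names `Intermediate CA`, `Root CA` and the `ce.gl` leaf are constructed test data, not real certificates.

```python
"""Put a PEM bundle in the order httpd(8) expects: the server certificate
first, then the intermediates, optionally ending with the root (the
SSL_CTX_use_certificate_chain*() convention quoted in the thread).  Added
example, not httpd's code: it reads just enough DER to get each
certificate's issuer and subject, then rebuilds the chain from the leaf."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def der_read(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed type into (tag, value) parts."""
    parts, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        parts.append((tag, val))
    return parts


def issuer_subject(der):
    """Return (issuer, subject) as raw DER Name contents of one certificate."""
    _, cert, _ = der_read(der, 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert, 0)  # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[2][1], fields[4][1]


def common_name(name):
    """Pull the CN out of a DER Name, for readable output."""
    for _, rdn in der_children(name):  # RelativeDistinguishedName ::= SET
        for _, atv in der_children(rdn):  # AttributeTypeAndValue ::= SEQUENCE
            (_, oid), (_, value) = der_children(atv)
            if oid == CN_OID:
                return value.decode()
    return "<no CN>"


def order_chain(pem_text):
    """Certificates of the bundle as DER: the leaf, then each one's issuer.

    The leaf is the one certificate that issued nothing else in the bundle.
    A bundle that is not exactly one chain raises ValueError, not a guess.
    """
    certs = [base64.b64decode(b) for b in PEM_RE.findall(pem_text)]
    info = [issuer_subject(c) for c in certs]
    leaves = [i for i, (_, subj) in enumerate(info)
              if not any(j != i and iss == subj for j, (iss, _) in enumerate(info))]
    if len(leaves) != 1:
        raise ValueError("bundle must contain exactly one end-entity certificate")
    ordered, cur = [], leaves[0]
    while cur is not None:
        ordered.append(cur)
        iss, subj = info[cur]
        if iss == subj:  # self-signed root: the chain ends here
            break
        cur = next((j for j, (_, s) in enumerate(info)
                    if j not in ordered and s == iss), None)
    if len(ordered) != len(certs):
        raise ValueError("bundle contains certificates outside the chain")
    return [certs[i] for i in ordered]


def pem_from_der(der):
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


def reorder_bundle(pem_text):
    """The text to write back to /etc/ssl/server.crt, in httpd's order."""
    return "".join(pem_from_der(d) for d in order_chain(pem_text))


# Constructed test data (not real certificates): structurally valid but
# unsigned X.509 shells whose only meaningful fields are issuer and subject.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))  # version v3
           + _tlv(0x02, b"\x01")  # serialNumber
           + _tlv(0x30, b"")  # signature AlgorithmIdentifier (left empty)
           + _name(issuer_cn)
           + _tlv(0x30, _tlv(0x17, b"240101000000Z") * 2)  # validity
           + _name(subject_cn)
           + _tlv(0x30, b""))  # subjectPublicKeyInfo (left empty)
    return pem_from_der(_tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00")))
```

The script fixes only the ordering httpd trips over; it does not verify signatures or check that the first certificate matches the private key, so keep checking `httpd -d` after rewriting the file.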


xenocara/radeon: incorrect AccelMethod assumption for TURKS card

2017-04-08 Thread Ian Sutton
Xenocara incorrectly selects "EXA" acceleration method instead of
"glamor" for my Radeon HD 7670 (TURKS) video card, which results in
bizarre, unusable display in Xorg. Adding the following config file,
named "10-display.conf" in /usr/X11R6/share/X11/xorg.conf.d/ fixes the
problem:

Section "Device"
    Identifier "Card0"
    Option "AccelMethod" "glamor"
EndSection

Curiously, adding 'Option "ColorTiling" "False"' to the above fixes the
graphical errors while still using EXA although this makes Xorg unusably
slow.

If anyone can point me in the right direction for fixing this, I can
work on a patch.

Here is my Xorg.0.log with no config specifying glamor (buggy):
https://ce.gl/radeon-exa.txt

Here is the same but with glamor-specifying config file:
https://ce.gl/radeon-glamor.txt

Here is my glxinfo(1) output from glamor session:
https://ce.gl/radeon-glxinfo.txt

Ian

dmesg:

OpenBSD 6.1 (GENERIC.MP) #19: Fri Mar 31 13:19:19 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

softraid mirror & large drives (3T)

2017-04-17 Thread Ian Watts
Hello,

I'm planning on replacing an old fileserver that has a single 1T drive 
with something a little newer having 3T of space.  I have two 3T drives 
and have installed OpenBSD 6.0 to both as a softraid mirror.  Works well 
and I simulated a drive failure by shutting it down, removing a drive, 
and rebooting.  The drive has been re-installed and it is now rebuilding 
the mirror.  After 17 hours it is 24% complete, so it'll be about three 
days to complete.  The system is:

AMD E2-3200 2.40 GHz
4G RAM
2 x 3T Seagate Barracuda 7200rpm SATA 

With this much disk space, should I be looking at another way of 
achieving data redundancy?  The goal is to increase redundancy of the 
data and the mirror would be periodically backed up to another server in 
a different building.  My only concern here is the suitability of the 
softraid mirror for a large filesystem.  I've thought of using the 
second drive as a backup and rsync'ing it nightly, but then failure of 
the primary drive would mean more downtime before it's operational 
again.  A long rebuild time isn't a major problem; just want to make 
sure I'm not overlooking a more sensible option.

FWIW, I used the following info to get set up:

https://www.openbsd.org/faq/faq14.html#softraidDI
http://openbsd-archive.7691.n7.nabble.com/Large-3TB-HDD-support-td95308.html

Thanks,

-- Ian




Re: softraid mirror & large drives (3T)

2017-04-18 Thread Ian Watts
Thanks for the feedback, Karel, Allan, and Kamil.  The motivation is 
long-term data storage reliability.  For example, my wife creates 
graphical books, which involves large files, plus other work and 
personal files.  

Having a mirror is not terribly important, so doing a nightly sync to 
another machine is possible.

Since it's been mentioned, what SATA RAID controller cards are 
recommended for OpenBSD on i386?  I wonder if they would fit my budget.  
Has the "supported hardware" page been removed from the openbsd.org 
website?  I only found such a page here:
http://openbsd.das.ufsc.br/i386.html#hardware


Thanks,

-- Ian

P.S., Karel, many Americans confuse loose/lose.  :)


On Tue, 18 Apr 2017, Karel Gardas wrote:

> loose -> lose. Sorry not native English speaker here.
> 
> On Tue, Apr 18, 2017 at 6:09 PM, Karel Gardas  wrote:
> > How much data can you loose on this mirror? The rebuild time is long
> > and the chance of another drive dying is higher during rebuild so I
> > would consider either increasing redundancy to 3-way mirror or
> > decreasing time between backups. All depending on how much data you
> > can loose when something goes wrong.
> 
> 



printf(3): extra parameters, %b token, and cpp antics

2017-04-23 Thread Ian Sutton
I noticed some strange code in src/sys/arch/armv7/omap/ommmc.c

This preprocessor define seems to map intr. state bit positions with
strings describing them:

#define MMCHS_STAT_FMT "\20" \
    "\x09d_BADA" \
    "\x09c_CERR" \
    "\x098_ACE" \
    "\x096_DEB" \
    "\x095_DCRC" \
    "\x094_DTO" \
    "\x093_CIE" \
    "\x092_CEB" \
    "\x091_CCRC" \
    "\x090_CTO" \
    "\x08f_ERRI" \
    "\x089_OBI" \
    "\x088_CIRQ" \
    "\x085_BRR" \
    "\x084_BWR" \
    "\x082_BGE" \
    "\x081_TC" \
    "\x080_CC"

It's used later as an extra printf() argument (edited for clarity):

printf("%s: interrupt status=%b\n", DEVNAME(sc), status, MMCHS_STAT_FMT);

Whenever the above is called, the string counterpart to each interrupt
bit set in 'status' is printed, for example:

mmmc0: interrupt status=20008000<_BADA,_ERRI>

Where BADA and ERRI are intr. status bits at positions 29 and 15
respectively.

So through some combination of:
* CPP multi-string define with unclear hex escapes prepended
* printf() call with one too many parameters
* undocumented %b printf() token

We get this handy functionality where names of intr. statuses are
derived from their associated bit positions and conditionally printed
when set.

Does anyone have any idea of why this works the way it does?

Ian

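As an added example (not the kernel's code), here is a user-space re-implementation of the classic BSD `%b` conversion: the first byte of the format string is the number base, and each following entry is a 1-based bit number followed by its name. `MMCHS_STAT_DEMO` is a constructed format that covers only the two bits the post pins down (BADA at bit 29, ERRI at bit 15); `fmt_bits` and `fmt_bits_check` are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the kernel's printf: a user-space version of the
 * classic BSD "%b" conversion.  fmt[0] is the number base (\10 octal,
 * \20 hex); each entry after it is one byte holding a 1-based bit
 * number (\1 = bit 0) followed by the name, which runs until the next
 * byte below ' '.  Set bits are listed after the number as "<A,B>".
 */

/* Constructed format for the two bits the post identifies: BADA is
 * status bit 29 and ERRI bit 15, so 1-based they are \036 and \020. */
#define MMCHS_STAT_DEMO "\20" "\036_BADA" "\020_ERRI"

/* Copy len bytes of s to out[pos..] if they fit, keep out NUL-terminated,
 * and return the logical length the way snprintf() reports it. */
static size_t
append(char *out, size_t outlen, size_t pos, const char *s, size_t len)
{
	if (pos < outlen) {
		size_t room = outlen - pos - 1;
		size_t n = len < room ? len : room;
		memcpy(out + pos, s, n);
		out[pos + n] = '\0';
	}
	return pos + len;
}

/* Render val through fmt into out.  Returns the untruncated length, or
 * -1 for a format string with an unknown base or a bit number > 32. */
int
fmt_bits(char *out, size_t outlen, unsigned int val, const char *fmt)
{
	char num[16];
	int base = (unsigned char)*fmt++;
	size_t pos;
	int first = 1;

	if (outlen == 0)
		return -1;
	if (base == 8)
		snprintf(num, sizeof num, "%o", val);
	else if (base == 10)
		snprintf(num, sizeof num, "%u", val);
	else if (base == 16)
		snprintf(num, sizeof num, "%x", val);
	else
		return -1;
	pos = append(out, outlen, 0, num, strlen(num));

	while (*fmt != '\0') {
		unsigned int bit = (unsigned char)*fmt++;
		const char *name = fmt;
		size_t len = 0;
		/* the name ends at the next control byte: a bit number or NUL */
		while ((unsigned char)name[len] > ' ')
			len++;
		fmt += len;
		if (bit < 1 || bit > 32)
			return -1;
		if (val & (1u << (bit - 1))) {
			pos = append(out, outlen, pos, first ? "<" : ",", 1);
			pos = append(out, outlen, pos, name, len);
			first = 0;
		}
	}
	if (!first)
		pos = append(out, outlen, pos, ">", 1);
	return (int)pos;
}

/* Format val into a buffer of outlen bytes (at most 64) and return the
 * length fmt_bits() reported when the text equals expect, else -1. */
int
fmt_bits_check(size_t outlen, unsigned int val, const char *fmt,
    const char *expect)
{
	char buf[64];
	int n;
	if (outlen > sizeof buf)
		outlen = sizeof buf;
	n = fmt_bits(buf, outlen, val, fmt);
	return (n >= 0 && strcmp(buf, expect) == 0) ? n : -1;
}

int
main(void)
{
	char buf[64];
	/* the status word from the post: BADA (bit 29) and ERRI (bit 15) set */
	fmt_bits(buf, sizeof buf, 0x20008000u, MMCHS_STAT_DEMO);
	printf("ommmc0: interrupt status=%s\n", buf);
	return 0;
}
```

Because a bit number byte must stay below ' ', this encoding can only name 32 bits, which is why the kernel's format strings use control characters for the positions.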


Re: Contributing

2014-11-14 Thread ian kremlin
If you are fluent in two or more languages you might be able to help
out with translations. Bug-hunting (with proper reporting habits!) is
always appreciated too.

On Fri, Nov 14, 2014 at 6:33 PM, Jeremy  wrote:
> Hello,
>
> I very much believe the OpenBSD is important and needs support. I am not a
> programmer, and I do not have money to donate. What other ways are there to
> contribute?
>
> I remember the website used to list ways to contribute in various ways, but
> I can only seem to find monetary donations on the website now.
>
> Could someone kindly steer me in the correct direction.
>
> -Jeremy



Re: AMD64 packages

2014-12-11 Thread ian kremlin
whenever i grab a snapshot and get library version mismatches after a
`pkg_add -u`, i've found the easiest way to get those objects is grab a
fresh source tree and compile them manually. for example, libc:

cd /usr/src/lib/libc

edit 'shlib_version' to have the appropriate major/minor versions
(pkg_add(1) will tell you which ones it wants. a good article on how these
work here: http://www.tedunangst.com/flak/post/OpenBSD-version-numbers)

make && make install

the bsd.port.mk(5) build system is well thought out and allows for
straightforward, helpful maneuvers like this

pkg_check(8) is also an invaluable tool in helping deal with package
issues. also, use the right $PKG_PATH!

On Thu, Dec 11, 2014 at 3:13 PM, STeve Andre'  wrote:

> On 12/11/14 05:59, FRIGN wrote:
>
>> On Wed, 10 Dec 2014 21:27:46 -0500
>> "STeve Andre'"  wrote:
>>
>>  You might want to subscribe to the ports-changes changes list,
>>> which will show you what's been changed.  The source-changes
>>> list will show you all the other cvs commits.  Look at
>>>
>>> http://www.openbsd.org/mail.html
>>>
>> Btw, now that the topic has come up. Is there a way to view the
>> diffs quickly on a source- or port-change?
>> Just reading the titles is not very helpful and I also don't feel
>> like pulling the entire OpenBSD CVS-tree just to view the recent
>> code-changes.
>>
>> I'm subscribed to numerous mailing lists, and all of them provide
>> diff-data in the mail itself. I'm sure more people would subscribe
>> to such a list if it actually encouraged to read and check the
>> source.
>>
>> Cheers
>>
>> FRIGN
>>
>>  Have you looked at http://cvsweb.openbsd.org/cgi-bin/cvsweb/ ?
>
> You can get a diff of the change of any revision, which should
> help out.
>
> --STeve Andre'



Re: AMD64 packages

2014-12-12 Thread ian kremlin
On Fri, Dec 12, 2014 at 2:02 PM, Ingo Schwarze  wrote:
>
> There are dragons.
>

ingo, theo:

sorry to post toxic advice, and thanks for the knowledge. i did not realize
how shlib_version worked. i must have gotten lucky with my build but i
should go back and fix it properly now

ian



Re: Interface between block/char device and driver handler functions

2016-05-11 Thread Ian Sutton
> So my question is, how do I get a block device in /dev to connect to
> my driver open/close/ioctl/etc functions? And secondly, if I want this
> to happen automatically a la MAKEDEV, am I supposed to edit the m4 macro
> in etc/etc.armv7/MAKEDEV.md or is there a more proper way?

I figured out the issue:

Every block device in arm's conf.c has a corresponding character device, so
I added a cdev_decl(), entry in cdevsw[], and entry in chrtoblktbl[]. I believe
this was the crux of the issue. From there, I followed the instructions in
etc/MAKEDEV.common and my device was properly created with the resultant MAKEDEV
script.


Ian



Re: OpenBSD GSoC 2014 accepted projects status

2014-06-21 Thread ian kremlin
hi!

i'm a student working on four DBus daemons that emulate the behavior of
systemd ones so as to make porting code that depends on systemd less of a
hassle

i've set up gitweb to track my progress, you can find it here:
https://uglyman.kremlin.cc/gitweb/gitweb.cgi?p=systemd-utl.git;

the 'master' branch should always compile with strict flags, while the
'devel' one is more of my own day-to-day sandbox.

very excited to be working with you all and hope to continue after GSoC
ends!
ian



Re: crowding out bsd using systemd?

2014-06-28 Thread ian kremlin
> that bsd is being crowded out, a thought that had not crossed my mind.
> I wanted to know, before assuming that it is the case everywhere, do
> people really not like systemd and is it really hurting bsd? If so,
> I'd be interested in doing something about it. Thanks, David

yes, systemd has become a very polarizing subject due to its
unportability (as it's written in pure C) and the mindset and actions of
its authors. it is much, much more than an init daemon and while its
prevalence has served to hurt other systems in the short-term, I
guarantee you we will work around it and do systemd's job properly and
safely just as (we) have done with other software in the past. i am not
a long-term OpenBSD contributor and am admittedly a fledgling
programmer, but from what I've witnessed much of the
systemd/anti-systemd debate is rife with needless animosity and ego.

> That said there is a GSOC project underway as we type to bring a much
> slimmed down systemd look-alike functionality to OpenBSD to allow more
> not-well written software to be ported.

that's me :)
soon, (by the end of gsoc) we will have perfect implementations of
hostnamed, localed, and timedated as well as a framework for porting the
logind behemoth. you can follow the progress at
https://uglyman.kremlin.cc/gitweb/gitweb.cgi?p=systemd-utl.git

ian



Re: crowding out bsd using systemd?

2014-06-28 Thread ian kremlin
> that doesn't make the slightest sense.
>
> "pure C" can be and often is perfectly portable.

those were not the right words, i meant to convey that because systemd
uses its own DBus binding (and not an already-ported lib like
GIO/GDbus) it would be difficult to port, as that binding is seemingly
very specific to systemd and doesn't expose (or guarantee the
reliability of) existing generic APIs. that, plus how complex and
specific the low level DBus API is makes it much more painstaking and
unnecessary. it would end up looking more like a fork than anything.



Re: crowding out bsd using systemd?

2014-06-30 Thread ian kremlin
> https://uglyman.kremlin.cc/gitweb/gitweb.cgi?p=systemd-utl.git There
> is either something wrong with the web page or firefox as it mentions
> that the connection was reset while the page was loading. However,
> I've used

you probably caught me in the middle of a reboot

> yet. But I wanted to know, (it's docs are unclear as to what it is
> supposed to do,) is it intended to replace systemd? I was going to

no. no, no, no it is not. it is meant to provide a few very basic DBus
interfaces that expose an API similar to systemd ones. this is necessary
for porting some GNOME components that depend on them. most of these
DBus interfaces (hostnamed, localed, timedated) have method/properties
that map straight to OpenBSD's standard library. the last one, logind,
is quite complicated and most of my work will concern setting up a
framework for future development.

> propose, if nobody else had, to work to replace systemd. I've read a
> lot about it and it's been sending chills up my spine. The devs are

i am not personally a fan of systemd either, i don't intend to "bring
systemd to openbsd" or anything like that. my code will still have to
stand up to the usual caliber openbsd ports are subject to, there are no
special guarantees because i am a gsoc student.

thanks
ian



Re: crowding out bsd using systemd?

2014-07-02 Thread ian kremlin
> referring to http://www.openbsdfoundation.org/ does not contain, as far as

http://www.openbsdfoundation.org/gsoc2014.html

> software that you speak of be portable to Linux or is it BSD only? I've

i am planning (post-GSOC) on writing an archlinux PKGBUILD and
eventually a debian package.



Re: crowding out bsd using systemd?

2014-07-02 Thread ian kremlin
> Umm, there are at least
> 24 links on that page to various projects that need done, to which are

if you don't have the time to look through a list of a couple dozen
items for the subject of what you have been criticizing, then i don't
have the time to reply to your petty, innocuous emails. i don't know
what to tell you: i regularly publish snapshots which compile with
strict compiler settings of my project. i pull a single library (GLib)
and have written everything in straight C. i'm valgrinding the shit
out of this bitch before i tag a release candidate and will check,
line by line, every GLib function i call to guarantee i'm free()'ing
everything i'm supposed to and that there are none of the common
over/underflow you'd see in a lazy individual's code. i'm integrating
checksums to guarantee each daemon is afforded the bare-minimum
security policies it can operate under. i host all of this on my
domain from money out of my college-student pockets. would you like to
see what i sent to my mentors when requesting this project? it's got
UNIX and blind sincerity out the wing-wang. i'm fervently passionate
about staying the hell away from systemd and making its existence a
non-issue for luckier operating systems. that's what this whole
project is about; if you actually care about the direction it's
taking, please feel free to read my code and mail me with whatever
issues/bugs you can find -- i'll happily review and patch them in.

ian



Re: Thanks for ksh

2014-09-25 Thread ian kremlin
On Thu, Sep 25, 2014 at 8:50 PM, Andrew Lester  wrote:
> Would the /bin/sh shell in OpenBSD, which is a "reimplementation of bash" be 
> affected by either of these exploits? So happy to learn no action is needed 
> on my part for my OpenBSD server :)

/bin/sh is an implementation of *the bourne shell*, not the
bourne-again shell (bash). in any case, neither /bin/sh nor ksh are
vulnerable to the recent "shellshock" vulnerability.



Re: [Bulk] Re: Shadow TCP stacks

2014-10-15 Thread Ian Grant
On Wed, Oct 15, 2014 at 4:47 PM, Kevin Chadwick  wrote:
> On Sat, 11 Oct 2014 13:38:49 -0400
> Ian Grant wrote:
>
>> No, the "pre-shared keys" are communicated over the VPN, as are the
>> keys which encrypt the VPN's own data as it appears in the actual TCP
>> packets which carry the tunnel through which the VPN operates.
>
> Perhaps I have missed something but if you have a ssh tunnel or
> something then just put that in front of the service without increasing

Moved to misc.

Yes, you missed something: the point :-)

The idea is that the existence of this entire 'ultranet' is
undetectable by even someone snooping all national traffic. So a TCP
port 80 connection looks to the snooper _exactly_ like an HTTP
connection handshake. Only the ISN and the source address mark the
connection as 'ultra' and take it into a back room where it connects
to the real network. If the snooper tries to connect to that port
they get the same HTTP service that all the other muggles see.

Ian



Re: Shadow TCP stacks

2014-10-17 Thread Ian Grant
On Fri, Oct 17, 2014 at 4:24 AM, Bret Lambert  wrote:
> On Thu, Oct 16, 2014 at 02:48:22PM +0200, Martin Schröder wrote:
>> 2014-10-16 13:16 GMT+02:00 Kevin Chadwick :
>> The impossibility to scan for services - which the NSA/GHCQ/... do.
>
> It's a good thing that traffic analysis isn't a thing, then. Otherwise
> they'd be able to check if traffic purporting to go to port 80/443
> doesn't look like HTTP traffic, or something.

They don't have any clue which traffic to analyze though, so this
traffic is a needle in a haystack. Also, the VPN could be tunneled
over HTTP if necessary.

Ian



Re: Shadow TCP stacks

2014-10-17 Thread Ian Grant
On Fri, Oct 17, 2014 at 2:49 PM, Bret Lambert  wrote:
> Well, if, as Herr Schroeder seems to be implying, this is used to
> avoid port scans, I'd look for traffic to/from address:port which
> don't show up on scans.

That's why I want to hide it behind an ordinary service.

>> Also, the VPN could be tunneled
>> over HTTP if necessary.

> I know of at least one company which sells a product which doesn't
> just read headers, but classifies traffic based upon behavior, e.g.,
> "small request receives large response -> bulk transfer", or
> "series of tiny packets which receive a single, larger response ->
> interactive session". I assume nation-states have developed similar
> capabilities.

That's fine. But they have to analyze all the traffic. This is a
needle in a haystack.

> The ability to use statistical methods to eavesdrop on encrypted
> SIP sessions comes to mind as an example of traffic analysis as a
> tool to defeat adversaries who are attempting to secure their
> communications.

Again, a needle in a haystack.

Please read the OP before refuting stuff on the list. If you want to
argue, and you aren't sure of your argument, e-mail me off the list.
Otherwise it just adds to the general level of confusion, which is
already higher than I'd expected on this list.

Thanks,
Ian



Re: LibreSSL 2.1.1 released.

2014-10-17 Thread Ian Grant
On Thu, Oct 16, 2014 at 9:15 AM, Bob Beck  wrote:
> We have released LibreSSL 2.1.1- which should be arriving in the
> LIbreSSL directory of an OpenBSD mirror near you very soon.

If I clone the GitHub repo from Bolivia, do I have to cut my eyeballs
out or stand guilty of re-exporting munitions from the USA?

Ian



Re: Shadow TCP stacks

2014-10-19 Thread Ian Grant
On Sun, Oct 19, 2014 at 1:40 AM, Giancarlo Razzolini wrote:
> This tcp shadow stack would do no good in preventing
> people from learning what you're doing. It's security
> through obscurity, even though the authors of the paper try to say
> that it ain't.

On the contrary: it _will_ make it impossible for people to know what
_we_ are doing. This is not one system I'm talking about: it's
countless independent VPNs. No one person in the world will ever know
what _we_ are doing.

It's not security by obscurity, it's a one-time pre-shared key.

>  Believe me, this would only scream on their filters. Hell,
> even someone capturing this with tcpdump and analyzing it later
> would see something it's not right.

You think someone can analyse all the HTTP traffic in a country? So
what if they could? By the time they've analysed the dumps the service
won't be on that host anymore.

> The answer to most of our
> privacy problems in today's internet is cryptography. Better yet,
> properly implemented strong cryptography.

The issue I am addressing is not privacy. You would know that if you
had read the Foundation paper:

http://livelogic.blogspot.com/2014/10/the-foundation-parts-iii-iii.html

> I believe that
> OpenBSD does that. But don't expect them to add
> a security through obscurity layer to their kernel because I
> guess they wont.

Well, "they" don't have a choice, because OpenBSD is open source, or
haven't you heard?

Ian



Re: LibreSSL 2.1.1 released.

2014-10-19 Thread Ian Grant
On Sat, Oct 18, 2014 at 11:36 AM, Reiner Jung  wrote:
> On Fri, 2014-10-17 at 16:52 -0400, Ian Grant wrote:
>> On Thu, Oct 16, 2014 at 9:15 AM, Bob Beck  wrote:
>> > We have released LibreSSL 2.1.1- which should be arriving in the
>> > LIbreSSL directory of an OpenBSD mirror near you very soon.
>>
>> If I clone the GitHub repo from Bolivia, do I have to cut my eyeballs
>> out or stand guilty of re-exporting munitions from the USA?
>>
>> Ian
>>
>
> From US point of view, when you download a software from a server
> located in the US, it is a export.

So I _do_ have to cut out my eye-balls, damn! What about the GitHub
people, are they completely innocent?

Ian



Security Engineering for Linux Users

2014-10-19 Thread Ian Grant
"This is one way die-hard Linux users can find out what the word
"engineering" really means. They can learn about OpenBSD without
rebooting either their machines, or their minds.

First read the man pages. OpenBSD man pages aren't documentation,
they're literature, so you need to see them nicely formatted [...]"

 http://livelogic.blogspot.com/



Re: Shadow TCP stacks

2014-10-20 Thread Ian Grant
On Mon, Oct 20, 2014 at 6:18 PM, john slee  wrote:
> On 20 October 2014 14:13, Worik Stanton  wrote:
>> Yes all traffic of a country can be analysed, fairly close to real time.
>>  With some basic statistics, smart sampling and a dedicated team
>> crafting clever algorithms...  That is what those big budgets are for!
>
> Can throw in some real-world experience here - worked on a project in
> Malaysia that was doing near-realtime (no more than 5 minutes lag)
> analytics of cellular and data traffic on that country's largest cellular
> network. The kit fit in less than five 42U racks, including dev/test kit,
> and four of those racks were an inefficiently-used Netezza appliance.
>
> It wasn't even that expensive - private industry budget.

There's analysis, and there's analysis. None of this is particularly
interesting without knowledge of what depth of analysis was being
done. I doubt they were looking for steganographic transport encoding
in audio and image data, for example.

And as I said before, using WiFi cells, they simply won't have access to
all the traffic without snooping all the WiFi cells. And they would
have a hard time dealing with USBstickNet traffic: high latency, but
massive bandwidth :-)

Ian



Re: Shadow TCP stacks

2014-10-20 Thread Ian Grant
On Mon, Oct 20, 2014 at 8:33 AM, Giancarlo Razzolini
 wrote:
> On 19-10-2014 21:01, Ian Grant wrote:
>
> On the contrary: it _will_ make it impossible for people to know what
> _we_ are doing. This is not one system I'm talking about: it's
> countless independent VPNs. No one person in the world will ever know
> what _we_ are doing.
>
> Except perhaps for the nations with mass surveillance capabilities.
>
> It's not security by obscurity, it's a one-time pre-shared key.
>
> Well, the need for a PSK doesn't change the fact that you're trying to
> conceal something, but not making it inherently more secure.

How else can one protect a system from DoS attacks, other than by
concealing it some way? And what is cryptography if it's not
concealing the meaning of a communication in some way?

> You think someone can analyse all the HTTP traffic in a country? So
> what if they could? By the time they've analysed the dumps the service
> won't be on that host anymore.
>
> In what world do you live? Didn't you follow the news regarding Edward
> Snowden's disclosures? Not only is it possible to analyze all HTTP traffic in
> any given country, but it's also possible to analyze ALL traffic in any
> given country. This is exactly what the NSA is doing and perhaps others also.
> Hell, even some companies such as akamai and others can see a great
> chunk of the internet traffic.

Sure they can see it, but that's not going to tell them where it went
next. So they can analyse all the traffic and what they learn from
that won't be worth knowing half an hour later. I live in Bolivia, and
I want to implement something like this here, so that the Bolivian
government can have secure communications within Bolivia, and across
her borders.

> The issue I am addressing is not privacy. You would know that if you
> had read the Foundation paper:
>
> http://livelogic.blogspot.com/2014/10/the-foundation-parts-iii-iii.html
>
> Yes, you're not addressing just privacy. But your original post e-mail
> subject of "shadow TCP stacks" is misleading.
>
> Well, "they" don't have a choice, because OpenBSD is open source, or
> haven't you heard?
>
> Even if you did manage to create a nice patch, bug free, with great security
> and all, I don't ever see this getting into the OpenBSD source tree. And, as
> Henning, an OpenBSD developer, put in a reply to you, you don't get to
> decide what they put into their source code tree. As I said before, focus on
> the proper development of good and strong cryptography, and you'll sure see
> your contributions get into OpenBSD, provided they are in the project's
> interest, of course.

I can make and maintain any modifications to OpenBSD that I please.

Ian



Re: Shadow TCP stacks

2014-10-20 Thread Ian Grant
On Mon, Oct 20, 2014 at 8:01 PM, Giancarlo Razzolini
 wrote:
> On 20-10-2014 21:52, Ian Grant wrote:
>>
>> How else can one protect a system from DoS attacks, other than by
>> concealing it some way? And what is cryptography if it's not
>> concealing the meaning of a communication in some way?
>
> Oh my. DoS can be mitigated. You could never "protect" a system. Even if
> there isn't any port open, they can flood your uplink, even if you stop
> sending FIN or ACK. There is UDP. Cryptography is not just concealment. It's
> integrity. It's authentication (in some cases). So it's the only way to be
> sure your message wasn't modified because the math behind it is solid.
>>
>> Sure they can see it, but that's not going to tell them where it went
>> next. So they can analyse all the traffic and what they learn from
>> that won't be worth knowing half an hour later.
>
> Man, real time traffic analysis. We told you so many times. They'll learn it
> right away. Because they can see ALL traffic in real time. Simple as that.

You don't read what I write. I said the info won't be worth having
half an hour later. Because the service access point will have moved.
I didn't dispute the real-timeness of the traffic analysis.

>>   I live in Bolivia, and
>> I want to implement something like this here, so that the Bolivian
>> government can have secure communications within Bolivia, and across
>> her borders.
>
> I live in Brazil. And I'm aware of the situation of many countries in South
> America, ours included. If you want that, please tell them to use known and
> proven cryptography solutions such as Tor, IPSEC, Off the record messaging,
> etc. Do not reinvent the wheel, because it will only make their traffic
> stand out even further.

Thanks for your "advice" but I will do exactly what I think is the
right thing to do.

>> I can make and a maintain any modifications to OpenBSD that I please.
>
> Of course you can. But if you go along these lines of reinventing the wheel
> and security through obscurity you'll never get your contributions into it.

I am not trying to become an OpenBSD developer. I just want to use it for
a real project.

Ian



Re: 5.6 arrived

2014-10-29 Thread ian kremlin
5.6 arrived today in syracuse, new york. right on time, just as usual. :)

On Wed, Oct 29, 2014 at 12:44 PM, Theo de Raadt wrote:
>>Hopefully you agree that the file name "snapshots/amd64/install56.iso"
>>is misleading? Looking at the file name I had assumed/hoped there is some
>>kind of upgrade path from the "install56.iso" snapshot to the 5.6 release.
>>My mistake.
>
> It is not misleading in any way.
>
> Those two digits are looked at by the matching bsd.rd install goo.
>
> There must be two digits there.  You suggest using the ones from the
> just-released version is wrong, and we should use the next one,
> confusing other people.  It is bad either way.
>
> All of which allows me to say that you are the kind of person who
> can see something, make a wrong interpretation, get it explained,
> then double down on the argument!  But enough about you!



Re: Are there any protection against heisting the "shell builtin"s?

2021-09-08 Thread Ian Darwin
On Wed, Sep 08, 2021 at 11:24:18AM +0200, jim hook wrote:
> test$ cd
> rmplayer
> test$
> test$ type cd
> cd is a function
> test$
> test$ tail -4 .profile
> cd()
> {
> echo rmplayer
> }
> test$
> test$ uname -mrs
> OpenBSD 6.9 amd64
> test$
> 
> Considering that home dirs could be on shared storage that can be accessed
> by others, who could maliciously modify the ".profile", etc. files of the
> targeted user.
> 
> ex.: "unset cd" would help, but any solution in general?

If your $HOME is on a shared drive that can be written by others, then
blocking people from redefining shell builtins would be like throwing
deck chairs off the Titanic, i.e., you have no security whatsoever.

The only general solution is to have your home directory under better control.
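As an added example (not from this thread), a few POSIX sh helpers a user could source at login to spot builtins shadowed by a function or alias like the cd() above, restore them for the session, and list dotfiles that others could write to; the function names and the 020/002 permission test are my choices.

```shell
# Added example, not from the thread. Names and behaviour are assumptions.

# Report which of the given names are no longer plain builtins because a
# function or alias now shadows them. Prints "name: <first line of type
# output>" per hit and returns 1 if anything was found, 0 otherwise.
shadowed_builtins() {
    found=0
    for n in "$@"; do
        desc=$(type "$n" 2>/dev/null | head -n 1) || desc=""
        case $desc in
            *function*|*alias*)
                printf '%s: %s\n' "$n" "$desc"
                found=1 ;;
        esac
    done
    return $found
}

# Give a name its builtin meaning back for the rest of this session.
# (Inside a script, "command name" bypasses a function at call time anyway.)
restore_builtin() {
    unset -f "$1" 2>/dev/null || true
    unalias "$1" 2>/dev/null || true
}

# List group- or world-writable regular dotfiles directly under directory $1.
# If anything shows up, the home directory is not under your control and the
# checks above are only a warning, not a defence.
writable_dotfiles() {
    find "$1" -maxdepth 1 -name '.*' -type f \
        \( -perm -020 -o -perm -002 \) -print
}
```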



Re: nvme boot

2021-10-15 Thread Ian Darwin
On Fri, Oct 15, 2021 at 05:05:01PM +0200, Jan Stary wrote:
> Does any of the OpenBSD-supported platforms boot off nvme storage?
> So far, I have been able to use nvme storage as a disk,
> but not boot from it; but my HW is far from recent.

The Framework laptop (https://frame.work) boots fine off an
internal NVME, so I suspect other modern laptops do too.
Also the SiFive HiFive boots off NVME.

So, yes.



Re: how to recover a corrupted disk

2021-12-01 Thread Ian Darwin
On Wed, Dec 01, 2021 at 01:39:39PM +0530, Sandeep Gupta wrote:
> Hello,
>  All partitions except for /dev/rsd1c and /dev/rsd1i are clean.
>  For /dev/rsd1c , I get  "BAD SUPER BLOCK: MAGIC NUMBER WRONG".
>  For /dev/rsd1i, I get "UNEXPECTED INCONSISTENCY".

If that's the case, you are probably done! You could mount
your 'a' partition manually on /mnt, look in /mnt/etc/fstab, and
see which letter partitions belong where; use that info to make
sure you have "found" all your partitions.

BTW, in addition to scan_ffs in base, there is testdisk in ports,
which I think does a better job ATM of finding FFS2 filesystems.

As mentioned, DO NOT do anything with 'c' partition (be glad,
be very glad, that it didn't find anything resembling a superblock
when fsck'ing 'c'!). It's not a mountable partition but a 'wrapper'
for the whole disk.



Re: Install latest package without prompts on OpenBSD 7.0

2022-01-10 Thread Ian Darwin
> > > I am working on OpenBSD 7.0, x86_64. I'm trying to script an install
> > > of developer tools I use, like GCC and Git. When I attempt to install
> > > GCC I am prompted:
> > > 
> > > $ sudo pkg_add gcc g++
> > > quirks-4.54 signed on 2022-01-09T19:08:35Z
> > > Ambiguous: choose package for gcc
> > > a0: 
> > > 1: gcc-8.4.0p9
> > > 2: gcc-11.2.0p0
> > > 
> > > I've looked over the man page at https://man.openbsd.org/pkg_add, but
> > > I don't see an option to tell pkg_add to install the latest version of
> > > the package.
> > 
> > Sure there is. 
> > 
> > Quoting the manpage:
> > There is also an ambiguity related to ports with multiple branches.  For
> > instance ‘pkg_add python’ is ambiguous, as there are several versions of
> > python in the ports tree.  So is ‘pkg_add postfix’.  The special form
> > ‘pkgname%branch’ can be used to restrict matches to a branch matching 
> > the
> > pkgpath(7).
> > 
> > pkg_add gcc%11 g++%11
> > will do the trick

In the context of the original post, I think he meant a way to invoke "pkg_add"
and have it just install whatever the latest is, without having to know a priori
that there is a version 11. "Just install gcc, dammit". There are many ports that
have version choices and in the context of installing the latest of everything in
a "scripted install", having to either stop mid-install and answer such a prompt,
or sort out in advance what ports exist in multiple versions, is not what's
wanted. It may be unwise, but it's what some people that do scripted installs want.
I have wished for this too, but it never bothered me enough to send a query. :-)



Re: Install latest package without prompts on OpenBSD 7.0

2022-01-10 Thread Ian Darwin
On Mon, Jan 10, 2022 at 06:28:38PM -0300, Crystal Kolipe wrote:
> On Mon, Jan 10, 2022 at 07:15:25PM +0100, Andreas Kusalananda Khri wrote:
> > Which one is the "latest" here?
> > 
> > $ doas pkg_add bogofilter
> > doas (kk@box) password:
> > quirks-4.92 signed on 2022-01-07T13:45:06Z
> > Ambiguous: choose package for bogofilter
> > a   0: 
> > 1: bogofilter-1.2.5
> > 2: bogofilter-1.2.5-db4
> > 3: bogofilter-1.2.5-lmdb
> > 4: bogofilter-1.2.5-qdbm
> > 5: bogofilter-1.2.5-sqlite3
> > Your choice:
> 
> None of them is the 'latest', those are just different 'flavors' of the port.

Agreed.

The discussion was about different numbered versions, but has been hijacked to
be about flavors.

If a "simple automated scripted" pkg_add were desired, it would take choice #1
in this case or any where there are flavors AND where no flavor was specified.



Re: Please put vi in base

2022-03-12 Thread Ian Darwin
> Could we please get vi into base? Even the most basic version would do.

um, vi has been in base for years.

It has not been in the install media, which are chronically short of room.
I would not advise you to hold your breath for vi to appear there in the next
week or so.

It doesn't take that long to learn ed from the "bottom line" of vi,
and the man pages are online if you have another computer (or even a phone) with
internet access. Learn it in the good times, for use in the bad.



Re: How to track system changes?

2022-04-04 Thread Ian Darwin
On Mon, Apr 04, 2022 at 08:32:01AM -0700, Eric Thomas wrote:
> I want to have a high degree of confidence in my system's state
> (packages that have been added, configs that have changed, permissions
> changed, etc). I've read about "read only filesystems" and the
> pro's/con's [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).
> 
> Aside from that, is there a way to...
> 
> 1. ...hash the file system in some way and monitor for changes? OR
> 2. ...somehow review changes that have taken place (a log somewhere)?
> 
> The goal is to concretely know whether the state of the system has
> changed, then point to what EXACTLY has changed.
> 
> Anyone doing something similar?

Yes, in fact, *everyone* else is. /etc/changelist lists files that are monitored.
You will get an email if they change, e.g., if a program surprisingly becomes
setuid.

I imagine that this is documented someplace.
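The mechanism Ian describes (a list of watched paths plus a periodic comparison, see changelist(5) and security(8)) can be imitated in a few lines of sh. The following is an added example, not OpenBSD's own implementation; its list format, output labels and function names are assumptions.

```shell
# Added example, not OpenBSD's security(8). Digests are sha256; the list is
# one path per line with '#' comments (paths must not contain whitespace).

hash_file() {
    # Prefer OpenBSD's sha256(1), fall back to coreutils sha256sum.
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | cut -d' ' -f1; fi
}

# Write "digest path" (or "MISSING path") for every listed path in $1 to $2.
make_baseline() {
    grep -v '^#' "$1" | while read -r path; do
        [ -n "$path" ] || continue
        if [ -f "$path" ]; then printf '%s %s\n' "$(hash_file "$path")" "$path"
        else printf 'MISSING %s\n' "$path"; fi
    done > "$2"
}

# Recompute the digests for list $1 and compare them with baseline $2.
# Prints one CHANGED/ADDED/REMOVED/NEW/DROPPED line per difference and
# returns 1 if anything differs, 0 if the system matches the baseline.
check_changes() {
    cur=$(mktemp) || return 2
    make_baseline "$1" "$cur"
    out=$(awk '
        NR == FNR { base[$2] = $1; next }
        !($2 in base) { print "NEW", $2; next }
        base[$2] == "MISSING" && $1 != "MISSING" { print "ADDED", $2 }
        base[$2] != "MISSING" && $1 == "MISSING" { print "REMOVED", $2 }
        base[$2] != "MISSING" && $1 != "MISSING" && base[$2] != $1 {
            print "CHANGED", $2 }
        { delete base[$2] }
        END { for (p in base) print "DROPPED", p }' "$2" "$cur")
    rm -f "$cur"
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}
```

Run make_baseline once from a known-good state and check_changes from cron, mailing its output to root the way the daily security run does.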



Re: Howto do "a detailed cleanup with the aid of the sysclean package"?

2022-04-20 Thread Ian Darwin
On Wed, Apr 20, 2022 at 08:39:09PM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> the upgrade guide claims
> 
>   A detailed cleanup can be done with the aid of the sysclean package.
> 
> sysclean lists 4180 files and directories on my home server, including mail
> directories, config files of various external packages, generated files, .git
> directories, etc. A lot of stuff I wouldn't like to lose. Apparently it also
> lists a lot of old crap, but since it lists *so many* important files I don't
> trust it at all.
> 
> Could you please elaborate how sysclean is going to help me to keep my openbsd
> hosts clean? How is the usage model of this tool?

Like any base tool, start with its man page:

man sysclean

Add any directories you want to keep into /etc/sysclean.ignore
(start with the sample provided to ensure you keep the include at the end).



Re: Favorite configuration and system replication tools?

2024-05-07 Thread Ian Darwin

On 5/7/24 1:09 PM, Страхиња Радић wrote:

> On 24/05/07 04:08PM, Martin Kjær Jørgensen wrote:
>
>> I was wondering which programs you use for
>> replicating/copying/syncing environments/configs on your openbsd
>> systems between your desktops (home or work) and laptops?
>
> git(1), rsync(1).

git push and git pull.

I keep important dotfiles (.profile etc) in their own repo, and in there
somewhere is a list of packages I want on {all,desktop,server}-type
machines. In my scripts repo is a script that installs them based on an
arg to say which kind of system it is. So:

new machine?

    pkg_add git

    git pull various repos

    make -C dotfiles install

    run "mystdpkgs" with -d for desktop, -s for server

    Done!

    (I think I have another script that runs all these).
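An added sketch of what such a "mystdpkgs" script can look like; this is not Ian's script. It assumes a directory of package lists (all.pkgs plus desktop.pkgs or server.pkgs, one package per line, '#' comments allowed) and lets entries use the pkgname%branch form from the pkg_add thread above so a scripted install never stops at an "Ambiguous" prompt.

```shell
#!/bin/sh
# Added example, not Ian's actual script. Layout of the list directory,
# the PKG_ADD override and the function names are assumptions.

# Print the merged package list for machine kind $1 from list dir $2,
# in file order, with comments, blank lines and duplicates removed.
std_pkgs() {
    kind=$1; dir=$2
    for f in "$dir/all.pkgs" "$dir/$kind.pkgs"; do
        [ -r "$f" ] || continue
        cat "$f"
    done | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
         | awk 'NF && !seen[$1]++ { print $1 }'
}

# mystdpkgs-style entry point: -d desktop, -s server, optional list dir.
# PKG_ADD can be overridden (e.g. PKG_ADD=echo) to preview the command line;
# entries like gcc%11 pin a branch so pkg_add(1) does not prompt.
install_std_pkgs() {
    kind=""
    OPTIND=1
    while getopts ds opt; do
        case $opt in
            d) kind=desktop ;;
            s) kind=server ;;
            *) echo "usage: install_std_pkgs -d|-s [listdir]" >&2; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    [ -n "$kind" ] || { echo "usage: install_std_pkgs -d|-s [listdir]" >&2; return 2; }
    pkgs=$(std_pkgs "$kind" "${1:-$HOME/dotfiles/pkgs}")
    [ -n "$pkgs" ] || return 0
    # word splitting of $pkgs is intended: one argument per package
    ${PKG_ADD:-pkg_add} $pkgs
}
```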


