On Wed, Jul 24, 2019 at 02:56:47PM -0400, Robert Simmons wrote:
> The safer part of my speculation is specifically based on being less code
> to maintain overall. More resources devoted to a smaller code base.
Best of all is to completely remove any code: no code -- no hole.
> On Wed, Jul 24, 2019 a
On Tue, Dec 05, 2017 at 01:13:25PM -0800, Yuri wrote:
> On 12/05/17 13:04, Eugene Grosbein wrote:
> > It is illusion that https is more secure than unencrypted http in a sense
> > of MITM
> > just because of encryption, it is not.
>
>
> It *is* more secure.
https don't work frequent than http
On Wed, Feb 01, 2017 at 05:31:28AM -0800, Roger Marquis wrote:
> > I believe FreeBSD should just have a slave port with OpenSSH 7.4, used only
> > for SSHv1. People using such port should know the consequences of it.
>
> This could be a good candidate for a new ports category,
>
>/usr/ports/
On Mon, Jul 18, 2016 at 12:39:46PM -0400, Jung-uk Kim wrote:
> On 07/18/16 08:12 AM, Mathieu Arnold wrote:
> > Hi,
> >
> > +--On 11 July 2016 22:56:00 +0300 Slawa Olhovchenkov
> > wrote:
> > | On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
>
On Wed, Sep 14, 2016 at 10:07:15PM -0400, Garrett Wollman wrote:
> <
> said:
>
> > Well, it's definitely too late for 11, now.
>
> > But, Debian is preparing to remove their heimdal package entirely,
> > imminently: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837728
>
> The primary issue
On Wed, Jul 13, 2016 at 09:38:59AM +0200, Steve Clement wrote:
> Dear List,
>
> Not sure this has been shared here:
>
> https://vez.mrsk.me/freebsd-defaults.txt
>
> Some good points, others not so…
>
> Nevertheless a good read and food for thought and discussion.
Most points are just inconveni
On Mon, Jul 11, 2016 at 07:48:44PM +0300, Andrey Chernov wrote:
> On 11.07.2016 19:29, Slawa Olhovchenkov wrote:
> > On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
> >
> >>
> >>
> >> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrot
On Mon, Jul 11, 2016 at 03:00:39PM -0400, Jung-uk Kim wrote:
> On 07/11/16 02:41 PM, Slawa Olhovchenkov wrote:
> > On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> >
> >> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> >>> On 10.07.2016 16:30, S
On Mon, Jul 11, 2016 at 02:28:45PM -0400, Jung-uk Kim wrote:
> On 07/10/16 10:10 AM, Andrey Chernov wrote:
> > On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> >> I am surprised by the lack of GOST support in openssl-base.
> >> Can this be enabled before 11.0 is released?
> >
On Mon, Jul 11, 2016 at 11:04:33AM -0500, Mark Felder wrote:
>
>
> On Mon, Jul 11, 2016, at 05:29, Slawa Olhovchenkov wrote:
> >
> > I.e. GOST will be available in openssl.
> > Under BSD-like license.
> > Can this engine be imported into the base system and enabled a
On Sun, Jul 10, 2016 at 06:28:04PM +0300, Andrey Chernov wrote:
> On 10.07.2016 18:13, Andrey Chernov wrote:
> > On 10.07.2016 18:12, Andrey Chernov wrote:
> >> On 10.07.2016 18:01, Slawa Olhovchenkov wrote:
> >>> On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey
On Sun, Jul 10, 2016 at 05:10:04PM +0300, Andrey Chernov wrote:
> On 10.07.2016 16:30, Slawa Olhovchenkov wrote:
> > I am surprised by the lack of GOST support in openssl-base.
> > Can this be enabled before 11.0 is released?
>
> AFAIK openssl maintainers says something like they can&
I am surprised by the lack of GOST support in openssl-base.
Can this be enabled before 11.0 is released?
Subject: svn commit: r412619 - in head/dns: bind9-devel bind910 bind99
Author: mat
Date: Wed Apr 6 13:53:09 2016
New Revision: 412619
URL: https://svnweb.freebsd.org/changeset/ports/412619
Log:
Stop
nclude these settings in the deployed rc.conf.
This sounds like "installer and default config are not needed, use ansible
for all"
> On 9 June 2016 at 14:37, Slawa Olhovchenkov wrote:
>
> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
> >
> > > I doubt that will
This manual editing will be required by every install on RPi, for
example.
Also, this issue is hard to diagnose for the average user.
> On 9 June 2016 at 09:04, Slawa Olhovchenkov wrote:
>
> > On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote:
> >
> > > googles will be p
On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote:
> googles will be pretty static, but i would just use them as a one off, ie
> with ntpdate
I am talking about the FreeBSD system/project.
>
> On 8 June 2016 at 10:48, Slawa Olhovchenkov wrote:
>
> > On Wed, Jun 08, 2016 at
On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > IMHO, ntp.conf needs to include some numeric IPs of public ntp servers.
>
> https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
> https://en.wikipedia.org/wiki
On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> Slawa Olhovchenkov writes:
>
> > Default install with local_unbound and ntpd can't be functional with
> > incorrect date/time in BIOS:
> >
> > Unbound requires correct time for DNSSEC check and
Default install with local_unbound and ntpd can't be functional with
incorrect date/time in BIOS:
Unbound requires correct time for DNSSEC check and is refusing queries
("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN")
ntpd
On Sun, Jan 24, 2016 at 04:21:17PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > OK, what about tcsh, zsh, fish and scp/sftp?
>
> I apologize for trying to help you out by suggesting a hack that works
> at least some of the time until I can get a permanent
On Sun, Jan 24, 2016 at 04:09:05PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > In the meantime, you can try something like this in .bashrc or
> > > whatever:
> > Impossible. For accessing .bashrc on kerb
On Sun, Jan 24, 2016 at 03:50:45PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Can you have a small discussion about ssh+kerberos?
> > I am trying to use FreeBSD with $HOME over kerberized NFS.
> > For kerberized NFS, gssd needs to find cache file "
On Fri, Jan 22, 2016 at 03:31:22PM +0100, Dag-Erling Smørgrav wrote:
> The HPN and None cipher patches have been removed from FreeBSD-CURRENT.
> I intend to remove them from FreeBSD-STABLE this weekend.
Can you have a small discussion about ssh+kerberos?
I am trying to use FreeBSD with $HOME over kerb
On Wed, Nov 11, 2015 at 01:32:27PM -0800, Bryan Drewery wrote:
> On 11/10/2015 1:42 AM, Dag-Erling Smørgrav wrote:
> > I would also like to remove the NONE cipher
> > patch, which is also available in the port (off by default, just like in
> > base).
>
> Fun fact, it's been broken in the port fo
On Wed, Nov 11, 2015 at 03:58:35PM -0800, Bryan Drewery wrote:
> > Some for as ports version?
> > Or ports version different?
> > Or does the port maintainer have more time (this is not to blame DES)?
> > I just don't know what is different between port ssh and base ssh.
> > We need ssh 6.x in base,
On Wed, Nov 11, 2015 at 10:18:08AM -0800, Bryan Drewery wrote:
> On 11/11/2015 10:13 AM, Slawa Olhovchenkov wrote:
> > On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote:
> >
> >> Bryan Drewery writes:
> >>> Another thing that I did with
On Wed, Nov 11, 2015 at 07:18:31PM +0100, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Can you explain what is problem?
>
> Radical suggestion: read the first email in the thread.
I have read it and don't understand (you talk about trouble of maintaining
the
On Wed, Nov 11, 2015 at 05:51:25PM +0100, Dag-Erling Smørgrav wrote:
> Bryan Drewery writes:
> > Another thing that I did with the port was restore the tcpwrapper
> > support that upstream removed. Again, if we decide it is not worth
> > keeping in base I will remove it as default in the port.
>
On Tue, Nov 10, 2015 at 11:59:30PM -0800, John-Mark Gurney wrote:
> Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800:
> > On Wednesday, 11 November 2015, Bryan Drewery wrote:
> >
> > > On 11/10/15 9:52 AM, John-Mark Gurney wrote:
> > > > My vote is to remove the HPN patches. Fir
On Tue, Nov 10, 2015 at 09:52:16AM -0800, John-Mark Gurney wrote:
> Dag-Erling Smørgrav wrote this message on Tue, Nov 10, 2015 at 10:42 +0100:
> > Therefore, I would like to remove the HPN patches from base and refer
> > anyone who really needs them to the openssh-portable port, which has
> > them
On Tue, Nov 10, 2015 at 10:42:49AM +0100, Dag-Erling Smørgrav wrote:
> Some of you may have noticed that OpenSSH in base is lagging far behind
> the upstream code.
>
> The main reason for this is the burden of maintaining the HPN patches.
> They are extensive, very intrusive, and touch parts of t
On Sat, Sep 19, 2015 at 12:10:36AM +0200, Dag-Erling Smorgrav wrote:
> Slawa Olhovchenkov writes:
> > freebsd-update builds are irreproducible because of the freebsd-update-server bug[s].
>
> freebsd-update will most likely be gone in 11.
What is planned
On Fri, Sep 18, 2015 at 02:49:01PM +0200, Dag-Erling Smorgrav wrote:
> grarpamp writes:
> > Not to mention the irreproducible builds / pkgs / ISO's.
>
> The base system build is 99% reproducible. ISOs should be reproducible
> as well, modulo timestamps.
freebsd-update builds are irreproducible
On Thu, Jul 23, 2015 at 02:33:31PM -0700, Xin Li wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> (Bcc'ed some unnamed patch authors so they can correct me if I was wrong
> ).
>
> On 07/23/15 13:48, Slawa Olhovchenkov wrote:
> > On Thu, Jul 23,
On Thu, Jul 23, 2015 at 12:29:57PM -0700, Xin Li wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 07/22/15 06:18, Slawa Olhovchenkov wrote:
> > On Wed, Jul 22, 2015 at 02:57:46AM +, FreeBSD Security
> > Advisories wrote:
> >
> > This is
On Wed, Jul 22, 2015 at 02:57:46AM +, FreeBSD Security Advisories wrote:
Does this correspond to kern/25986?
Or is kern/25986 a different bug?
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> =
> FreeBSD-SA-15
On Mon, May 18, 2015 at 08:42:54AM -0500, Mark Felder wrote:
> >
> > > Actually, that might be the reason -- Google search results. Perhaps
> > > Google is also logging what protocols/ciphers your HTTPS has and is
> > > using that in search rankings.
> >
> > You're seriously suggesting that t
On Mon, May 18, 2015 at 09:43:24AM +0200, pat...@patpro.net wrote:
> On 18 May 2015, at 09:05, Ian Smith wrote:
>
> >>
> >> Actually, that might be the reason -- Google search results. Perhaps
> >> Google is also logging what protocols/ciphers your HTTPS has and is
> >> using that in search ran
On Mon, Apr 27, 2015 at 03:12:43PM -0700, Ronald F. Guilmette wrote:
>
> In message ,
> Charles Swiger wrote:
>
> >On Apr 27, 2015, at 11:37 AM, Ronald F. Guilmette wrote:
> ...
> >> and/or whether FreeBSD provides any options which,
> >> for example, might automagically trigger a clo
On Tue, Mar 31, 2015 at 03:15:45PM +0200, Willem Jan Withagen wrote:
> On 31-3-2015 15:00, Slawa Olhovchenkov wrote:
>
> >> Check:
> >> man utempter_add_record
> >>
> >> If you want the old behaviour, you have to dig into the code, and DIY.
> >
On Tue, Mar 31, 2015 at 02:47:21PM +0200, Willem Jan Withagen wrote:
> On 31-3-2015 13:02, Slawa Olhovchenkov wrote:
> > On Tue, Mar 31, 2015 at 12:28:04PM +0200, Willem Jan Withagen wrote:
> >
> >>>> Slawa,
> >>>>
> >>>> I can
On Tue, Mar 31, 2015 at 12:28:04PM +0200, Willem Jan Withagen wrote:
> >> Slawa,
> >>
> >> I can't tell you that, but it is in r202209. And you can ask the one
> >> that removed it (ed@). :)
> >> Like r202209 says 5 years ago:
> >>Maybe we can address this in the future if it turns out to be a
On Tue, Mar 31, 2015 at 11:34:21AM +0200, Willem Jan Withagen wrote:
> On 31-3-2015 10:44, Slawa Olhovchenkov wrote:
> > On Tue, Mar 31, 2015 at 10:09:00AM +0200, Willem Jan Withagen wrote:
> >
> >> On 31-3-2015 05:44, Slawa Olhovchenkov wrote:
> >>> On M
On Tue, Mar 31, 2015 at 10:09:00AM +0200, Willem Jan Withagen wrote:
> On 31-3-2015 05:44, Slawa Olhovchenkov wrote:
> > On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov writes:
> >>
> >>> ftpd from FreeB
On Mon, Mar 30, 2015 at 08:08:49PM -0400, Lowell Gilbert wrote:
> Slawa Olhovchenkov writes:
>
> > ftpd from FreeBSD-10 and up doesn't record ftp logins to the utmpx database
> > (for the case of a chrooted login).
> > This is a lack of security information.
> > I found
ftpd from FreeBSD-10 and up doesn't record ftp logins to the utmpx database
(for the case of a chrooted login).
This is a lack of security information.
I found this was done by r202209 and r202604.
I can't understand the reason for this.
Can somebody explain?
On Thu, Mar 05, 2015 at 12:53:35PM +0100, Dag-Erling Smorgrav wrote:
> Slawa Olhovchenkov writes:
> > I see the same message for my setup (track -STABLE) for the base component.
>
> You can't run freebsd-update on a system that tracks -STABLE (i.e. is
> built from source).
On Tue, Mar 03, 2015 at 09:53:11AM +0100, Dag-Erling Smorgrav wrote:
> Slawa Olhovchenkov writes:
> > Do you plan to fix it?
>
> It's not a bug. Remove the src component from your freebsd-update.conf.
I see the same message for my setup (track -STABLE
On Tue, Feb 24, 2015 at 11:40:44PM -0800, Xin Li wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
>
>
> On 2/24/15 23:36, Bartek Rutkowski wrote:
> > Seems like freebsd-update is throwing some error:
> >
> > root@04-dev:~ # freebsd-update install Installing
> > updates...install: /
On Thu, Sep 25, 2014 at 03:35:55PM -0400, Chris Nehren wrote:
> On Thu, Sep 25, 2014 at 11:57:38 -0500, Bryan Drewery wrote:
> > 1. Do not ever link /bin/sh to bash. This is why it is such a big
> > problem on Linux, as system(3) will run bash by default from CGI.
>
> I would think that this woul
In the 10.x branch ftpd doesn't record successful logins into the login database
(/var/log/utx.log).
For example, in 9.x and earlier:
slwftpd localhost Thu Aug 14 19:47 - 19:47 (00:00)
Now I don't have such records.
What is the reason for removing this functionality?
FreeBSD 10.0-STABLE #5 r265949M: Tue May 13 19:52:37 MSK 2014
Jun 16 14:06:07 srv3 kernel: pid 95261 (sshd), uid 0: exited on signal 11
Jun 24 06:03:25 srv3 kernel: pid 59497 (sshd), uid 0: exited on signal 11
Jun 24 06:03:31 srv3 kernel: pid 59500 (sshd), uid 0: exited on signal 11
Jun 24 06:04:1
On Wed, Apr 30, 2014 at 01:48:41PM -0500, Kevin Day wrote:
> > Affects:All supported versions of FreeBSD.
> > Corrected: 2014-04-30 04:04:20 UTC (stable/8, 8.4-STABLE)
> > 2014-04-30 04:05:47 UTC (releng/8.4, 8.4-RELEASE-p9)
> > 2014-04-30 04:05:47 UTC
http://www.openssh.com/txt/gcmrekey.adv
2. Affected configurations
OpenSSH 6.2 and OpenSSH 6.3 when built against an OpenSSL
that supports AES-GCM.
On Fri, Sep 06, 2013 at 09:39:33AM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Now I found the next strange behaviour: for an account whose login
> > class is not found, sshd refuses GSSAPIAuthentication.
>
> Hmm, I think that's an upstream issue. Try aski
On Tue, Sep 03, 2013 at 04:16:06PM +0200, Dag-Erling Smørgrav wrote:
> Lev Serebryakov writes:
> > "Dag-Erling Smørgrav" writes:
> > > Actually, sshd already does most of this by farming PAM out to a
> > > child process.
> > And, IMHO, proper way to fix this bug is to fix it here, as "most of
On Tue, Sep 03, 2013 at 03:23:48PM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > The application does not need pam_krb5's temporary credential cache. It
> > > is only used internally. Single sign-o
On Tue, Sep 03, 2013 at 01:27:04PM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > Slawa Olhovchenkov writes:
> > > > And how, in this case, can one resolve the situation with PAM credentials
> > > > (Ke
On Tue, Sep 03, 2013 at 02:26:37PM +0400, Lev Serebryakov wrote:
> Hello, Dag-Erling.
> You wrote on 3 September 2013, 13:38:48:
>
> >> And how, in this case, can one resolve the situation with PAM credentials
> >> (Kerberos credentials in my case)?
> DES> The application does not need them.
> They ar
On Tue, Sep 03, 2013 at 11:38:48AM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > When I spoke of passing credentials, I meant process credentials, not
> > > the cached Kerberos credentials - which th
On Tue, Sep 03, 2013 at 11:31:09AM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > The proper solution would be an identification and authentication daemon
> > > with a well-designed RPC interface and
On Tue, Sep 03, 2013 at 09:51:35AM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > If in this scenario on step 4 instead of fork we do pthread_create, we don't
> > lose stored credentials and (I think) have a fully synchronized thread
> > (new thread only work
On Mon, Sep 02, 2013 at 07:36:57PM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Hmmm, now I try to compile sshd with UNSUPPORTED_POSIX_THREADS_HACK and
> > it works (/tmp/krb5cc_ created, kerberized login to other host
> > working w/o entering pas
On Fri, Aug 30, 2013 at 02:51:44PM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > Dag-Erling Smørgrav writes:
> > > PAM authentication in OpenSSH was broken for non-trivial cases when
> > > privilege separation was implemented. Fixing it p
On Fri, Aug 30, 2013 at 02:09:26PM +0400, Slawa Olhovchenkov wrote:
> On Fri, Aug 30, 2013 at 09:44:54AM +0200, Dag-Erling Smørgrav wrote:
>
> > Slawa Olhovchenkov writes:
> > > I am trying to set up single sign-on and found this is impossible due to
> > > a bug
On Fri, Aug 30, 2013 at 09:44:54AM +0200, Dag-Erling Smørgrav wrote:
> Slawa Olhovchenkov writes:
> > I am trying to set up single sign-on and found this is impossible due to
> > a bug in OpenSSH: currently sshd does pam_authenticate() and
> > pam_acct_mgmt() from the child process, b
On Thu, Aug 29, 2013 at 04:48:44AM +0400, Slawa Olhovchenkov wrote:
> I am trying to set up single sign-on and found this is impossible due to
> a bug in OpenSSH: currently sshd does pam_authenticate() and
> pam_acct_mgmt() from the child process, but pam_setcred() from the parent
> process.
I am trying to set up single sign-on and found this is impossible due to
a bug in OpenSSH: currently sshd does pam_authenticate() and
pam_acct_mgmt() from the child process, but pam_setcred() from the parent
process. pam_krb5 in pam_sm_setcred() requires information from
pam_sm_authenticate and can't work correctly
On Fri, Aug 23, 2013 at 12:37:32AM +0300, Konstantin Belousov wrote:
> On Thu, Aug 22, 2013 at 12:15:29PM -0700, Xin Li wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> >
> > Hi,
> >
> > Does anybody have concerns if I would commit this?
> >
> > Index: sys/fs/tmpfs/tmpfs_vfsops.c