From skreuzer at exit2shell.com Tue Apr 1 00:05:18 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Tue, 1 Apr 2008 00:05:18 -0400
Subject: [nycbug-talk] Kernel.org Downtime Notice
Message-ID: <20080401040518.GA93896@scruffy.exit2shell.com>

Just so everyone is aware, kernel.org is going to be offline tomorrow for a necessary upgrade. ;)

http://lkml.org/lkml/2008/3/31/367

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From matt at atopia.net Tue Apr 1 15:22:58 2008
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 1 Apr 2008 15:22:58 -0400 (EDT)
Subject: [nycbug-talk] New Server - IDE or SATA RAID?, 6.x or 7.x? (fwd)
Message-ID: <20080401152242.W65526@uranus.bitvenue.net>

Looking to launch a new server here shortly. I've had bad experience with SATA and FreeBSD in the past - primarily with some errors in dmesg that only seemed resolved when I swapped in a SATA raid controller (even though these were individual drives and not raid!).

Of course, this setup would be RAID 1 - but I'm wondering what the best way to go would be - SATA or IDE.

What are all of your experiences?

Also, as far as OS choice, are people moving to 7.x now for production boxes, or still sticking with the 6.x branch?

Thanks!

-Matt

From george at ceetonetechnology.com Tue Apr 1 16:01:28 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 01 Apr 2008 16:01:28 -0400
Subject: [nycbug-talk] New Server - IDE or SATA RAID?, 6.x or 7.x? (fwd)
In-Reply-To: <20080401152242.W65526@uranus.bitvenue.net>
References: <20080401152242.W65526@uranus.bitvenue.net>
Message-ID: <47F29498.6050408@ceetonetechnology.com>

Matt Juszczak wrote:
> Looking to launch a new server here shortly. I've had bad experience with SATA
> and FreeBSD in the past - primarily with some errors in dmesg that only seemed
> resolved when I swapped in a SATA raid controller (even though these were
> individual drives and not raid!).

From which controller to which? What types of errors?
>
> Of course, this setup would be RAID 1 - but I'm wondering what the best way to
> go would be - SATA or IDE.
>

Definitely 'no' on IDE. . . SATA without question.

I've used a lot more IDE RAID than I'd like to admit, since I end up salvaging hardware on occasions.

> What are all of your experiences?
>

Depends on the manufacturer. . .

Have used 3ware, highpoint, lsi, pseudo mb raids. . . end up using what's around as much as what I want to buy.

Look at the management tools available in /usr/ports/sysutils for the card. . .

But LSI is probably the best bet (mea culpa, nako :). . . sysutils/amrstat is pretty nice.

> Also, as far as OS choice, are people moving to 7.x now for production boxes,
> or still sticking with the 6.x branch?

I really look forward to moving with 7.x in production. . . but for now it's 6 stable. There's too many commits regularly with 7.x for my tastes, but ask Yarema tomorrow :)

George

From okan at demirmen.com Tue Apr 1 16:14:29 2008
From: okan at demirmen.com (Okan Demirmen)
Date: Tue, 1 Apr 2008 16:14:29 -0400
Subject: [nycbug-talk] New Server - IDE or SATA RAID?, 6.x or 7.x? (fwd)
In-Reply-To: <47F29498.6050408@ceetonetechnology.com>
References: <20080401152242.W65526@uranus.bitvenue.net> <47F29498.6050408@ceetonetechnology.com>
Message-ID: <20080401201429.GG313@clam.khaoz.org>

On Tue 2008.04.01 at 16:01 -0400, George Rosamond wrote:
> Matt Juszczak wrote:
> > Looking to launch a new server here shortly. I've had bad experience with SATA
> > and FreeBSD in the past - primarily with some errors in dmesg that only seemed
> > resolved when I swapped in a SATA raid controller (even though these were
> > individual drives and not raid!).
>
> From which controller to which? What types of errors?
>
> >
> > Of course, this setup would be RAID 1 - but I'm wondering what the best way to
> > go would be - SATA or IDE.
> >
>
> Definitely 'no' on IDE. . . SATA without question.
>
> I've used a lot more IDE RAID than I'd like to admit, since I end up
> salvaging hardware on occasions.
>
> > What are all of your experiences?
> >
>
> Depends on the manufacturer. . .
>
> Have used 3ware, highpoint, lsi, pseudo mb raids. . . end up using
> what's around as much as what I want to buy.
>
> Look at the management tools available in /usr/ports/sysutils for the
> card. . .
>
> But LSI is probably the best bet (mea culpa, nako :). . .
> sysutils/amrstat is pretty nice.

i suppose by poking me, you're expecting a response? :) well, i use a different OS and therefore have a set of choices based on raid management tools that are part of my OS of choice, and ports; i go on that information first...but we are not talking about my OS of choice.

back to the OP... why IDE? why SATA? use SCSI or SAS if you have real needs. "launching a server" describes no requirements for one to help decide the technology recommended or deployed. help us help you...

From george at ceetonetechnology.com Tue Apr 1 16:18:44 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 01 Apr 2008 16:18:44 -0400
Subject: [nycbug-talk] New Server - IDE or SATA RAID?, 6.x or 7.x? (fwd)
In-Reply-To: <20080401201429.GG313@clam.khaoz.org>
References: <20080401152242.W65526@uranus.bitvenue.net> <47F29498.6050408@ceetonetechnology.com> <20080401201429.GG313@clam.khaoz.org>
Message-ID: <47F298A4.90506@ceetonetechnology.com>

Okan Demirmen wrote:
> On Tue 2008.04.01 at 16:01 -0400, George Rosamond wrote:
>> Matt Juszczak wrote:
>>> Looking to launch a new server here shortly. I've had bad experience with SATA
>>> and FreeBSD in the past - primarily with some errors in dmesg that only seemed
>>> resolved when I swapped in a SATA raid controller (even though these were
>>> individual drives and not raid!).
>> From which controller to which? What types of errors?
>>
>>> Of course, this setup would be RAID 1 - but I'm wondering what the best way to
>>> go would be - SATA or IDE.
>>>
>> Definitely 'no' on IDE. . . SATA without question.
>>
>> I've used a lot more IDE RAID than I'd like to admit, since I end up
>> salvaging hardware on occasions.
>>
>>> What are all of your experiences?
>>>
>> Depends on the manufacturer. . .
>>
>> Have used 3ware, highpoint, lsi, pseudo mb raids. . . end up using
>> what's around as much as what I want to buy.
>>
>> Look at the management tools available in /usr/ports/sysutils for the
>> card. . .
>>
>> But LSI is probably the best bet (mea culpa, nako :). . .
>> sysutils/amrstat is pretty nice.
>
> i suppose by poking me, you're expecting a response? :) well, i use a
> different OS and therefore have a set of choices based on raid
> management tools that are part of my OS of choice, and ports; i go on
> that information first...but we are not talking about my OS of choice.
>

Poking at myself. . .

> back to the OP... why IDE? why SATA? use SCSI or SAS if you have real
> needs. "launching a server" describes no requirements for one to help
> decide the technology recommended or deployed. help us help you...

To go with SCSI or SAS over SATA or IDE should have gone without saying. . . but ditto to that.

But when it comes to cost, SATA ends up being a choice over SCSI/SAS. . .

George

From deep_blue at sebek.org Wed Apr 2 10:02:47 2008
From: deep_blue at sebek.org (deep_blue at sebek.org)
Date: Wed, 2 Apr 2008 07:02:47 -0700 (PDT)
Subject: [nycbug-talk] New Server - IDE or SATA RAID?, 6.x or 7.x? (fwd)
In-Reply-To: <20080401152242.W65526@uranus.bitvenue.net>
Message-ID: <38358.59987.qm@web406.biz.mail.mud.yahoo.com>

I have used the 3ware 9500 sata in raid 10 with FreeBSD 5-6.3 and the LSI Megaraid in raid 10 in OpenBSD. Never had any problems or performance issues with either.

Matt Juszczak wrote:
> Looking to launch a new server here shortly.
> I've had bad experience with SATA and FreeBSD in the past - primarily with some errors in dmesg that only seemed resolved when I swapped in a SATA raid controller (even though these were individual drives and not raid!).
>
> Of course, this setup would be RAID 1 - but I'm wondering what the best way to go would be - SATA or IDE.
>
> What are all of your experiences?
>
> Also, as far as OS choice, are people moving to 7.x now for production boxes, or still sticking with the 6.x branch?
>
> Thanks!
>
> -Matt

John

From vitaliy at gmail.com Wed Apr 2 23:13:41 2008
From: vitaliy at gmail.com (Vitaliy Gladkevitch)
Date: Wed, 2 Apr 2008 23:13:41 -0400
Subject: [nycbug-talk] BSDA Registration
Message-ID:

Hello,

Does anybody know if you must register on BSDCertification.org (https://register.bsdcertification.org//register/get-a-bsdcg-id ) in order to take the exam at the BSDCan/NYCBSDCon? Or can the information and payment be processed on the spot at the con?

- Vitaliy

From techneck at goldenpath.org Thu Apr 3 17:38:31 2008
From: techneck at goldenpath.org (Tim A.)
Date: Thu, 03 Apr 2008 17:38:31 -0400
Subject: [nycbug-talk] That crazy typedef
In-Reply-To: <47F298A4.90506@ceetonetechnology.com>
References: <20080401152242.W65526@uranus.bitvenue.net> <47F29498.6050408@ceetonetechnology.com> <20080401201429.GG313@clam.khaoz.org> <47F298A4.90506@ceetonetechnology.com>
Message-ID: <47F54E57.1070804@goldenpath.org>

We bounced this around a little last night.
First line of code presented in "Designing BSD Rootkits" (by Joseph Kong) is the prototype for the module event handler function as defined in the sys/module.h FreeBSD source header:

typedef int (*modeventhand_t) (module_t, int /* modeventtype_t */, void * );

At first it didn't make any sense. But I was, like, ok! there's only so much you can do with a typedef! Brushing up on my C recently, this just seemed a more complex kind of typedef than I'm used to. Checking the C Pocket Reference did not help, but as Marc pointed out K&R had the answer. Actually, a nearly identical example.

If I am now understanding it correctly, the statement creates the type modeventhand_t as a pointer to function returning int and taking three arguments (that inline comment threw me off at first).

Just thought I'd share that for anyone else who was curious about it. And, please, correct me if I'm wrong.

From dlavigne6 at sympatico.ca Fri Apr 4 07:29:59 2008
From: dlavigne6 at sympatico.ca (dlavigne6 at sympatico.ca)
Date: Fri, 04 Apr 2008 11:29:59 +0000
Subject: [nycbug-talk] BSDA Registration
In-Reply-To:
Message-ID:

>Hello,
>
>Does anybody know if you must register on BSDCertification.org
>(https://register.bsdcertification.org//register/get-a-bsdcg-id
>) in order to take the exam at the BSDCan/NYCBSDCon? Or can the
>information and payment be processed on the spot at the con?

Hi Vitaliy,

You should register online first.

Cheers,

Dru

From nikolai at fetissov.org Fri Apr 4 09:49:45 2008
From: nikolai at fetissov.org (nikolai)
Date: Fri, 4 Apr 2008 09:49:45 -0400 (EDT)
Subject: [nycbug-talk] Audio of April 2, 2008 meeting - NOT
Message-ID: <24264.204.153.88.2.1207316985.squirrel@www.geekisp.com>

Sorry folks, I hit some "technical difficulties" with my voice recorder. It's the second time I'm messing up audio of Yarema's presentation, so more embarrassing. My apologies.
--
Nikolai

From netmantej at gmail.com Sat Apr 5 21:29:37 2008
From: netmantej at gmail.com (tim jacques)
Date: Sat, 5 Apr 2008 21:29:37 -0400
Subject: [nycbug-talk] Lenovo Thinkcentre A61 ..
Message-ID: <1aa60f4d0804051829y347903ebx6adf7e8058e7b6ad@mail.gmail.com>

Good evening all.

Has anyone installed and run FreeBSD 6.x or 7.x (i386 or amd64) successfully on a Lenovo Thinkcentre A61 Athlon 64 x2...?? I have googled around and have not found much. I am considering one for my main workstation, but I do not have access to one to test with a FreeBSD boot cd.. Any thoughts would be appreciated..

Thank you..

--
Tim ..

From cthala at gmail.com Sun Apr 6 03:34:05 2008
From: cthala at gmail.com (C Thala)
Date: Sun, 6 Apr 2008 03:34:05 -0400
Subject: [nycbug-talk] local VPS provider?
Message-ID: <77647f500804060034y1ea14689nb67b571707d25824@mail.gmail.com>

ehlo,

Looking for a local VPS BSD provider. Need root, enough HDD space/RAM to use ports, and at least 1 public IP. This is for personal stuff, so I'm looking for something cheap, a little bit of webhosting, a bit of email and that's about it. No irc/warez/pr0n.

Currently thinking about rootbsd.net, the price is right over there (their cheap plan starts at $20/month), but I'm a little wary because they are only about 6 months old. I'd prefer to go with someone local, if anyone in the area does that sort of thing. NYI is a NYCBUG sponsor, but from looking at their website, I don't think they do VPS, only webhosting.

Recommendations appreciated.

From matt at atopia.net Tue Apr 8 00:15:34 2008
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 8 Apr 2008 00:15:34 -0400 (EDT)
Subject: [nycbug-talk] New Webserver
Message-ID: <20080408001154.N99600@mercury.atopia.net>

Hi all,

Been sick for a day or so so if my email sounds a bit choppy, sorry!

I'm about to setup (well, ok, I actually did just setup) a new webserver for my side ventures.
This server will have managed and self-managed webhosting.

In the past, I've never really chrooted and/or jailed processes - I have to do it once or twice per customer request, but never on my own boxes as a general security policy. I'm usually really good at keeping boxes patched and up to date, etc. But this box is going to have about 20 webhosting customers - both managed and unmanaged. Some of these users will of course be uploading their own content via SFTP or FTP, and for all I know the security of their PHP scripts, etc. may be "not so good".

What does everyone here usually do in securing those boxes? Do you usually setup jails/chroots for the webserver processes, etc., or do you rely on internal settings in things like php.ini to maintain security for your public webservers?

Thanks!

-Matt

From tekronis at gmail.com Tue Apr 8 00:59:31 2008
From: tekronis at gmail.com (H. G.)
Date: Tue, 8 Apr 2008 00:59:31 -0400
Subject: [nycbug-talk] New Webserver
In-Reply-To: <60131f920804072157h383e9d50p68072f61060496b9@mail.gmail.com>
References: <20080408001154.N99600@mercury.atopia.net> <60131f920804072157h383e9d50p68072f61060496b9@mail.gmail.com>
Message-ID: <60131f920804072159s3a455b0ejcc1fda7786d991ae@mail.gmail.com>

On 4/8/08, Matt Juszczak wrote:
>
> Hi all,
>
> Been sick for a day or so so if my email sounds a bit choppy, sorry!
>
> I'm about to setup (well, ok, I actually did just setup) a new webserver
> for my side ventures. This server will have managed and self-managed
> webhosting.
>
> In the past, I've never really chrooted and/or jailed processes - I have
> to do it once or twice per customer request, but never on my own boxes as
> a general security policy. I'm usually really good at keeping boxes
> patched and up to date, etc. But this box is going to have about 20
> webhosting customers - both managed and unmanaged.
> Some of these users
> will of course be uploading their own content via SFTP or FTP, and for all
> I know the security of their PHP scripts, etc. may be "not so good".
>
> What does everyone here usually do in securing those boxes? Do you
> usually setup jails/chroots for the webserver processes, etc., or do you
> rely on internal settings in things like php.ini to maintain security for
> your public webservers?
>
> Thanks!
>
> -Matt

I don't think you can rely on php.ini settings to provide you security. The very least I suggest is to at least be running several light web server processes with each as a separate low-priv user.

You could probably do well to use mount_nullfs + jails to create separate chroot jails that share the same /usr directories. You could create one master jail where you set up and install Apache/Lighttpd, PHP and whatever else you want. Then for each client jail, you make sure that it has a super minimal loadout (no binaries the client wouldn't ever need), and have a script to mount_nullfs read-only each /usr subdir in the master jail to the client jails, except for /usr/local/etc.

This way, you will only have to update software in your master jail. The updates will immediately propagate, since all the other jails are null-mounted to the same /usr directory. And you also ensure that none of the resources (shared stuff in /usr/local/share, libraries in /usr/lib, /usr/local/lib) can be tampered with since every client jail has these directories mounted read-only.

The client jails each have their own fstab, if I remember correctly. So your script can just make modifications to those. This is at least for FreeBSD 6.2, I doubt that it's changed for 7.0.

Perverse and probably over-complicated, but that setup has worked well for me in the past.

From techneck at goldenpath.org Wed Apr 9 12:57:56 2008
From: techneck at goldenpath.org (Tim A.)
Date: Wed, 09 Apr 2008 12:57:56 -0400
Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
Message-ID: <47FCF594.2090506@goldenpath.org>

I'm working through "Designing FreeBSD Rootkits" as a means of deepening my understanding of both FreeBSD and C. I'm understanding it well enough (I hope), examples all work, experimenting has worked. Up to hooking syscalls now.

There's this one part from the beginning though, concerning FreeBSD source from sys/module.h that I can't seem to wrap my head around and it's bothering me. Understanding it isn't essential to making things work. But, I feel like if I can just understand this, it's a personal breakthrough for me. It's probably some simple explanation that's right in front of my face but eluding me.

We had debated the meaning of the *modeventhand_t in discussion after the last meeting. And after closer examination I felt I understood it for the most part.

This question partly involves that line but more so the line immediately preceding it, which declares *module_t and how we see *module_t is used.

Using cscope, I could find no definition for the "struct module" structure. *module_t points to "struct module" (which is, apparently, undefined).

If I have to guess, I'd say the module structure then becomes defined by whatever we make module_t point to, so long as it's a structure.

Later in hello.c modeventhand_t is set to point to our event handler function "load". *modeventhand_t expects for its first argument (module_t), a pointer variable pointing to a structure type. but load expects for its first argument (struct module *module), a dereferenced pointer to a module structure that exists, but isn't defined?

What's really going on here? And, here's a good question: What *is* the first argument being passed to load in execution?

I didn't see source for kldload, but I guess I'll hit the KLD man page and maybe that will explain things more.
#######################################################################

#/sys/sys/module.h

...snip...

typedef struct module *module_t; /* Tim: Where is this module struct defined? */
typedef int (*modeventhand_t)(module_t, int /* modeventtype_t */, void *);

/*
 * Struct for registering modules statically via SYSINIT.
 */
typedef struct moduledata {
	const char	*name;		/* module name */
	modeventhand_t	evhand;		/* event handler */
	void		*priv;		/* extra data */
} moduledata_t;

...snip...

#./hello.c

...snip...
/* Event Handler */
static int
load(struct module *module, int cmd, void *arg)
{...snip...}

/* Module data structure, 2nd argument of DECLARE_MODULE */
static moduledata_t hello_mod = {
	"hello",
	load,
	NULL,
};

DECLARE_MODULE(hello, hello_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);

#######################################################################

From nikolai at fetissov.org Wed Apr 9 14:25:48 2008
From: nikolai at fetissov.org (nikolai)
Date: Wed, 9 Apr 2008 14:25:48 -0400 (EDT)
Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
In-Reply-To: <47FCF594.2090506@goldenpath.org>
References: <47FCF594.2090506@goldenpath.org>
Message-ID: <28515.204.153.88.2.1207765548.squirrel@www.geekisp.com>

> I'm working through "Designing FreeBSD Rootkits" as a means
> of deepening my understanding of both FreeBSD and C.
> I'm understanding it well enough (I hope), examples all work,
> experimenting has worked. Up to hooking syscalls now.
>
> There's this one part from the beginning though, concerning
> FreeBSD source from sys/module.h that I can't seem to wrap my head
> around and it's bothering me.
> Understanding it isn't essential to making things work.
> But, I feel like if I can just understand this, it's a personal break
> through for me. It's probably some simple explanation that's right
> in front of my face but eluding me.
>
> We had debated the meaning of the *modeventhand_t in discussion after
> the last meeting.
> And after closer examination I felt I understood it
> for the most part.
>
> This question partly involves that line but more so the line
> immediately preceding it, which declares *module_t and how we see
> *module_t is used.
>
> Using cscope, I could find no definition for the "struct module"
> structure.
> *module_t points to "struct module" (which is, apparently, undefined).
>
> If I have to guess, I'd say the module structure then becomes defined by
> whatever
> we make module_t point to, so long as it's a structure.
>
> Later in hello.c
> modeventhand_t is set to point to our event handler function "load".
> *modeventhand_t expects for its first argument (module_t), a pointer
> variable pointing to a structure type.
> but load expects for its first argument (struct module *module), a
> dereferenced pointer
> to a module structure that exists, but isn't defined?
>

You are wrong here - parameter declaration "struct module *module" means module here is a pointer (otherwise it would just be "struct module varname" - but people usually don't pass structures by value in C :)

> What's really going on here?
> And, here's a good question: What *is* the first argument being passed
> to load in execution?
>
> I didn't see source for kldload, but I guess I'll hit the KLD man page
> and maybe that will
> explain things more.
>
> #######################################################################
>
> #/sys/sys/module.h
>
> ...snip...
>
> typedef struct module *module_t; /* Tim: Where is this module struct
> defined? */
> typedef int (*modeventhand_t)(module_t, int /* modeventtype_t */, void *);
>
> /*
> * Struct for registering modules statically via SYSINIT.
> */
> typedef struct moduledata {
> const char *name; /* module name */
> modeventhand_t evhand; /* event handler */
> void *priv; /* extra data */
> } moduledata_t;
>
> ...snip...
>

I don't know what's actually being given to the function here, but suspect it's that "priv" thing above that is used as a pointer to "opaque" module-specific data structure that only your module would understand. I might be wrong.

Cheers,
--
Nikolai

> #./hello.c
>
> ...snip...
> /* Event Handler */
> static int
> load(struct module *module, int cmd, void *arg)
> {...snip...}
>
> /* Module data structure, 2nd argument of DECLARE_MODULE */
> static moduledata_t hello_mod = {
> "hello",
> load,
> NULL,
> };
>
> DECLARE_MODULE(hello, hello_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);
>
> #######################################################################

From nikolai at fetissov.org Wed Apr 9 14:42:12 2008
From: nikolai at fetissov.org (nikolai)
Date: Wed, 9 Apr 2008 14:42:12 -0400 (EDT)
Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
In-Reply-To: <28515.204.153.88.2.1207765548.squirrel@www.geekisp.com>
References: <47FCF594.2090506@goldenpath.org> <28515.204.153.88.2.1207765548.squirrel@www.geekisp.com>
Message-ID: <12613.204.153.88.2.1207766532.squirrel@www.geekisp.com>

>> I'm working through "Designing FreeBSD Rootkits" as a means
>> of deepening my understanding of both FreeBSD and C.
>> I'm understanding it well enough (I hope), examples all work,
>> experimenting has worked. Up to hooking syscalls now.
>>
>> There's this one part from the beginning though, concerning
>> FreeBSD source from sys/module.h that I can't seem to wrap my head
>> around and it's bothering me.
>> Understanding it isn't essential to making things work.
>> But, I feel like if I can just understand this, it's a personal break
>> through for me. It's probably some simple explanation that's right
>> in front of my face but eluding me.
>>
>> We had debated the meaning of the *modeventhand_t in discussion after
>> the last meeting. And after closer examination I felt I understood it
>> for the most part.
>>
>> This question partly involves that line but more so the line
>> immediately preceding it, which declares *module_t and how we see
>> *module_t is used.
>>
>> Using cscope, I could find no definition for the "struct module"
>> structure.
>> *module_t points to "struct module" (which is, apparently, undefined).
>>
>> If I have to guess, I'd say the module structure then becomes defined by
>> whatever
>> we make module_t point to, so long as it's a structure.
>>
>> Later in hello.c
>> modeventhand_t is set to point to our event handler function "load".
>> *modeventhand_t expects for its first argument (module_t), a pointer
>> variable pointing to a structure type.
>> but load expects for its first argument (struct module *module), a
>> dereferenced pointer
>> to a module structure that exists, but isn't defined?
>>
>
> You are wrong here - parameter declaration "struct module *module"
> means module here is a pointer (otherwise it would just be
> "struct module varname" - but people usually don't pass structures
> by value in C :)
>
>> What's really going on here?
>> And, here's a good question: What *is* the first argument being passed
>> to load in execution?
>>
>> I didn't see source for kldload, but I guess I'll hit the KLD man page
>> and maybe that will
>> explain things more.
>>
>> #######################################################################
>>
>> #/sys/sys/module.h
>>
>> ...snip...
>>
>> typedef struct module *module_t; /* Tim: Where is this module struct
>> defined? */
>> typedef int (*modeventhand_t)(module_t, int /* modeventtype_t */, void
>> *);
>>
>> /*
>> * Struct for registering modules statically via SYSINIT.
>> */
>> typedef struct moduledata {
>> const char *name; /* module name */
>> modeventhand_t evhand; /* event handler */
>> void *priv; /* extra data */
>> } moduledata_t;
>>
>> ...snip...
>>
>
> I don't know what's actually being given to the function
> here, but suspect it's that "priv" thing above that is used
> as a pointer to "opaque" module-specific data structure
> that only your module would understand. I might be wrong.
>
> Cheers,
> --
> Nikolai
>
>
>> #./hello.c
>>
>> ...snip...
>> /* Event Handler */
>> static int
>> load(struct module *module, int cmd, void *arg)
>> {...snip...}
>>
>> /* Module data structure, 2nd argument of DECLARE_MODULE */
>> static moduledata_t hello_mod = {
>> "hello",
>> load,
>> NULL,
>> };
>>
>> DECLARE_MODULE(hello, hello_mod, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);

Also, pointer to anything is still a pointer (4 or 8 byte thing). So it doesn't matter to a compiler if it knows the exact type when it sees pointer declaration (it does care when pointer is being dereferenced though.)

Here's a quick example to show this point (compiles on sparc/solaris with SunStudio11):

#include <stdio.h>

typedef struct booohaaa* booohaaa_t;          /* pointer to a struct that is never defined */
typedef int (*boo_f)( booohaaa_t, void* );    /* pointer to function taking that pointer */

int boo_ex( booohaaa_t p, void* ptr )
{
    printf( "boo_ex( %p, %p )\n", (void*)p, ptr );
    return 0;
}

int main( int argc, char* argv[] )
{
    boo_f func = boo_ex;

    /* the compiler never needs struct booohaaa's layout to pass the pointer along */
    (*func)( ( void* )0x0000ffff, ( void* )0xffff0000 );

    return 0;
}

Cheers,
--
Nikolai

From techneck at goldenpath.org Thu Apr 10 00:47:51 2008
From: techneck at goldenpath.org (Tim A.)
Date: Thu, 10 Apr 2008 00:47:51 -0400
Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
In-Reply-To: <12613.204.153.88.2.1207766532.squirrel@www.geekisp.com>
References: <47FCF594.2090506@goldenpath.org> <28515.204.153.88.2.1207765548.squirrel@www.geekisp.com> <12613.204.153.88.2.1207766532.squirrel@www.geekisp.com>
Message-ID: <47FD9BF7.1020307@goldenpath.org>

>>> Using cscope, I could find no definition for the "struct module"
>>> structure.
>>> *module_t points to "struct module" (which is, apparently, undefined).
>>>
>>> If I have to guess, I'd say the module structure then becomes defined by
>>> whatever
>>> we make module_t point to, so long as it's a structure.
>>>
>>> Later in hello.c
>>> modeventhand_t is set to point to our event handler function "load".
>>> *modeventhand_t expects for its first argument (module_t), a pointer
>>> variable pointing to a structure type.
>>> but load expects for its first argument (struct module *module), a
>>> dereferenced pointer
>>> to a module structure that exists, but isn't defined?
>>>
>>>
>> You are wrong here - parameter declaration "struct module *module"
>> means module here is a pointer (otherwise it would just be
>> "struct module varname" - but people usually don't pass structures
>> by value in C :)
>>
>>
>>> What's really going on here?
>>> And, here's a good question: What *is* the first argument being passed
>>> to load in execution?
>>>
>>> I didn't see source for kldload, but I guess I'll hit the KLD man page
>>> and maybe that will
>>> explain things more.
>>>
>>> #######################################################################
>>>
>>> #/sys/sys/module.h
>>>
>>> ...snip...
>>>
>>> typedef struct module *module_t; /* Tim: Where is this module struct
>>> defined? */
>>> typedef int (*modeventhand_t)(module_t, int /* modeventtype_t */, void
>>> *);
>>>
>>> /*
>>> * Struct for registering modules statically via SYSINIT.
>>> */
>>> typedef struct moduledata {
>>> const char *name; /* module name */
>>> modeventhand_t evhand; /* event handler */
>>> void *priv; /* extra data */
>>> } moduledata_t;
>>>
>>> ...snip...
>>>
>>>
>> I don't know what's actually being given to the function
>> here, but suspect it's that "priv" thing above that is used
>> as a pointer to "opaque" module-specific data structure
>> that only your module would understand. I might be wrong.
>>
>>

No, the *priv pointer is useless here. NULL in the hello module. Unused extra data place holder.

At some point, something is calling the event handler, in my module called "load" (evhand in the moduledata struct definition), or it's calling *modeventhand_t which is made to point to load in moduledata_t. If I'm understanding the process, SYSINIT is what's doing the work. At some point one of its subroutines is calling on "load", and I'd like to know what is the first argument. If I'm guessing right, it is what defines the "struct module" structure, if "defines" is the right terminology here. As you point out, it's not defining it, but just redirecting the pointer.

Digging around I found plenty of complicated stuff, but not anything that explains it.. Thinking "let's look at kldload", best I came up with is:

...snip...
struct kldload_args {
	char file_l_[PADL_(const char *)]; const char * file; char file_r_[PADR_(const char *)];
...snip....
int	kldload(struct thread *, struct kldload_args *);
...snip....

But, that kldload_args struct has some weird [] stuff going on. I looked up the PADL symbols, but that just raises more questions.

> #include <stdio.h>
>
> typedef struct booohaaa* booohaaa_t;
> typedef int (*boo_f)( booohaaa_t, void* );
>
> int boo_ex( booohaaa_t p, void* ptr )
> {
> printf( "boo_ex( %p, %p )\n", p, ptr );
> }
>
> int main( int argc, char* argv[] )
> {
> boo_f func = boo_ex;
>
> (*func)( ( void* )0x0000ffff, ( void* )0xffff0000 );
>
> return 0;
> }
>

Great example summary.
Other than your breakage example, in comparison, I'm essentially trying to find the equivalent part in my scenario as your ( void* )0x0000ffff in that booohaaa_t points to it. But my scenario ends at the boo_ex declaration, and actually in better comparision, boo_ex would be: int boo_ex( struct booohaaa *booohaaa_t, void *ptr) But, of course, you're passing the memory address? That's kind of weird how you're doing that. From techneck at goldenpath.org Thu Apr 10 00:55:20 2008 From: techneck at goldenpath.org (Tim A.) Date: Thu, 10 Apr 2008 00:55:20 -0400 Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t In-Reply-To: <12613.204.153.88.2.1207766532.squirrel@www.geekisp.com> References: <47FCF594.2090506@goldenpath.org> <28515.204.153.88.2.1207765548.squirrel@www.geekisp.com> <12613.204.153.88.2.1207766532.squirrel@www.geekisp.com> Message-ID: <47FD9DB8.5030100@goldenpath.org> >>> Using cscope, I could find no definition for the "struct module" >>> structure. >>> *module_t points to "struct module" (which is, apparently, undefined). >>> >>> If I have to guess, I'd say the module structure then becomes defined by >>> whatever >>> we make module_t point to, so long as it's a structure. >>> >>> Later in hello.c >>> modeventhand_t is set to point to our event handler function "load". >>> *modeventhand_t expects for it's first argument (module_t), a pointer >>> variable pointing to a structure type. >>> but load expects for it's first argument (struct module *module), a >>> dereferrenced pointer >>> to a module structure that exists, but isn't defined? >>> >>> >> You are wrong here - parameter declaration "struct module *module" >> means module here is a pointer (otherwise it would just be >> "struct module varname" - but people usually don't pass structures >> by value in C :) Woops! Yep, pretty obvious mistake in my reading. It's confusing enough as it is. I ought not to be confusing myself on top of it. 
I guess you C pros do this pointer magic as naturally as breathing :)

From mspitzer at gmail.com  Thu Apr 10 08:21:28 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Thu, 10 Apr 2008 08:21:28 -0400
Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
In-Reply-To: <47FD9BF7.1020307@goldenpath.org>
References: <47FCF594.2090506@goldenpath.org>
	<28515.204.153.88.2.1207765548.squirrel@www.geekisp.com>
	<12613.204.153.88.2.1207766532.squirrel@www.geekisp.com>
	<47FD9BF7.1020307@goldenpath.org>
Message-ID: <8c50a3c30804100521i156767d5ob9f76b30674c0d00@mail.gmail.com>

[snip]

one point, I do not think the kernel include files are stored in
/usr/include so cscope may not have them indexed.

marc

-- 
Freedom is nothing but a chance to be better.
Albert Camus

From techneck at goldenpath.org  Thu Apr 10 09:35:58 2008
From: techneck at goldenpath.org (Tim A.)
Date: Thu, 10 Apr 2008 09:35:58 -0400
Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
In-Reply-To: <8c50a3c30804100521i156767d5ob9f76b30674c0d00@mail.gmail.com>
References: <47FCF594.2090506@goldenpath.org>
	<28515.204.153.88.2.1207765548.squirrel@www.geekisp.com>
	<12613.204.153.88.2.1207766532.squirrel@www.geekisp.com>
	<47FD9BF7.1020307@goldenpath.org>
	<8c50a3c30804100521i156767d5ob9f76b30674c0d00@mail.gmail.com>
Message-ID: <47FE17BE.3030001@goldenpath.org>

> [snip]
>
> one point, I do not think the kernel include files are stored in
> /usr/include so cscope may not have them indexed.
>
> marc
>

diff -r /usr/src/sys/sys /usr/include/sys
Only in /usr/src/sys/sys: cscope.out
Only in /usr/src/sys/sys: syscall.mk

Besides, when I'm doing an "exhaustive" search, I'm just running cscope
in /sys/sys which should be including anywhere it could be, no? Then
look for anything related to what I'm looking for and take my clues
from there.
But what you're saying is that, where each of those files under /sys/sys
have #include (for example) when cscope runs, it's checking those
#include statements in /usr/include/sys, not /sys/sys as I might be
tempted to think, yes?

From nikolai at fetissov.org  Thu Apr 10 10:43:52 2008
From: nikolai at fetissov.org (nikolai)
Date: Thu, 10 Apr 2008 10:43:52 -0400 (EDT)
Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
In-Reply-To: <47FD9BF7.1020307@goldenpath.org>
References: <47FCF594.2090506@goldenpath.org>
	<28515.204.153.88.2.1207765548.squirrel@www.geekisp.com>
	<12613.204.153.88.2.1207766532.squirrel@www.geekisp.com>
	<47FD9BF7.1020307@goldenpath.org>
Message-ID: <38058.204.153.88.2.1207838632.squirrel@www.geekisp.com>

>
>>>> Using cscope, I could find no definition for the "struct module"
>>>> structure.
>>>> *module_t points to "struct module" (which is, apparently, undefined).
>>>>
>>>> If I have to guess, I'd say the module structure then becomes defined
>>>> by whatever we make module_t point to, so long as it's a structure.
>>>>
>>>> Later in hello.c
>>>> modeventhand_t is set to point to our event handler function "load".
>>>> *modeventhand_t expects for its first argument (module_t), a pointer
>>>> variable pointing to a structure type.
>>>> but load expects for its first argument (struct module *module), a
>>>> dereferenced pointer to a module structure that exists, but isn't defined?
>>>>
>>> You are wrong here - parameter declaration "struct module *module"
>>> means module here is a pointer (otherwise it would just be
>>> "struct module varname" - but people usually don't pass structures
>>> by value in C :)
>>>
>>>> What's really going on here?
>>>> And, here's a good question: What *is* the first argument being passed
>>>> to load in execution?
>>>>
>>>> I didn't see source for kldload, but I guess I'll hit the KLD man page
>>>> and maybe that will explain things more.
>>>>
>>>> #######################################################################
>>>>
>>>> #/sys/sys/module.h
>>>>
>>>> ...snip...
>>>>
>>>> typedef struct module *module_t;	/* Tim: Where is this module struct defined? */
>>>> typedef int (*modeventhand_t)(module_t, int /* modeventtype_t */, void *);
>>>>
>>>> /*
>>>>  * Struct for registering modules statically via SYSINIT.
>>>>  */
>>>> typedef struct moduledata {
>>>> 	const char	*name;		/* module name */
>>>> 	modeventhand_t	evhand;		/* event handler */
>>>> 	void		*priv;		/* extra data */
>>>> } moduledata_t;
>>>>
>>>> ...snip...
>>>>
>>> I don't know what's actually being given to the function
>>> here, but suspect it's that "priv" thing above that is used
>>> as a pointer to "opaque" module-specific data structure
>>> that only your module would understand. I might be wrong.
>>>
> No the *priv pointer is useless here. NULL in the hello module. Unused
> extra data place holder.
>
> At some point, something is calling the event handler, in my module
> called "load" (evhand in the moduledata struct definition), or it's
> calling *modeventhand_t which is made to point to load in moduledata_t.
>
> If I'm understanding the process, SYSINIT is what's doing the work.
> At some point one of its subroutines is calling on "load", and I'd like
> to know what is the first argument.
> If I'm guessing right, it is what defines the "struct module" structure,
> if "defines" is the right terminology here.
> As you point out, it's not defining it, but just redirecting the pointer.
>

Tim,

I think the easiest way to find out what's passed as that first
argument is to find an existing working module in the source tree and
try to figure out what it gets there and what it does with it.

Some random pointers:

There's got to be a table/list/hash of module pointers somewhere there,
most probably dynamically allocated.
Kernel linker needs to know about modules being loaded - its duty is
to parse elf, map the segments, and fixup references.

Fun and Games with FreeBSD Kernel Modules (old):
http://packetstormsecurity.org/papers/unix/fbsdfun.htm

Dynamic Kernel Linker (KLD) Facility Programming Tutorial [Intro]
http://rlz.cl/books/Books/BSD/blueprints.html

I think the second one actually explains that module_t business.

Cheers,
-- 
Nikolai

> Digging around I found plenty of complicated stuff, but not anything
> that explains it..
> Thinking "let's look at kldload", best I came up with is:
>
> ...snip...
> struct kldload_args {
> 	char file_l_[PADL_(const char *)]; const char * file; char file_r_[PADR_(const char *)];
> ...snip....
> int	kldload(struct thread *, struct kldload_args *);
> ...snip....
>
> But, that kldload_args struct has some weird [] stuff going on. I looked
> up the PADL symbols, but that just raises more questions.
>

This is not complicated once you get the idea of separate pre-processing
(macros) and compilation :)

From techneck at goldenpath.org  Thu Apr 10 11:06:04 2008
From: techneck at goldenpath.org (Tim A.)
Date: Thu, 10 Apr 2008 11:06:04 -0400
Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
In-Reply-To: <38058.204.153.88.2.1207838632.squirrel@www.geekisp.com>
References: <47FCF594.2090506@goldenpath.org>
	<28515.204.153.88.2.1207765548.squirrel@www.geekisp.com>
	<12613.204.153.88.2.1207766532.squirrel@www.geekisp.com>
	<47FD9BF7.1020307@goldenpath.org>
	<38058.204.153.88.2.1207838632.squirrel@www.geekisp.com>
Message-ID: <47FE2CDC.2080905@goldenpath.org>

> Dynamic Kernel Linker (KLD) Facility Programming Tutorial [Intro]
> http://rlz.cl/books/Books/BSD/blueprints.html
>
> I think the second one actually explains that module_t business.

Yes, thank you. That one drops a big hint:

The 'module_t mod' structure is just a pointer to the module structure.
This structure is part of a linked list of currently loaded modules.
It contains links to the other modules loaded, KLD ID number and other
such useful information.

I'd still like to be able to find where that linked list is defined.

I guess I'll just keep reading Rootkits. Considering that hint, I'll
guess it's addressed later when he starts hiding things.

From nikolai at fetissov.org  Thu Apr 10 11:23:51 2008
From: nikolai at fetissov.org (nikolai)
Date: Thu, 10 Apr 2008 11:23:51 -0400 (EDT)
Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
In-Reply-To: <47FE2CDC.2080905@goldenpath.org>
References: <47FCF594.2090506@goldenpath.org>
	<28515.204.153.88.2.1207765548.squirrel@www.geekisp.com>
	<12613.204.153.88.2.1207766532.squirrel@www.geekisp.com>
	<47FD9BF7.1020307@goldenpath.org>
	<38058.204.153.88.2.1207838632.squirrel@www.geekisp.com>
	<47FE2CDC.2080905@goldenpath.org>
Message-ID: <43860.204.153.88.2.1207841031.squirrel@www.geekisp.com>

>
>> Dynamic Kernel Linker (KLD) Facility Programming Tutorial [Intro]
>> http://rlz.cl/books/Books/BSD/blueprints.html
>>
>> I think the second one actually explains that module_t business.
>
> Yes, thank you. That one drops a big hint:
>
> The 'module_t mod' structure is just a pointer to the module structure.
> This structure is part of a linked list of currently loaded modules. It
> contains links to the other modules loaded, KLD ID number and other such
> useful information.
>
>
> I'd still like to be able to find where that linked list is defined.
>
> I guess I'll just keep reading Rootkits. Considering that hint, I'll
> guess it's addressed later when he starts hiding things.

Tim,

Just one suggestion if I may - try reading the kernel source (also).
That would probably give you more insight into how modules work
than a reference on how to rootkit them :)

As for the module list, I think here it is in
sys/kern/kern_module.c:

...
typedef TAILQ_HEAD(, module) modulelist_t;
struct module {
	TAILQ_ENTRY(module)	link;		/* chain together all modules */
	TAILQ_ENTRY(module)	flink;		/* all modules in a file */
	struct linker_file	*file;		/* file which contains this module */
	int			refs;		/* reference count */
	int			id;		/* unique id number */
	char			*name;		/* module name */
	modeventhand_t		handler;	/* event handler */
	void			*arg;		/* argument for handler */
	modspecific_t		data;		/* module specific data */
};
...

Cheers,
-- 
Nikolai

From techneck at goldenpath.org  Thu Apr 10 12:43:48 2008
From: techneck at goldenpath.org (Tim A.)
Date: Thu, 10 Apr 2008 12:43:48 -0400
Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
In-Reply-To: <43860.204.153.88.2.1207841031.squirrel@www.geekisp.com>
References: <47FCF594.2090506@goldenpath.org>
	<28515.204.153.88.2.1207765548.squirrel@www.geekisp.com>
	<12613.204.153.88.2.1207766532.squirrel@www.geekisp.com>
	<47FD9BF7.1020307@goldenpath.org>
	<38058.204.153.88.2.1207838632.squirrel@www.geekisp.com>
	<47FE2CDC.2080905@goldenpath.org>
	<43860.204.153.88.2.1207841031.squirrel@www.geekisp.com>
Message-ID: <47FE43C4.9080000@goldenpath.org>

>>> Dynamic Kernel Linker (KLD) Facility Programming Tutorial [Intro]
>>> http://rlz.cl/books/Books/BSD/blueprints.html
>>>
>>> I think the second one actually explains that module_t business.
>>>
>> Yes, thank you. That one drops a big hint:
>>
>> The 'module_t mod' structure is just a pointer to the module structure.
>> This structure is part of a linked list of currently loaded modules. It
>> contains links to the other modules loaded, KLD ID number and other such
>> useful information.
>>
>>
>> I'd still like to be able to find where that linked list is defined.
>>
>> I guess I'll just keep reading Rootkits. Considering that hint, I'll
>> guess it's addressed later when he starts hiding things.
>>
>
> Tim,
>
> Just one suggestion if I may - try reading the kernel source (also).
> That would probably give you more insight into how modules work
> than a reference on how to rootkit them :)
>

Very true. But I've been walking around beating myself up with this
"Design & Implementation" book for so long it's depressing.
Browsing sys/kern without any particular (or some obscure) purpose has
thoroughly boggled my brain and put me to sleep on numerous occasions.
I *want* to understand it, but I think what I've been needing is a
lower / more defined point of entry. "Rootkits" has been excellent for
that. An exciting sort of taboo allure, with very well defined, fairly
simple objectives with an intimate exposure to (what I'm guessing to
be) some of the most significant aspects of the system internals.

> As for the module list, I think here it is in
> sys/kern/kern_module.c:
>
> ...
> typedef TAILQ_HEAD(, module) modulelist_t;
> struct module {
> 	TAILQ_ENTRY(module)	link;		/* chain together all modules */
> 	TAILQ_ENTRY(module)	flink;		/* all modules in a file */
> 	struct linker_file	*file;		/* file which contains this module */
> 	int			refs;		/* reference count */
> 	int			id;		/* unique id number */
> 	char			*name;		/* module name */
> 	modeventhand_t		handler;	/* event handler */
> 	void			*arg;		/* argument for handler */
> 	modspecific_t		data;		/* module specific data */
> };
> ...
>

That is exactly what I was looking for.
Thank you, so much! I owe you dinner :)

I thought for sure it would have turned up in cscope by searching the
headers.

From techneck at goldenpath.org  Thu Apr 10 13:05:27 2008
From: techneck at goldenpath.org (Tim A.)
Date: Thu, 10 Apr 2008 13:05:27 -0400
Subject: [nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
In-Reply-To: <47FE43C4.9080000@goldenpath.org>
References: <47FCF594.2090506@goldenpath.org>
	<28515.204.153.88.2.1207765548.squirrel@www.geekisp.com>
	<12613.204.153.88.2.1207766532.squirrel@www.geekisp.com>
	<47FD9BF7.1020307@goldenpath.org>
	<38058.204.153.88.2.1207838632.squirrel@www.geekisp.com>
	<47FE2CDC.2080905@goldenpath.org>
	<43860.204.153.88.2.1207841031.squirrel@www.geekisp.com>
	<47FE43C4.9080000@goldenpath.org>
Message-ID: <47FE48D7.9030005@goldenpath.org>

>> As for the module list, I think here it is in
>> sys/kern/kern_module.c:
>>
>> ...
>> typedef TAILQ_HEAD(, module) modulelist_t;
>> struct module {
>> 	TAILQ_ENTRY(module)	link;		/* chain together all modules */
>> 	TAILQ_ENTRY(module)	flink;		/* all modules in a file */
>> 	struct linker_file	*file;		/* file which contains this module */
>> 	int			refs;		/* reference count */
>> 	int			id;		/* unique id number */
>> 	char			*name;		/* module name */
>> 	modeventhand_t		handler;	/* event handler */
>> 	void			*arg;		/* argument for handler */
>> 	modspecific_t		data;		/* module specific data */
>> };
>> ...
>>
>
> That is exactly what I was looking for.
> Thank you, so much! I owe you dinner :)
>
> I thought for sure it would have turned up in cscope by searching the
> headers.

In retrospect, I probably should have just grepped /sys/ for "struct module {"
Silly me. Playing around with cscope so much (which I'm loving by the
way), I neglected the obvious.

From mspitzer at gmail.com  Thu Apr 10 22:50:50 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Thu, 10 Apr 2008 22:50:50 -0400
Subject: [nycbug-talk] wayy off topic and funny yet offensive
Message-ID: <8c50a3c30804101950n27e330e5r9add4ac9d128825e@mail.gmail.com>

http://www.justsayhi.com/bb/fight5

I got 33 before they dragged me down

marc

-- 
Freedom is nothing but a chance to be better.
Albert Camus

From lists at kithalsted.com  Thu Apr 10 23:18:43 2008
From: lists at kithalsted.com (Kit Halsted)
Date: Thu, 10 Apr 2008 23:18:43 -0400
Subject: [nycbug-talk] wayy off topic and funny yet offensive
In-Reply-To: <8c50a3c30804101950n27e330e5r9add4ac9d128825e@mail.gmail.com>
References: <8c50a3c30804101950n27e330e5r9add4ac9d128825e@mail.gmail.com>
Message-ID:

Wow. I could only take 25 5-year-olds. How depressing.

Fortunately, finding out my corpse is worth almost as much as my
motorcycle made me feel strangely better. Briefly.

http://www.justsayhi.com/bb/cadaver

Cheers,
-Kit

At 10:50 PM -0400 4/10/08, Marc Spitzer wrote:
>http://www.justsayhi.com/bb/fight5
>
>I got 33 before they dragged me down
>
>marc
>--
>Freedom is nothing but a chance to be better.
>Albert Camus

-- 
Kit Halsted
Computers & Networking
917-903-9438
kit at kithalsted.com

From lists at kithalsted.com  Thu Apr 10 23:28:06 2008
From: lists at kithalsted.com (Kit Halsted)
Date: Thu, 10 Apr 2008 23:28:06 -0400
Subject: [nycbug-talk] On-topic server questions
Message-ID:

So, my last off-topic post reminded me that maybe y'all would be good
people to ask: what's everybody doing for email stuff lately?

I'm a weensy bit overdue for some upgrades, & I'm starting to think
this newfangled webmail might come in handy once in a while. Also,
now that HD capacity has hit 1TB, IMAP may finally become useful for
me.

Seriously, I'm looking at putting together an OpenBSD-stable system,
probably with qmail & vpopmail 'cause I'm used to them. Anybody know
which webmail & IMAP projects play nice with that setup? Have things
changed enough in the last year or so that I should consider a
different base setup?

Thanks,
-Kit

-- 
Kit Halsted
Computers & Networking
917-903-9438
kit at kithalsted.com

From tillman at seekingfire.com  Fri Apr 11 10:46:01 2008
From: tillman at seekingfire.com (Tillman Hodgson)
Date: Fri, 11 Apr 2008 08:46:01 -0600
Subject: [nycbug-talk] On-topic server questions
In-Reply-To:
References:
Message-ID: <20080411144601.GD43564@seekingfire.com>

On Thu, Apr 10, 2008 at 11:28:06PM -0400, Kit Halsted wrote:
> So, my last off-topic post reminded me that maybe y'all would be good
> people to ask: what's everybody doing for email stuff lately?
>
> I'm a weensy bit overdue for some upgrades, & I'm starting to think
> this newfangled webmail might come in handy once in a while. Also,
> now that HD capacity has hit 1TB, IMAP may finally become useful for
> me.

I'm using mutt (with /lots/ of config tweaking to make it do what I
want) around 95% of the time. It's served off of a set of around 20
Maildirs (sitting on an Infrant NAS) that courier-imapd also serves
out as folders, so that I can access it via Mail on my OS X laptop,
via my ipod touch, and via squirrelmail (which I've used maybe twice).

I tried to switch over to roundcube recently but failed to get the
sqlite db version working on NetBSD, despite that being one of the
default pkgsrc options. For 1 user, a real DB is too heavyweight. So
... back to squirrelmail as a backup that I rarely use.

I'm told that I should look at Dovecot for imap instead, but I'm lazy
and my setup is already working ;-)

-T

-- 
There is no reality -- only our own order imposed on everything.
    - Basic Bene Gesserit Dictum

From carton at Ivy.NET  Fri Apr 11 12:43:09 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Fri, 11 Apr 2008 12:43:09 -0400
Subject: [nycbug-talk] On-topic server questions
In-Reply-To: (Kit Halsted's message of "Thu, 10 Apr 2008 23:28:06 -0400")
References:
Message-ID:

>>>>> "kh" == Kit Halsted writes:

    kh> what's everybody doing for email stuff lately?

dovecot at home. I also am using dovecot for Outlook -> Mac OS Mail
migrations. It's a tiny program using ordinary Maildir for storage.
I ran it on OpenBSD to move the first guy's mail, but after
downloading Apple's XCode and NetBSD's pkgsrc it only took me an hour
of work to get dovecot running on Mac OS.

the sun java communications suite at work. I inherited it and haven't
dug into it much yet. It's big with LDAP and Java and even a Jabber
server in there, and it is unfree. It is $0, but does not come with
complete source---it is only possible to brand some of the webmail
pages, not to modify the Java servlets that access the message store.
The size is annoying. I can't recommend any mail system that doesn't
come with source code, because mail is far too simple an application
to have any excuse for that kind of nonsense. but I think maybe the
performance is really good, and it is webmail that is not PHP which I
like because of PHP security and quality problems.

From techneck at goldenpath.org  Mon Apr 14 11:12:55 2008
From: techneck at goldenpath.org (Tim A.)
Date: Mon, 14 Apr 2008 11:12:55 -0400
Subject: [nycbug-talk] Student's / College's Interest in NYCBUG / NYBSDCon '08
Message-ID: <48037477.9040208@goldenpath.org>

I attended the first NYBSDCon while a student at BMCC in 2005. At the
time, it was the first conference of its kind I had attended. (Of
course, it turned me on to many more.) It was an inspiring and
excellent educational experience and a great opportunity to meet other
like-minded BSD aficionados spanning the gamut from new users and home
sysadmins to hard-core developer gurus and kernel hackers, and some of
my favorite authors.
Since then, my continued association with NYCBUG has been the most
persistent and valuable influence on my personal and professional
interests as they relate (not only to BSD, but on a wider basis) to IT,
not to mention a thoroughly enjoyable experience.

One thing I've often regretted is the lack of involvement by more
students, then and now. Sure, we get the occasional Columbia grad
student doing their Thesis project and that's always welcome--good
stuff. However, coming from a working-class community college
background, I can't help but think it a tragedy that the students who
could most use this sort of influence are the furthest from it.

With that in mind, and with George's encouragement, I'm reaching out to
BMCC this year to help raise awareness of NYCBUG in general and the
upcoming NYBSDCon '08 in particular.

We would also like to invite anyone on list having an interest in or
contacts at any of CUNY's or other college campuses throughout the city
to get involved in helping to promote awareness among faculty, staff
and students of the upcoming NYBSDCon '08.

~Tim

From techneck at goldenpath.org  Tue Apr 15 10:43:49 2008
From: techneck at goldenpath.org (Tim A.)
Date: Tue, 15 Apr 2008 10:43:49 -0400
Subject: [nycbug-talk] Student's / College's Interest in NYCBUG / NYBSDCon '08
In-Reply-To:
References:
Message-ID: <4804BF25.8070604@goldenpath.org>

> I'm delighted that you are doing this, I'm a sysadmin at Baruch College and
> I think you are absolutely right about the working class community college
> students. It's those very students I try to hire as part-time sysadmins. It
> would be hard pressed to find any FreeBSD/Linux students at Baruch, but count
> me in on spreading the word. My colleague tried to host NYCBSDCon here, but
> it was a hard sell.

I don't think it's fair to expect to find "FreeBSD/Linux students" in
abundance. Usually, it's something specific someone wants to accomplish
that leads them to experiment with it.
For example, I initially wanted to learn how to use my old computer as
a general purpose server for web / mail / ftp. I downloaded and
installed FreeBSD and started playing around. From there, the sky's
the limit.
In general, you have a mix of (probably pretty confused) people with
only a vague idea of something trivial (but new and exciting to them)
that they want to do.

Building a lasting awareness and appreciation for the BSDs on campuses,
I think, is not an effort focused on students so much as on faculty,
the administration, and curriculum... permanent / long-term fixtures.
While it may be the student body you want to reach, focusing your
efforts there is largely wasted due to the nature of your audience and
its frequent turnover.
It's not something we can reasonably expect to accomplish over the
course of a semester or two by posting some fliers. The focus has to
be on building lasting relationships, expanding the user base and
knowledge sharing.

I've also shifted focus in attitude. While in college, I did the "hard
sell" approach to the max, and frankly it's counterproductive. It
implies we have some hidden motive, some personal gain. Honestly, it's
"take it or leave it". From an academic perspective, for example, I
think the value of http://www.freebsd.org/doc/ speaks for itself. And
if who I'm talking to can't see that, I'm probably talking to the wrong
person.

From mspitzer at gmail.com  Tue Apr 15 14:29:19 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Tue, 15 Apr 2008 14:29:19 -0400
Subject: [nycbug-talk] printer recommendations?
Message-ID: <8c50a3c30804151129k11fde1b0jd05266ea528e725c@mail.gmail.com>

Well the list has been quiet so what the hell.

I am looking for a printer for home use, here is my hit list:

1: laser
2: monochrome
3: network ready
4: duplex
5: can handle envelopes and other odd stock
6: cost new under $300

I am looking for something like the lexmark 250dn, but that seems to
be getting harder to find. I also want fairly good toner life as I do
tend to print books on occasion. SAMSUNG ML series ML-3051ND, from
newegg also seems to fit the bill.

So what do you think?

marc

-- 
Freedom is nothing but a chance to be better.
Albert Camus

From josh at rivels.org  Tue Apr 15 21:49:14 2008
From: josh at rivels.org (Josh Rivel)
Date: Tue, 15 Apr 2008 21:49:14 -0400
Subject: [nycbug-talk] printer recommendations?
In-Reply-To: <8c50a3c30804151129k11fde1b0jd05266ea528e725c@mail.gmail.com>
References: <8c50a3c30804151129k11fde1b0jd05266ea528e725c@mail.gmail.com>
Message-ID: <20080416014914.GA20991@rivels.org>

Marc,

Marc Spitzer wrote...
> Well the list has been quiet so what the hell.
>
> I am looking for a printer for home use, here is my hit list:
>
> 1: laser
> 2: monochrome
> 3: network ready
> 4: duplex
> 5: can handle envelopes and other odd stock
> 6: cost new under $300
>
> I am looking for something like the lexmark 250dn, but that seems to
> be getting harder to find. I also want fairly good toner life as I do
> tend to print books on occasion. SAMSUNG ML series ML-3051ND, from
> newegg also seems to fit the bill.
>
> So what do you think?

I'd stay away from some of the lower end Dell's. I got a Dell 1710,
then picked up a wireless adapter for it on eBay for ~$20, but
it doesn't do PostScript, so it's Windows only, I can't
print to it from my aging G4 PowerBook either (OSX 10.4.whatever)

I think that the print server is a rebranded Lexmark, but since it
doesn't handle PostScript, it's useless in *nix, CUPS won't play
nice with it. (Not sure if it will work directly connected via the
USB cable, but that kind of defeats the point of having it on the network
now doesn't it....)

Josh

From spork at bway.net  Wed Apr 16 00:13:02 2008
From: spork at bway.net (Charles Sprickman)
Date: Wed, 16 Apr 2008 00:13:02 -0400 (EDT)
Subject: [nycbug-talk] printer recommendations?
In-Reply-To: <20080416014914.GA20991@rivels.org> References: <8c50a3c30804151129k11fde1b0jd05266ea528e725c@mail.gmail.com> <20080416014914.GA20991@rivels.org> Message-ID: On Tue, 15 Apr 2008, Josh Rivel wrote: > Marc, > > Marc Spitzer wrote... >> Well the list has been quite so what the hell. >> >> I am looking for a printer for home use, here is my hit list: >> >> 1: laser >> 2: monochrome >> 3: network ready >> 4: duplex >> 5: can handle envelops and other odd stock >> 6: cost new under $300 >> >> I am looking for something like the lexmark 250dn, but that seems to >> be getting harder to find. I also want fairly good toner life as I do >> tend to print books on occasion. SAMSUNG ML series ML-3051ND, from >> newegg also seems to fit the bill. >> >> So what do you think? > > I'd stay away from some of the lower end Dell's. I got a Dell 1710, > then picked up a wireless adapter for it on eBay for ~$20, but > it doesn't do PostScript, so it's Windows only, I can't > print to it from my aging G4 PowerBook either (OSX 10.4.whatever) I don't know if HP makes anything similar anymore, but I've got a Laserjet 1200 that has been great. I've had it for at least 6 years and we use it pretty heavily at home. It can be slow on high-dpi images, but for text it's great and it's fast. It was around $225, replacement high-yield toner runs about $60 which is nothing compared to inkjet prices. I have not replaced anything but toner. Page count is 15,079 and that's been about 4 or 5 toner cartridges. I agree 100% on PostScript support. It's just easier to deal with. Mine was networked for most of that time off a little 486 POS terminal running OBSD 2.6 (the last thing I installed on it before the floppy died) and CUPS (IPP and lpd). No problems printing from *BSD or Macs. The little 486 died, so now I just share that and a color inkjet from my iMac, which is on all the time anyway. 
I don't know if HP has gone to shit since I bought this, but I've been happy with their older products. I keep a 4Mv and 4MPlus running at work with very little $$ and they refuse to die. They are at least 10 years old and get used heavily. Hope that helps somehow... Charles > I think that the print server is a rebranded Lexmark, but since it > doesn't handle PostScript, it's useless in *nix, CUPS won't play > nice with it. (Not sure if it will work directly connected via the > USB cable, but that kind of defeats the point of having it on the network > now doesn't it....) > > Josh > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > From netmantej at gmail.com Tue Apr 15 23:54:41 2008 From: netmantej at gmail.com (tim jacques) Date: Tue, 15 Apr 2008 23:54:41 -0400 Subject: [nycbug-talk] printer recommendations? In-Reply-To: <8c50a3c30804151129k11fde1b0jd05266ea528e725c@mail.gmail.com> References: <8c50a3c30804151129k11fde1b0jd05266ea528e725c@mail.gmail.com> Message-ID: <1aa60f4d0804152054t6f5cea01ua9a03cd55cc0b95e@mail.gmail.com> Good evening all .. I use a HP 2100tn with a built in JetDirect .. Mono , 1200 x 1200 , Postscript , quick .. All of my unix boxes , as well as my win box print without issue .. Yeah , I know it is not new , but the price / performance ratio is outstanding .. Tim .. On Tue, Apr 15, 2008 at 2:29 PM, Marc Spitzer wrote: > Well the list has been quite so what the hell. > > I am looking for a printer for home use, here is my hit list: > > 1: laser > 2: monochrome > 3: network ready > 4: duplex > 5: can handle envelops and other odd stock > 6: cost new under $300 > > I am looking for something like the lexmark 250dn, but that seems to > be getting harder to find. I also want fairly good toner life as I do > tend to print books on occasion. SAMSUNG ML series ML-3051ND, from > newegg also seems to fit the bill. > > So what do you think? 
>
> marc
>
> --
> Freedom is nothing but a chance to be better.
> Albert Camus
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

--
Tim ..
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From ruben at mrbrklyn.com Wed Apr 16 06:55:58 2008
From: ruben at mrbrklyn.com (Ruben Safir)
Date: Wed, 16 Apr 2008 06:55:58 -0400
Subject: [nycbug-talk] printer recommendations?
In-Reply-To:
References: <8c50a3c30804151129k11fde1b0jd05266ea528e725c@mail.gmail.com> <20080416014914.GA20991@rivels.org>
Message-ID: <20080416105558.GA29566@www2.mrbrklyn.com>

On Wed, Apr 16, 2008 at 12:13:02AM -0400, Charles Sprickman wrote:
> On Tue, 15 Apr 2008, Josh Rivel wrote:
>
> > Marc,
> >
> > Marc Spitzer wrote...
> >> Well the list has been quiet so what the hell.
> >>
> >> I am looking for a printer for home use, here is my hit list:
> >>
> >> 1: laser
> >> 2: monochrome
> >> 3: network ready
> >> 4: duplex
> >> 5: can handle envelopes and other odd stock
> >> 6: cost new under $300
> >>
> >> I am looking for something like the lexmark 250dn, but that seems to
> >> be getting harder to find. I also want fairly good toner life as I do
> >> tend to print books on occasion. SAMSUNG ML series ML-3051ND, from
> >> newegg also seems to fit the bill.
> >>
> >> So what do you think?
> >
> > I'd stay away from some of the lower end Dell's. I got a Dell 1710,
> > then picked up a wireless adapter for it on eBay for ~$20, but
> > it doesn't do PostScript, so it's Windows only, I can't
> > print to it from my aging G4 PowerBook either (OSX 10.4.whatever)
>
> I don't know if HP makes anything similar anymore, but I've got a Laserjet
> 1200 that has been great. I've had it for at least 6 years and we use it
> pretty heavily at home. It can be slow on high-dpi images, but for text
> it's great and it's fast. It was around $225, replacement high-yield
> toner runs about $60 which is nothing compared to inkjet prices. I have
> not replaced anything but toner. Page count is 15,079 and that's been
> about 4 or 5 toner cartridges.
>

i have an HP 2500i color laserjet that is PS and works like magic. It cost me about $325 with shipping at the time.

ruben

> I agree 100% on PostScript support. It's just easier to deal with. Mine
> was networked for most of that time off a little 486 POS terminal running
> OBSD 2.6 (the last thing I installed on it before the floppy died) and
> CUPS (IPP and lpd). No problems printing from *BSD or Macs.
>
> The little 486 died, so now I just share that and a color inkjet from my
> iMac, which is on all the time anyway.
>
> I don't know if HP has gone to shit since I bought this, but I've been
> happy with their older products. I keep a 4Mv and 4MPlus running at work
> with very little $$ and they refuse to die. They are at least 10 years
> old and get used heavily.
>
> Hope that helps somehow...
>
> Charles
>
> > I think that the print server is a rebranded Lexmark, but since it
> > doesn't handle PostScript, it's useless in *nix, CUPS won't play
> > nice with it. (Not sure if it will work directly connected via the
> > USB cable, but that kind of defeats the point of having it on the network
> > now doesn't it....)
> >
> > Josh
> > _______________________________________________
> > talk mailing list
> > talk at lists.nycbug.org
> > http://lists.nycbug.org/mailman/listinfo/talk
> >
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

--
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software

So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998

http://fairuse.nylxs.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

"Yeah - I write Free Software...so SUE ME"

"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."

"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politics and technology have been attached at the hip since the 1st dynasty in Ancient Egypt. I guess you missed that one."

Copyright for the Digital Millennium

From skreuzer at exit2shell.com Wed Apr 16 11:45:17 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Wed, 16 Apr 2008 11:45:17 -0400
Subject: [nycbug-talk] Google and IPv6 Adoption
Message-ID: <20080416154517.GA30801@scruffy.exit2shell.com>

Greetings-

I just got an email from Hurricane Electric and they had a link to a very interesting graph:

On March 12, 2008, Google launched ipv6.google.com, and HE.net saw a pretty large increase in the number of sign ups they have for their tunnel broker service.
http://tunnelbroker.net/usage/ipv6-google-com-signup-surge.php

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From carton at Ivy.NET Wed Apr 16 16:51:38 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Wed, 16 Apr 2008 16:51:38 -0400
Subject: [nycbug-talk] Google and IPv6 Adoption
In-Reply-To: <20080416154517.GA30801@scruffy.exit2shell.com> (Steven Kreuzer's message of "Wed, 16 Apr 2008 11:45:17 -0400")
References: <20080416154517.GA30801@scruffy.exit2shell.com>
Message-ID:

>>>>> "sk" == Steven Kreuzer writes:

    sk> ipv6.google.com

interesting they did not just add AAAA to www.google.com, the way the designers intended. I guess they do not have much faith in hobbyist ability to operate consistently-working tunnels, and don't want their image tarnished by incompetent sysadmins?

I wish they had not reached so far, and everyone with broken v6 got complaints ``google doesn't work'' or ``google is really slow at your house.'' That'd end the practice of spamming broken router advertisements onto wires pretty quickly, and stop my site from seeming laggy when viewed from anywhere with slow IPv6. :)

By doing that they are also working around how some versions of firefox were lobotomized to prefer v4---you can use the v6 when you want it because ipv6.google.com has no A record. Because of others' kludging their kludge is the only way.

anyway there is never going to be an ipv6.ivy.net. I'll do it the proper way. :)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From carton at Ivy.NET Wed Apr 16 17:16:02 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Wed, 16 Apr 2008 17:16:02 -0400
Subject: [nycbug-talk] printer recommendations?
In-Reply-To: Josh Rivel's message of "Tue, 15 Apr 2008 21:49:14 -0400"
References: <8c50a3c30804151129k11fde1b0jd05266ea528e725c@mail.gmail.com> <20080416014914.GA20991@rivels.org>
Message-ID:

>>>>> "jr" == Josh Rivel writes:
>>>>> "cs" == Charles Sprickman writes:

    jr> it doesn't do PostScript, so it's Windows only, I
    jr> can't print to it from my aging G4 PowerBook either (OSX
    jr> 10.4.whatever)

That seems bogus. I've never had such problems. In fact almost the reverse is true, because people like to use very old printers sometimes, and it would be nice to update the PostScript software independently from the physical printer. The printer probably has no software updates at all, or stops getting software-updated long before it stops functioning. Also there are font consistency problems, while now that ghostscript has taken over Unix, for better or worse everyone has the same disgusting crappy builtin fonts, which inshallah are also installed into plain X and XRender X (but probably not. maybe on mac?). If I had a Postscript printer I might still run it through Ghostscript.

The old reasons for Postscript are gone now:

 * printers having bigger memory and faster CPU than the 68k mac desktops, so the page rendering job could be handled as a batch job on one expensive server-like machine shared by everyone rather than ten client-like machines. It was normal for printers to have eight times as much memory and three times as much CPU power as the box running pagemaker, and for bigger printers i bet the gap was even wider!

 * slow interconnects between desktops and printer. fonts and ``preambles'' were cached in printer RAM, or even on printer hard disks. This takes language complexity.

 * software licensing. Adobe was very stingy with postscript and almost seemed to use loading it into printers as a copy protection strategy, as well as a justification for licensing fonts per-printer.

all that's in the past, so there's no architectural justification. The only maybe-nice thing about it that remains is that you used to be able to ask the printer in a standardized way to describe its shape---the number of trays and paper sizes and stuff. But that never really worked very well for me on the Mac---you still had to hunt for a PPD and install AFM's for all your fonts---and the Unix printing subsystem has always been unidirectional, not bidirectional like old Macs, so on Unix it never worked at all.

I think, aside from no justification, also, no real practical need for postscript in the printer. For OS X please have a look at:

  http://openprinting.org/show_driver.cgi?driver=foo2zjs

There are some ghostscript-based drivers in the Mac OS, but these guys have more of them. They do indeed work much better on the low-end HP printer I have than the awful drivers HP provided, and they don't try to hard-sell you ink cartridges either. I am not up-to-date with Unix printing having never dug into it since LPRng and the LaserJet IIIsi, but it looks to me like it's quite advanced now and definitely doesn't require (or even want?) Postscript in the printer.

    cs> I keep a 4Mv and 4MPlus running at work

yeah i just bought a duplexer and an A4 tray for my Laserjet 5 at home. but it was probably dumb of me. work has all newfangled printers, and they are really fast. (do those cheap printers everyone suggested really all meet Marc's duplexing requirement?)

    cs> I don't know if HP has gone to shit since I bought this,

yes, yes. emphatically yes. Their expensive ($2 - $3k) mono printers seem mostly okay to me when I've bumped into them (most people have, right?), but their cheap printers, and their things which are not printers, and also their ``multi function'' units including the very big expensive ones, are lurching spring-spewing pieces of astonishing garbage with ponderous bug-ridden software that constantly make me feel like someone is playing a joke on me. Please buy anything, anything else, if for no other reason than just for the sense of adventure. For example i think there is an okidata printer I saw in a catalog which can print on strips of 8.5"-wide paper up to six feet long! Adventure!

unless you care more about having a good laugh than about printing, faxing, or scanning. then buy HP.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From pete at nomadlogic.org Thu Apr 17 12:21:02 2008
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 17 Apr 2008 09:21:02 -0700
Subject: [nycbug-talk] Google and IPv6 Adoption
In-Reply-To: <20080416154517.GA30801@scruffy.exit2shell.com>
References: <20080416154517.GA30801@scruffy.exit2shell.com>
Message-ID:

On Apr 16, 2008, at 8:45 AM, Steven Kreuzer wrote:

> Greetings-
>
> I just got an email from Hurricane Electric and they had a link
> to a very interesting graph:
>
> On March 12, 2008, Google launched ipv6.google.com, and HE.net saw a
> pretty
> large increase in the number of sign ups they have for their tunnel
> broker
> service.
>
> http://tunnelbroker.net/usage/ipv6-google-com-signup-surge.php

good to see.

as an aside - i just got the most recent ;login and there are a couple interesting articles about ipv6. there was a quick write-up on using ipv6 patches with asterisk which looks interesting. guess i'll have to wait until Usenix to get more info on it though.
rick also had a good writeup about trying to get ipv6 working with ubuntu - made me happy i'm a *bsd user :)

-pete

From bonsaime at gmail.com Fri Apr 18 12:26:33 2008
From: bonsaime at gmail.com (Jesse Callaway)
Date: Fri, 18 Apr 2008 12:26:33 -0400
Subject: [nycbug-talk] Google and IPv6 Adoption
In-Reply-To:
References: <20080416154517.GA30801@scruffy.exit2shell.com>
Message-ID:

On Thu, Apr 17, 2008 at 12:21 PM, Pete Wright wrote:
>
> On Apr 16, 2008, at 8:45 AM, Steven Kreuzer wrote:
>
> > Greetings-
> >
> > I just got an email from Hurricane Electric and they had a link
> > to a very interesting graph:
> >
> > On March 12, 2008, Google launched ipv6.google.com, and HE.net saw a
> > pretty
> > large increase in the number of sign ups they have for their tunnel
> > broker
> > service.
> >
> > http://tunnelbroker.net/usage/ipv6-google-com-signup-surge.php
>
> good to see.
>
> as an aside - i just got the most recent ;login and there are a couple
> interesting articles about ipv6. there was a quick write-up on using
> ipv6 patches with asterisk which looks interesting. guess i'll have to
> wait until Usenix to get more info on it though. rick also had a good
> writeup about trying to get ipv6 working with ubuntu - made me happy
> i'm a *bsd user :)
>
> -pete
>

Reminds me of trying to get ip6 with asterisk, which is something I would love to see. Can be done, but it would need a proxy-less connection to get the desired effect. IPSEC + NAT + VoIP is sucksville.

-jesse

From techneck at goldenpath.org Mon Apr 21 13:38:59 2008
From: techneck at goldenpath.org (Tim A.)
Date: Mon, 21 Apr 2008 13:38:59 -0400
Subject: [nycbug-talk] Google and IPv6 Adoption
In-Reply-To:
References: <20080416154517.GA30801@scruffy.exit2shell.com>
Message-ID: <480CD133.9080107@goldenpath.org>

> Reminds me of trying to get ip6 with asterisk, which is something I
> would love to see. Can be done, but it would need a proxy-less
> connection to get the desired effect. IPSEC + NAT + VoIP is
> sucksville.
>
> -jesse

Definitely, SIP is one of the leading business arguments for IPv6, IMO.

That will no doubt be where I'll be doing my IPv6 crash course--in a telecom test bed playing with SIP. But not till the end of the year.

One of the things I've always liked most about Asterisk is IAX.

From techneck at goldenpath.org Mon Apr 21 15:16:07 2008
From: techneck at goldenpath.org (Tim A.)
Date: Mon, 21 Apr 2008 15:16:07 -0400
Subject: [nycbug-talk] Google and IPv6 Adoption
In-Reply-To:
References:
Message-ID: <480CE7F7.8050607@goldenpath.org>

Alex Pilosov wrote:
> On Mon, 21 Apr 2008, Tim A. wrote:
>
>
>>> Reminds me of trying to get ip6 with asterisk, which is something I
>>> would love to see. Can be done, but it would need a proxy-less
>>> connection to get the desired effect. IPSEC + NAT + VoIP is
>>> sucksville.
>>>
>>> -jesse
>>>
>> Definitely, SIP is one of the leading business arguments for IPv6, IMO.
>>
> are you on crack? sip is far more broken for v6 than v4.
>

I've not tried it. If it has problems I wouldn't know. I'm saying, in terms of doing away with NAT and the need to proxy SIP, supposedly built in IPSEC? (gotta see how that's going to work), and the globally unique address per device... that all just seems like they ought to go together pretty well.

>
>> That will no doubt be where I'll be doing my IPv6 crash course--in a
>> telecom test bed playing with SIP. But not till the end of the year.
>>
> you like pain.
>

I'm kind of looking at IPv6 as the "pain" part. I was hoping SIP would make a fun and exciting example of something obviously useful to be done with it. Thanks for the heads up.

>
>> One of the things I've always liked most about Asterisk is IAX.
>>
> iax sucks and must die. amateurs.
>
> -alex
>

I've heard that before, ha!

I've not done anything *big* with it. idk. Works fine at home! IAX2 on the trunk side, SIP inside. Amateurish, I suppose, but hey--it just works.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From alex at pilosoft.com Mon Apr 21 15:20:08 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Mon, 21 Apr 2008 15:20:08 -0400 (EDT)
Subject: [nycbug-talk] Google and IPv6 Adoption
In-Reply-To: <480CE7F7.8050607@goldenpath.org>
Message-ID:

On Mon, 21 Apr 2008, Tim A. wrote:

> Alex Pilosov wrote:
> > On Mon, 21 Apr 2008, Tim A. wrote:
> >
> >
> >>> Reminds me of trying to get ip6 with asterisk, which is something I
> >>> would love to see. Can be done, but it would need a proxy-less
> >>> connection to get the desired effect. IPSEC + NAT + VoIP is
> >>> sucksville.
> >>>
> >>> -jesse
> >>>
> >> Definitely, SIP is one of the leading business arguments for IPv6, IMO.
> >>
> > are you on crack? sip is far more broken for v6 than v4.
> >
>
> I've not tried it. If it has problems I wouldn't know. I'm saying, in
> terms of doing away with NAT and the need to proxy SIP, supposedly built
> in IPSEC? (gotta see how that's going to work), and the globally unique
> address per device... that all just seems like they ought to go together
> pretty well.

Myths. See:
http://www.ripe.net/ripe/meetings/ripe-55/presentations/bush-ipv6-transition.pdf

Pages 11 to 16. Actually, read through that. Science is being dropped.

> >> That will no doubt be where I'll be doing my IPv6 crash course--in a
> >> telecom test bed playing with SIP. But not till the end of the year.
> >>
> > you like pain.
>
> I'm kind of looking at IPv6 as the "pain" part. I was hoping SIP would
> make a fun and exciting example of something obviously useful to be done
> with it.

...not really. the only IPv6 application that I see is vanity IP addresses for irc.

> Thanks for the heads up.
>
> >
> >> One of the things I've always liked most about Asterisk is IAX.
> >>
> > iax sucks and must die. amateurs.
> >
> > -alex
> >
>
> I've heard that before, ha!
>
> I've not done anything *big* with it. idk. Works fine at home!
> IAX2 on the trunk side, SIP inside.
> Amateurish, I suppose, but hey--it just works.

IAX doesn't scale, correct.

From alex at pilosoft.com Mon Apr 21 13:50:12 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Mon, 21 Apr 2008 13:50:12 -0400 (EDT)
Subject: [nycbug-talk] Google and IPv6 Adoption
In-Reply-To: <480CD133.9080107@goldenpath.org>
Message-ID:

On Mon, 21 Apr 2008, Tim A. wrote:

>
> > Reminds me of trying to get ip6 with asterisk, which is something I
> > would love to see. Can be done, but it would need a proxy-less
> > connection to get the desired effect. IPSEC + NAT + VoIP is
> > sucksville.
> >
> > -jesse
> Definitely, SIP is one of the leading business arguments for IPv6, IMO.

are you on crack? sip is far more broken for v6 than v4.

> That will no doubt be where I'll be doing my IPv6 crash course--in a
> telecom test bed playing with SIP. But not till the end of the year.

you like pain.

> One of the things I've always liked most about Asterisk is IAX.

iax sucks and must die. amateurs.

-alex

From ruben at mrbrklyn.com Mon Apr 21 16:38:37 2008
From: ruben at mrbrklyn.com (Ruben Safir)
Date: Mon, 21 Apr 2008 16:38:37 -0400
Subject: [nycbug-talk] Google and IPv6 Adoption
In-Reply-To:
References: <480CD133.9080107@goldenpath.org>
Message-ID: <20080421203837.GA27101@www2.mrbrklyn.com>

On Mon, Apr 21, 2008 at 01:50:12PM -0400, Alex Pilosov wrote:
> On Mon, 21 Apr 2008, Tim A. wrote:
>
> >
> > > Reminds me of trying to get ip6 with asterisk, which is something I
> > > would love to see. Can be done, but it would need a proxy-less
> > > connection to get the desired effect. IPSEC + NAT + VoIP is
> > > sucksville.
> > >
> > > -jesse
> > Definitely, SIP is one of the leading business arguments for IPv6, IMO.
> are you on crack? sip is far more broken for v6 than v4.
>

Crack? Does that help with IP6?
Ruben

--
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software

So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998

http://fairuse.nylxs.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

"Yeah - I write Free Software...so SUE ME"

"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."

"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politics and technology have been attached at the hip since the 1st dynasty in Ancient Egypt. I guess you missed that one."

Copyright for the Digital Millennium

From alex at pilosoft.com Mon Apr 21 16:40:40 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Mon, 21 Apr 2008 16:40:40 -0400 (EDT)
Subject: [nycbug-talk] Google and IPv6 Adoption
In-Reply-To: <20080421203837.GA27101@www2.mrbrklyn.com>
Message-ID:

On Mon, 21 Apr 2008, Ruben Safir wrote:

> Crack? Does that help with IP6?

Yeah. Although weed is better. Puff puff give man, don't screw up the rotation!

:)

-alex

From carton at Ivy.NET Mon Apr 21 17:29:38 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Mon, 21 Apr 2008 17:29:38 -0400
Subject: [nycbug-talk] Google and IPv6 Adoption
In-Reply-To: <480CE7F7.8050607@goldenpath.org> (Tim A.'s message of "Mon, 21 Apr 2008 15:16:07 -0400")
References: <480CE7F7.8050607@goldenpath.org>
Message-ID:

>>>>> "ta" == Tim A writes:

    ta> supposedly built in IPSEC?

no, that's a god damned lie fed to us by Eurocrats. the conference neckties made a bunch of hype about integrating it in the spec, and they used this implementation to squeeze other kinds of crypto out of iSCSI and OSPFv3 and probably other stuff. but existing ipsec implementations are much more likely to work, and have hardware acceleration, on v4. AIUI FreeBSD and NetBSD only just got v6 support in the FAST_IPSEC codepath. i'm not sure how well racoon is operating on v6 or with what other stacks it interoperates, but it's certain to be much less tested and thus interoperate less well than v4, and all the outside-spec extras that we depend on for actually usable IPsec for road warriors (I'm thinking mostly of phase 1.5 MODE CONFIG) are missing for v6.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From branto at branto.com Tue Apr 22 22:29:00 2008
From: branto at branto.com (Brant I. Stevens)
Date: Tue, 22 Apr 2008 22:29:00 -0400
Subject: [nycbug-talk] Google and IPv6 Adoption
In-Reply-To:
Message-ID:

On 4/21/08 4:40 PM, "Alex Pilosov" wrote:

> On Mon, 21 Apr 2008, Ruben Safir wrote:
>
>> Crack? Does that help with IP6?
> Yeah. Although weed is better. Puff puff give man, don't screw up the
> rotation!

I believe you are looking for "Puff Puff Pass". :)

>
> :)
>
> -alex
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

From matt at atopia.net Wed Apr 23 15:50:57 2008
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 23 Apr 2008 15:50:57 -0400 (EDT)
Subject: [nycbug-talk] Simple PHP-based website
Message-ID: <20080423154355.B26710@mercury.atopia.net>

I'm writing a PHP-based website for a small start-up company. The website is for the most part static content, with a little dynamic content on the sides here and there.

Now, for a complex dynamic PHP/MySQL/AJAX based website, I would use some sort of templating system or something, but I feel like doing that would be overkill for a project like this.

I've even thought of writing a "fake" modularized setup - where each area of the site is simply a PHP include which I can then branch out.
But then, I feel like once again, even that's overkill if the content isn't changing from page load to page load.

So now, I've resorted to possibly just using a header/footer type setup. Do people even use that anymore? Is that kind of setup frowned upon nowadays?

Thanks for any advice!

-Matt

From max at neuropunks.org Wed Apr 23 16:01:11 2008
From: max at neuropunks.org (Max Gribov)
Date: Wed, 23 Apr 2008 16:01:11 -0400
Subject: [nycbug-talk] Simple PHP-based website
In-Reply-To: <20080423154355.B26710@mercury.atopia.net>
References: <20080423154355.B26710@mercury.atopia.net>
Message-ID: <480F9587.8000001@neuropunks.org>

hi matt,

Matt Juszczak wrote:
> Now, for a complex dynamic PHP/MySQL/AJAX based website, I would use some
> sort of templating system or something, but I feel like doing that would
> be overkill for a project like this.
>

smarty is never overkill. you can use all features or only basic ones, and contrary to popular belief, it doesn't make things slow. for extra performance you can install xcache on the web server - downside is you have to restart the web server when you change php content. for some reason "flush cache" doesn't do that for you.. at least for me.

> I've even thought of writing a "fake" modularized setup - where each area
> of the site is simply a PHP include which I can then branch out. But
> then, I feel like once again, even that's overkill if the content isn't
> changing from page load to page load.
>

php include sites are the beginning of a nightmare. at some point, you won't be able to keep track of all the includes and how they tie together. obviously, you have to use include for certain things, but i would really strongly suggest against using include/require as "templating"

> So now, I've resorted to possibly just using a header/footer type setup.
> Do people even use that anymore? Is that kind of setup frowned upon
> nowadays?
>

i don't use that, and the last site like that I've worked with was in 2005 and they tanked : ) prolly not because of the spaghetti of includes, but still, it sucked as a project..

From jonathan at kc8onw.net Thu Apr 24 14:07:37 2008
From: jonathan at kc8onw.net (Jonathan Stewart)
Date: Thu, 24 Apr 2008 21:07:37 +0300
Subject: [nycbug-talk] On-topic server questions
In-Reply-To:
References:
Message-ID: <4810CC69.1040702@kc8onw.net>

Kit Halsted wrote:
> So, my last off-topic post reminded me that maybe y'all would be good
> people to ask: what's everybody doing for email stuff lately?
>
> I'm a weensy bit overdue for some upgrades, & I'm starting to think
> this newfangled webmail might come in handy once in a while. Also,
> now that HD capacity has hit 1TB, IMAP may finally become useful for
> me.
>
> Seriously, I'm looking at putting together an OpenBSD-stable system,
> probably with qmail & vpopmail 'cause I'm used to them. Anybody know
> which webmail & IMAP projects play nice with that setup? Have things
> changed enough in the last year or so that I should consider a
> different base setup?

I use squirrel mail for my webmail. I've looked at other stuff in the past but nothing in the last few years. Dovecot is just awesome as an IMAP server. It's easy to set up, has a good wiki maintained by Timo (the author), and can do just about anything I've ever heard of for IMAP. It is still updated quite frequently as it's relatively new but the updates have been utterly painless so far and Timo often replies within 24 hours to people that have problems of any kind.

Jonathan

From marylynn at blueskystudios.com Thu Apr 24 14:41:35 2008
From: marylynn at blueskystudios.com (Mary Lynn Kirby)
Date: Thu, 24 Apr 2008 14:41:35 -0400
Subject: [nycbug-talk] On-topic server questions
In-Reply-To: <4810CC69.1040702@kc8onw.net>
References: <4810CC69.1040702@kc8onw.net>
Message-ID: <20080424144135.5jzak3d1nkgw8gwk@webmail.blueskystudios.com>

ditto on dovecot.
And you should take a look at the Horde framework too.

Quoting Jonathan Stewart :

> Kit Halsted wrote:
>> So, my last off-topic post reminded me that maybe y'all would be good
>> people to ask: what's everybody doing for email stuff lately?
>>
>> I'm a weensy bit overdue for some upgrades, & I'm starting to think
>> this newfangled webmail might come in handy once in a while. Also,
>> now that HD capacity has hit 1TB, IMAP may finally become useful for
>> me.
>>
>> Seriously, I'm looking at putting together an OpenBSD-stable system,
>> probably with qmail & vpopmail 'cause I'm used to them. Anybody know
>> which webmail & IMAP projects play nice with that setup? Have things
>> changed enough in the last year or so that I should consider a
>> different base setup?
>
> I use squirrel mail for my webmail. I've looked at other stuff in the
> past but nothing in the last few years. Dovecot is just awesome as an
> IMAP server. It's easy to set up, has a good wiki maintained by Timo
> (the author), and can do just about anything I've ever heard of for
> IMAP. It is still updated quite frequently as it's relatively new but
> the updates have been utterly painless so far and Timo often replies
> within 24 hours to people that have problems of any kind.
>
> Jonathan
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

--
Mary Lynn Kirby
UNIX/Networking Sys Admin
Blue Sky Studios

From carton at Ivy.NET Thu Apr 24 14:58:18 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Thu, 24 Apr 2008 14:58:18 -0400
Subject: [nycbug-talk] On-topic server questions
In-Reply-To: <20080424144135.5jzak3d1nkgw8gwk@webmail.blueskystudios.com> (Mary Lynn Kirby's message of "Thu, 24 Apr 2008 14:41:35 -0400")
References: <4810CC69.1040702@kc8onw.net> <20080424144135.5jzak3d1nkgw8gwk@webmail.blueskystudios.com>
Message-ID:

>>>>> "mlk" == Mary Lynn Kirby writes:

    mlk> Horde

medemail.com.au seems to be using this, but I don't know their SA.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From chsnyder at gmail.com Thu Apr 24 15:00:04 2008
From: chsnyder at gmail.com (csnyder)
Date: Thu, 24 Apr 2008 15:00:04 -0400
Subject: [nycbug-talk] Simple PHP-based website
In-Reply-To: <20080423154355.B26710@mercury.atopia.net>
References: <20080423154355.B26710@mercury.atopia.net>
Message-ID:

On Wed, Apr 23, 2008 at 3:50 PM, Matt Juszczak wrote:

> So now, I've resorted to possibly just using a header/footer type setup.
> Do people even use that anymore? Is that kind of setup frowned upon
> nowadays?

You mean you just want to keep it simple, and not spend the next 3 weeks getting up to speed on an MVC framework? I don't think that's gonna fly in Web 2.0 world...

...but if you don't actually tell anyone they'll never know the difference. You will have to make it clear to the owners of the site that what you build for them now will be quick but limited of course, so they don't get sticker shock later when they go to expand it.
--
Chris Snyder
http://chxo.com/

From techneck at goldenpath.org Fri Apr 25 15:24:46 2008
From: techneck at goldenpath.org (Tim A.)
Date: Fri, 25 Apr 2008 15:24:46 -0400
Subject: [nycbug-talk] Change password at next login?
Message-ID: <48122FFE.80607@goldenpath.org>

Internal FreeBSD server, no outside access.
Using SSH with password authentication.

I would like to be able to reset someone's password and require them to change it at next login.

I looked at OPIE. I think that's going to be too complicated for my users.

Is there anything else that does this?

Also, is there some way to require a certain level of password complexity?

Of course, I'd prefer to set up some sort of ssh-key escrow management and avoid password authentication altogether, if anyone out there's familiar with that.

From lavalamp at spiritual-machines.org Fri Apr 25 15:48:05 2008
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Fri, 25 Apr 2008 15:48:05 -0400 (EDT)
Subject: [nycbug-talk] Change password at next login?
In-Reply-To: <48122FFE.80607@goldenpath.org>
References: <48122FFE.80607@goldenpath.org>
Message-ID: <20080425154241.O66505@arbitor.digitalfreaks.org>

On Fri, 25 Apr 2008, Tim A. wrote:

> Internal FreeBSD server, no outside access.

pw(8) and login.conf(8). You can expire passwords and accounts after X-days.

> Is there anything else that does this?
>
> Also, is there some way to require a certain level of password complexity?

For LDAP (nss_ldap+pam_ldap), you could enforce strong passwords using a custom filter, but I have found that 2-factor authentication is much more successful than strong passwords (which just encourage people to write them down)

For this, you can use something like Entrust IdentityGuard, in combination with pam_radius (with fallback to pam_ldap), for two-factor authentication (grid cards, FOBs), OTP password lists, etc...

~BAS

> Of course, I'd prefer to set up some sort of ssh-key escrow management

From marylynn at blueskystudios.com Fri Apr 25 16:34:57 2008
From: marylynn at blueskystudios.com (Mary Lynn Kirby)
Date: Fri, 25 Apr 2008 16:34:57 -0400
Subject: [nycbug-talk] speaking of 2 factor authentication...
Message-ID: <20080425163457.lrbk5n4bkgwow40o@webmail.blueskystudios.com>

I have just started looking into token based authentication. I wasn't familiar with Entrust IdentityGuard previous to Brian's mention of it.

Does anyone have any experience/wisdom to impart on me? Things to look for, traps to avoid and so forth

Thanks!
Mary Lynn

--
Mary Lynn Kirby
UNIX/Networking Sys Admin
Blue Sky Studios

From mspitzer at gmail.com Fri Apr 25 16:17:28 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Fri, 25 Apr 2008 16:17:28 -0400
Subject: [nycbug-talk] Change password at next login?
In-Reply-To: <48122FFE.80607@goldenpath.org>
References: <48122FFE.80607@goldenpath.org>
Message-ID: <8c50a3c30804251317h5a0dedf1u818dbac971ae94b5@mail.gmail.com>

man pw

look at the -p option, and as a guess set it to yesterday

thanks,

marc

On Fri, Apr 25, 2008 at 3:24 PM, Tim A. wrote:
> Internal FreeBSD server, no outside access.
> Using SSH with password authentication.
>
> I would like to be able to reset someone's password and require them to
> change it at next login.
>
> I looked at OPIE. I think that's going to be too complicated for my users.
>
> Is there anything else that does this?
>
> Also, is there some way to require a certain level of password complexity?
>
> Of course, I'd prefer to set up some sort of ssh-key escrow management
> and avoid password authentication altogether, if anyone out there's
> familiar with that.
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

--
Freedom is nothing but a chance to be better.
Albert Camus

From techneck at goldenpath.org Sun Apr 27 14:09:16 2008
From: techneck at goldenpath.org (Tim A.)
Date: Sun, 27 Apr 2008 14:09:16 -0400
Subject: [nycbug-talk] Change password at next login?
In-Reply-To: <20080425154241.O66505@arbitor.digitalfreaks.org>
References: <48122FFE.80607@goldenpath.org> <20080425154241.O66505@arbitor.digitalfreaks.org>
Message-ID: <4814C14C.2040608@goldenpath.org>

Brian A. Seklecki wrote:
>
> On Fri, 25 Apr 2008, Tim A. wrote:
>
>> Internal FreeBSD server, no outside access.
>
> pw(8) and login.conf(8). You can expire passwords and accounts after
> X-days.

Thanks. I got it. Just expire a password:

    $ pw moduser theuser -p `date`

>
>> Is there anything else that does this?
>>
>> Also, is there some way to require a certain level of password
>> complexity?
>
> For LDAP (nss_ldap+pam_ldap), you could enforce strong passwords using
> a custom filter, but I have found that 2-factor authentication is much
> more successful than strong passwords (which just encourage people to
> write them down)
>
> For this, you can use something like Entrust IdentityGuard, in
> combination with pam_radius (with fallback to pam_ldap), for
> two-factor authentication (grid cards, FOBs), OTP password lists, etc...
>
> ~BAS

Again, thanks. I'll check that out. 2-factor authentication sounds like a good idea.

In login.conf man page I found minpasswordlen, which unfortunately didn't work. Then I noticed a reference to pam_passwdqc superseding minpasswordlen option. I added this line to /etc/pam.d/passwd

    password requisite pam_passwdqc.so min=disabled,6 match=4 similar=deny enforce=users

Under the impression that it would disallow passwords of a single character class (like, all letters or all numbers), require at least 6 characters from at least 2 character classes, and match up to 4 of those in comparing for similarity to the previous password and deny if found, and enforce this policy for users.

As a user, it does prompt and warn, but it's not enforcing.
If I persist in attempting to set a password that violates that policy, it prompts a second time but then gives up and allows it. Is this normal? Have I done something wrong? > >> Of course, I'd prefer to setup some sort of ssh-key escrow management From george at ceetonetechnology.com Sun Apr 27 15:47:41 2008 From: george at ceetonetechnology.com (George Rosamond) Date: Sun, 27 Apr 2008 15:47:41 -0400 Subject: [nycbug-talk] Change password at next login? In-Reply-To: <4814C14C.2040608@goldenpath.org> References: <48122FFE.80607@goldenpath.org> <20080425154241.O66505@arbitor.digitalfreaks.org> <4814C14C.2040608@goldenpath.org> Message-ID: <4814D85D.5020002@ceetonetechnology.com> Tim A. wrote: > Brian A. Seklecki wrote: >> On Fri, 25 Apr 2008, Tim A. wrote: >> >>> Internal FreeBSD server, no outside access. >> pw(8) and login.conf(8). You can expire passwords and accounts after >> X-days. > > Thanks. I got it. Just expire a password: > $ pw moduser theuser -p `date` > >>> Is there anything else that does this? >>> >>> Also, is there someway to require a certain level of password >>> complexity? >> For LDAP (nss_ldap+pam_ldap), you could enforce strong passwords using >> a custom filter, but I have found that 2-factor authentication is much >> more successful than strong passwords (which just encourage people to >> write them down) >> >> For this, you can use something like Entrust IdentityGuard, in >> combination with pam_radius (with fallback to pam_ldap), for >> two-factor authentication (grid cards, FOBs), OTP password lists, etc... >> >> ~BAS > > Again, thanks. I'll check that out. 2-factor authentication sounds like > a good idea. > > In login.conf man page I found minpasswordlen, which unfortunately > didn't work. Then I noticed a reference to pam_passwdqc superseding > minpasswordlen option. 
> > I added this line to /etc/pam.d/passwd > password requisite pam_passwdqc.so min=disabled,6 > match=4 similar=deny enforce=users > > Under the impression that it would disallow passwords of a single > character class (like, all letters or all numbers), require at least 6 > characters from at least 2 character classes, and match up to 4 of those > in comparing for similarity to the previous password and deny if found, > and enforce this policy for users. > > As a user, it does prompt and warn, but it's not enforcing. If I persist > in attempting to set a password that violates that policy, it prompts a > second time but then gives up and allows it. > > Is this normal? Have I done something wrong? > cap_mkdb /etc/login.conf ? g From techneck at goldenpath.org Sun Apr 27 18:46:01 2008 From: techneck at goldenpath.org (Tim A.) Date: Sun, 27 Apr 2008 18:46:01 -0400 Subject: [nycbug-talk] Change password at next login? In-Reply-To: <4814D85D.5020002@ceetonetechnology.com> References: <48122FFE.80607@goldenpath.org> <20080425154241.O66505@arbitor.digitalfreaks.org> <4814C14C.2040608@goldenpath.org> <4814D85D.5020002@ceetonetechnology.com> Message-ID: <48150229.3040903@goldenpath.org> George Rosamond wrote: > Tim A. wrote: >> Brian A. Seklecki wrote: >>> On Fri, 25 Apr 2008, Tim A. wrote: >>> >>>> Internal FreeBSD server, no outside access. >>> pw(8) and login.conf(8). You can expire passwords and accounts >>> after X-days. >> >> Thanks. I got it. Just expire a password: >> $ pw moduser theuser -p `date` >> >>>> Is there anything else that does this? >>>> >>>> Also, is there someway to require a certain level of password >>>> complexity? 
>>> For LDAP (nss_ldap+pam_ldap), you could enforce strong passwords >>> using a custom filter, but I have found that 2-factor authentication >>> is much more successful than strong passwords (which just encourage >>> people to write them down) >>> >>> For this, you can use something like Entrust IdentityGuard, in >>> combination with pam_radius (with fallback to pam_ldap), for >>> two-factor authentication (grid cards, FOBs), OTP password lists, >>> etc... >>> >>> ~BAS >> >> Again, thanks. I'll check that out. 2-factor authentication sounds >> like a good idea. >> >> In login.conf man page I found minpasswordlen, which unfortunately >> didn't work. Then I noticed a reference to pam_passwdqc superseding >> minpasswordlen option. >> >> I added this line to /etc/pam.d/passwd >> password requisite pam_passwdqc.so >> min=disabled,6 match=4 similar=deny enforce=users >> >> Under the impression that it would disallow passwords of a single >> character class (like, all letters or all numbers), require at least >> 6 characters from at least 2 character classes, and match up to 4 of >> those in comparing for similarity to the previous password and deny >> if found, and enforce this policy for users. >> >> As a user, it does prompt and warn, but it's not enforcing. If I >> persist in attempting to set a password that violates that policy, it >> prompts a second time but then gives up and allows it. >> >> Is this normal? Have I done something wrong? >> > > cap_mkdb /etc/login.conf ? > > g Yes. I did that after trying the minpasswordlen. Didn't work, and that's when I found pam_passwdqc. It was not mentioned as required after pam_passwdqc change, is it? btw, after changes to /etc/pam.d/passwd I'd reboot to initiate, is there a way to reinitialize that without rebooting? From techneck at goldenpath.org Sun Apr 27 19:56:35 2008 From: techneck at goldenpath.org (Tim A.) Date: Sun, 27 Apr 2008 19:56:35 -0400 Subject: [nycbug-talk] Change password at next login? 
In-Reply-To: <48150229.3040903@goldenpath.org> References: <48122FFE.80607@goldenpath.org> <20080425154241.O66505@arbitor.digitalfreaks.org> <4814C14C.2040608@goldenpath.org> <4814D85D.5020002@ceetonetechnology.com> <48150229.3040903@goldenpath.org> Message-ID: <481512B3.3000603@goldenpath.org> Tim A. wrote: > George Rosamond wrote: > >> Tim A. wrote: >> >>> Brian A. Seklecki wrote: >>> >>>> On Fri, 25 Apr 2008, Tim A. wrote: >>>> >>>> >>>>> Internal FreeBSD server, no outside access. >>>>> >>>> pw(8) and login.conf(8). You can expire passwords and accounts >>>> after X-days. >>>> >>> Thanks. I got it. Just expire a password: >>> $ pw moduser theuser -p `date` >>> >>> >>>>> Is there anything else that does this? >>>>> >>>>> Also, is there someway to require a certain level of password >>>>> complexity? >>>>> >>>> For LDAP (nss_ldap+pam_ldap), you could enforce strong passwords >>>> using a custom filter, but I have found that 2-factor authentication >>>> is much more successful than strong passwords (which just encourage >>>> people to write them down) >>>> >>>> For this, you can use something like Entrust IdentityGuard, in >>>> combination with pam_radius (with fallback to pam_ldap), for >>>> two-factor authentication (grid cards, FOBs), OTP password lists, >>>> etc... >>>> >>>> ~BAS >>>> >>> Again, thanks. I'll check that out. 2-factor authentication sounds >>> like a good idea. >>> >>> In login.conf man page I found minpasswordlen, which unfortunately >>> didn't work. Then I noticed a reference to pam_passwdqc superseding >>> minpasswordlen option. 
>>> >>> I added this line to /etc/pam.d/passwd >>> password requisite pam_passwdqc.so >>> min=disabled,6 match=4 similar=deny enforce=users >>> >>> Under the impression that it would disallow passwords of a single >>> character class (like, all letters or all numbers), require at least >>> 6 characters from at least 2 character classes, and match up to 4 of >>> those in comparing for similarity to the previous password and deny >>> if found, and enforce this policy for users. >>> >>> As a user, it does prompt and warn, but it's not enforcing. If I >>> persist in attempting to set a password that violates that policy, it >>> prompts a second time but then gives up and allows it. >>> >>> Is this normal? Have I done something wrong? >>> >>> >> cap_mkdb /etc/login.conf ? >> >> g >> > Yes. I did that after trying the minpasswordlen. Didn't work, and that's > when I found pam_passwdqc. > It was not mentioned as required after pam_passwdqc change, is it? > Done. Works. Thanks. Still gives back passwd: pam_chauthtok(): authentication token failure Is there a way to shut that up? But it does enforce now. So, making changes to /etc/pam.d/passwd also requires cap_mkdb /etc/login.conf You'd think they would have mentioned that in the man page. From techneck at goldenpath.org Mon Apr 28 11:43:24 2008 From: techneck at goldenpath.org (Tim A.) Date: Mon, 28 Apr 2008 11:43:24 -0400 Subject: [nycbug-talk] LPR: Drawer Selection / Page Orientation? Message-ID: <4815F09C.7030000@goldenpath.org> Drawer selection isn't really a big deal, just curious there. But I would like to change page orientation to landscape. Is there something I can add to the spooler entry? Reading Handbook and the Corporate Networker's Guide, but not seeing it. Printing to an Aficio 3500 over the network, plain text, RAW Maybe there's some standard control code for landscape I could add with a filter? 
From jpb at sixshooter.v6.thrupoint.net Mon Apr 28 13:40:14 2008 From: jpb at sixshooter.v6.thrupoint.net (Jim Brown) Date: Mon, 28 Apr 2008 13:40:14 -0400 Subject: [nycbug-talk] LPR: Drawer Selection / Page Orientation? In-Reply-To: <4815F09C.7030000@goldenpath.org> References: <4815F09C.7030000@goldenpath.org> Message-ID: <20080428174014.GA20414@sixshooter.v6.thrupoint.net> * Tim A. [2008-04-28 11:39]: > Drawer selection isn't really a big deal, just curious there. > But I would like to change page orientation to landscape. > > Is there something I can add to the spooler entry? > Reading Handbook and the Corporate Networker's Guide, but not seeing it. > > Printing to an Aficio 3500 over the network, plain text, RAW > > Maybe there's some standard control code for landscape I could add with > a filter? > Assuming you're talking the Aficio MP 3500 here... It appears that Aficio, like a lot of companies nowadays, doesn't publish tech specs on their hardware- just config guides on "How to set up your printer through Control Panel". That said, it appears the engine is a Ricoh, and it supports TWAIN (www.twain.org). Maybe you could cobble together something that will throw the right control codes at the device with a simple TWAIN program or script. Hope that helps, Jim B. From techneck at goldenpath.org Mon Apr 28 15:25:09 2008 From: techneck at goldenpath.org (Tim A.) Date: Mon, 28 Apr 2008 15:25:09 -0400 Subject: [nycbug-talk] Change password at next login? In-Reply-To: <481512B3.3000603@goldenpath.org> References: <48122FFE.80607@goldenpath.org> <20080425154241.O66505@arbitor.digitalfreaks.org> <4814C14C.2040608@goldenpath.org> <4814D85D.5020002@ceetonetechnology.com> <48150229.3040903@goldenpath.org> <481512B3.3000603@goldenpath.org> Message-ID: <48162495.9060304@goldenpath.org> Tim A. wrote: > Tim A. wrote: > >> George Rosamond wrote: >> >> >>> Tim A. wrote: >>> >>> >>>> Brian A. Seklecki wrote: >>>> >>>> >>>>> On Fri, 25 Apr 2008, Tim A. 
wrote: >>>>> >>>>> >>>>> >>>>>> Internal FreeBSD server, no outside access. >>>>>> >>>>>> >>>>> pw(8) and login.conf(8). You can expire passwords and accounts >>>>> after X-days. >>>>> >>>>> >>>> Thanks. I got it. Just expire a password: >>>> $ pw moduser theuser -p `date` >>>> >>>> >>>> >>>>>> Is there anything else that does this? >>>>>> >>>>>> Also, is there someway to require a certain level of password >>>>>> complexity? >>>>>> >>>>>> >>>>> For LDAP (nss_ldap+pam_ldap), you could enforce strong passwords >>>>> using a custom filter, but I have found that 2-factor authentication >>>>> is much more successful than strong passwords (which just encourage >>>>> people to write them down) >>>>> >>>>> For this, you can use something like Entrust IdentityGuard, in >>>>> combination with pam_radius (with fallback to pam_ldap), for >>>>> two-factor authentication (grid cards, FOBs), OTP password lists, >>>>> etc... >>>>> >>>>> ~BAS >>>>> >>>>> >>>> Again, thanks. I'll check that out. 2-factor authentication sounds >>>> like a good idea. >>>> >>>> In login.conf man page I found minpasswordlen, which unfortunately >>>> didn't work. Then I noticed a reference to pam_passwdqc superseding >>>> minpasswordlen option. >>>> >>>> I added this line to /etc/pam.d/passwd >>>> password requisite pam_passwdqc.so >>>> min=disabled,6 match=4 similar=deny enforce=users >>>> >>>> Under the impression that it would disallow passwords of a single >>>> character class (like, all letters or all numbers), require at least >>>> 6 characters from at least 2 character classes, and match up to 4 of >>>> those in comparing for similarity to the previous password and deny >>>> if found, and enforce this policy for users. >>>> >>>> As a user, it does prompt and warn, but it's not enforcing. If I >>>> persist in attempting to set a password that violates that policy, it >>>> prompts a second time but then gives up and allows it. >>>> >>>> Is this normal? Have I done something wrong? 
>>>> >>>> >>>> >>> cap_mkdb /etc/login.conf ? >>> >>> g >>> >>> >> Yes. I did that after trying the minpasswordlen. Didn't work, and that's >> when I found pam_passwdqc. >> It was not mentioned as required after pam_passwdqc change, is it? >> >> > Done. Works. Thanks. > Still gives back > passwd: pam_chauthtok(): authentication token failure > > Is there a way to shut that up? > > But it does enforce now. > > So, making changes to /etc/pam.d/passwd also requires cap_mkdb > /etc/login.conf > You'd think they would have mentioned that in the man page. It works when calling passwd directly. But it won't enforce when prompted on first login via ssh. I've added pam_passwdqc line to /etc/pam.d/sshd Am I supposed to rebuild something after changing that too? From techneck at goldenpath.org Mon Apr 28 21:31:25 2008 From: techneck at goldenpath.org (Tim A.) Date: Mon, 28 Apr 2008 21:31:25 -0400 Subject: [nycbug-talk] Change password at next login? In-Reply-To: <48162495.9060304@goldenpath.org> References: <48122FFE.80607@goldenpath.org> <20080425154241.O66505@arbitor.digitalfreaks.org> <4814C14C.2040608@goldenpath.org> <4814D85D.5020002@ceetonetechnology.com> <48150229.3040903@goldenpath.org> <481512B3.3000603@goldenpath.org> <48162495.9060304@goldenpath.org> Message-ID: <48167A6D.9080104@goldenpath.org> Tim A. wrote: > Tim A. wrote: >> Tim A. wrote: >> >>> George Rosamond wrote: >>> >>> >>>> Tim A. wrote: >>>> >>>> >>>>> Brian A. Seklecki wrote: >>>>> >>>>> >>>>>> On Fri, 25 Apr 2008, Tim A. wrote: >>>>>> >>>>>> >>>>>> >>>>>>> Internal FreeBSD server, no outside access. >>>>>>> >>>>>>> >>>>>> pw(8) and login.conf(8). You can expire passwords and accounts >>>>>> after X-days. >>>>>> >>>>>> >>>>> Thanks. I got it. Just expire a password: >>>>> $ pw moduser theuser -p `date` >>>>> >>>>> >>>>> >>>>>>> Is there anything else that does this? 
>>>>>>> >>>>>>> Also, is there someway to require a certain level of password >>>>>>> complexity? >>>>>>> >>>>>>> >>>>>> For LDAP (nss_ldap+pam_ldap), you could enforce strong passwords >>>>>> using a custom filter, but I have found that 2-factor authentication >>>>>> is much more successful than strong passwords (which just encourage >>>>>> people to write them down) >>>>>> >>>>>> For this, you can use something like Entrust IdentityGuard, in >>>>>> combination with pam_radius (with fallback to pam_ldap), for >>>>>> two-factor authentication (grid cards, FOBs), OTP password lists, >>>>>> etc... >>>>>> >>>>>> ~BAS >>>>>> >>>>>> >>>>> Again, thanks. I'll check that out. 2-factor authentication sounds >>>>> like a good idea. >>>>> >>>>> In login.conf man page I found minpasswordlen, which unfortunately >>>>> didn't work. Then I noticed a reference to pam_passwdqc superseding >>>>> minpasswordlen option. >>>>> >>>>> I added this line to /etc/pam.d/passwd >>>>> password requisite pam_passwdqc.so >>>>> min=disabled,6 match=4 similar=deny enforce=users >>>>> >>>>> Under the impression that it would disallow passwords of a single >>>>> character class (like, all letters or all numbers), require at least >>>>> 6 characters from at least 2 character classes, and match up to 4 of >>>>> those in comparing for similarity to the previous password and deny >>>>> if found, and enforce this policy for users. >>>>> >>>>> As a user, it does prompt and warn, but it's not enforcing. If I >>>>> persist in attempting to set a password that violates that policy, it >>>>> prompts a second time but then gives up and allows it. >>>>> >>>>> Is this normal? Have I done something wrong? >>>>> >>>>> >>>>> >>>> cap_mkdb /etc/login.conf ? >>>> >>>> g >>>> >>>> >>> Yes. I did that after trying the minpasswordlen. Didn't work, and that's >>> when I found pam_passwdqc. >>> It was not mentioned as required after pam_passwdqc change, is it? >>> >>> >> Done. Works. Thanks. 
>> Still gives back >> passwd: pam_chauthtok(): authentication token failure >> >> Is there a way to shut that up? >> >> But it does enforce now. >> >> So, making changes to /etc/pam.d/passwd also requires cap_mkdb >> /etc/login.conf >> You'd think they would have mentioned that in the man page. > > It works when calling passwd directly. > But it won't enforce when prompted on first login via ssh. > > I've added pam_passwdqc line to /etc/pam.d/sshd > > Am I supposed to rebuild something after changing that too? > ------------------------------------------------------------------------ Well, I learned a lot about PAM. It's pretty cool. I still can't get pam_passwdqc to enforce on expired passwords being renewed via ssh logins though. I've added: password requisite pam_passwdqc.so enforce=users to the seemingly obvious service files: /etc/pam.d/passwd /etc/pam.d/login /etc/pam.d/sshd /etc/pam.d/system I ran strace on the sshd pid, reset and expired a pass, then connected. strace pauses at the password prompt though, and doesn't continue until after the password has been changed. The output does not indicate that passwd is being called. So, I'm guessing: something else is being used to call passwd? some other system utility is being used to change the password other than passwd? Something weird is going on. As far as I can tell, I've made the appropriate changes to enforce this. From reading up on PAM, I'm guessing there are other pam modules I can use to do this and more. I just figured I should try to make the default system modules work the way they're supposed to before I go digging around in the ports tree to do something that seems like it should be really simple and standard. Maybe I'm just screwing it up. idk. 
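A shell audit for the two things this thread is after, added here as an example; it is not code from the thread or from FreeBSD. It scans a master.passwd(5)-format file (a constructed sample is embedded) for accounts with an empty password field and for accounts whose forced password-change time has passed, and it checks a pam_passwdqc min= option for the five-value syntax the module requires: the min=disabled,6 line above has only two values. Only force_change_at_next_login needs a FreeBSD host and root; everything else runs on any POSIX sh with awk. One point the thread circles around: /etc/pam.d files are read afresh at the start of every PAM transaction, so nothing needs rebuilding after editing them, while cap_mkdb(1) only regenerates /etc/login.conf.db.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a master.passwd(5)-format file
# for accounts that can be entered with an empty password and for accounts
# whose forced password-change time has already passed, and validates the
# pam_passwdqc "min=" option before it goes into /etc/pam.d/passwd.
#
# master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
# "change" (field 6) is the UNIX time after which login demands a new
# password; 0 means no forced change. pw(8) -p sets that field.

# Constructed sample; hashes are placeholders, not real crypt(3) output.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample master.passwd
root:$1$saltsalt$placeholderhash:0:0::0:0:Charlie &:/root:/bin/csh
alice::1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$placeholderhash:1002:1002::946684800:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::0:0:Carol:/home/carol:/usr/sbin/nologin
EOF
}

# Accounts whose password field is empty. "*" and other non-hash values lock
# the account and are not reported.
blank_password_accounts() {
    awk -F: '!/^#/ && NF >= 10 && $2 == "" { print $1 }'
}

# Accounts whose change time is set and is at or before "now" ($1, a UNIX
# time passed in so that the result is reproducible).
password_change_due() {
    awk -F: -v now="$1" \
        '!/^#/ && NF >= 10 && ($6 + 0) > 0 && ($6 + 0) <= now { print $1 }'
}

# pam_passwdqc takes min=N0,N1,N2,N3,N4: exactly five values, each an
# integer or "disabled", giving the minimum length for passwords made of one
# character class, two classes, passphrases, three classes and four classes.
# "min=disabled,6" from the thread has only two values and is rejected here;
# the intent stated there (six characters from at least two classes) is
#   password requisite pam_passwdqc.so min=disabled,6,6,6,6 match=4 similar=deny enforce=users
passwdqc_min_ok() {
    case "$1" in min=*) ;; *) return 1 ;; esac
    vals=${1#min=}
    n=0
    old_ifs=$IFS
    IFS=,
    for v in $vals; do
        n=$((n + 1))
        case "$v" in
            disabled) ;;
            ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$n" -eq 5 ]
}

# Force a change at next login on the FreeBSD host (root only). pw(8) -p
# takes dd-mmm-yy[yy], a UNIX time in decimal or +n[mhdwoy]; any date in the
# past does the job.
force_change_at_next_login() {
    pw usermod "$1" -p 01-Jan-2000
}

# Demonstration on the constructed sample; runs on any POSIX sh.
# 1209600000 is a UNIX time at the end of April 2008.
echo "blank passwords: $(sample_master_passwd | blank_password_accounts)"
echo "change overdue:  $(sample_master_passwd | password_change_due 1209600000)"
for opt in "min=disabled,6" "min=disabled,6,6,6,6"; do
    if passwdqc_min_ok "$opt"; then echo "ok:      $opt"; else echo "invalid: $opt"; fi
done
```

On a real host run the scans as `blank_password_accounts < /etc/master.passwd` and `password_change_due "$(date +%s)" < /etc/master.passwd`; the awk filters deliberately skip comment lines and short lines so that a stray entry cannot be misread as an account.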
From george at ceetonetechnology.com Mon Apr 28 22:06:42 2008 From: george at ceetonetechnology.com (George Rosamond) Date: Mon, 28 Apr 2008 22:06:42 -0400 Subject: [nycbug-talk] [Fwd: [BSDCert] [BSDCert-Announce] BSD Certification Group awards first certified BSD Associates (fwd)] Message-ID: <481682B2.8010001@ceetonetechnology.com> FYI. . . and as mentioned, we will be hosting the exam at NYCBSDCon. . . -------- Original Message -------- Subject: [BSDCert] [BSDCert-Announce] BSD Certification Group awards first certified BSD Associates (fwd) Date: Mon, 28 Apr 2008 20:42:43 -0500 (CDT) From: Jeremy C. Reed To: bsdcert at lists.nycbug.org Please share this news. Thanks! ---------- Forwarded message ---------- Date: Mon, 28 Apr 2008 20:20:12 -0500 (CDT) From: Announce list for the BSD Certification To: bsdcert-announce at lists.nycbug.org Subject: [BSDCert-Announce] BSD Certification Group awards first certified BSD Associates Apr. 28, 2008 -- Today, the BSD Certification Group, Inc., announced its first certified BSD Associates (BSDA). The BSDA certification, which began development in late 2006, was officially launched in February 2008. The BSDA certification measures common skills needed by entry-level BSD Unix system administrators. The candidates took the proctored exams at the SCALE, FOSDEM, or Linux-Tage Chemnitz conferences. According to the psychometrician, 79 percent of the tests received a passing score of 61 or higher and the highest score was 95 percent. Based on a job task analysis, the BSDA covers seven weighted knowledge domains, which include installation, security, filesystems, user management, networking, and various basic system administration and Unix skills. The skills target the DragonFly BSD, FreeBSD, NetBSD and OpenBSD operating systems. "We'd like to thank the conferences that provided space and assisted in making it a success -- and thank the proctors who traveled on their own dime," said Jeremy C. Reed of the BSD Certification Group. 
Upcoming BSDA examinations will be held at BSDCan, CONFidence, NYCBSDCON, and other technical conferences across the globe. To register for a proctored BSDA exam, visit https://register.bsdcertification.org/register/get-a-bsdcg-id . About the BSD Certification Group The BSD Certification Group (BSDCG) is a non-profit organization committed to creating and maintaining a global certification standard for system administration on BSD-based operating systems. The BSDCG works with the BSD and sysadmin communities in order to provide a practical and relevant certification. The BSD Certification Group was founded in February 2005. Details about the group and the BSDA certification are available via http://www.bsdcertification.org/. (Please share this news. Thanks.) _______________________________________________ BSDCert-Announce mailing list BSDCert-Announce at lists.nycbug.org http://lists.nycbug.org/mailman/listinfo/bsdcert-announce _______________________________________________ BSDCert mailing list BSDCert at lists.nycbug.org http://lists.nycbug.org/mailman/listinfo/bsdcert From carton at Ivy.NET Tue Apr 29 14:38:12 2008 From: carton at Ivy.NET (Miles Nordin) Date: Tue, 29 Apr 2008 14:38:12 -0400 Subject: [nycbug-talk] Change password at next login? In-Reply-To: <48167A6D.9080104@goldenpath.org> (Tim A.'s message of "Mon, 28 Apr 2008 21:31:25 -0400") References: <48122FFE.80607@goldenpath.org> <20080425154241.O66505@arbitor.digitalfreaks.org> <4814C14C.2040608@goldenpath.org> <4814D85D.5020002@ceetonetechnology.com> <48150229.3040903@goldenpath.org> <481512B3.3000603@goldenpath.org> <48162495.9060304@goldenpath.org> <48167A6D.9080104@goldenpath.org> Message-ID: >>>>> "ta" == Tim A writes: ta> Well, I learned a lot about PAM. It's pretty cool. cool! ta> I still can't get pam_passwdqc to enforce on expired passwords ta> being renewed via ssh logins though. aaahh. ah-hah. 
ta> I've added: password requisite pam_passwdqc.so enforce=users ta> to the seemingly obvious service files: /etc/pam.d/passwd ta> /etc/pam.d/login /etc/pam.d/sshd /etc/pam.d/system oh! oh yes! because, you see, ... I think I remember this part. Uh.. with PAM!, instead of changing, uh this, in n^2 places, you only have to change it in n places. or, was that ``instead of changing it in n places, you change it in 1 place.'' Are you changing it in n places or 1 place? OH WAIT! It doesn't work AT ALL! oh it does work a little? You're changing it in 2 places, it's working in 1 place, n places are left to test? Or n * m places left to test? How many places might be broken? n * m - 2? well, one place is definitely broken. I think you need to change it in o places, but you need to test it in m places, and it's broken in x places where 1 <= x <= m - 1. not great. BUT, as you can see, there is no exponentiation going on here. Thank god for PAM! not like before! ta> I ran strace on the sshd pid, reset and expired a pass, then ta> connected. strace pauses at the password prompt though, and ta> doesn't continue until after the password has been changed. ta> The output does not indicate that passwd is being called. So, ta> I'm guessing: something else is being used to call passwd? try looking for libvoodoo_dl.la ta> some other system utility is being used to change the password ta> other than passwd? does passwd still change passwords? no, this is a serious question. are you SURE passwd changes passwords? maybe it's invocating something else. ta> From reading up on PAM, I'm guessing there are other pam ta> modules I can use to do this and more. oh, sure, that's the ticket, MOAR MODULEZ!! Seriously, this PAM stuff is garbage and always has been. 
Their pitch, to begin with, was, ``if you have n programs authenticating (ssh, login, xdm, AFP, Samba, IMAP) and m types of passwords (crypted, one-time S/Keys, tokens, smartcards with certificates inside, kerberos), with PAM you can use n modules + m modules instead of writing n * m bits of custom code.'' In practice, it falls on its face, constantly, yet everyone absolutely REFUSES to see it! S/Keys require challenging the user and getting a response. PAM has probably some API for passing messages that works with login, but not with ANY of the other n programs---how do you pass the challenge to an AFP user, an IMAP user, even an ssh user? The PAM problem-statement is misguided and ill-formed. Or a Samba user---OHWAIT! Samba can't accommodate S/Key at ALL because of its quirky over-the-wire hashing nonsense. Which brings us straight to Kerberos. This is clearly the password checking sso infrastructure of both the future and the past. It predated PAM and will outlive PAM, so _surely_ PAM's n * m inclusive architecture is well-suited to implementing Kerberos, right? Thanks to PAM, people no longer understand what *is* Kerberos. They think it's like a password storage back-end, a special more secure LDAP-like thing for password storage. so if they let users type plaintext or MITM-vulnerable SSL-encrypted passwords into IMAP and then check these passwords on the IMAP server against a KDC, they think they have ``kerberized'' IMAP, because this brokeass implementation of Kerberos is necessarily all that PAM can allow. Kerberizing something used to mean altering the protocol itself so the user logs in at the IMAP client and then passes tokens instead of passwords over the IMAP session. When I set up BSD/OS in 1995, all the r* tools and telnet and login and xdm were all Kerberized, and there were cookbook instructions for setting up a KDC that I completed in an hour or two. 
Many protocols have defined extensions for kerberization which aren't used any more because everyone is in PAM lala-land. How about the idea of tickets expiring and renewing? PAMification of login gets you a ticket, right? But will PAM kill the session when the ticket expires? There is a rather advanced though often broken, underimplemented, underused ``sessions'' mechanism in Unix so that all the descendant processes of a particular password presentation can be killed at once, so we ought to wish for this---if done right, it would work SYSTEM-WIDE---when your TGT on a client expires, all IMAP sessions and NFS rights and ssh logins and webapps all magically expire at once. Will PAM even help you renew your TGT (assuming PAM kludgily gives you a TGT at all, rather than simply checking the password in Kerberos and feeding the TGT to /dev/null), or do you have to use an un-PAMified raw Kerberos program to do that? PAM isn't cool. It's also full of bugs, and its behavior can be reliably known only by observation which is exactly the type of quirkiness that you *DO NOT* want from a subsystem meant to be checking passwords! no, you don't have to write n * m bits of special code, but everyone has m broken applications, and n * m things to test looking for surprise security problems. and, as you found, debuggers don't work well any more, source code is hard to find, and the internal behavior of modules is not documented, only rather optimistic fantasies of how to configure the module are sometimes partially documented. PAM's an embarrassment. http://groups.google.com/group/mailing.openbsd.tech/browse_thread/thread/5ea7de6c58f08d54/68ba289c9dad5514?lnk=gst&q=PAM+%22buzzword+compliance%22#68ba289c9dad5514 
From okan at demirmen.com Tue Apr 29 14:49:48 2008 From: okan at demirmen.com (Okan Demirmen) Date: Tue, 29 Apr 2008 14:49:48 -0400 Subject: [nycbug-talk] Change password at next login? In-Reply-To: References: <48122FFE.80607@goldenpath.org> <20080425154241.O66505@arbitor.digitalfreaks.org> <4814C14C.2040608@goldenpath.org> <4814D85D.5020002@ceetonetechnology.com> <48150229.3040903@goldenpath.org> <481512B3.3000603@goldenpath.org> <48162495.9060304@goldenpath.org> <48167A6D.9080104@goldenpath.org> Message-ID: <20080429184948.GM10923@clam.khaoz.org> On Tue 2008.04.29 at 14:38 -0400, Miles Nordin wrote: > PAM isn't cool. It's also full of bugs, and its behavior can be > reliably known only by observation which is exactly the type of > quirkiness that you *DO NOT* want from a subsystem meant to be > checking passwords! no, you don't have to write n * m bits of special > code, but everyone has m broken applications, and n * m things to test > looking for surprise security problems. and, as you found, debuggers > don't work well any more, source code is hard to find, and the > internal behavior of modules is not documented, only rather optimistic > fantasies of how to configure the module are sometimes partially > documented. PAM's an embarrassment. to others: while this may seem like a crazy rant, miles is right (and entertaining). From techneck at goldenpath.org Tue Apr 29 21:51:51 2008 From: techneck at goldenpath.org (Tim A.) Date: Tue, 29 Apr 2008 21:51:51 -0400 Subject: [nycbug-talk] Change password at next login? 
In-Reply-To:
References: <48122FFE.80607@goldenpath.org> <20080425154241.O66505@arbitor.digitalfreaks.org> <4814C14C.2040608@goldenpath.org> <4814D85D.5020002@ceetonetechnology.com> <48150229.3040903@goldenpath.org> <481512B3.3000603@goldenpath.org> <48162495.9060304@goldenpath.org> <48167A6D.9080104@goldenpath.org>
Message-ID: <4817D0B7.4070405@goldenpath.org>

Miles Nordin wrote:
> PAM isn't cool. It's also full of bugs, and its behavior can be
> reliably known only by observation, which is exactly the type of
> quirkiness that you *DO NOT* want from a subsystem meant to be
> checking passwords! No, you don't have to write n * m bits of special
> code, but everyone has m broken applications, and n * m things to test
> looking for surprise security problems. And, as you found, debuggers
> don't work well any more, source code is hard to find, and the
> internal behavior of modules is not documented; only rather optimistic
> fantasies of how to configure the module are sometimes partially
> documented. PAM's an embarrassment.

That's funny. I thought it seemed kind of wacky, but I didn't want to dis it because apparently everyone else is using it and I figured I was just using it wrong. If it's so totally wacked out, though, why would they have made it the default in such a critical system component as security?

I have a base of untrusted, mostly irresponsible users who are more than glad to set themselves a blank password if they can. All I want to do is be able to reset someone's password while requiring them to change it at next login (over SSH) and enforce some minimal complexity requirement. I don't need to make it work with ldap or imap or anything else. The only thing they connect to this machine for is to run a legacy custom application.

From techneck at goldenpath.org Tue Apr 29 23:08:07 2008
From: techneck at goldenpath.org (Tim A.)
Date: Tue, 29 Apr 2008 23:08:07 -0400
Subject: [nycbug-talk] Change password at next login?
In-Reply-To:
References: <48122FFE.80607@goldenpath.org> <20080425154241.O66505@arbitor.digitalfreaks.org> <4814C14C.2040608@goldenpath.org> <4814D85D.5020002@ceetonetechnology.com> <48150229.3040903@goldenpath.org> <481512B3.3000603@goldenpath.org> <48162495.9060304@goldenpath.org> <48167A6D.9080104@goldenpath.org>
Message-ID: <4817E297.6070406@goldenpath.org>

Miles Nordin wrote:
> PAM isn't cool. It's also full of bugs, and its behavior can be
> reliably known only by observation, which is exactly the type of
> quirkiness that you *DO NOT* want from a subsystem meant to be
> checking passwords! No, you don't have to write n * m bits of special
> code, but everyone has m broken applications, and n * m things to test
> looking for surprise security problems. And, as you found, debuggers
> don't work well any more, source code is hard to find, and the
> internal behavior of modules is not documented; only rather optimistic
> fantasies of how to configure the module are sometimes partially
> documented. PAM's an embarrassment.

Thank you for the heads-up. It led me to the answer: disabling PAM in sshd. Fixed everything.

Actually, I was kind of freaked out when, after your rant, I thought I had better personally check up on some things I was taking for granted. Apparently this PAM business changes sshd default behavior such that the FreeBSD default *does* allow ssh login with a blank password. eeww.

So, I thought I'd test another service, just to see if it was only SSH having the problem. I don't know about other pam modules, but pam_passwdqc does not work with telnet either. It doesn't even prompt. If you put it in login, telnet prompts, but does not enforce.

So... like I said, I've been learning a lot about PAM... It does sound cool, but apparently has serious problems. Oh, and it's built into the FreeBSD system default security methods and is not well documented. Hmmm.

What about the other BSDs? Are they doing this as well?
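Tim's finding above was made by observation: with PAM in the picture, reading sshd_config alone was not enough to know whether a blank password would be accepted. As an added example (not code from the thread, from FreeBSD, or from OpenSSH), here is a POSIX shell audit of an sshd_config text that gets two sshd_config(5) rules right which a naive "grep | tail -1" gets wrong (for each keyword the first value wins, and anything after a Match line is conditional rather than global), and that reports when the verdict is handed off to the PAM stack rather than made by sshd itself. sshd enforces PermitEmptyPasswords in its own "password" method; a keyboard-interactive (ChallengeResponseAuthentication, later renamed KbdInteractiveAuthentication) response is passed to the PAM conversation, where the modules in /etc/pam.d/sshd decide. The three sample configs are constructed for the example and are not anyone's real files; the option names are the real sshd_config keywords.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config text for the
# settings that decide whether an empty password can get a shell.
#
# Two sshd_config(5) rules a naive "grep | tail -1" gets wrong:
#   1. for each keyword the FIRST value wins, not the last;
#   2. everything after a "Match" line is conditional, not global.

# sshd_global CONFIG_TEXT KEYWORD: print the global value of KEYWORD
# (lower-cased), or "default" if the file never sets it before the
# first Match block.
sshd_global() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # drop comments
        NF == 0 { next }                         # skip blank lines
        tolower($1) == "match" { exit }          # conditional section starts
        tolower($1) == key && !found { print tolower($2); found = 1 }
        END { if (!found) print "default" }
    '
}

# blank_login_verdict CONFIG_TEXT: one word saying what sshd alone tells us.
#   blank-allowed  - sshd accepts "" in its own password method
#   pam-decides    - keyboard-interactive goes to PAM; audit /etc/pam.d/sshd too
#   blank-refused  - every path sshd offers refuses an empty password itself
blank_login_verdict() {
    cfg=$1
    pe=$(sshd_global "$cfg" PermitEmptyPasswords)
    pam=$(sshd_global "$cfg" UsePAM)
    kbd=$(sshd_global "$cfg" ChallengeResponseAuthentication)
    [ "$kbd" = default ] && kbd=$(sshd_global "$cfg" KbdInteractiveAuthentication)

    if [ "$pe" = yes ]; then
        echo blank-allowed
    elif [ "$pam" = yes ] && [ "$kbd" != no ]; then
        # sshd applies PermitEmptyPasswords only in its "password" method; a
        # keyboard-interactive response is handed to the PAM stack unchecked,
        # so the modules in /etc/pam.d/sshd make the call. This is the case
        # where reading sshd_config is not enough, which is what the thread hit.
        echo pam-decides
    else
        echo blank-refused
    fi
}

# Constructed sample configs (assumptions for the example, not real files).
WEAK_CFG='UsePAM yes
PermitEmptyPasswords yes
PasswordAuthentication yes'

# sshd closes the door itself but still defers keyboard-interactive to PAM.
PAM_CFG='UsePAM yes
PermitEmptyPasswords no
PasswordAuthentication yes'

# Door shut everywhere; the later "yes" is ignored (first value wins) and the
# Match block re-opens it for one account only, which a global audit must not
# mistake for the policy of the host.
HARDENED_CFG='UsePAM yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitEmptyPasswords yes      # ignored: first value wins
PasswordAuthentication yes
Match User kiosk
    PermitEmptyPasswords yes'

for name in WEAK_CFG PAM_CFG HARDENED_CFG; do
    eval "cfg=\$$name"
    printf '%-13s %s\n' "$name:" "$(blank_login_verdict "$cfg")"
done
```

Run it as-is to see the three verdicts, or feed a real file with `blank_login_verdict "$(cat /etc/ssh/sshd_config)"`. A "pam-decides" result is the cue to read /etc/pam.d/sshd (and whatever the auth modules there pull in) before trusting the sshd_config answer; "blank-refused" only says what sshd does on its own, so the password-quality and change-at-next-login rules Tim wanted still have to be checked in the PAM password and account stacks.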
