From skreuzer at exit2shell.com Tue Dec 1 10:12:00 2009
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Tue, 1 Dec 2009 10:12:00 -0500
Subject: [nycbug-talk] FreeBSD localroot Zero day
Message-ID:

FreeBSD 7 and 8 are vulnerable.

http://seclists.org/fulldisclosure/2009/Nov/371

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From akosela at andykosela.com Tue Dec 1 10:20:38 2009
From: akosela at andykosela.com (Andy Kosela)
Date: Tue, 01 Dec 2009 16:20:38 +0100
Subject: [nycbug-talk] FreeBSD localroot Zero day
In-Reply-To:
References:
Message-ID: <4b153446.w/gqYJvZ7/AgmST8%akosela@andykosela.com>

Steven Kreuzer wrote:
> FreeBSD 7 and 8 are vulnerable.
>
> http://seclists.org/fulldisclosure/2009/Nov/371
>

For those of you who don't follow freebsd-security@:
http://lists.freebsd.org/pipermail/freebsd-security/2009-December/005369.html

The temporary patch is here
http://people.freebsd.org/~cperciva/rtld.patch
and has SHA256 hash
ffcba0c20335dd83e9ac0d0e920faf5b4aedf366ee5a41f548b95027e3b770c1

--Andy

From nikolai at fetissov.org Thu Dec 3 11:00:27 2009
From: nikolai at fetissov.org (nikolai)
Date: Thu, 3 Dec 2009 11:00:27 -0500
Subject: [nycbug-talk] December 2009 meeting audio
Message-ID: <9cbe0b5490062b2c428678e88e059339.squirrel@geekisp.com>

Folks,

Audio recording of the presentations is online at
http://www.fetissov.org/public/nycbug/nycbug-12-02-09.mp3

Cheers,
--
Nikolai

From george at ceetonetechnology.com Thu Dec 3 11:19:15 2009
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 03 Dec 2009 11:19:15 -0500
Subject: [nycbug-talk] Last night's meeting
Message-ID: <4B17E503.3040704@ceetonetechnology.com>

Wondering others' thoughts on last night's meeting. . .

I thought it was a great meeting overall. .. brought in more speakers,
some for the first time, encouraged more people to be involved.

We often have side discussions about topics that don't justify a full
meeting.
It might be an SSH hack, a creative use of pipes, and so it
reflects the day-to-day activities of people. . . so it's worth
integrating into our meetings without the rigidity of this or that
specific topic.

Personally, though, I was thinking we should try for a "pipes and
scripts" meeting as opposed to "ports and packages."

Maybe a bit clearer by saying the solutions/hints/hacks should be
interoperable for all bsds (and even Linux and Solaris, etc). .. .
basically a focus on creatively employing the core unix commands. ..
from "at to zcat." Say, unix is a toolbox, what do you do with the tools?

Say. . . running a command then ending with "&& mail -s 'script done'
root" or uniquely piping things to logger, like ike's jls example (jls
being a FreeBSD ls for the current jails for the host). Little things
that make life easier because people are employing the core unix tools
creatively.

Nevertheless, we could look at repeating last night in some form or another.

Other thoughts?

g

From mark.saad at ymail.com Thu Dec 3 11:45:14 2009
From: mark.saad at ymail.com (Mark Saad)
Date: Thu, 3 Dec 2009 08:45:14 -0800 (PST)
Subject: [nycbug-talk] Last night's meeting
In-Reply-To: <4B17E503.3040704@ceetonetechnology.com>
References: <4B17E503.3040704@ceetonetechnology.com>
Message-ID: <240869.35285.qm@web113512.mail.gq1.yahoo.com>

George
My wife Sheila had a good idea: some of the short topics from last night
or another similar meeting could be an entire meeting. Why not vote
someone to come back and expand on their topic for a future meeting.

--
Mark Saad
mark.saad at ymail.com

----- Original Message ----
> From: George Rosamond
> To: talk
> Sent: Thu, December 3, 2009 11:19:15 AM
> Subject: [nycbug-talk] Last night's meeting
>
> Wondering others' thoughts on last night's meeting. . .
>
> I thought it was a great meeting overall. .. brought in more speakers,
> some for the first time, encouraged more people to be involved.
>
> We often have side discussions about topics that don't justify a full
> meeting. It might be an SSH hack, a creative use of pipes, and so it
> reflects the day-to-day activities of people. . . so it's worth
> integrating into our meetings without the rigidity of this or that
> specific topic.
>
> Personally, though, I was thinking we should try for a "pipes and
> scripts" meeting as opposed to "ports and packages."
>
> Maybe a bit clearer by saying the solutions/hints/hacks should be
> interoperable for all bsds (and even Linux and Solaris, etc). .. .
> basically a focus on creatively employing the core unix commands. ..
> from "at to zcat." Say, unix is a toolbox, what do you do with the tools?
>
> Say. . . running a command then ending with "&& mail -s 'script done'
> root" or uniquely piping things to logger, like ike's jls example (jls
> being a FreeBSD ls for the current jails for the host). Little things
> that make life easier because people are employing the core unix tools
> creatively.
>
> Nevertheless, we could look at repeating last night in some form or another.
>
> Other thoughts?
>
> g
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

From isaac at diversaform.com Thu Dec 3 15:43:12 2009
From: isaac at diversaform.com (Isaac Levy)
Date: Thu, 3 Dec 2009 15:43:12 -0500
Subject: [nycbug-talk] Last night's meeting
In-Reply-To: <240869.35285.qm@web113512.mail.gq1.yahoo.com>
References: <4B17E503.3040704@ceetonetechnology.com> <240869.35285.qm@web113512.mail.gq1.yahoo.com>
Message-ID: <15977950-38E2-4C18-BEE6-EFD7B6BFC02C@diversaform.com>

> ----- Original Message ----
>> From: George Rosamond
>> To: talk
>> Sent: Thu, December 3, 2009 11:19:15 AM
>> Subject: [nycbug-talk] Last night's meeting
>>
>> Wondering others' thoughts on last night's meeting. . .
>>
>> I thought it was a great meeting overall. ..
>> brought in more speakers,
>> some for the first time, encouraged more people to be involved.
>>
>> We often have side discussions about topics that don't justify a full
>> meeting. It might be an SSH hack, a creative use of pipes, and so it
>> reflects the day-to-day activities of people. . . so it's worth
>> integrating into our meetings without the rigidity of this or that
>> specific topic.
>>
>> Personally, though, I was thinking we should try for a "pipes and
>> scripts" meeting as opposed to "ports and packages."
>>
>> Maybe a bit clearer by saying the solutions/hints/hacks should be
>> interoperable for all bsds (and even Linux and Solaris, etc). .. .
>> basically a focus on creatively employing the core unix commands. ..
>> from "at to zcat." Say, unix is a toolbox, what do you do with the
>> tools?
>>
>> Say. . . running a command then ending with "&& mail -s 'script done'
>> root" or uniquely piping things to logger, like ike's jls example
>> (jls being a FreeBSD ls for the current jails for the host). Little
>> things that make life easier because people are employing the core
>> unix tools creatively.
>>
>> Nevertheless, we could look at repeating last night in some form or
>> another.
>>
>> Other thoughts?
>>
>> g

On Dec 3, 2009, at 11:45 AM, Mark Saad wrote:

> George
> My wife Sheila had a good idea: some of the short topics from last
> night or another similar meeting
> could be an entire meeting. Why not vote someone to come back and
> expand on their topic for a future meeting.
>
> --
> Mark Saad
> mark.saad at ymail.com

I vote for a full meeting on logger(1) "advanced" usage, so I can correct
what was missing last night (using it without pipes!),
e.g.:

# logger hi ike

instead of:

# echo 'hi ike' | logger

Rocket-
.ike

From o_sleep at belovedarctos.com Thu Dec 3 18:54:02 2009
From: o_sleep at belovedarctos.com (Bjorn Nelson)
Date: Thu, 03 Dec 2009 18:54:02 -0500
Subject: [nycbug-talk] Last night's meeting
In-Reply-To: <4B17E503.3040704@ceetonetechnology.com>
References: <4B17E503.3040704@ceetonetechnology.com>
Message-ID: <4B184F9A.6070204@belovedarctos.com>

George Rosamond wrote:
> Wondering others' thoughts on last night's meeting. . .
>
> I thought it was a great meeting overall. .. brought in more speakers,
> some for the first time, encouraged more people to be involved.
>
> We often have side discussions about topics that don't justify a full
> meeting. It might be an SSH hack, a creative use of pipes, and so it
> reflects the day-to-day activities of people. . . so it's worth
> integrating into our meetings without the rigidity of this or that
> specific topic.
>
> Personally, though, I was thinking we should try for a "pipes and
> scripts" meeting as opposed to "ports and packages."
>
> Maybe a bit clearer by saying the solutions/hints/hacks should be
> interoperable for all bsds (and even Linux and Solaris, etc). .. .
> basically a focus on creatively employing the core unix commands. ..
> from "at to zcat." Say, unix is a toolbox, what do you do with the tools?
>
> Say. . . running a command then ending with "&& mail -s 'script done'
> root" or uniquely piping things to logger, like ike's jls example (jls
> being a FreeBSD ls for the current jails for the host). Little things
> that make life easier because people are employing the core unix tools
> creatively.
>
> Nevertheless, we could look at repeating last night in some form or another.
>
> Other thoughts?
>
> g
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

There is a lot of use in just trying to massage data (log files/stuff in
a database) into a format that one can build a pivot table out of
(openoffice calls it data plot). Basically using a mix of awk, sed, tr.
Would this fall into what you are thinking of?

-Bjorn

From matt at atopia.net Fri Dec 4 01:19:43 2009
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 4 Dec 2009 01:19:43 -0500 (EST)
Subject: [nycbug-talk] [OT] - Interesting SVN Question
Message-ID:

Hi all,

I've got a bit of a dilemma. I've got an internal SVN server, running
anonymous SVN serve (though I'd like to set up authentication on it if I
can). The only box that has outside SSH access is a different box. The
devs want to start accessing the repositories remotely, and I don't want
to open the internal SVN server up to the outside world.

So ideally, I'm wondering, is it possible to do:

svn co svn+ssh://user at host/repo

Where /repo is actually pulled from:

svn co svn://servername/repo

or is this double dip strategy not going to work? I guess my other
options would be to either move the repository to the server that has the
outside ssh access, or set up the repository on NFS or something.

Any thoughts on this?

Thanks,

Matt

From lists at zaunere.com Fri Dec 4 10:18:10 2009
From: lists at zaunere.com (Hans Zaunere)
Date: Fri, 4 Dec 2009 10:18:10 -0500
Subject: [nycbug-talk] [OT] - Interesting SVN Question
In-Reply-To:
References:
Message-ID: <006c01ca74f4$fd688c50$f839a4f0$@com>

> I've got a bit of a dilemma. I've got an internal SVN server, running
> anonymous SVN serve (though I'd like to set up authentication on it if I
> can). The only box that has outside SSH access is a different box. The
> devs want to start accessing the repositories remotely, and I don't want
> to open the internal SVN server up to the outside world.
>
> So ideally, I'm wondering, is it possible to do:
>
> svn co svn+ssh://user at host/repo
>
> Where /repo is actually pulled from:
>
> svn co svn://servername/repo
>
> or is this double dip strategy not going to work? I guess my other
> options would be to either move the repository to the server that has the
> outside ssh access, or set up the repository on NFS or something.
>
> Any thoughts on this?

Go the Apache route and bask in all the glories of HTTP/S:

Obviously:
http://svnbook.red-bean.com/en/1.5/index.html

Specifically:
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.html
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir
http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authn.sslcerts

H

From matt at atopia.net Fri Dec 4 10:43:24 2009
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 4 Dec 2009 10:43:24 -0500 (EST)
Subject: [nycbug-talk] [OT] - Interesting SVN Question
In-Reply-To: <006c01ca74f4$fd688c50$f839a4f0$@com>
References: <006c01ca74f4$fd688c50$f839a4f0$@com>
Message-ID:

>
> Obviously:
> http://svnbook.red-bean.com/en/1.5/index.html
>
> Specifically:
> http://svnbook.red-bean.com/en/1.5/svn.serverconfig.html
> http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir
> http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authn.sslcerts

Eh, the http option isn't really an option at this point for multiple
reasons =(

Side note: thanks so far for everyone's replies!

From lists at stringsutils.com Fri Dec 4 11:14:10 2009
From: lists at stringsutils.com (Francisco Reyes)
Date: Fri, 04 Dec 2009 11:14:10 -0500
Subject: [nycbug-talk] Last night's meeting
References: <4B17E503.3040704@ceetonetechnology.com> <4B184F9A.6070204@belovedarctos.com>
Message-ID:

Bjorn Nelson writes:

> a database) into a format that one can build a pivot table out of
> (openoffice calls it data plot).
> Basically using a mix of awk, sed, tr.

I for one would find that very interesting.
Looked a few times for already made programs/scripts to make pivot tables.

From spork at bway.net Fri Dec 4 12:21:15 2009
From: spork at bway.net (Charles Sprickman)
Date: Fri, 4 Dec 2009 12:21:15 -0500
Subject: [nycbug-talk] Last night's meeting
In-Reply-To:
References: <4B17E503.3040704@ceetonetechnology.com> <4B184F9A.6070204@belovedarctos.com>
Message-ID:

On Dec 4, 2009, at 11:14 AM, Francisco Reyes wrote:

> Bjorn Nelson writes:
>
>> a database) into a format that one can build a pivot table out of
>> (openoffice calls it data plot). Basically using a mix of awk,
>> sed, tr.
>
> I for one would find that very interesting.
> Looked a few times for already made programs/scripts to make pivot
> tables.

Hell, I'd like a presentation on "excel for sysadmins". I strictly use
most MS office tools for viewing. I have no clue what a pivot table is.

C

> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

From george at ceetonetechnology.com Fri Dec 4 12:26:06 2009
From: george at ceetonetechnology.com (George Rosamond)
Date: Fri, 04 Dec 2009 12:26:06 -0500
Subject: [nycbug-talk] pan-BSD YouTube channel
Message-ID: <4B19462E.6080107@ceetonetechnology.com>

Many of you may be aware of the BSDConferences YouTube Channel:

http://www.youtube.com/user/bsdconferences

Lots of great content up there. . .

While we don't have *any* video from NYCBUG events to post, hit me
off-list if you're interested in syncing the slides with Nikolai's audio.
g

From bonsaime at gmail.com Sat Dec 5 14:09:24 2009
From: bonsaime at gmail.com (Jesse Callaway)
Date: Sat, 5 Dec 2009 14:09:24 -0500
Subject: [nycbug-talk] [OT] - Interesting SVN Question
In-Reply-To:
References: <006c01ca74f4$fd688c50$f839a4f0$@com>
Message-ID:

On Fri, Dec 4, 2009 at 10:43 AM, Matt Juszczak wrote:
>>
>> Obviously:
>> http://svnbook.red-bean.com/en/1.5/index.html
>>
>> Specifically:
>> http://svnbook.red-bean.com/en/1.5/svn.serverconfig.html
>> http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir
>> http://svnbook.red-bean.com/en/1.5/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authn.sslcerts
>
> Eh, the http option isn't really an option at this point for multiple
> reasons =(
>
> Side note: thanks so far for everyone's replies!
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

Late on this. Can authorized_keys be set up to run another ssh session to
the inside machine upon login to your "outside ssh" box? I'm sure someone
suggested this already.

-jesse

From george at ceetonetechnology.com Mon Dec 7 20:16:22 2009
From: george at ceetonetechnology.com (George Rosamond)
Date: Mon, 07 Dec 2009 20:16:22 -0500
Subject: [nycbug-talk] OT on VOIP
Message-ID: <4B1DA8E6.6020007@ceetonetechnology.com>

Cool stuff. .

http://www.cs.columbia.edu/~salman/peer/

g

From isaac at diversaform.com Tue Dec 8 09:40:13 2009
From: isaac at diversaform.com (Isaac Levy)
Date: Tue, 8 Dec 2009 09:40:13 -0500
Subject: [nycbug-talk] Last night's meeting
In-Reply-To:
References: <4B17E503.3040704@ceetonetechnology.com> <4B184F9A.6070204@belovedarctos.com>
Message-ID:

On Dec 4, 2009, at 11:14 AM, Francisco Reyes wrote:

>> a database) into a format that one can build a pivot table out of
>> (openoffice calls it data plot). Basically using a mix of awk,
>> sed, tr.
>
> I for one would find that very interesting.
> Looked a few times for already made programs/scripts to make pivot
> tables.

I'll second that- This sounds like a very useful topic...

Rocket-
.ike

From mark.saad at ymail.com Wed Dec 9 16:36:39 2009
From: mark.saad at ymail.com (Mark Saad)
Date: Wed, 9 Dec 2009 13:36:39 -0800 (PST)
Subject: [nycbug-talk] New Softupdate work
Message-ID: <974912.867.qm@web113514.mail.gq1.yahoo.com>

All
I stumbled on this over at FreeBSDnews.net. Looks very interesting.

http://jeffr-tech.livejournal.com/22716.html

--
Mark Saad
mark.saad at ymail.com

From jpb at sixshooter.v6.thrupoint.net Sat Dec 19 15:46:45 2009
From: jpb at sixshooter.v6.thrupoint.net (Jim B.)
Date: Sat, 19 Dec 2009 15:46:45 -0500
Subject: [nycbug-talk] BSDCG Study Guide DVD and QEMU/AQEMU Material
Message-ID: <20091219204645.GC3986@sixshooter.v6.thrupoint.net>

Hi All,

The material I presented at the end of the Oct NYCBUG on using the QEMU
and AQEMU virtualization tools with the BSDCG study guide DVD is now
available on Jeremy Reed's BSD wiki:

http://bsdwiki.reedmedia.net/wiki/using_the_bsda_study_dvd.html

The article also contains information on networking multiple BSD QEMU
systems.

Happy Holiday Reading!

Jim B.

From matt at atopia.net Wed Dec 23 02:13:00 2009
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 23 Dec 2009 02:13:00 -0500 (EST)
Subject: [nycbug-talk] OT: RootBSD.net
Message-ID:

Hi all,

Does anyone here use rootbsd.net or have a server with them? One project
I worked on used them, but I haven't had enough time to totally test them
out.

I have a small server at a data center that just does basic email and web,
and I'm considering moving that to them, but it houses some websites like
bsdjobs.net, etc., so I'd probably want not only a reliable service, but
also a secure service with a good privacy policy.

Can anyone recommend rootbsd?

Thanks!
-Matt

From spork at bway.net Wed Dec 23 15:10:05 2009
From: spork at bway.net (Charles Sprickman)
Date: Wed, 23 Dec 2009 15:10:05 -0500 (EST)
Subject: [nycbug-talk] FreeBSD 32-bit to 64-bit?
Message-ID:

Howdy,

Anyone got some pointers on how to "convert" an existing 8.0 32 bit
install to a 64 bit install?

Caveat: The machine in question has no floppy, no optical drive, and usb
keys and such are a bit wonky on it, so I have to do this without
resorting to booting new install media. I do have a serial console.

I did manage to build and boot a 64 bit kernel using this incantation:

make -j4 TARGET_ARCH=amd64 buildworld buildkernel KERNCONF=BWAY8-64

Installing was rough, the build system wants that installed anywhere but
"/boot", so I had to set DESTDIR to a directory in /tmp and move the
kernel into place manually. Using nextboot to boot that kernel works, but
the build system seems to kind of fall apart when trying to install world.

Even simple pointers like "this is how the build system figures out what
architecture it's on and these are the variables it sets" would be very
helpful.

Thanks,

Charles

___
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
spork at bway.net - 212.655.9344

From jhb at freebsd.org Wed Dec 23 16:15:28 2009
From: jhb at freebsd.org (John Baldwin)
Date: Wed, 23 Dec 2009 16:15:28 -0500
Subject: [nycbug-talk] FreeBSD 32-bit to 64-bit?
In-Reply-To:
References:
Message-ID: <200912231615.28671.jhb@freebsd.org>

On Wednesday 23 December 2009 3:10:05 pm Charles Sprickman wrote:
> Howdy,
>
> Anyone got some pointers on how to "convert" an existing 8.0 32 bit
> install to a 64 bit install?
>
> Caveat: The machine in question has no floppy, no optical drive, and usb
> keys and such are a bit wonky on it, so I have to do this without
> resorting to booting new install media. I do have a serial console.
>
> I did manage to build and boot a 64 bit kernel using this incantation:
>
> make -j4 TARGET_ARCH=amd64 buildworld buildkernel KERNCONF=BWAY8-64
>
> Installing was rough, the build system wants that installed anywhere but
> "/boot", so I had to set DESTDIR to a directory in /tmp and move the
> kernel into place manually. Using nextboot to boot that kernel works, but
> the build system seems to kind of fall apart when trying to install world.
>
> Even simple pointers like "this is how the build system figures out what
> architecture it's on and these are the variables it sets" would be very
> helpful.

One tactic I know some people have used to do this is to newfs a swap
partition, do an installworld into that and boot into single-user with
that mounted as your / (by editing /etc/fstab or setting
vfs.mountroot_from in the loader), mount the rest of your partitions
under /mnt or some such, installworld into /mnt, restore /etc/fstab if
necessary, then reboot back to your normal layout.

--
John Baldwin

From pete at nomadlogic.org Tue Dec 29 10:46:09 2009
From: pete at nomadlogic.org (Pete Wright)
Date: Tue, 29 Dec 2009 07:46:09 -0800
Subject: [nycbug-talk] OT: RootBSD.net
In-Reply-To:
References:
Message-ID: <22F30F06-A13D-47F7-A806-3DD21ACD3796@nomadlogic.org>

On Dec 22, 2009, at 11:13 PM, Matt Juszczak wrote:

> Hi all,
>
> Does anyone here use rootbsd.net or have a server with them? One project
> I worked on used them, but I haven't had enough time to totally test them
> out.
>
> I have a small server at a data center that just does basic email and web,
> and I'm considering moving that to them, but it houses some websites like
> bsdjobs.net, etc., so I'd probably want not only a reliable service, but
> also a secure service with a good privacy policy.
>
> Can anyone recommend rootbsd?
>

Hi Matt,

Yes I can recommend them for sure. I host my personal domain with them
and have been quite happy.
There was a snafu where I missed a billing cycle and they were very
helpful getting my VM back up and running once the payment went through -
and this was on a Sat. The VM being powered off was my fault, and I
cannot blame them for wanting to be paid either :)

But for the several months I've been using them I have had zero issues,
and their web add-ons are quite nice as well. You can monitor network
usage etc.

-pete

From njt at ayvali.org Tue Dec 29 11:42:38 2009
From: njt at ayvali.org (N.J. Thomas)
Date: Tue, 29 Dec 2009 11:42:38 -0500
Subject: [nycbug-talk] OT: RootBSD.net
In-Reply-To: <22F30F06-A13D-47F7-A806-3DD21ACD3796@nomadlogic.org>
References: <22F30F06-A13D-47F7-A806-3DD21ACD3796@nomadlogic.org>
Message-ID: <20091229164238.GS14697@zaph.org>

* Pete Wright [2009-12-29 07:46:09-0800]:
> > Does anyone here use rootbsd.net or have a server with them? One
> > project I worked on used them, but I haven't had enough time to
> > totally test them out.
>
> Yes I can recommend them for sure. I host my personal domain with
> them and have been quite happy.

(I replied to Matt offlist earlier, but I should probably reply here as
well for posterity's sake.)

Been a RootBSD customer for almost two years now, and my experiences with
them are only positive, so I highly recommend them.

Thomas

From spork at bway.net Wed Dec 30 01:05:23 2009
From: spork at bway.net (Charles Sprickman)
Date: Wed, 30 Dec 2009 01:05:23 -0500 (EST)
Subject: [nycbug-talk] FreeBSD 32-bit to 64-bit?
In-Reply-To:
References:
Message-ID:

Top-posting and answering myself for the archives...

Easiest way to do this was to build a kernel as described below, grab all
the install filesets for amd64, boot the 64-bit kernel single user and
then extract the install bits over the existing system and smack
permissions into place with the mtree files included with the install
filesets.
The only gotcha is to watch during the extraction for anything that could
not be overwritten due to the immutable bit being set on the files.

Oh, and the base install will give you a new /etc (figured that out when
I couldn't login anymore). :)

C

On Wed, 23 Dec 2009, Charles Sprickman wrote:

> Howdy,
>
> Anyone got some pointers on how to "convert" an existing 8.0 32 bit
> install to a 64 bit install?
>
> Caveat: The machine in question has no floppy, no optical drive, and usb
> keys and such are a bit wonky on it, so I have to do this without
> resorting to booting new install media. I do have a serial console.
>
> I did manage to build and boot a 64 bit kernel using this incantation:
>
> make -j4 TARGET_ARCH=amd64 buildworld buildkernel KERNCONF=BWAY8-64
>
> Installing was rough, the build system wants that installed anywhere but
> "/boot", so I had to set DESTDIR to a directory in /tmp and move the
> kernel into place manually. Using nextboot to boot that kernel works, but
> the build system seems to kind of fall apart when trying to install world.
>
> Even simple pointers like "this is how the build system figures out what
> architecture it's on and these are the variables it sets" would be very
> helpful.
>
> Thanks,
>
> Charles
>
> ___
> Charles Sprickman
> NetEng/SysAdmin
> Bway.net - New York's Best Internet - www.bway.net
> spork at bway.net - 212.655.9344
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

From okan at demirmen.com Wed Dec 30 11:46:54 2009
From: okan at demirmen.com (Okan Demirmen)
Date: Wed, 30 Dec 2009 11:46:54 -0500
Subject: [nycbug-talk] password repository
Message-ID: <20091230164654.GW14500@clam.khaoz.org>

what do you all use, recommend, love, hate?

what about "shared" repositories in environments where you have a bunch
of sysadmins, all of whom should be able to view/add/modify entries and
such?
while this is off-BSD topic, i'm sure all of us have run into such a
question at some point.

cheers,
okan

From chsnyder at gmail.com Wed Dec 30 12:07:59 2009
From: chsnyder at gmail.com (Chris Snyder)
Date: Wed, 30 Dec 2009 12:07:59 -0500
Subject: [nycbug-talk] password repository
In-Reply-To: <20091230164654.GW14500@clam.khaoz.org>
References: <20091230164654.GW14500@clam.khaoz.org>
Message-ID:

On Wed, Dec 30, 2009 at 11:46 AM, Okan Demirmen wrote:
> what do you all use, recommend, love, hate?
>
> what about "shared" repositories in environments where you have a bunch
> of sysadmins, all of whom should be able to view/add/modify entries and
> such?
>

I like using TrueCrypt files for this. TC is cross-platform and easy to
understand. If you need to share with others you just give them access to
the file and the password needed to mount it. The passwords themselves
are in a text file or spreadsheet within the .tc file.

From mark.saad at ymail.com Wed Dec 30 12:44:48 2009
From: mark.saad at ymail.com (Mark Saad)
Date: Wed, 30 Dec 2009 09:44:48 -0800 (PST)
Subject: [nycbug-talk] Facebook Group
Message-ID: <582953.12013.qm@web113514.mail.gq1.yahoo.com>

Hello Talk
For you who are using Facebook, I created a NYCBUG group. The Group will
mirror the upcoming events and provide a new way to promote NYCBug.
Please feel free to join and spread the word.

--
Mark Saad
mark.saad at ymail.com

From nikolai at fetissov.org Wed Dec 30 13:02:46 2009
From: nikolai at fetissov.org (nikolai)
Date: Wed, 30 Dec 2009 13:02:46 -0500
Subject: [nycbug-talk] password repository
In-Reply-To: <20091230164654.GW14500@clam.khaoz.org>
References: <20091230164654.GW14500@clam.khaoz.org>
Message-ID:

> what do you all use, recommend, love, hate?
>
> what about "shared" repositories in environments where you have a bunch
> of sysadmins, all of whom should be able to view/add/modify entries and
> such?
>
> while this is off-BSD topic, i'm sure all of us have run into such a
> question at some point.
I encrypt a text file with passwords, etc. using openssl, like
'openssl enc -bf -salt -in vault -out vault.bf', and check it into cvs.
Of course people using/updating the file need to know the master
password ...

--
Nikolai

From mark.saad at ymail.com Wed Dec 30 12:41:51 2009
From: mark.saad at ymail.com (Mark Saad)
Date: Wed, 30 Dec 2009 09:41:51 -0800 (PST)
Subject: [nycbug-talk] password repository
In-Reply-To: <20091230164654.GW14500@clam.khaoz.org>
References: <20091230164654.GW14500@clam.khaoz.org>
Message-ID: <683942.93113.qm@web113517.mail.gq1.yahoo.com>

Hey Talk

----- Original Message ----
> From: Okan Demirmen
> To: talk at lists.nycbug.org
> Sent: Wed, December 30, 2009 11:46:54 AM
> Subject: [nycbug-talk] password repository
>
> what do you all use, recommend, love, hate?
>
> what about "shared" repositories in environments where you have a bunch
> of sysadmins, all of whom should be able to view/add/modify entries and
> such?
>

Okan
I love using RCS; it's simple and it's installed almost everywhere. It's
no CVS, but it's good for the quick and dirty check-in check-out sort of
repo.

> while this is off-BSD topic, i'm sure all of us have run into such a
> question at some point.
>
> cheers,
> okan
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

--
Mark Saad
mark.saad at ymail.com

From marco at metm.org Wed Dec 30 13:25:40 2009
From: marco at metm.org (Marco Scoffier)
Date: Wed, 30 Dec 2009 13:25:40 -0500
Subject: [nycbug-talk] Facebook Group
In-Reply-To: <582953.12013.qm@web113514.mail.gq1.yahoo.com>
References: <582953.12013.qm@web113514.mail.gq1.yahoo.com>
Message-ID: <4B3B9B24.8080602@metm.org>

Mark Saad wrote:
> Hello Talk
> For you who are using Facebook, I created a NYCBUG group. The Group will mirror the upcoming events and provide
> a new way to promote NYCBug. Please feel free to join and spread the word.
>
>

Link?
From ike at lesmuug.org Wed Dec 30 14:20:07 2009
From: ike at lesmuug.org (Isaac Levy)
Date: Wed, 30 Dec 2009 14:20:07 -0500
Subject: [nycbug-talk] OT: RootBSD.net
In-Reply-To: <20091229164238.GS14697@zaph.org>
References: <22F30F06-A13D-47F7-A806-3DD21ACD3796@nomadlogic.org> <20091229164238.GS14697@zaph.org>
Message-ID: <1258BC29-BF42-450F-8E5D-0F1890B50021@lesmuug.org>

On Dec 29, 2009, at 11:42 AM, N.J. Thomas wrote:

> * Pete Wright [2009-12-29 07:46:09-0800]:
>>> Does anyone here use rootbsd.net or have a server with them? One
>>> project I worked on used them, but I haven't had enough time to
>>> totally test them out.
>>
>> Yes I can recommend them for sure. I host my personal domain with
>> them and have been quite happy.
>
> (I replied to Matt offlist earlier, but I should probably reply here
> as well for posterity's sake.)
>
> Been a RootBSD customer for almost two years now, and my experiences
> with them are only positive, so I highly recommend them.
>
> Thomas

RootBSD looks like a pretty cool looking hosting provider- just for
comparison's sake, I thought I'd toss in old http://johncompanies.com/
as well, they've been doing jailed VPS server hosting *forever*, very
good folks- I believe I've mentioned them on list before.

/salute

Best,
.ike

From ike at lesmuug.org Wed Dec 30 14:33:48 2009
From: ike at lesmuug.org (Isaac Levy)
Date: Wed, 30 Dec 2009 14:33:48 -0500
Subject: [nycbug-talk] PXE/TFTPd Sanity
Message-ID: <89150BF1-2C17-48CC-BE09-99A4B7CABBCA@lesmuug.org>

Hi All,

I've CC'd Pete here, because I'm hoping he can refresh my memory on
stuff he showed us years ago... Sorry Pete- don't mean to call you out
on list, but guess I am :)

Anyhow, at work, we're heading toward the tipping point where we're
going to drown without network installs (for fairly homogeneous
software, and nearly homogeneous hardware).
It's been quite some time since I've hacked around with PXE, (back then it was just for installing OpenBSD on Soekris boards), so I'm not totally clueless- but diving back into it I sure feel clueless :)
Been spending a bunch of time digging through Wikipedia and the net at large, and still don't feel like I found the path forward.

--
Here's my questions, even just some URL's would make my day:

- Has any unified software/packaging come about for doing network installs, or is it all still all just a matter of setting up TFTPD and a DHCP server?
- Have any neat accounting utilities/database tools come along for storing MAC addresses, and their corresponding IP/boot-media info?

Our reqs are simple: Set up a long-lasting PXE boot environment so we can install:
+ FreeBSD
+ OpenBSD
+ CentOS/Linux (our immediate need)

--
After we get our install media situation set up, we'll move on to the various OS options for install- (CentOS Kickstart, FreeBSD installer scripts, post-flight config scripts, etc...)

Thanks in advance for any thoughts/urls/etc...

Rocket-
.ike

From okan at demirmen.com Wed Dec 30 14:35:44 2009
From: okan at demirmen.com (Okan Demirmen)
Date: Wed, 30 Dec 2009 14:35:44 -0500
Subject: [nycbug-talk] password repository
In-Reply-To:
References: <20091230164654.GW14500@clam.khaoz.org>
Message-ID: <20091230193544.GX14500@clam.khaoz.org>

On Wed 2009.12.30 at 13:02 -0500, nikolai wrote:
> > what do you all use, recommend, love, hate?
> >
> > what about "shared" repositories in environments where you have a bunch
> > of sysadmins, all of whom should be able to view/add/modify entries and
> > such?
> >
> > while this is off-BSD topic, i'm sure all of us have run into such a
> > question at some point.
>
> I encrypt a text file with passwords, etc. using openssl
> like 'openssl enc -bf -salt -in vault -out vault.bf'
> and check it into cvs. Of course people using/updating
> the file need to know the master password ...
so we do the same thing, bf and store the encrypted bits in our local cvs tree. issue here is of course the person changing it better not mis-type the password when re-crypting and committing ;( this is the thing i dislike about the approach.

truecrypt is analogous to disk/volume encrypting bits we already have in bsd - but it doesn't help if this image is mounted on a server somewhere..and say someone doesn't un-mount it after use...

the moving-into-complex solutions could revolve around a public/private trust, such as pgp, with a series of wrappers to make it work for a group of people..

i'm just shooting out ideas - curious to see how others handle this type of stuff ;) i'm aware of the tons of "commercial" and "complicated" stuff out there, but i tend to stay away from those...

cheers,
okan

From chsnyder at gmail.com Wed Dec 30 14:50:20 2009
From: chsnyder at gmail.com (Chris Snyder)
Date: Wed, 30 Dec 2009 14:50:20 -0500
Subject: [nycbug-talk] password repository
In-Reply-To: <20091230193544.GX14500@clam.khaoz.org>
References: <20091230164654.GW14500@clam.khaoz.org> <20091230193544.GX14500@clam.khaoz.org>
Message-ID:

On Wed, Dec 30, 2009 at 2:35 PM, Okan Demirmen wrote:
> truecrypt is analogous to disk/volume encrypting bits we already have in
> bsd - but it doesn't help if this image is mounted on a server
> somewhere..and say someone doesn't un-mount it after use...

Sort of. The point of using something cross-platform is that devs / admins mount the image locally on their Win/Mac workstations. And you don't need to explain openssl to the Windows guys...
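Nikolai's openssl-vault-in-cvs approach and Okan's worry about re-encrypting under a mis-typed passphrase, as an added example that is not code from the thread: a POSIX sh wrapper that reads the passphrase once, proves it by decrypting the existing vault, re-encrypts with that same value, and verifies the round trip before replacing the file. It swaps the thread's -bf for aes-256-cbc with PBKDF2 (Blowfish is a legacy cipher in current OpenSSL), assumes a stock openssl binary on PATH, and all function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): guarded edit of an openssl-encrypted
# password vault, for the case Okan raises: the person editing the vault
# must not re-encrypt it under a mis-typed passphrase before committing.
# The passphrase is read once, proven by decrypting the current vault, then
# reused for re-encryption; the new ciphertext is decrypted again and
# compared byte for byte before the old vault is replaced.
#
# Swapped-in cipher: aes-256-cbc + PBKDF2 instead of the thread's "-bf".
# "-salt" is kept so two revisions of identical plaintext never share
# ciphertext in the repository history.

# vault_encrypt PLAINTEXT CIPHERTEXT PASSFILE
vault_encrypt() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
        -pass "file:$3" -in "$1" -out "$2"
}

# vault_decrypt CIPHERTEXT PLAINTEXT PASSFILE
vault_decrypt() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -pass "file:$3" -in "$1" -out "$2"
}

# vault_check VAULT PASSFILE
# Returns 0 if VAULT decrypts under PASSFILE. A wrong passphrase fails the
# CBC padding check ("bad decrypt") with overwhelming, not absolute,
# probability, so treat this as a guard, not as authentication.
vault_check() {
    vault_decrypt "$1" /dev/null "$2" 2>/dev/null
}

# vault_update VAULT NEWPLAIN PASSFILE
# Writes NEWPLAIN into VAULT only if (a) PASSFILE opens the current VAULT
# and (b) the fresh ciphertext decrypts back to NEWPLAIN exactly.
# On any failure VAULT is left untouched and nothing is committed.
vault_update() {
    vault="$1"; newplain="$2"; passfile="$3"
    if [ -s "$vault" ] && ! vault_check "$vault" "$passfile"; then
        echo "vault_update: passphrase does not open $vault, refusing" >&2
        return 1
    fi
    tmpenc=$(mktemp "$vault.XXXXXX") || return 1
    tmpdec=$(mktemp) || { rm -f "$tmpenc"; return 1; }
    if vault_encrypt "$newplain" "$tmpenc" "$passfile" \
       && vault_decrypt "$tmpenc" "$tmpdec" "$passfile" \
       && cmp -s "$newplain" "$tmpdec"; then
        rm -f "$tmpdec"
        mv "$tmpenc" "$vault"     # atomic replace; now safe to cvs commit
        return 0
    fi
    echo "vault_update: round-trip verification failed, $vault untouched" >&2
    rm -f "$tmpenc" "$tmpdec"
    return 1
}

# Interactive front end: passphrase read once without echo into a 0600
# temp file removed on exit; decrypt, edit, then guarded re-encrypt.
vault_edit() {
    vault="$1"
    passfile=$(mktemp) && chmod 600 "$passfile" || return 1
    plain=$(mktemp) || { rm -f "$passfile"; return 1; }
    trap 'rm -f "$passfile" "$plain"' EXIT INT TERM
    stty -echo; printf 'Vault passphrase: '; read -r pw; stty echo; echo
    printf '%s' "$pw" > "$passfile"; unset pw
    if [ -s "$vault" ]; then
        vault_decrypt "$vault" "$plain" "$passfile" || return 1
    fi
    ${EDITOR:-vi} "$plain" && vault_update "$vault" "$plain" "$passfile"
}
```

Because the same passphrase that just opened the old vault is the one used to re-encrypt, a typo can only ever produce "refusing", never a vault nobody can open.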
From dave at donnerjack.com Wed Dec 30 15:09:37 2009
From: dave at donnerjack.com (David Lawson)
Date: Wed, 30 Dec 2009 15:09:37 -0500
Subject: [nycbug-talk] PXE/TFTPd Sanity
In-Reply-To: <89150BF1-2C17-48CC-BE09-99A4B7CABBCA@lesmuug.org>
References: <89150BF1-2C17-48CC-BE09-99A4B7CABBCA@lesmuug.org>
Message-ID: <33C29FCA-473B-4A8D-B4CC-FA0878C914F2@donnerjack.com>

> - Has any unified software/packaging come about for doing network
> installs, or is it all still all just a matter of setting up TFTPD and
> a DHCP server?

Cobbler/Satellite are worth taking a look at; they're both, unfortunately, very linux-centric as they grew out of Red Hat projects, but I believe they can do BSDs.

> - Have any neat accounting utilities/database tools come along for
> storing MAC addresses, and their corresponding IP/boot-media info?

Cobbler provides a system for that. There's also at least some Satellite integration. Also some hooks into Puppet or other config management/accounting type tools. ZenOSS is another option that has that kind of functionality to it, though I don't know whether it has any network install type stuff in it. I know of a couple large companies that are using it at least for monitoring if not for machine accounting.

I'm 99% sure I've talked about Cobbler with someone on this list before who was leveraging it more heavily than I am, so there may be some more expert opinions kicking around. There's a lot of value add to it beyond what you're asking about, so it's possible it's too much gun, but I've found that it's a tool we've grown into using very nicely.
--Dave

From ike at lesmuug.org Wed Dec 30 15:37:42 2009
From: ike at lesmuug.org (Isaac Levy)
Date: Wed, 30 Dec 2009 15:37:42 -0500
Subject: [nycbug-talk] password repository
In-Reply-To:
References: <20091230164654.GW14500@clam.khaoz.org> <20091230193544.GX14500@clam.khaoz.org>
Message-ID: <36D09108-247D-4959-82A9-DA90520062D2@lesmuug.org>

On Dec 30, 2009, at 2:50 PM, Chris Snyder wrote:

> On Wed, Dec 30, 2009 at 2:35 PM, Okan Demirmen wrote:
>
>> truecrypt is analogous to disk/volume encrypting bits we already
>> have in
>> bsd - but it doesn't help if this image is mounted on a server
>> somewhere..and say someone doesn't un-mount it after use...
>
> Sort of. The point of using something cross-platform is that devs /
> admins mount the image locally on their Win/Mac workstations. And you
> don't need to explain openssl to the Windows guys...

Just to be clear- Is that the only benefit of Truecrypt, Windows compatibility? I've never used it and I'm just curious... (perhaps I should *try* it)

I've been watching this thread but since we're a totally UNIX shop, I'm leaning towards nikolai's OpenSSL/Version-Repo answer... A very UNIX-ish approach to solving the problem. Mix it with some commit emails from your Version Repo of choice, or toss some more pipes into there, or script out more parts, and voila- the solution gains features very cheaply... :)

Rocket-
.ike

From ike at lesmuug.org Wed Dec 30 15:41:27 2009
From: ike at lesmuug.org (Isaac Levy)
Date: Wed, 30 Dec 2009 15:41:27 -0500
Subject: [nycbug-talk] PXE/TFTPd Sanity
In-Reply-To: <33C29FCA-473B-4A8D-B4CC-FA0878C914F2@donnerjack.com>
References: <89150BF1-2C17-48CC-BE09-99A4B7CABBCA@lesmuug.org> <33C29FCA-473B-4A8D-B4CC-FA0878C914F2@donnerjack.com>
Message-ID:

On Dec 30, 2009, at 3:09 PM, David Lawson wrote:

>> - Has any unified software/packaging come about for doing network
>> installs, or is it all still all just a matter of setting up TFTPD
>> and
>> a DHCP server?
>
> Cobbler/Satellite are worth taking a look at, they're both,
> unfortunately, very linux-centric as they grew out of Red Hat
> projects, but I believe they can do BSDs.
>
>> - Have any neat accounting utilities/database tools come along for
>> storing MAC addresses, and their corresponding IP/boot-media info?
>
> Cobbler provides a system for that. There's also at least some
> Satellite integration. Also some hooks into Puppet or other config
> management/accounting type tools. ZenOSS is another option that has
> that kind of functionality to it, though I don't know whether it has
> any network install type stuff in it. I know of a couple large
> companies that are using it at least for monitoring if not for
> machine accounting.
>
> I'm 99% sure I've talked about Cobbler with someone on this list
> before who was leveraging it more heavily than I am, so there may be
> some more expert opinions kicking around. There's a lot of value
> add to it beyond what you're asking about, so it's possible it's too
> much gun, but I've found that it's a tool we've grown into using
> very nicely.
>
> --Dave

Thanks Dave- I'll take a look at Cobbler and see how it feels- (and I'll search the mail archives for Cobbler stuff)...
Rocket-
.ike

From nikolai at fetissov.org Wed Dec 30 16:19:08 2009
From: nikolai at fetissov.org (nikolai)
Date: Wed, 30 Dec 2009 16:19:08 -0500
Subject: [nycbug-talk] password repository
In-Reply-To: <36D09108-247D-4959-82A9-DA90520062D2@lesmuug.org>
References: <20091230164654.GW14500@clam.khaoz.org> <20091230193544.GX14500@clam.khaoz.org> <36D09108-247D-4959-82A9-DA90520062D2@lesmuug.org>
Message-ID: <9afb696ab7ce06ff55455987948ea1ab.squirrel@geekisp.com>

> On Dec 30, 2009, at 2:50 PM, Chris Snyder wrote:
>
>> On Wed, Dec 30, 2009 at 2:35 PM, Okan Demirmen wrote:
>>
>>> truecrypt is analogous to disk/volume encrypting bits we already
>>> have in
>>> bsd - but it doesn't help if this image is mounted on a server
>>> somewhere..and say someone doesn't un-mount it after use...
>>
>> Sort of. The point of using something cross-platform is that devs /
>> admins mount the image locally on their Win/Mac workstations. And you
>> don't need to explain openssl to the Windows guys...
>
> Just to be clear- Is that the only benefit of Truecrypt, Windows
> compatibility? I've never used it and I'm just curious... (perhaps I
> should *try* it)
>
> I've been watching this thread but since we're a totally UNIX shop,
> I'm leaning towards nikolai's OpenSSL/Version-Repo answer... A very
> UNIX-ish approach to solving the problem. Mix it with some commit
> emails from your Version Repo of choice, or toss some more pipes into
> there, or script out more parts, and voila- the solution gains
> features very cheaply... :)
>

Hmm, what's wrong with a private cvs/svn/git/whatever repository for admin group only where password file(s) are stored in *clear text*? Diffs are priceless :)

Put it onto encrypted slice/file to prevent single-user snoop? Backup encrypted data? I know there's always a trade-off.
--
Nikolai

From chsnyder at gmail.com Wed Dec 30 16:26:56 2009
From: chsnyder at gmail.com (Chris Snyder)
Date: Wed, 30 Dec 2009 16:26:56 -0500
Subject: [nycbug-talk] password repository
In-Reply-To: <36D09108-247D-4959-82A9-DA90520062D2@lesmuug.org>
References: <20091230164654.GW14500@clam.khaoz.org> <20091230193544.GX14500@clam.khaoz.org> <36D09108-247D-4959-82A9-DA90520062D2@lesmuug.org>
Message-ID:

On Wed, Dec 30, 2009 at 3:37 PM, Isaac Levy wrote:
> On Dec 30, 2009, at 2:50 PM, Chris Snyder wrote:
>
>> On Wed, Dec 30, 2009 at 2:35 PM, Okan Demirmen wrote:
>>
>>> truecrypt is analogous to disk/volume encrypting bits we already have in
>>> bsd - but it doesn't help if this image is mounted on a server
>>> somewhere..and say someone doesn't un-mount it after use...
>>
>> Sort of. The point of using something cross-platform is that devs /
>> admins mount the image locally on their Win/Mac workstations. And you
>> don't need to explain openssl to the Windows guys...
>
> Just to be clear- Is that the only benefit of Truecrypt, Windows
> compatibility? I've never used it and I'm just curious... (perhaps I
> should *try* it)

For this, yeah: Mac/Win/Linux compat and GUI.

TC has a plausible-deniability mode that embeds an image within an image, so that in theory you could give out the "outer" password if someone held a gun to your head, and keep the inner password secret.

By the way, I'm not sure if they use a password salt or not, I seem to recall warnings about saving .tc files in version control because they might leak info if attacker has many versions of the same file. For that reason alone the openssl approach is better if you're a unix shop.
From mark.saad at ymail.com Wed Dec 30 16:20:42 2009
From: mark.saad at ymail.com (Mark Saad)
Date: Wed, 30 Dec 2009 13:20:42 -0800 (PST)
Subject: [nycbug-talk] Facebook Group
In-Reply-To: <4B3B9B24.8080602@metm.org>
References: <582953.12013.qm@web113514.mail.gq1.yahoo.com> <4B3B9B24.8080602@metm.org>
Message-ID: <770715.43958.qm@web113516.mail.gq1.yahoo.com>

Marco

----- Original Message ----
> From: Marco Scoffier
> To: Mark Saad
> Cc: nycbug talk
> Sent: Wed, December 30, 2009 1:25:40 PM
> Subject: Re: [nycbug-talk] Facebook Group
>
> Mark Saad wrote:
> > Hello Talk
> > For you who are using Facebook, I created a NYCBUG group. The Group will
> mirror the up coming events and provide
> > a new way to promote NYCBug. Please feel free to join and spread the word.
> >
> Link ?

I just sent you an invite. The group is open for anyone to join. From the Facebook search box just type in nycbug and in the results make sure you are looking for groups not people.

--
Mark Saad
mark.saad at ymail.com

From njt at ayvali.org Wed Dec 30 17:02:48 2009
From: njt at ayvali.org (N.J. Thomas)
Date: Wed, 30 Dec 2009 17:02:48 -0500
Subject: [nycbug-talk] PXE/TFTPd Sanity
In-Reply-To: <89150BF1-2C17-48CC-BE09-99A4B7CABBCA@lesmuug.org>
References: <89150BF1-2C17-48CC-BE09-99A4B7CABBCA@lesmuug.org>
Message-ID: <20091230220248.GZ14697@zaph.org>

* Isaac Levy [2009-12-30 14:33:48-0500]:
> - Has any unified software/packaging come about for doing network
> installs, or is it all still all just a matter of setting up TFTPD and
> a DHCP server?

The thing I've seen done at most places is something similar to the following:

- use PXE/DHCP/TFTP to have the box grab an IP and fetch the OS install files

- use sysinstall/cobbler/kickstart/jumpstart/FAI to install a minimal OS and the configuration management system

- use the configuration management system (cfengine, puppet, bcfg2, etc.)
  to install everything else

The key here is to keep the first two steps as simple and as small/minimal as possible. I would strongly suggest that you avoid the temptation to have it do more than this. They all have capabilities that will do far more (Cobbler especially), but cfengine/puppet/bcfg2 are far better suited to handle this task, so you want to give that job to them.

The basic idea is you want to get to the point where your automated install is done when the configuration management system package/port is installed. Everything else is done by the latter.

Thomas

From marco at metm.org Wed Dec 30 17:07:30 2009
From: marco at metm.org (Marco Scoffier)
Date: Wed, 30 Dec 2009 17:07:30 -0500
Subject: [nycbug-talk] Facebook Group
In-Reply-To: <770715.43958.qm@web113516.mail.gq1.yahoo.com>
References: <582953.12013.qm@web113514.mail.gq1.yahoo.com> <4B3B9B24.8080602@metm.org> <770715.43958.qm@web113516.mail.gq1.yahoo.com>
Message-ID: <4B3BCF22.4030408@metm.org>

Mark Saad wrote:
> I just sent you an invite. The group is open for anyone to join. From
> the Facebook search box just type in nycbug and in the results make
> sure you are looking for groups not people.
>

Hi Mark,

NYCBUG wasn't coming up in the search for "groups".
Maybe a FB hiccup ...

Thanks for the invite,

Marco

From mark.saad at ymail.com Wed Dec 30 17:58:04 2009
From: mark.saad at ymail.com (Mark Saad)
Date: Wed, 30 Dec 2009 14:58:04 -0800 (PST)
Subject: [nycbug-talk] Facebook Group
In-Reply-To: <4B3BCF22.4030408@metm.org>
References: <582953.12013.qm@web113514.mail.gq1.yahoo.com> <4B3B9B24.8080602@metm.org> <770715.43958.qm@web113516.mail.gq1.yahoo.com> <4B3BCF22.4030408@metm.org>
Message-ID: <909939.88384.qm@web113519.mail.gq1.yahoo.com>

Marco

----- Original Message ----
> From: Marco Scoffier
> To: Mark Saad
> Cc: nycbug talk
> Sent: Wed, December 30, 2009 5:07:30 PM
> Subject: Re: [nycbug-talk] Facebook Group
>
> Mark Saad wrote:
> > I just sent you an invite.
> > The group is open for anyone to join. From
> > the Facebook search box just type in nycbug and in the results make
> > sure you are looking for groups not people.
> Hi Mark,
>
> NYCBUG wasn't coming up in the search for "groups".
> Maybe a FB hiccup ...

I noticed that searching for groups is sometimes foobar'ed. I hope this gets fixed up.

> Thanks for the invite,
>
> Marco

--
Mark Saad
mark.saad at ymail.com

From josh at rivels.org Wed Dec 30 21:31:30 2009
From: josh at rivels.org (Josh Rivel)
Date: Wed, 30 Dec 2009 21:31:30 -0500
Subject: [nycbug-talk] password repository
In-Reply-To:
References: <20091230164654.GW14500@clam.khaoz.org> <20091230193544.GX14500@clam.khaoz.org> <36D09108-247D-4959-82A9-DA90520062D2@lesmuug.org>
Message-ID: <2B0DC59A-F8C0-40CF-AF40-4A8B19584989@rivels.org>

All.

On Dec 30, 2009, at 4:26 PM, Chris Snyder wrote:

> On Wed, Dec 30, 2009 at 3:37 PM, Isaac Levy wrote:
>> On Dec 30, 2009, at 2:50 PM, Chris Snyder wrote:
>>
>>> On Wed, Dec 30, 2009 at 2:35 PM, Okan Demirmen wrote:
>>>
>>>> truecrypt is analogues to disk/volume encrypting bits we already have in
>>>> bsd - but it doesn't help if this image is mounted on a server
>>>> somewhere..and say someone doesn't un-mount it after use...
>>>
>>> Sort of. The point of using something cross-platform is that devs /
>>> admins mount the image locally on their Win/Mac workstations. And you
>>> don't need to explain openssl to the Windows guys...
>>
>> Just to be clear- Is that the only benefit of Truecrypt, Windows
>> compatibility? I've never used it and I'm just curious... (perhaps I
>> should *try* it)
>
> For this, yeah: Mac/Win/Linux compat and GUI.
>
> TC has a plausible-deniability mode that embeds an image within an
> image, so that in theory you could give out the "outer" password if
> someone held a gun to your head, and keep the inner password secret.
>
> By the way, I'm not sure if they use a password salt or not, I seem to
> recall warnings about saving .tc files in version control because they
> might leak info if attacker has many versions of the same file. For
> that reason alone the openssl approach is better if you're a unix
> shop.

How about Password Safe? http://passwordsafe.sourceforge.net/
There are Linux clients, Windows, Mac, and some CLI stuff as well. Set up a passphrase for unlocking the "safe" and you can use it with Windows/Mac/Linux and there are GUIs for them as well.

I use it at work between Windows and Linux (The encrypted safe file is actually on my Windows home file share which is backed up, etc.) and I access it from my Linux workstation with no issues.

Hope this is useful....
Josh

From spork at bway.net Wed Dec 30 23:37:40 2009
From: spork at bway.net (Charles Sprickman)
Date: Wed, 30 Dec 2009 23:37:40 -0500 (EST)
Subject: [nycbug-talk] OpenBSD "router shell"
Message-ID:

This is new to me, thought I'd share:

http://www.nmedia.net/nsh/

"NSH consolidates configuration for interfaces, bridging, routing, PF packet filtering, NAT, queueing, BGP, OSPF, RIP, IPsec, DHCP, DVMRP, SNMP, relayd, sshd, inetd, ftp-proxy, resolv.conf and NTP. It presents the user with a vaguely cisco-like interface with all configuration in one easy to read text list.

It also gives the user access to system information and diagnostics. NSH replaces the userland commands which handle these functions, and talks directly to the OpenBSD kernel or control utility for daemon functionality."
From cwolsen at ubixos.com Thu Dec 31 09:13:55 2009
From: cwolsen at ubixos.com (Christopher Olsen)
Date: Thu, 31 Dec 2009 09:13:55 -0500
Subject: [nycbug-talk] Facebook Group
In-Reply-To: <909939.88384.qm@web113519.mail.gq1.yahoo.com>
References: <582953.12013.qm@web113514.mail.gq1.yahoo.com> <4B3B9B24.8080602@metm.org> <770715.43958.qm@web113516.mail.gq1.yahoo.com> <4B3BCF22.4030408@metm.org> <909939.88384.qm@web113519.mail.gq1.yahoo.com>
Message-ID: <004401ca8a23$7e2f06a0$7a8d13e0$@com>

polo

-----Original Message-----
From: talk-bounces at lists.nycbug.org [mailto:talk-bounces at lists.nycbug.org] On Behalf Of Mark Saad
Sent: Wednesday, December 30, 2009 5:58 PM
To: nycbug talk
Subject: Re: [nycbug-talk] Facebook Group

Marco

----- Original Message ----
> From: Marco Scoffier
> To: Mark Saad
> Cc: nycbug talk
> Sent: Wed, December 30, 2009 5:07:30 PM
> Subject: Re: [nycbug-talk] Facebook Group
>
> Mark Saad wrote:
> > I just sent you an invite. The group is open for anyone to join. From
> > the Facebook search box just type in nycbug and in the results make
> > sure you are looking for groups not people.
> Hi Mark,
>
> NYCBUG wasn't coming up in the search for "groups".
> Maybe a FB hiccup ...

I noticed that searching for groups is sometimes foobar'ed. I hope this gets fixed up.
> Thanks for the invite,
>
> Marco

--
Mark Saad
mark.saad at ymail.com

From mikel.king at olivent.com Thu Dec 31 10:55:52 2009
From: mikel.king at olivent.com (mikel king)
Date: Thu, 31 Dec 2009 10:55:52 -0500
Subject: [nycbug-talk] Facebook Group
In-Reply-To: <4B3BCF22.4030408@metm.org>
References: <582953.12013.qm@web113514.mail.gq1.yahoo.com> <4B3B9B24.8080602@metm.org> <770715.43958.qm@web113516.mail.gq1.yahoo.com> <4B3BCF22.4030408@metm.org>
Message-ID:

On Dec 30, 2009, at 5:07 PM, Marco Scoffier wrote:

> Mark Saad wrote:
>> I just sent you an invite. The group is open for anyone to join.
>> From
>> the Facebook search box just type in nycbug and in the results make
>> sure you are looking for groups not people.
>>
> Hi Mark,
>
> NYCBUG wasn't coming up in the search for "groups".
> Maybe a FB hiccup ...
> Thanks for the invite,
>
> Marco

http://www.facebook.com/group.php?gid=264110491163

From bonsaime at gmail.com Thu Dec 31 12:13:35 2009
From: bonsaime at gmail.com (Jesse Callaway)
Date: Thu, 31 Dec 2009 12:13:35 -0500
Subject: [nycbug-talk] password repository
In-Reply-To: <20091230164654.GW14500@clam.khaoz.org>
References: <20091230164654.GW14500@clam.khaoz.org>
Message-ID:

On Wed, Dec 30, 2009 at 11:46 AM, Okan Demirmen wrote:
> what do you all use, recommend, love, hate?
>
> what about "shared" repositories in environments where you have a bunch
> of sysadmins, all of whom should be able to view/add/modify entries and
> such?
>
> while this is off-BSD topic, i'm sure all of us have run into such a
> question at some point.
>
> cheers,
> okan
>

I've talked about multi-key encryption but it looks like a pain in the butt to me typing-wise, never used it.
Here's a link to a message thread on how to do it with gpg
http://lists.gnupg.org/pipermail/gnupg-users/2003-September/020170.html
The thought is you can spam everyone, and everyone can spam back regarding changes and it's encrypted n-ways. As computers get faster I think this technology will start to catch on. That said, I never tried it and it might be reasonably fast up to some number of keys.

The best web-based thing I've found was PassPack. It's totally awesome. Each user has their own login to PassPack. Users can share passwords and assign read/write privileges to them per item being shared.

-jesse

From ike at lesmuug.org Thu Dec 31 13:18:37 2009
From: ike at lesmuug.org (Isaac Levy)
Date: Thu, 31 Dec 2009 13:18:37 -0500
Subject: [nycbug-talk] PXE/TFTPd Sanity
In-Reply-To: <20091230220248.GZ14697@zaph.org>
References: <89150BF1-2C17-48CC-BE09-99A4B7CABBCA@lesmuug.org> <20091230220248.GZ14697@zaph.org>
Message-ID:

On Dec 30, 2009, at 5:02 PM, N.J. Thomas wrote:

> * Isaac Levy [2009-12-30 14:33:48-0500]:
>> - Has any unified software/packaging come about for doing network
>> installs, or is it all still all just a matter of setting up TFTPD and
>> a DHCP server?
>
> The thing I've seen done at most places is something similar to the
> following:
>
> - use PXE/DHCP/TFTP to have the box grab an IP and fetch
> the OS install files
>
> - use sysinstall/cobbler/kickstart/jumpstart/FAI to install a
> minimal OS and the configuration management system
>
> - use the configuration management system (cfengine, puppet, bcfg2,
> etc.) to install everything else
>
> The key here is to keep the first two steps as simple and as
> small/minimal as possible. I would strongly suggest that you avoid the
> temptation to have it do more than this. They all have capabilities that
> will do far more (Cobbler especially), but cfengine/puppet/bcfg2 are far
> better suited to handle this task, so you want to give that job to them.

Perfect!
>
> The basic idea is you want to get to the point where your automated
> install is done when the configuration management system package/port is
> installed. Everything else is done by the latter.
>
> Thomas

This is exactly the sentiment I was looking for- and as our aim is to continue to maintain very homogeneous groups of software servers, we may not even get into the cfengine/puppet/bcfg2 etc... apps for quite some time- our scripted installs and updates should hold us for at least the next year.

It's the boot and install parts we need to focus on- perhaps months from now I'll post back with notes on what we did.

Now it's up to us to go sort out the tools' options!

Thanks Thomas, and Dave!

Best,
.ike

From ike at lesmuug.org Thu Dec 31 13:12:12 2009
From: ike at lesmuug.org (Isaac Levy)
Date: Thu, 31 Dec 2009 13:12:12 -0500
Subject: [nycbug-talk] OpenBSD "router shell"
In-Reply-To:
References:
Message-ID: <4D718867-51D6-403A-B974-E39BAC4F2219@lesmuug.org>

On Dec 30, 2009, at 11:37 PM, Charles Sprickman wrote:

> This is new to me, thought I'd share:
>
> http://www.nmedia.net/nsh/
>
> "NSH consolidates configuration for interfaces, bridging, routing, PF
> packet filtering, NAT, queueing, BGP, OSPF, RIP, IPsec, DHCP, DVMRP, SNMP,
> relayd, sshd, inetd, ftp-proxy, resolv.conf and NTP. It presents the user
> with a vaguely cisco-like interface with all configuration in one easy to
> read text list.
>
> It also gives the user access to system information and diagnostics. NSH
> replaces the userland commands which handle these functions, and talks
> directly to the OpenBSD kernel or control utility for daemon
> functionality."

I'd be interested to hear how your trip goes with this down the road once you've used it...
Rocket-
.ike

From ike at lesmuug.org Thu Dec 31 13:47:16 2009
From: ike at lesmuug.org (Isaac Levy)
Date: Thu, 31 Dec 2009 13:47:16 -0500
Subject: [nycbug-talk] password repository
In-Reply-To: <9afb696ab7ce06ff55455987948ea1ab.squirrel@geekisp.com>
References: <20091230164654.GW14500@clam.khaoz.org> <20091230193544.GX14500@clam.khaoz.org> <36D09108-247D-4959-82A9-DA90520062D2@lesmuug.org> <9afb696ab7ce06ff55455987948ea1ab.squirrel@geekisp.com>
Message-ID: <89575B41-0ED4-4581-A29A-3ACA09D15061@lesmuug.org>

On Dec 30, 2009, at 4:19 PM, nikolai wrote:

>> On Dec 30, 2009, at 2:50 PM, Chris Snyder wrote:
>>
>>> On Wed, Dec 30, 2009 at 2:35 PM, Okan Demirmen wrote:
>>>
>>>> truecrypt is analogous to disk/volume encrypting bits we already
>>>> have in
>>>> bsd - but it doesn't help if this image is mounted on a server
>>>> somewhere..and say someone doesn't un-mount it after use...
>>>
>>> Sort of. The point of using something cross-platform is that devs /
>>> admins mount the image locally on their Win/Mac workstations. And you
>>> don't need to explain openssl to the Windows guys...
>>
>> Just to be clear- Is that the only benefit of Truecrypt, Windows
>> compatibility? I've never used it and I'm just curious... (perhaps I
>> should *try* it)
>>
>> I've been watching this thread but since we're a totally UNIX shop,
>> I'm leaning towards nikolai's OpenSSL/Version-Repo answer... A very
>> UNIX-ish approach to solving the problem. Mix it with some commit
>> emails from your Version Repo of choice, or toss some more pipes into
>> there, or script out more parts, and voila- the solution gains
>> features very cheaply... :)
>>
>
> Hmm, what's wrong with a private cvs/svn/git/whatever repository
> for admin group only where password file(s) are stored in *clear text*?
> Diffs are priceless :)
>
> Put it onto encrypted slice/file to prevent single-user snoop?
> Backup encrypted data? I know there's always a trade-off.
>
> --
> Nikolai

Ostensibly, that secure/isolated repo is what I've seen in many IT/Sec groups at various institutions- storage for everything save for a couple of most critical resources, (Sr. Admins' private SSH Key info, any 'master-key' type credentials, and of course- the credentials for rooting the repo itself...)

Not a bad strategy- it at least scales fast/well.

On Dec 30, 2009, at 9:31 PM, Josh Rivel wrote:

> How about Password Safe? http://passwordsafe.sourceforge.net/
> There are Linux clients, Windows, Mac, and some CLI stuff as well. Set up a passphrase for unlocking the "safe" and you can use it with Windows/Mac/Linux and there are GUIs for them as well.
>
> I use it at work between Windows and Linux (The encrypted safe file is actually on my Windows home file share which is backed up, etc.) and I access it from my Linux workstation with no issues.
>
> Hope this is useful....
> Josh

Killer. I'm gonna' check this out asap!

--
It reminds me of a tangent, something I use so much I forget about it, Apple's Keychain.app (and system keychain). Off-topic for the BSD list, but interesting and germane to this thread IMHO:

Keychain.app is Apple-specific, and to my knowledge not open, (something which has irked me for years- limits my trust and use of it), but it has some notable features:

- The keychains themselves are separate from the GUI Keychain.app, and are used to store nearly all user credentials- built into every apple app, (Mail, Web Passwords, SSL Certs, whatever).
- The Keychain.App has the ability to add ad-hoc text notes.
- The Copy/Paste/Find buffers are separated from the rest of Apple's GUI text frameworks, though features are there for searching for the credential title- (not the secret contents), so the GUI app is one of the more interestingly secured GUI things I've seen.
- Keychains can be auto-locked, whereby apps need to ask permission (and have you unlock the keychain) in order to continue to access a given resource on the keychain.
The cruddy part, is that Apple doesn't really document it very well, all the info that means something about it these days is strewn about across the web:

http://en.wikipedia.org/wiki/Keychain_(Mac_OS)
http://www.macgeekery.com/tips/security/basic_mac_os_x_security

There's a ton of info about it in the old MacOSX Security book, mostly all the same:
http://books.google.com/books?id=A54wEFXr5KUC&dq=mac+os+x+security&printsec=frontcover&source=bl&ots=K57be6g4qf&sig=58EegqQmPBeQQFA72h6Jz57tL0k&hl=en&ei=ge88S9zXENPhlAfa6v2nBw&sa=X&oi=book_result&ct=result&resnum=10&ved=0CC0Q6AEwCQ#v=onepage&q=keychain&f=false

--
With all that, the Apple keychains are just files, which I have used with others in group environments- and I've wanted to get away from using it since it's Apple-specific.

Rocket-
.ike

From ike at lesmuug.org Thu Dec 31 14:09:57 2009
From: ike at lesmuug.org (Isaac Levy)
Date: Thu, 31 Dec 2009 14:09:57 -0500
Subject: [nycbug-talk] password repository
In-Reply-To:
References: <20091230164654.GW14500@clam.khaoz.org>
Message-ID: <074363BF-9605-4915-9932-3303B9809ABC@lesmuug.org>

On Dec 31, 2009, at 12:13 PM, Jesse Callaway wrote:

> On Wed, Dec 30, 2009 at 11:46 AM, Okan Demirmen wrote:
>> what do you all use, recommend, love, hate?
>>
>> what about "shared" repositories in environments where you have a bunch
>> of sysadmins, all of whom should be able to view/add/modify entries and
>> such?
>>
>> while this is off-BSD topic, i'm sure all of us have run into such a
>> question at some point.
>>
>> cheers,
>> okan
>>
>
>
> I've talked about multi-key encryption but it looks like a pain in the
> butt to me typing-wise, never used it.
> Here's a link to a message
> thread on how to do it with gpg
> http://lists.gnupg.org/pipermail/gnupg-users/2003-September/020170.html
> The thought is you can spam everyone, and everyone can spam back
> regarding changes and it's encrypted n-ways. As computers get faster I
> think this technology will start to catch on. That said, I never tried
> it and it might be reasonably fast up to some number of keys.

PKI dreaminess :)

Ideally, PKI does seem to deal with this problem in a most ideal fashion- but it doesn't sound like it scales back/forth well for dynamic groups over time- (e.g. Sysadmins in a group/work environment, people coming/going, etc...).

For example, what to do when someone leaves the group? Or how does a new user get access to the old data, (before their key was put in the mix?).

The version control stuff is awesome for those cases where you've just come across a problem with a router/server/blah whose only access uses credentials for people who no longer exist in your environment- and left far before you came onboard... To any size group, this can be a serious case.

Hrm. There has to be some old slick PKI paper or software which attacks this exact problem with PKI slickness?

>
> The best web-based thing I've found was PassPack. It's totally
> awesome. Each user has their own login to PassPack. Users can share
> passwords and assign read/write privileges to them per item being
> shared.

Hrm? I dug around for it online and there's tons of other noise...
Sounds awful dangerous, but interesting-

Rocket-
.ike

From pete at nomadlogic.org Thu Dec 31 14:15:28 2009
From: pete at nomadlogic.org (Peter Wright)
Date: Thu, 31 Dec 2009 11:15:28 -0800
Subject: [nycbug-talk] password repository
In-Reply-To:
References: <20091230164654.GW14500@clam.khaoz.org> <20091230193544.GX14500@clam.khaoz.org> <36D09108-247D-4959-82A9-DA90520062D2@lesmuug.org>
Message-ID:

On Dec 30, 2009, at 1:26 PM, Chris Snyder wrote:

> On Wed, Dec 30, 2009 at 3:37 PM, Isaac Levy wrote:
>> On Dec 30, 2009, at 2:50 PM, Chris Snyder wrote:
>>
>>> On Wed, Dec 30, 2009 at 2:35 PM, Okan Demirmen wrote:
>>>
>>>> truecrypt is analogous to disk/volume encrypting bits we already have in bsd - but it doesn't help if this image is mounted on a server somewhere..and say someone doesn't un-mount it after use...
>>>
>>> Sort of. The point of using something cross-platform is that devs / admins mount the image locally on their Win/Mac workstations. And you don't need to explain openssl to the Windows guys...
>>
>> Just to be clear- Is that the only benefit of Truecrypt, Windows compatibility? I've never used it and I'm just curious... (perhaps I should *try* it)
>
> For this, yeah: Mac/Win/Linux compat and GUI.
>
> TC has a plausible-deniability mode that embeds an image within an image, so that in theory you could give out the "outer" password if someone held a gun to your head, and keep the inner password secret.
>
> By the way, I'm not sure if they use a password salt or not, I seem to recall warnings about saving .tc files in version control because they might leak info if attacker has many versions of the same file. For that reason alone the openssl approach is better if you're a unix shop.
I am using password-safe currently for shared passwords:
http://www.schneier.com/passsafe.html

we save our files in psafe3 format which is supported by the native NT client...there is a pwsafeV3 compatible CLI utility available, and password gorilla works on X11. For OSX I use a pwsafe Java GUI called PasswordSafeSWT.

pwsafe3 files are checked into our SCM. It seems to work well with the obvious issues of still having a shared password to unlock the password safe.

-pete

From pete at nomadlogic.org Thu Dec 31 14:31:05 2009
From: pete at nomadlogic.org (Peter Wright)
Date: Thu, 31 Dec 2009 11:31:05 -0800
Subject: [nycbug-talk] PXE/TFTPd Sanity
In-Reply-To: <89150BF1-2C17-48CC-BE09-99A4B7CABBCA@lesmuug.org>
References: <89150BF1-2C17-48CC-BE09-99A4B7CABBCA@lesmuug.org>
Message-ID: <7A90C2E9-B58E-4D96-9605-0F94A5E3AC04@nomadlogic.org>

On Dec 30, 2009, at 11:33 AM, Isaac Levy wrote:

> Hi All,
>
> I've CC'd Pete here, because I'm hoping he can refresh my memory on stuff he showed us years ago... Sorry Pete- don't mean to call you out on list, but guess I am :)
>
> Anyhow, at work, we're heading toward the tipping point where we're going to drown without network installs (for fairly homogeneous software, and nearly homogeneous hardware). It's been quite some time since I've hacked around with PXE, (back then it was just for installing OpenBSD on Soekris boards), so I'm not totally clueless- but diving back into it I sure feel clueless :)
> Been spending a bunch of time digging through Wikipedia and the net at large, and still don't feel like I found the path forward.
>
> --
> Here are my questions, even just some URL's would make my day:
>
> - Has any unified software/packaging come about for doing network installs, or is it all still just a matter of setting up TFTPD and a DHCP server?
> - Have any neat accounting utilities/database tools come along for storing MAC addresses, and their corresponding IP/boot-media info?
>

for my deployment servers I have standardized on cobbler. it runs on RHEL/Fedora (ugg) but scales quite well (read 20k + servers managed w/ no performance issues):

https://fedorahosted.org/cobbler/

bells and whistles:
- cli + webUI
- manages dhcpd
- manages bind
- is written in its own API and supports xmlrpc
- written in python
- tight lib-virt integration (that's a linux'y API to support different hypervisor tech, currently speaks Xen and KVM) --> so it doesn't matter if you are building a real "bare-metal" server or a VM

>
> Our reqs are simple: Set up a long-lasting PXE boot environment so we can install:
> + FreeBSD
> + OpenBSD
> + CentOS/Linux (our immediate need)
>

cobbler works great for CentOS/RHEL/Fedora/SuSE as these distros use kickstart for automagic builds. Cobbler makes heavy usage of templates (called snippets) to auto-generate kickstarts on demand. this may seem confusing at first but think of it this way. I write a "snippet" of code to setup the root password on my node and every system that inherits this snippet shares this one piece of code. so if i need to update my default root pass i just need to update one snippet and all kickstarts will pick up this change. beats having to edit a bunch of different kickstarts when making small changes. features like this should make it easier to support this system over time.

it's quite feature rich, but since it is being developed by RedHat it's obviously not super portable atm. the lead developer is very keen to have other platforms supported by it. I worked on trying to get Ubuntu support working for a while but cried when i realized that a) ubuntu is crap and b) debian pre-seeds are needlessly complicated and are not as flexible as kickstarts. we eventually got ubuntu support working via some patches - but hopefully we'll "man up" and move away from ubuntu shortly.
whew - having said that you can easily support freebsd (i was netbooting OSX clients which took a little elbow grease but worked - so the code is pretty flexible).

the advantage of using something like cobbler is that you can treat it as your single source of MAC, IP, Hostname info. so when we get a new box the first thing we do is enter it into our cobbler provisioning server and assign it a kickstart or OS.

> --
> After we get our install media situation setup, we'll move on to the various OS options for install- (CentOS Kickstart, FreeBSD installer scripts, post-flight config scripts, etc...)
>

I have not done *too* much work with freebsd installer scripts - but it should be quite easy to integrate it into cobbler. let me know if you run into any issues - i'm obviously quite happy with this code and have put a bit of work into it myself.

-pete

From isaac at diversaform.com Thu Dec 31 14:34:32 2009
From: isaac at diversaform.com (Isaac Levy)
Date: Thu, 31 Dec 2009 14:34:32 -0500
Subject: [nycbug-talk] password repository
In-Reply-To:
References: <20091230164654.GW14500@clam.khaoz.org> <20091230193544.GX14500@clam.khaoz.org> <36D09108-247D-4959-82A9-DA90520062D2@lesmuug.org>
Message-ID:

On Dec 31, 2009, at 2:15 PM, Peter Wright wrote:

> On Dec 30, 2009, at 1:26 PM, Chris Snyder wrote:
>> On Wed, Dec 30, 2009 at 3:37 PM, Isaac Levy wrote:
>>> On Dec 30, 2009, at 2:50 PM, Chris Snyder wrote:
>>>> On Wed, Dec 30, 2009 at 2:35 PM, Okan Demirmen wrote:
>>>>
>>>>> truecrypt is analogous to disk/volume encrypting bits we already have in bsd - but it doesn't help if this image is mounted on a server somewhere..and say someone doesn't un-mount it after use...
>>>>
>>>> Sort of. The point of using something cross-platform is that devs / admins mount the image locally on their Win/Mac workstations. And you don't need to explain openssl to the Windows guys...
>>>
>>> Just to be clear- Is that the only benefit of Truecrypt, Windows compatibility?
>>> I've never used it and I'm just curious... (perhaps I should *try* it)
>>
>> For this, yeah: Mac/Win/Linux compat and GUI.
>>
>> TC has a plausible-deniability mode that embeds an image within an image, so that in theory you could give out the "outer" password if someone held a gun to your head, and keep the inner password secret.
>>
>> By the way, I'm not sure if they use a password salt or not, I seem to recall warnings about saving .tc files in version control because they might leak info if attacker has many versions of the same file. For that reason alone the openssl approach is better if you're a unix shop.
>
>
> I am using password-safe currently for shared passwords:
> http://www.schneier.com/passsafe.html
>
> we save our files in psafe3 format which is supported by the native NT client...there is a pwsafeV3 compatible CLI utility available, and password gorilla works on X11. For OSX I use a pwsafe Java GUI called PasswordSafeSWT.
>
> pwsafe3 files are checked into our SCM. It seems to work well with the obvious issues of still having a shared password to unlock the password safe.
>
> -pete

Well I'll be darned if that ain't a pretty cool one, from a killer source to boot.

Fun list of tools to try now :0

Rocket-
.ike
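Ike's two questions earlier in this thread (what to do when someone leaves, and how a newcomer gets at the old data) come down to how gpg-style "encrypted n-ways" is structured: one data key, encrypted once per recipient. This added example, not code from anyone on the list, models that in Go with only the standard library, RSA-OAEP standing in for gpg's per-recipient key wrapping and AES-GCM for the payload; the Vault type, member names and in-process keypairs are assumptions for the demo.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Vault is the committed artefact: AES-GCM ciphertext plus the data key wrapped (RSA-OAEP) to every member.
type Vault struct {
	Nonce, Ciphertext []byte
	Wrapped           map[string][]byte // member name -> wrapped data key
}
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// NewMember makes a demo keypair in-process; real members would bring their own keys.
func NewMember() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// Seal encrypts secrets under a fresh data key and wraps that key for every member. It is
// also the only sound way to drop a member: the leaver already knows the old data key, so
// deleting only their wrapped copy changes nothing, and SCM history stays readable to them.
func Seal(secrets []byte, members map[string]*rsa.PublicKey) (*Vault, error) {
	key, v := make([]byte, 32), &Vault{Nonce: make([]byte, 12), Wrapped: map[string][]byte{}}
	rand.Read(key)
	rand.Read(v.Nonce)
	v.Ciphertext = gcm(key).Seal(nil, v.Nonce, secrets, nil)
	var err error
	for name, pub := range members {
		if v.Wrapped[name], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil); err != nil {
			return nil, err
		}
	}
	return v, nil
}
// Open decrypts as the named member and also returns the data key; a non-member has no copy and fails.
func Open(v *Vault, name string, priv *rsa.PrivateKey) (secrets, key []byte, err error) {
	if key, err = rsa.DecryptOAEP(sha256.New(), nil, priv, v.Wrapped[name], nil); err != nil {
		return nil, nil, err
	}
	secrets, err = gcm(key).Open(nil, v.Nonce, v.Ciphertext, nil)
	return secrets, key, err
}
// AddMember is the cheap direction: any current member re-wraps the existing data key for
// the newcomer, who can then read everything, old data included, with no re-encryption.
func AddMember(v *Vault, by string, priv *rsa.PrivateKey, who string, pub *rsa.PublicKey) error {
	_, key, err := Open(v, by, priv)
	if err == nil {
		v.Wrapped[who], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	}
	return err
}
```

Typical use: Seal to the current members and commit; AddMember to bring a newcomer in; when someone leaves, Open as a remaining member and Seal again to the reduced set, then commit the new version (earlier revisions in the SCM remain readable to the leaver whatever you do).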