ww | 1 Apr 2002 05:46

Re: Allowing ifconfig to automatically fill in IPv6 host ID

On Tue, Mar 26, 2002 at 05:10:09PM +0700, Robert Elz wrote:
> 
> But all that happens in single user mode, without /usr mounted, so you can't
> use sed (nor awk, let alone perl) to assist, really just what the shell is
> able to do for you.

or you can call /usr a critical filesystem in /etc/rc.conf
and make sure it's mounted. you're not nfs mounting /usr on your
routers are you? (&

> Now, I have no doubt but that it is possible to do all that is needed in the
> NetBSD /bin/sh but this seems like something that is useful enough that
> having ifconfig able to do it seems like the better way.

at the expense of treating a mask of /64 as a special case. is the
feature creep necessary?

imo, we need a more general interface for configuring networking.
it should be extensible enough to do things like defining a prefix setting
operation.

> It may be that there's a method to do this already, but to make this easy,
> it would be nice to be able to config just the IID part of the address, and
> then allow the host (these are hosts, not routers...) autoconfigure from the
> prefixes obtained via RA's (or the above ioctls via ifconfig if that gets
> done).  Note: changing the MAC addr in order to have it build an EUI-64
> out of a configured mac addr isn't the right way to achieve this!

it seems to me that features like this belong in the daemons that implement
the userland parts of router advertisement and solicitation: maybe

Chuck Silvers | 1 Apr 2002 09:59

tlp driver nway for 21143 and clones (Re: MicroLinear PHY support)

hi,

please try this diff:

ftp://ftp.netbsd.org/pub/NetBSD/misc/chs/diff.tlp.2114x-nway.5

this diff brings over some changes from FreeBSD to support autonegotiation
for the non-MII 2114[23], Macronix and Lite-On 82C115 chips.
everyone please let me know test results for any of these cards
for which the tlp driver didn't offer "auto" media before.

-Chuck

On Fri, Mar 15, 2002 at 11:04:32PM -0800, B. James Phillippe wrote:
> Hello,
> 
> I have a DEC DE500-BA PCI 10/100 ethernet adapter which is presently
> installed in a DEC Alpha PC164 running NetBSD-1.5.3_RC1.  This board seems
> to have a MicroLinear ML6694CQ PHY, which does not appear to be supported
> in 1.5 or -current.  The ukphy driver does not detect it either.  I am
> guessing this is why the de and tlp drivers are not able to perform
> autonegotiation on this board.  Are my observations correct?
> 
> tlp0 at pci0 dev 5 function 0: DECchip 21143 Ethernet, pass 3.0
> tlp0: interrupting at eb164 irq 2
> tlp0: DEC DE500-BA, Ethernet address 00:00:f8:08:e6:74
> tlp0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX
> 
> -bp
> --

Darren Reed | 2 Apr 2002 14:22

Re: identd with NAT and IPv6 support.

In some email I received from Greywolf, sie wrote:
> On Thu, 28 Mar 2002, Tim Rightnour wrote:
> 
> # The only argument I have for keeping identd, is that there are some
> # internet facilities, like certain IRC servers, that refuse your
> # connection if you don't have it.  It would be unfortunate to not
> # provide it to users because we think it's a stupid idea.  Yes it's
> # stupid, but some of our users might want to use IRC.
> 
> Indeed, quite a few of us *do* use IRC on a regular basis, if EFNet#netbsd
> is any indication.

For entertainment, you should hang out in EfNet#openbsd, on occasion
but remember, people here think the sun shines out of +he0's arse!

Henry B. Hotz | 2 Apr 2002 22:08

Re: identd with NAT and IPv6 support.

At 8:17 PM -0500 3/27/02, Jim Wise wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Wed, 27 Mar 2002, Aidan Cully wrote:
>
>>I take some issue with that...  ident can be very useful in limited
>>situations.  If you've got a multi-user shell service, and don't want
>>to ask your users for passwords when they connect over TCP to another
>>service you've got, but this service provides different things to
>>different users, ident is not a bad way to go.  INN's nnrpd can
>>resolve users over ident because of just this situation.
>>
>>ident is useless once you leave a trusted area.
>
>Which is to say that you translate a problem of imitating a trusted user
>at a trusted IP to a problem of imitating just the trusted IP?  If that's
>your goal, use .rhosts...

One of the easy ways to configure PostgreSQL is to use identd to 
identify the user when the request comes from the same machine as the 
server is running on.  All the other ways of authenticating a user 
connection are a real pain in comparison.  This is a standard 
application, compiled as provided.

I've always considered that if I couldn't trust the machine I was 
running on then I was pretty much hosed anyway.  CFS doesn't prevent 
root from seeing your data files, nor Kerberos prevent root from 
impersonating you.
--

-- 

Jim Wise | 2 Apr 2002 22:14

Re: identd with NAT and IPv6 support.


On Tue, 2 Apr 2002, Henry B. Hotz wrote:

>One of the easy ways to configure PostgreSQL is to use identd to
>identify the user when the request comes from the same machine as the
>server is running on.  All the other ways of authenticating a user
>connection are a real pain in comparison.  This is a standard
>application, compiled as provided.

An even easier way to configure postgresql is to not require
authentication at all.  And it's just as secure as what you suggest.

More seriously, encrypted password support in PostgreSQL is just not
that hard, and the fact that you can do a hack like the above is not an
excuse not to use it.

>I've always considered that if I couldn't trust the machine I was
>running on then I was pretty much hosed anyway.  CFS doesn't prevent
>root from seeing your data files, nor Kerberos prevent root from
>impersonating you.

Fine.  Then since you trust `the machine', I assume you use .rhosts all
over the place?  IP addresses are not hard to forge...

--

-- 
				Jim Wise
				jwise <at> draga.com

Greg A. Woods | 2 Apr 2002 23:47

Re: identd with NAT and IPv6 support.

[ On Tuesday, April 2, 2002 at 12:08:15 (-0800), Henry B. Hotz wrote: ]
> Subject: Re: identd with NAT and IPv6 support.
>
> One of the easy ways to configure PostgreSQL is to use identd to 
> identify the user when the request comes from the same machine as the 
> server is running on.  All the other ways of authenticating a user 
> connection are a real pain in comparison.  This is a standard 
> application, compiled as provided.

Yes indeed!

Unfortunately PostgreSQL cannot (yet) deal with more arbitrary IDENT
reply formatting and encryption using a shared secret....

> I've always considered that if I couldn't trust the machine I was 
> running on then I was pretty much hosed anyway.  CFS doesn't prevent 
> root from seeing your data files, nor Kerberos prevent root from 
> impersonating you.

Be careful how you deploy this particular application of IDENT though.
It's not just the systems you have to trust, but the network as well....

--

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods <at> acm.org>;  <g.a.woods <at> ieee.org>;  <woods <at> robohack.ca>
Planix, Inc. <woods <at> planix.com>; VE3TCP; Secrets of the Weird <woods <at> weird.com>

Matt Doughty | 3 Apr 2002 01:10

Re: identd with NAT and IPv6 support.

> 
> >I've always considered that if I couldn't trust the machine I was
> >running on then I was pretty much hosed anyway.  CFS doesn't prevent
> >root from seeing your data files, nor Kerberos prevent root from
> >impersonating you.
> 
> Fine.  Then since you trust `the machine', I assume you use .rhosts all
> over the place?  IP addresses are not hard to forge...
> 

He was talking about users on the same host.  It's trivial and proper to
block packets from the network with 127.0.0.0/8 or the machine's own ip
addr.  I don't care for Ident in general, but that doesn't mean it has
no uses at all.

--Matt  
--

-- 
"Take away them collisions and the common channel and it's like Christianity 
 without Christ." -Jim Breen (speaking about "full-duplex" Ethernet)

Henry B. Hotz | 3 Apr 2002 01:35

Re: identd with NAT and IPv6 support.

At 3:14 PM -0500 4/2/02, Jim Wise wrote:
>On Tue, 2 Apr 2002, Henry B. Hotz wrote:
>>I've always considered that if I couldn't trust the machine I was
>>running on then I was pretty much hosed anyway.  CFS doesn't prevent
>>root from seeing your data files, nor Kerberos prevent root from
>>impersonating you.
>
>Fine.  Then since you trust `the machine', I assume you use .rhosts all
>over the place?  IP addresses are not hard to forge...

Ignoring the perhaps-unintentionally insulting tone of the last 
response I will note that it's a lot harder to forge source==dest 
packets from outside the machine in question than from inside it.
--

-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu
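
Added example (not part of any message in this thread): the same-host argument made in the two replies above, as a Python sketch. The interface names, addresses and function names are assumptions constructed for illustration; it drops packets that arrive from the network claiming a loopback or own-address source, and treats an ident answer as usable only for traffic seen on the loopback interface.

```python
import ipaddress

# Constructed sample host; interface names and addresses are assumptions.
LOOPBACK_IF = "lo0"
OWN_ADDRS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "2001:db8::10")}

def normalize(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def claims_local_source(addr):
    """True if the source is loopback or one of this host's own addresses."""
    ip = normalize(addr)
    return ip.is_loopback or ip in OWN_ADDRS

def ingress_verdict(iface, src):
    """Drop anything from a real interface that claims to come from us."""
    if iface != LOOPBACK_IF and claims_local_source(src):
        return "drop"
    return "pass"

def ident_usable(iface, src):
    """Treat an ident answer as authentication only for same-host traffic."""
    return iface == LOOPBACK_IF and claims_local_source(src)

# Constructed packets: (receiving interface, claimed source address).
SAMPLES = [
    ("lo0", "127.0.0.1"),          # genuine local connection
    ("lo0", "192.0.2.10"),         # local connection to the host's own address
    ("tlp0", "127.0.0.1"),         # spoofed loopback from the wire
    ("tlp0", "192.0.2.10"),        # spoofed own address from the wire
    ("tlp0", "::ffff:127.0.0.1"),  # IPv4-mapped form of the same spoof
    ("tlp0", "198.51.100.7"),      # ordinary remote peer
]

def evaluate(samples=SAMPLES):
    """Return (ingress verdict, ident usable) for each sample packet."""
    return [(ingress_verdict(i, s), ident_usable(i, s)) for i, s in samples]

if __name__ == "__main__":
    for (iface, src), (verdict, trusted) in zip(SAMPLES, evaluate()):
        print(f"{iface:5} {src:18} {verdict:5} ident_usable={trusted}")
```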

Henry B. Hotz | 3 Apr 2002 02:05

Re: identd with NAT and IPv6 support.

At 4:47 PM -0500 4/2/02, Greg A. Woods wrote:
>[ On Tuesday, April 2, 2002 at 12:08:15 (-0800), Henry B. Hotz wrote: ]
>>  Subject: Re: identd with NAT and IPv6 support.
>>
>>  One of the easy ways to configure PostgreSQL is to use identd to
>>  identify the user when the request comes from the same machine as the
>>  server is running on.  All the other ways of authenticating a user
>>  connection are a real pain in comparison.  This is a standard
>>  application, compiled as provided.
>
>Yes indeed!
>
>Unfortunately PostgreSQL cannot (yet) deal with more arbitrary IDENT
>reply formatting and encryption using a shared secret....
>
>>  I've always considered that if I couldn't trust the machine I was
>>  running on then I was pretty much hosed anyway.  CFS doesn't prevent
>>  root from seeing your data files, nor Kerberos prevent root from
>>  impersonating you.
>
>Be careful how you deploy this particular application of IDENT though.
>It's not just the systems you have to trust, but the network as well....

As I thought I said above, I only *use* ident within the same machine 
and never over the network, though I usually allow it outside if 
someone else wants the information.  This was an acceptable 
workaround (for me) for some Kerberos v4 bugs in PostgreSQL back in 
the 6.2 timeframe.

Everyone's getting all bent out of shape about how much you can trust 

Tomi Nylund | 4 Apr 2002 11:02

Miratel Dataphone & ISDN question

Hi all,

I'll have an ISDN line installed to my house in a week or so, and
am consequently looking for an ISDN comm system for NetBSD.

I have a Miratel Dataphone ISDN-phone which has a dataport with
DB-9 connector for computers to connect to. It does not support
TA emulation (AT commands), but does support CAPI 2.0 and 1.1.
I live in Finland, so it's EuroISDN for me.

My question is, since it uses the serial port, can I use the phone
as my ISDN "modem" in 1.5.2/3 with some software, or do I have to 
update to current?

And if I have to update to current, will it work with some magic?
If that fails, are ISDN cards based on HFC-S chipset supported by
NetBSD's isdn4bsd?

Thanks for the answers,

Tomi

PS: Please reply to the mailing list, as my address is obfuscated
    to repel spammers.

