Aaron | 1 Jul 03:07 2007

Re: following stable, extra file sets?

Marco S Hyman wrote:
> Maurice Janssen writes:
>  > >Is there anyway to _not_  get these extra sets as part of 
>  > >following stable?  I don't know that it hurts anything, but I have no 
>  > >use for them on the system and would like to keep it as minimalistic as 
>  > >possible.
>  > 
>  > I'm sure it's possible to modify the tree in some way to prevent this,
>  > but that's not supported and it may break other things (like cvs
>  > updates).
>
> If you want to go unsupported and non-standard you can play with the
> makefiles.   Games is easy: remove "games" from the list of SUBDIR in
> /usr/src/Makefile.  misc is quite a bit harder as it contains
> the documentation for things that you still want built and installed.
>
>  > I guess the easiest way is to build a release on another system and
>  > install only the file sets that you used during the initial
>  > installation.
>
> Or, let it install then remove the unneeded files.  The source contains
> a list of everything in a set and in the case of misc everything is
> machine independent.   After a build you could do something like this
> (untested):
>
> cd /
> # remove the regular files
> cat /usr/src/distrib/sets/lists/misc/mi |
> while read f; do test -f "$f" && rm "$f"; done
> # remove the directories
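Marco's sketch stops at the directory pass, which is the part that needs care: directories listed for the misc set are often shared with other sets (or hold locally added files), so they must only go when empty, deepest first. The script below is an added example written for this digest, not code from the thread. It assumes the list file has one `./`-relative path per line, as the files under `/usr/src/distrib/sets/lists/` do, and takes the root directory as an argument (`/` on a real system) so it can be tried against a scratch tree first.

```shell
#!/bin/sh
# Remove the files of one OpenBSD distribution set, driven by the set's
# machine-independent list (e.g. /usr/src/distrib/sets/lists/misc/mi).
# Usage: remove_set <root> <listfile>
# <root> is what the "./..." list entries are relative to: "/" on a real
# system, a scratch directory when testing (assumed interface, added here).

remove_set() {
    root=$1
    list=$2

    # Pass 1: regular files (and symlinks). Quote every path and only act
    # on entries that start with "./" so a malformed line cannot turn into
    # a path outside the tree.
    while IFS= read -r f; do
        case $f in ./*) ;; *) continue ;; esac
        p="$root/$f"
        if [ -f "$p" ] || [ -L "$p" ]; then
            rm -f "$p"
        fi
    done < "$list"

    # Pass 2: directories, deepest first (sorted by number of "/"-separated
    # components), removed with rmdir so a directory that still holds files
    # from another set, or local additions, is left in place.
    awk -F/ '{ print NF, $0 }' "$list" | sort -rn | cut -d' ' -f2- |
    while IFS= read -r d; do
        case $d in ./*) ;; *) continue ;; esac
        p="$root/$d"
        if [ -d "$p" ] && [ ! -L "$p" ]; then
            rmdir "$p" 2>/dev/null || :
        fi
    done
    return 0
}

# Stand-alone use: sh remove_set.sh / /usr/src/distrib/sets/lists/misc/mi
if [ $# -eq 2 ]; then
    remove_set "$1" "$2"
fi
```

Run it against a copy of the tree first; `rmdir` failing silently on a non-empty directory is the intended behaviour, since that is exactly the case where a listed directory also belongs to a set you keep.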

Juan Miscaro | 1 Jul 04:18 2007

Intel 975X Express Chipset supported?

Is the Intel 975X Express Chipset supported by OpenBSD 4.1 ?

Thank you,

Juan


David Higgs | 1 Jul 04:27 2007

Re: following stable, extra file sets?

On 6/30/07, Aaron <ml <at> proficuous.com> wrote:
> Ok, this has answered the question, and thanks.  This raises another
> question for me... If updating just the sets that you install, and I am
> making an assumption here that people would want to update code when
> needed, and be supported, why even give the choice on which sets to
> install initially if the two extra sets will be installed anyway during
> the supported method of updating?

Keep in mind there is more than one way of updating in a supported
manner.  Applying the errata patches rarely requires a full userland
rebuild.  Also, you can make a -stable release(8) on one machine and
still choose your sets whenever you install/upgrade from them.

--david

Chris Cappuccio | 1 Jul 04:46 2007

Re: Intel 975X Express Chipset supported?

The 965 works fine for me.  I use the pci-e slot with an 8x raid controller
instead of a 16x video card.  The CPU is the cheapest 512k cache Celeron D that
I could find; they are really fast and around $40-$50.

Juan Miscaro [scry_mr <at> yahoo.ca] wrote:
> Is the Intel 975X Express Chipset supported by OpenBSD 4.1 ?
> 
> Thank you,
> 
> Juan
> 

--

-- 
"The lessons of history teach us - if they teach us anything - that nobody
learns the lessons that history teaches us." - Paul Robinson

Aaron | 1 Jul 04:54 2007

Re: following stable, extra file sets?

David Higgs wrote:
> On 6/30/07, Aaron <ml <at> proficuous.com> wrote:
>> Ok, this has answered the question, and thanks.  This raises another
>> question for me... If updating just the sets that you install, and I am
>> making an assumption here that people would want to update code when
>> needed, and be supported, why even give the choice on which sets to
>> install initially if the two extra sets will be installed anyway during
>> the supported method of updating?
>
> Keep in mind there is more than one way of updating in a supported
> manner.  Applying the errata patches rarely requires a full userland
> rebuild.  Also, you can make a -stable release(8) on one machine and
> still choose your sets whenever you install/upgrade from them.
>
> --david
>
That sounds good, and I read http://www.openbsd.org/faq/upgrade41.html 
about upgrading, and http://www.openbsd.org/faq/faq5.html#Release

When following stable with the method described in the FAQ, I didn't 
notice anything about "final steps" as outlined in the upgrade FAQ.  Can 
I safely assume, since I'm not in fact upgrading, only updating, that I 
wouldn't have to worry about upgrading /etc, new users and groups, 
operational changes, /etc file changes and checking the kernel as 
described in the final steps of the upgrade FAQ?  Would this leave all 
of my /etc files intact with any changes I have made?

Thanks,

Aaron

Shawn K. Quinn | 1 Jul 04:04 2007

Re: [OT] Open Source OSS for OpenBSD?

On Thu, 2007-06-14 at 19:23 -0600, Theo de Raadt wrote:
> I have been throwing around a phrase for a few weeks.  Perhaps it
> should
> be popularized.
> 
> OpenBSD is free as in air.

Unfortunately, Richard Stallman beat you to this one by about 24 years.
He never popularized it, but this was one of the phrases he used in the
first posts announcing the GNU project.

--

-- 
Shawn K. Quinn <skquinn <at> speakeasy.net>

Chris Cappuccio | 1 Jul 05:23 2007

Re: Setting up a virtual hosting machine w. SSH/SFTP accounts - pitfalls/experiences?

I've found that most clients don't need or expect to login to a web server.
The handful of people that do can be given their own dedicated server to use
or something like that.  For the rest, just give each domain name/user
their own httpd instance running with its own config, its own unix user, and
its own IP address.  Or give each domain two users - one user to own the file
system and a separate one that is selectively given permission to write within
that filesystem.  Run httpd chrooted, and you can use any module you want
without sharing write permissions between unix users (shared webhosting evil).
Give all the users chrooted access to their own web root files through ftp or
sftp.  I've never tried to chroot sftp, or at least there is no obvious way
to me to do it.  But, since no unix user needs access to another's directory
tree, it's pretty easy to lock people out of places they don't need to be.

You need to give SSL users their own IP address anyways, and this technique
makes it easier to ensure security on a shared server.  It is a bit more
resource intensive since each virtual host has several apache processes
running, but apache will scale down the number of processes when hits
are low and modern hardware is fast and big enough that this becomes a decent
compromise for resource usage (versus multiple virtualized OS servers or
whatever.)

For email it is nice to keep the users in an sql or ldap database, use
one of a million web/database management tools for it, and point your
software to use it.  I like postfix and dovecot but I am not overjoyed
with any of the mediocre web tools for managing the virtual users and
whatever else.  A well thought out database driven system can be fairly
easy to scale as disk or cpu load increases by using multiple data stores,
pop/imap proxies and multiple front end spam processors.  There are lots of
examples of these sorts of designs available through google so I won't bore
you anymore.

a666 | 1 Jul 07:44 2007

Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

>From: Fredrik Staxeng <fstx+u <at> update.uu.se>
>
>I have a server that runs OpenBSD 4.1, and a laptop running
>Windows. I want
>to use Thunderbird on the laptop to send mail via the server. The
>laptop
>connects from many different networks.
>
>I would like to use port 587, since some isps blocks port 25.
>I want to use my username/password to authenticate.
>I want to use TLS to protect the password.
>

I've done experiments with what you are doing.  I found it simpler
to just get openvpn working with sendmail and popa3d.

But either way you might want to play with /etc/mail/relay-domains. 

Karl O. Pinc | 1 Jul 08:18 2007

ftp-proxy binat design -- Was: Re: binat questions

On 03/22/2007 03:17:00 PM, Stuart Henderson wrote:

> One thing to watch out for with binat: you can't use it with
> ftp-proxy(8), since binat is of higher priority than the rdr or
> nat rules which are added to the anchor. The workaround there
> is to list nat and rdr separately.

I just figured this out myself.

    binat + ftp-proxy => passive ftp broken

It seems a bit clunky to work around this in pf.conf
by doing both an rdr and a nat, and having double the
states in consequence.

Instead, how does the design below sound?

The basic idea is to modify ftp-proxy so it adds binat
rules to its anchors.

ftp-proxy adds a binat rule for every nat rule
added to its anchors.  Like so (based on the man page):

----<snip>-------
      In case of passive mode (PASV or EPSV):

        binat from $client to $server port $port -> $proxy
        nat from $client to $server port $port -> $proxy
        pass in quick inet proto tcp \
            from $client to $server port $port

Fredrik Staxeng | 1 Jul 10:02 2007

Re: Relaying denied. Trying to do TLS+SMTP AUTH. Do I really need SASL?

Lyndon Nerenberg <lyndon <at> orthanc.ca> writes:

>> Well, that is exactly what I want to do. I use the system passwords
>> for imap anyway, so why not? Of course, the channel must be protected
>> by SSL/TLS when you do that.
>
>Because there are a large number of IMAP clients that are not aware of
>LOGINDISABLED, and which will blindly attempt LOGIN or AUTH PLAIN in
>the absence of TLS (which they are not aware of, either).  Many IMAP
>clients predate RFC3501.  So those passwords (with the matching
>authentication ids) are going to be flying around the Internet in the
>clear no matter what you do.  Using the UNIX account password for IMAP
>(or POP) in this manner makes your system effectively password free.

You have a way with words, but I think you are exaggerating slightly. 

I have never allowed plaintext IMAP/POP. Wouldn't dream of it.

The client is Thunderbird. The default IMAP configuration will use
plaintext passwords, but only if it talks to an IMAP server that
does not support TLS, but see above.

Also, I always use imaps/993, and not TLS on 143. I don't feel comfortable
using a password over a connection that is "encrypted, if possible".

But I must thank you for reminding me to disable port 143. 

--

-- 
Fredrik Stax\"ang | rot13: sfgk <at> hcqngr.hh.fr
This is all you need to know about vi: ESC : q ! RET