Wednesday, February 3, 2010
One more NetBSD security advisory
Tuesday, February 2, 2010
NetBSD - hackathon + two security advisories
The 13th Hackathon February 19-22 2010,
come and join us on IRC channel #netbsd-code at FreeNode (irc.freenode.net).
OpenSSL TLS renegotiation man in the middle vulnerability <-- everyone
File system module autoloading Denial of Service attack <-- current-only
Labels: NetBSD
Wednesday, January 27, 2010
NetBSD network tuning thread
The recent thread Why is my gigabit ethernet so slow? shows application of old recommendations found here. (NetBSD 2-era; also includes tips for FreeBSD, Linux, and Windows!)
This thread also shows NMBCLUSTERS cropping up again as the first part of solving a performance problem. I wonder why it isn't dynamically tunable. It looks like FreeBSD can pass it on the boot options, at least.
Labels: NetBSD
Friday, January 22, 2010
NetBSD - still fun
The Register says that 75% of Linux coders get paid to work on Linux. This reminds me of a study I wanted to see a few years ago of how much of Linux was corporate-sponsored development and, truly, not very much fun anymore.
Now, I only know of one NetBSD developer who definitely got paid to work, and I helped pay for it by donating! So remember when you're using NetBSD that it truly happened (and continues to do so) by miracles, charity, and general insanity which I find more appealing than cubicles. I'm in one of those all day anyway. :)
Labels: NetBSD
Monday, January 18, 2010
NetBSD postfix to gmail relay
Over the weekend I decided to configure my NetBSD system to stop sending emails to the local mbox (where I never read them) and start sending emails correctly to the internet. I also wanted to do so using my gmail account. Most of my info came from here but it's a little verbose for my tastes. Basically I had to do the following:
build and install pkgsrc/mail/postfix
install (I used a binary) pkgsrc/security/cyrus-sasl
install (I used a binary) pkgsrc/security/cy2-plain-2.1.23
cp /usr/pkg/share/examples/rc.d/postfix /etc/rc.d/
modify /usr/pkg/etc/postfix/main.cf
add /usr/pkg/etc/postfix/tls_policy
add /usr/pkg/etc/postfix/sasl_passwd
/usr/pkg/sbin/postmap /usr/pkg/etc/postfix/tls_policy
/usr/pkg/sbin/postmap /usr/pkg/etc/postfix/sasl_passwd
/etc/rc.d/postfix start
- /etc/mk.conf
PKG_OPTIONS.postfix+= sasl
ACCEPTABLE_LICENSES+= postfix-license
- /usr/pkg/etc/postfix/main.cf
relayhost = [smtp.gmail.com]:587
#use ssl/tls
smtp_use_tls = yes
smtp_tls_policy_maps = hash:/usr/pkg/etc/postfix/tls_policy
#Now add a username and password
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/pkg/etc/postfix/sasl_passwd
smtp_sasl_security_options=
- /usr/pkg/etc/postfix/tls_policy
smtp.gmail.com MUST
- /usr/pkg/etc/postfix/sasl_passwd
[smtp.gmail.com]:587 username@gmail.com:password
Now test with mailx someone@something.com and watch the maillog. I do get a warning about not liking the Thawte cert, so I may figure out how to import it, but other tutorials all talked about needing your own CA and other insanity. I would hope the MUST in tls_policy ensured that I was using SSL. I'll tcpdump and see sometime, but for now this seems to be all that's needed.
(Can we get SASL in base? I know LDAP, Kerberos, and NFSv4 would appreciate it)
UPDATE!
To fix the ssl cert warning, add the following package:
mozilla-rootcerts
then
cd /etc/openssl/certs
mozilla-rootcerts extract
mozilla-rootcerts rehash
And add the following to your main.cf:
smtp_tls_CApath = /etc/openssl/certs
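The post hopes the MUST entry forces TLS. The following Python check is an added example, not part of the original post; it audits the files above against two rules from Postfix's TLS documentation: smtp_tls_policy_maps is looked up by the full next-hop (brackets and port included), and its levels are none, may, encrypt, fingerprint, verify and secure (plus the later dane levels). The function names and sample strings are my own.

```python
# Added example, not from the original post; config text is constructed from it.
MAIN_CF = """\
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_tls_policy_maps = hash:/usr/pkg/etc/postfix/tls_policy
smtp_sasl_auth_enable = yes
smtp_sasl_security_options=
"""
TLS_POLICY = "smtp.gmail.com MUST\n"

# Policy-table levels that refuse to deliver without encryption.
ENFORCING = {"encrypt", "fingerprint", "verify", "secure", "dane-only"}
KNOWN = ENFORCING | {"none", "may", "dane"}

def parse_main_cf(text):
    """Return {parameter: value}; comment lines are skipped."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def parse_policy(text):
    """Return {lookup key: level} from a tls_policy source file."""
    rows = (line.split() for line in text.splitlines())
    return {r[0].lower(): r[1].lower() for r in rows
            if len(r) >= 2 and not r[0].startswith("#")}

def audit(main_cf, tls_policy):
    """Return findings about TLS enforcement toward the relayhost."""
    conf, policy = parse_main_cf(main_cf), parse_policy(tls_policy)
    nexthop = conf.get("relayhost", "").lower()
    findings = ["%r is not a policy-table level (key %r)" % (lvl, key)
                for key, lvl in policy.items() if lvl not in KNOWN]
    level = policy.get(nexthop)
    if level is None:  # table is keyed by the full next-hop, brackets and port
        findings.append("no tls_policy key equals next-hop %r" % nexthop)
        default = "may" if conf.get("smtp_use_tls") == "yes" else "none"
        level = conf.get("smtp_tls_security_level", default)
    if level not in ENFORCING:
        findings.append("effective level %r does not require encryption" % level)
        sasl = conf.get("smtp_sasl_security_options", "noplaintext")
        if conf.get("smtp_sasl_auth_enable") == "yes" and "noplaintext" not in sasl:
            findings.append("plaintext SASL allowed without enforced TLS")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(MAIN_CF, TLS_POLICY)))
```

With the table line written as `[smtp.gmail.com]:587 encrypt`, the audit returns no findings.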
Labels: NetBSD
Friday, January 15, 2010
NetBSD on wikipedia
Call for improvement of NetBSD on Wikipedia. If you have some free time, feel free to improve the NetBSD articles on Wikipedia. I've added the NetBSD template and some stubs that could use some example usage screenshots (netpgp for sure).
Improve everything linked here!
Labels: NetBSD
Thursday, December 31, 2009
NetBSD, MAC, etc
Recently, Elad Efrat has been sending in a lot of patches to move closer to full integration with veriexec, secmodel, and apparently MAC as a whole.
I expect to see a lot of increased interest in kauth, secmodel, veriexec, and friends as some of these integration efforts continue to work their way through the entire system. -current should be interesting for a while, at least. :)
Labels: NetBSD