Tag Archives: #OpenBSD

Positive, comparative, and the code used in a Linux

I read a thread where the OpenBSD community was discussing the code for the network time daemon, and some of the figures stated there seemed almost unreal. Out of pure curiosity, which has nothing to do with a deeper understanding of the ntp daemon code, I ran "a test" used there on an OpenBSD, a FreeBSD and a Linux machine. The results are truly staggering:

uname -rms ; pwd ; for i in $(find . -name "*.[ch]"); do cat $i >> allcode; done ; egrep -v '[[:blank:]]*/?\*' allcode | grep -v "^ *$" | wc -l
OpenBSD 5.6 amd64
/usr/src/usr.sbin/ntpd
2898

uname -rms ; pwd ; for i in $(find . -name "*.[ch]"); do cat $i >> allcode; done ; egrep -v '[[:blank:]]*/?\*' allcode | grep -v "^ *$" | wc -l
FreeBSD 11.0-CURRENT amd64
/usr/src/contrib/ntp/ntpd
40055

uname -rms ; pwd ; for i in $(find . -name "*.[ch]"); do cat $i >> allcode; done ; egrep -v '[[:blank:]]*/?\*' allcode | grep -v "^ *$" | wc -l
Linux 3.17.6-200.fc20.x86_64 x86_64
/tmp/ntp-4.2.8/ntpd
102214

The OpenBSD project has proved itself time and again to be a proper place to go if you want to learn coding!
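As an added example, not code from the original post or from any of the three projects: the one-liner above removes every line that merely contains a `*` (the pattern is unanchored, so `char *p;` vanishes along with `/* ... */`), keeps comment lines that contain no `*` such as `// ...`, and appends to an `allcode` file that is never truncated, so a second run in the same directory doubles the count. The POSIX sh function below counts non-blank lines of `.c` and `.h` files after comments have been stripped by an awk state machine that follows block comments across lines and does not treat `/*` inside a string literal as a comment opener. The directory in the usage line is an assumption; preprocessor lines are counted as code.

```shell
#!/bin/sh
# Added example, not from the original post: count lines of C that still carry
# code after comments and blank lines are removed.
#
# Usage: sloc_c /usr/src/usr.sbin/ntpd     (path is an assumption)

sloc_c() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) -exec cat {} + |
    awk -v sq="'" '
    {
        line = $0; out = ""; i = 1; n = length(line)
        while (i <= n) {
            c = substr(line, i, 1); d = substr(line, i, 2)
            if (inblk) {                     # inside /* ... */, possibly opened on an earlier line
                if (d == "*/") { inblk = 0; i += 2 } else { i++ }
            } else if (instr) {              # inside a string or character literal
                out = out c
                if (c == "\\") { out = out substr(line, i + 1, 1); i += 2 }  # keep escaped char
                else { if (c == instr) instr = ""; i++ }
            } else if (d == "/*") { inblk = 1; i += 2 }
            else if (d == "//") { break }    # rest of the line is a comment
            else if (c == "\"" || c == sq) { instr = c; out = out c; i++ }
            else { out = out c; i++ }
        }
        if (out ~ /[^ \t]/) count++          # anything non-blank left over is code
        instr = ""                           # a C literal cannot span a line
    }
    END { print count + 0 }'
}

if [ -n "${1:-}" ]; then
    sloc_c "$1"
fi
```

The figures this produces are not comparable with the three numbers above, since the one-liner counts something different; what the function measures is the quantity the one-liner set out to measure, lines that contain something other than comments and whitespace.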

If php-fastcgi won’t come to the IP:port, the socket will come to the php-fastcgi

I've had an unusual problem with lighttpd-1.4.35p2-ldap-mysql and php-fastcgi-5.4.30 on OpenBSD 5.6 amd64: php-fastcgi-5.4.30 was refusing to use/bind to an otherwise perfectly available address and port no matter what, with something similar to the following in the logs:

(mod_fastcgi.c.984) bind failed for: tcp:192.168.100.32:9000 Can't assign requested address

That was ridiculous, because

a) none of the methods would give even the smallest hint that the IP and port were somehow, somewhere in use,
b) changing the IP, the port, or any other parameter in the server.bind, server.port, or fastcgi.server section made no difference: exactly the same message would emerge again in the log, only with the new parameters.

The socket, though, works just fine, so, in order to stop spending time debugging such bizarre behaviour, I simply switched to the socket method.

However, I'd really like to read an explanation for this particular mystery. Any ideas? Or do I simply have to start somewhere before line 984 of mod_fastcgi.c?
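As an added example, not the configuration from the original post: the fastcgi.server block in the TCP form that failed, beside the unix-socket form that was used instead. The php-fastcgi binary path and the socket path are assumptions. Because bin-path is set, it is lighttpd itself that creates the listening socket, binds it and then starts the child, which is why the bind error is logged by mod_fastcgi rather than by php. One check worth doing before retrying the TCP form: "Can't assign requested address" is the text for EADDRNOTAVAIL, which bind(2) returns when the requested address is not configured on any local interface, whereas a port that is already taken yields EADDRINUSE ("Address already in use"); ifconfig shows whether 192.168.100.32 is actually present on the host. lighttpd rejects a variable that is assigned twice, so only one of the two assignments below goes into the live configuration.

```conf
# Added example, not the original post's lighttpd.conf.
# Assumed paths: /usr/local/bin/php-fastcgi for the OpenBSD php-fastcgi
# package's binary, /var/www/run/php-fastcgi.sock as an arbitrary socket.

# Form that failed on this host: lighttpd spawns php-fastcgi and binds the
# listening socket to IP:port before handing it to the child.
fastcgi.server = ( ".php" =>
    (( "host"     => "192.168.100.32",
       "port"     => 9000,
       "bin-path" => "/usr/local/bin/php-fastcgi" ))
)

# Form that worked: same spawn, but over a unix-domain socket, so no
# address assignment is involved and nothing is reachable from the network.
fastcgi.server = ( ".php" =>
    (( "socket"   => "/var/www/run/php-fastcgi.sock",
       "bin-path" => "/usr/local/bin/php-fastcgi" ))
)
```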

Mediawiki in chroot – php in hell

Setting up Mediawiki's LDAP authentication and mail functionality while it is running in OpenBSD's nginx chroot took some time to debug and prepare.

As always, the first thing should be to set up a log:

$wgDebugLogFile = "../logs/mediawiki/debug-{$wgDBname}.log";
error_reporting( -1 );
ini_set( 'display_errors', 1 ); // only while debugging: this prints errors, file paths included, into pages served to visitors


Amavis’ BDB suicidal after power outages

I've had a few power outages in a row this morning, and the mail server rebooted, too. FFS reported no major problems, but amavisd failed to start, with the following in /var/log/maillog:

Sep 18 18:34:11 continuum amavis[17028]: (!!)TROUBLE in pre_loop_hook: db_init: BDB no dbN: __fop_file_setup:  Retry limit (100) exceeded, File exists. at (eval 103) line 322.
Sep 18 18:34:11 continuum amavis[17028]: (!)_DIE: Suicide () TROUBLE in pre_loop_hook: db_init: BDB no dbN: __fop_file_setup:  Retry limit (100) exceeded, File exists. at (eval 103) line 322.

The data in the BDBs was corrupted, although the file system didn't report it! Moving /var/amavis/db/* into another directory and restarting postfix and amavis solved the problem, though.

irssi, Tor and SSL on Linux

I've noticed that I cannot connect to an SSL port of an IRC server running on a .onion address using torsocks on Linux. Using OpenBSD's irssi-0.8.15p3-socks works fine, though, just as using Xchat with the usewithtor option does. For instance, using

vanja@ip:~> usewithtor irssi

and then

/connect -ssl tn3zho2yrhkdpmo7.onion 6697

simply hangs the connection. There are a few traces in the terminal about the problem:

libtorsocks(17204): The symbol res_querydomain() was not found in any shared library. The error reported was: not found!

Similar traces get spilled into irssi's own window if proxychains is used:

-!- Irssi: Unable to connect server tn3zho2yrhkdpmo7.onion port 6697
[Connection refused]

and

[(status)] |DNS-request| tn3zho2yrhkdpmo7.onion
|S-chain|-<>-127.0.0.1:9050-<>-127.0.0.1:8123-<--timeout
|DNS-response|: tn3zho2yrhkdpmo7.onion is not exist

The solution that works well for irssi on openSUSE 13.1, Debian 7 and Scientific Linux 6.5 is to use socat, just as explained on Tor's pages for irssi:

$ socat TCP4-LISTEN:4242,bind=127.0.0.1,fork SOCKS4A:localhost:tn3zho2yrhkdpmo7.onion:6697,socksport=9050   # bind=127.0.0.1: without it the relay listens on every interface

and then from within irssi:

/connect -ssl localhost 4242

That should allow irssi to connect to the SSL port of an IRC server running on a .onion address.

Apache 2 and LDAP group auth on OpenBSD 5.4

Recently I've ended up with only OpenBSD's Apache 2 available to serve some pages that had to be authenticated and authorised through LDAP groups. Installing a few packages before that set-up pulled in /usr/ports/devel/apr-util, which Apache's FLAVOR=ldap simply didn't like, because apr-util was missing the ldap flavour, too:

# FLAVOR=ldap make 
===> apache-httpd-2.2.25-ldap depends on: groff->=1.21 -> groff-1.22.2p1
===> apache-httpd-2.2.25-ldap depends on: pcre-* -> pcre-8.33
===> apache-httpd-2.2.25-ldap depends on: openldap-client-* -> openldap-client-2.4.35p1
===> apache-httpd-2.2.25-ldap depends on: apr-util-*-ldap - not found
===>  Verifying install for apr-util-*-ldap in devel/apr-util
`/usr/ports/bulk/amd64/apr-util-1.4.1p2-ldap' is up to date.
===>  Installing apr-util-1.4.1p2-ldap from /usr/ports/packages/amd64/all/
Can't install apr-util-1.4.1p2-ldap because of conflicts (apr-util-1.4.1p2)
--- apr-util-1.4.1p2-ldap -------------------
Can't install apr-util-1.4.1p2-ldap: conflicts
*** Error 1 in /usr/ports/devel/apr-util (/usr/ports/infrastructure/mk/bsd.port.mk:1876 '/var/db/pkg/apr-util-1.4.1p2-ldap/+CONTENTS': @ /us…)
*** Error 1 in /usr/ports/devel/apr-util (/usr/ports/infrastructure/mk/bsd.port.mk:2388 'install')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2016 '/usr/ports/pobj/apache-httpd-2.2.25-ldap/.dep-apr-util-ANY-ldap-devel-apr-util,ldap')
*** Error 1 in /usr/ports/www/apache-httpd (/usr/ports/infrastructure/mk/bsd.port.mk:2388 'all')

Removing apr-util, subversion and apache-httpd helped, and I was then able to build Apache 2 with LDAP support from ports. If you need subversion, too, don't forget to add it again, because Apache will, of course, build only apr-util as a dependency. Trying to remove apr-util on its own won't succeed:

# FLAVOR=ldap make deinstall
===> Deinstalling for apr-util-1.4.1p2-ldap
Problem finding apr-util-1.4.1p2-ldap
*** Error 1 in /usr/ports/devel/apr-util (/usr/ports/infrastructure/mk/bsd.port.mk:3360 'deinstall': @ /usr/sbin/pkg_delete -m apr-util-1.4….)
# FLAVOR=ldap make reinstall 
===>  Cleaning for apr-util-1.4.1p2-ldap
/usr/sbin/pkg_delete -m apr-util-1.4.1p2-ldap
Problem finding apr-util-1.4.1p2-ldap
*** Error 1 in target '_internal-clean' (ignored)
===>  Installing apr-util-1.4.1p2-ldap from /usr/ports/packages/amd64/all/
Can't install apr-util-1.4.1p2-ldap because of conflicts (apr-util-1.4.1p2)
--- apr-util-1.4.1p2-ldap -------------------
Can't install apr-util-1.4.1p2-ldap: conflicts
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:1876 '/var/db/pkg/apr-util-1.4.1p2-ldap/+CONTENTS': @ /usr/bin/env -i PKG_TMPDIR=…)
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2388 'install')
*** Error 1 in /usr/ports/devel/apr-util (/usr/ports/infrastructure/mk/bsd.port.mk:3348 'reinstall')

Using SSL for LDAP was the other part of the problem. The combination that makes it all play nicely is the following: in the server (top-level) context we need

LDAPVerifyServerCert off
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ldap/ldap.pem
LDAPTrustedGlobalCert CERT_BASE64 /etc/apache2/ldap/ldap.pem

and for the directory we need

<Directory "/directory/that/we/auth/through/ldap/">
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Protected zone"
    AuthLDAPBindDN "cn=ldapproxy,ou=users,dc=example,dc=com"
    AuthLDAPBindPassword averysecretpass
    AuthLDAPURL ldaps://thesslldap.example.com/ou=users,dc=example,dc=com?cn?sub
    AuthzLDAPAuthoritative on
    Require ldap-group cn=ThePrivilegedGroup,ou=bands,dc=example,dc=com
</Directory>

Your distinguished names and the password will vary, of course, but this should be sufficient for group-based auth with Apache 2 and OpenLDAP on OpenBSD.
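Two caveats on the directive set above, and an added example (not the post's own configuration) that addresses them. With LDAPVerifyServerCert off, mod_ldap accepts whatever certificate the LDAP server presents, so the ldaps:// transport protects against a passive observer only: anyone who can interpose on the path to port 636 obtains the proxy bind password and every user's Basic-auth password as it is checked. LDAPTrustedGlobalCert CERT_BASE64 is the type for a client certificate presented to the LDAP server, not for a CA, so the second LDAPTrustedGlobalCert line contributes nothing to server verification. The variant below turns verification on and trusts only the CA that signed the LDAP server's certificate; /etc/apache2/ldap/ca.pem is an assumed path, and the DNs, group and password are the same placeholders as above.

```apache
# Added example, not the original post's configuration.
# /etc/apache2/ldap/ca.pem is an assumed path: the PEM certificate of the CA
# that signed thesslldap.example.com's server certificate, and only that CA.

# Server context: verify the LDAPS server certificate against that CA.
LDAPVerifyServerCert on
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/ldap/ca.pem
# No CERT_BASE64 line: that type is a client certificate, which the LDAP
# server in this set-up does not ask for.

<Directory "/directory/that/we/auth/through/ldap/">
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Protected zone"
    # The bind DN should be a read-only proxy account; its password sits in
    # clear text here, so keep the file holding it readable by root only
    # (httpd reads its configuration before dropping privileges).
    AuthLDAPBindDN "cn=ldapproxy,ou=users,dc=example,dc=com"
    AuthLDAPBindPassword averysecretpass
    AuthLDAPURL "ldaps://thesslldap.example.com/ou=users,dc=example,dc=com?cn?sub"
    AuthzLDAPAuthoritative on
    Require ldap-group cn=ThePrivilegedGroup,ou=bands,dc=example,dc=com
</Directory>
```

Before enabling this, confirm the chain from the web server itself with openssl s_client -connect thesslldap.example.com:636 -CAfile /etc/apache2/ldap/ca.pem, which must end with "Verify return code: 0 (ok)"; if verification fails there it will fail in mod_ldap too, and turning LDAPVerifyServerCert back off is the wrong fix.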

DKIM and amavisd-new problems

Creating DKIM keys and using them with amavisd should be straightforward. However, I managed to complicate it, because I failed to notice that amavisd for OpenBSD came with the p5-Mail-DKIM module, and so I installed dkim-milter.

Running both in parallel started leaving double DKIM entries in my mail log and got me totally confused, ultimately because I used amavisd to generate the certificate and then used that certificate for both amavisd and dkim-milter. On top of the confusion, one of them, dkim-milter, wouldn't recognise the signatures, and the other, p5-Mail-DKIM, wasn't able to read the key; nevertheless, both happily worked in parallel, the former being called from main.cf and the latter by amavisd-new.

When I figured out what I was doing and chose to sort out this mess, I turned off dkim-milter and decided to use the amavisd-new module. The remaining problem was that amavisd would show the certs for the virtual domains, but when asked to test them, it would reply with:

# amavisd testkeys
TESTING#1: mail._domainkey.domain1.org    => invalid (public key: Can't locate object method "new_public_key" via package "Crypt::OpenSSL::RSA" at /usr/local/libdata/perl5/site_perl/Mail/DKIM/PublicKey.pm line 351.)
TESTING#2: mail._domainkey.domain2.com => invalid (public key: Can't locate object method "new_public_key" via package "Crypt::OpenSSL::RSA" at /usr/local/libdata/perl5/site_perl/Mail/DKIM/PublicKey.pm line 351.)

Back up the /usr/local/libdata/perl5/site_perl/amd64-openbsd/Crypt/OpenSSL/RSA.pm file, and change the line:

require AutoLoader;

to the line:

use AutoLoader 'AUTOLOAD';

After that, the p5-Mail-DKIM module should work just fine, and testing the keys should be alright:

# amavisd testkeys
TESTING#1: mail._domainkey.domain1.org    => pass
TESTING#2: mail._domainkey.domain2.com => pass

Restart amavisd-new and postfix, and there should be no more double or erroneous entries in the mail log. The implications of the change to the Perl file are described in bug 84444.