similar to: How to create Jail in FreeBSD

I have a somewhat busy sftp server where the users are all chrooted into their home directory. In order to log all the commands they enter, I have to create a /dev/log entry and hard link in their home directory so that syslog works for their commands Match user * ForceCommand internal-sftp -f local1 -l verbose Everything works, but its a bit of a pain if someone restarts syslogd and forgets

Hello, Is there any support (existing or planned) for host keys/certs being managed by some hardware device (tpm,hsm,etc..) instead of a flat file? thanks, -Kenny

Login seems to be ignoring my /etc/login.access settings. I have the following entries (see below) in my login.access, yet any new user (not in the wheel group) is still allowed to login. What am I missing? # $FreeBSD: src/etc/login.access,v 1.3 1999/08/27 23:23:42 peter Exp $ # -:ALL EXCEPT wheel:console -:ALL EXCEPT wheel:ALL Thanks, -- Scott Gerhardt, P.Geo. Gerhardt Information

On a rather full customer web server, I am trying to track down whose web site script is trying to make outbound network connections when they should not be. In /etc/security/audit_control, I added to the flags line dir:/var/audit flags:lo,aa,-nt minfree:5 to log failed network connection. When I try an make an outbound connection to something that is blocked in pf, it seems to sometimes work.

Other than cranking up logging to debug2, is there a way to better tune logging on a server to see if I am running into max sessions ? On FreeBSD RELENG11 I am periodically seeing connections being refused- 3way handshake not completing or completing and then FINs. Typically, I have a hundred or so connections at one time, but they can bounce up to a few hundred on occasion. Without leaving the

Does anyone know the practicality of this attack ? i.e. is this trivial to do ? ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada

Hi, I have been trying out a nice new tws controller and decided to enable debugging in the kernel and run some stress tests. With a regular GENERIC kernel, it boots up fine. But with debugging, it panics on boot. Anyone know whats up ? Is this something that should be sent directly to LSI ? pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0 pci0: <ACPI PCI bus> on pcib0

Hi, Just got some of the new Soekris 1401 VPN cards based on the hifn 7955 chip. hifn0 mem 0xe8510000-0xe8517fff,0xe8518000-0xe8519fff,0xe851a000-0xe851afff irq 5 at device 0.0 on pci1 hifn0: Hifn 7955, rev 0, 32KB dram, 64 sessions vs hifn0 mem 0xeb902000-0xeb902fff,0xeb901000-0xeb901fff irq 10 at device 8.0 on pci0 hifn0: Hifn 7951, rev 0, 128KB sram, 193 sessions When it says "n

Hi, I'm new to this list. For some years I've used CryptoSticks and YubiKeys to authenticate to SSH on the client side. Now I wondered if the same also worked on the server side. The closest I found was this old thread from 2012: http://www.gossamer-threads.com/lists/openssh/dev/54825 How did this progress further? Is it in the packages in the debian repositories yet? And is there some

On 7/24/2017 8:39 PM, Nico Kadel-Garcia wrote: > > Why are the targets of the hardlinks evaporating on rebooting? Is that > a FreeBSD'ism? Its when syslogd stops/starts. The hardlinks need to be recreated for some reason. ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike at sentex.net Providing Internet services since 1994

Am I the only person to be seeing this log message from sshd: fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc [preauth] ? (security/openssh-portable, with HPN patches and MIT Kerberos, although Kerberos is not actually configured on this server.) A work-around is to disable aes128-cbc in sshd_config, but it would be nice not to have my logs spammed with this. Currently

An interesting paper http://www.acm.org/sigcomm/sigcomm2003/papers/p75-kuzmanovic.pdf ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike

While trying to speed up nanobsd builds, I mounted /usr/obj on a ramdisk and found my box crashing. Thinking it might be hardware, I tried a separate machine, but with the same results. I have 4G of ram (i386). Am I just running out of some kernel memory ? If so, is there anything I can adjust to prevent this, yet still use mfs in this way ? mdconfig -a -t malloc -s 1800M newfs /dev/md0

We still have MD5 as our default password hash, even though known-hash attacks against MD5 are relatively easy these days. We've supported SHA256 and SHA512 for many years now, so how about making SHA512 the default instead of MD5, like on most Linux distributions? Index: etc/login.conf =================================================================== --- etc/login.conf (revision

FYI >To: misc@openbsd.org >Subject: FreeBSD hiding security stuff >Date: Fri, 04 Mar 2005 03:51:42 -0700 >From: Theo de Raadt <deraadt@cvs.openbsd.org> > >A few FreeBSD developers apparently have found some security issue >of some sort affecting i386 operating systems in some cases. > >They have refused to give us real details. > >A promise is now being

Although RAW sockets can be used when specifying the source address of packets (defeating one of the aspects of the jail) some people may find it usefull to use utilities like ping(8) or traceroute(8) from inside jails. Enclosed is a patch I have written which gives you the option of allowing prison-root to create raw sockets inside the prison, so

Any chance someone can look at / commit the fix in PR 52349 before 4.9R ? Its a simple fix. As it is to netstat, I dont know of anyone who 'owns' that program to bug other than to make a general plea :-) ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications,

TB --- 2013-02-26 21:23:55 - tinderbox 2.10 running on freebsd-stable.sentex.ca TB --- 2013-02-26 21:23:55 - FreeBSD freebsd-stable.sentex.ca 8.3-STABLE FreeBSD 8.3-STABLE #0: Tue Oct 16 17:37:58 UTC 2012 mdtancsa at freebsd-stable.sentex.ca:/usr/obj/usr/src/sys/server amd64 TB --- 2013-02-26 21:23:55 - starting RELENG_9 tinderbox run for arm/arm TB --- 2013-02-26 21:23:55 - cleaning the

I wrote a small app that monitors a Back-UPS ES500 UPS via the uhid0 interface. I want to run the daemon with as little privs as possible. gastest# ls -l /dev/uhid0 crw-rw---- 1 root operator 122, 0 Nov 12 05:26 /dev/uhid0 gastest# Is it safe to chmod o+r /dev/uhid0 ? Or is there a better way to drop privs of the daemon yet still be able to read from the device ? All I am doing is

Hi, I am using FreeBSD 8.2 and went to add 4 new disks today to expand my offsite storage. All was working fine for about 20min and then the new drive cage started to fail. Silly me for assuming new hardware would be fine :( The new drive cage started to fail, it hung the server and the box rebooted. After it rebooted, the entire pool is gone and in the state below. I had only written a few