-
meena
yuripv: i have managed to lxc launch --vm a thing, but not yet to connect to it via lxc console
-
_xor
Re: Earlier discussion on audio devices...
-
_xor
I remember a while back when I was setting up my headphones, it was a pain in the neck to review & figure out the various options/configurations and how they interact with each other.
-
_xor
I'm honestly looking at revising the notes I took on it and updating some docs or something on it.
-
_xor
One of the things that I remember was bt/virtual_oss vs. kernel/module managed devices and the sysctl combinations necessary for them.
-
meena
yuripv: i can't seem to get a login… will try again tomorrow, fresher.
-
yuripv
meena: thank you.
-
yuripv
btw, i had a similar ifconfig change to show the original ifname parked somewhere, don't remember why it wasn't wanted
-
ghoti
How can I generate a custom RARP packet?
-
meena
-
VimDiesel
Title: Ifconfig limitations
-
meena
if an interface is renamed, it would be cool if you could still refer to it somehow, because sysctl doesn't give a damn about your rename
-
ghoti
I'm trying to find hosts for which I know the MAC addresses, but they don't source enough packets to show up reliably in the switch's mac address table. So, RARP.
-
V_PauAmma_V
I take it you don't know their IP addresses either?
-
mason
_xor: If you refine your notes, could you put them up on the wiki?
-
_xor
Yes.
-
_xor
Going through that stuff is on my agenda, but I'm getting through it pretty slowly as it's not a high priority. I have a ton of notes that would likely be useful in general. The USB issue though is particularly annoying because I remember thinking to myself, "What should have taken no more than 20-30 minutes has now had over an hour spent on it. Maybe I'm just dumb, but better docs here would have saved a bunch of time."
-
ghoti
V_PauAmma_V: if I knew the IP, I wouldn't need RARP. :)
-
mason
_xor: I want to finally just get all the audio and videoconferencing stuff I want working under FreeBSD, and I remember the maze that presented itself last time I tried.
-
_xor
Don't source enough packets to show up on the switch? How short is the ARP cache TTL? Or alternatively, depending on the switch, maybe SNMP via push/poll when entries are added/updated/removed?
-
_xor
mason: Which version of FreeBSD? Which browser? What's the audio device interface? (e.g. Bluetooth, USB, etc)
-
yuripv
ghoti: there are several *arp* utilities in ports/net/, may be one of those could be useful? (looking at arping and arp-scan)
-
» _xor sighs
-
mason
_xor: FreeBSD 13.1, or I guess it'll be 13.2, Firefox, USB.
-
_xor
That's another thing I should try to spend a bit of time on each week. Submitting internal ports I whipped up. I know I have a few that weren't in the main ports tree before (maybe they are now), of which at least a couple of them dealt with network diagnostics (including ARP utilities).
-
_xor
yuripv: In fact, unless I'm mistaken, I think I've seen some of those ports pop up on the freshports.org home page that you created?
-
_xor
mason: What was the issue you ran into? Anything relevant pop up in /var/log around the time you plugged in the USB device or when you tried playing audio in Firefox? Alternatively, launch firefox from a terminal and watch what it dumps to stdout/stderr when trying to play audio to see if there are any warnings/errors (which can tell you if it can't find a device, can't open it, etc)
-
mason
_xor: Hrm, it was long enough ago that I'll have to try again. One thing I was trying to do was enable V4L and I couldn't for the life of me find how I was supposed to specify device names to ffmpeg on FreeBSD.
-
_xor
That's my environment too btw, 13.1 + Firefox + USB headset.
-
yuripv
_xor: me? i don't know anything about freshports (probably confusing me with yuri@?)
-
» yuripv hides
-
_xor
Yeah, probably.
-
_xor
-
VimDiesel
Title: WebcamCompat - FreeBSD Wiki
-
_xor
mason: Check that and see if your device(s) need webcamd, cuse, etc.
-
ghoti
yuripv: arping doesn't seem to produce rarp. I'll check a few other ports, thanks for that suggestion
-
ghoti
_xor: the problem is, the devices don't source packets frequently enough to stay in the cache. They know their IP, but I can't send them status requests if I don't know where they are.
-
ghoti
And besides, I get more utility by populating the local ARP cache than trying to query the switch's mac forwarding table.
-
Ellenor
So, GELI might be vulnerable, if it uses PBKDF2.
mjg59.dreamwidth.org/66429.html
-
VimDiesel
Title: Captcha Check
-
parv
If nothing, that could provide some formal|serious scrutiny (for GELI) as had not found any concrete reviews about the security of the encryption
-
parv
Ellenor, Thank you for the link
-
parv
On the related topic, back to "PBKDF2" from "Argon2" due to more memory use by the latter
go-gitea/gitea #14675/commits/b337ef56b90e11136ddb23826838404d8eb2f3e2
-
VimDiesel
Title: Turn default hash password algorightm back to pbkdf2 from argon2 until we found a better one (#14673) by lunny · Pull Request #14675 · go-gitea/gitea · GitHub
-
Ellenor
the higher memory use is a feature, not a bug...
-
Ellenor
password validation needs to be rate limited. higher memory and cpu usage is a crude way to do that and sometimes the only
-
» parv missed noting the date of the Gitea commit, c. 2021
-
meena
that setting is gone
-
Ellenor
-
VimDiesel
Title: Hector Martin: "@mjg59⊙nc Something doesn'…" - Treehouse Mastodon
-
meena
let's hope they're doing better by now, yeah, defaults back to argon2:
github.com/search?q=repo%3Ago-gitea%2Fgitea%20argon2&type=code
-
VimDiesel
Title: Sign in to GitHub · GitHub
-
meena
but still, this shit drives me bonkers
go-gitea/gitea #3217
-
VimDiesel
Title: Confidential (private) issues on public repo · Issue #3217 · go-gitea/gitea · GitHub
-
parv
meena, Your earlier URL asked me to "sign-in"
-
parv
the one with search query
-
meena
parv: yeah, the new search feature is login only
-
parv
meena, Aaahhh
-
meena
because the search is now actually really good lol
-
meena
but also, i reckon, it is quite costly, performance wise
-
debdrup
Ellenor: GELI was designed differently, because it doesn't make assumptions about the number of iterations - instead it tests to see how many iterations can be performed on the CPU it's being initialized on, and subsequently uses that number of iterations.
-
debdrup
Also, if the point is to use something that's memory-prohibitive, scrypt is better.
-
ghoti
morning, debdrup. :)
-
meena
-
VimDiesel
Title: 270909 – find: /.zfs: Invalid argument
-
ghoti
meena: that's weird indeed. But thanks for the reminder to upgrade. :)
-
Ellenor
debdrup: and can i increase that despite a low bench
-
debdrup
If only there was some sort of manual page that'd give some sort of answer..
-
debdrup
Also, Matthew's article is making a LOT of guesses..
-
Ellenor
Yes
-
Ellenor
I'm since hearing it's not credible
-
debdrup
Matthew's article talks about 128bit key lengths, but GELI is using PKCS#5 specifically because it features HMAC/SHA1 which is variable length, and the number of iterations that can be performed by the CPU in 2 seconds is what defines that length.
-
debdrup
You can try setting up geli on top of a ggate to see how many iterations a modern CPU does.
-
Ellenor
ah.
-
debdrup
I find it much more likely that a nation state could manage to simply bypass the encryption simply by knowing the key.
-
Ellenor
yes.
-
debdrup
If someone doesn't know they're being watched, they aren't likely to practice the highest levels of opsec when typing in their password.
-
debdrup
I've no idea what LUKS does with respect to the key derivation function used to supply the key material for the AES encryption, but the French-language text does seem to suggest (to my understanding, which admittedly is very limited) that they decrypted the full-disk encryption by knowing the password since they had full write access to the machine (given that there were modified files).
-
debdrup
French is NOT a language I'm even remotely comfortable with, though - so it's possible I missed something.
-
debdrup
Iteration count for LUKS1 seems to default to 1000 (used to default to 10) and for LUKS2 it seems to be controlled by a time variable (or the number of iterations can be forced).
-
debdrup
I think they used LUKS1, since they mention Ubuntu 18 (which I take to mean the one released in 2018, and which defaulted to LUKS1 according to what little documentation I can find).
-
debdrup
1000 iterations wasn't a lot in 2005.
-
meena
luks has terrible usability…
-
debdrup
..turns out, even the most-recently-released Ubuntu still defaults to LUKS1.
-
ghoti
methinks the wikipedia page for LUKS is begging for a "criticism" section.. :)
-
» debdrup shrugs.
-
meena
-
VimDiesel
Title: Ubuntu LUKS cryptsetup upgrade · GitHub
-
meena
fun
-
debdrup
I don't see how you should be able to do in-place upgrades of the key derivation function, or the encryption, for any system.
-
debdrup
Even changing the number of iterations should, it seems to me, warrant a complete rewrite of the system.
-
meena
aye, that makes sense
-
debdrup
I think if crypto(9) implemented scrypt as a replacement for PKCS#5 and I wanted to take advantage of it, I'd set up partitioning and geli initialization on a disk connected via USB, then do zpool create (mirroring what's in zpool-history(8)), do zfs send | receive, and then switch out the disks.
-
debdrup
If I had a laptop with two M.2 slots, I might insert one, do the partitioning+geli initialization+zpool create+zfs send|receive, and then use rerooting..
-
debdrup
In theory you could reroot to the USB disk and replace the M.2 disk since PCIe does support hot-plugging - but I'm not sure uptime is _that_ important on a laptop.
-
debdrup
-
VimDiesel
Title: 270794 – multimedia/kodi-addon-inputstream.adaptive unbreak
-
debdrup
-
VimDiesel
Title: FreeBSD 14.0 Release Process | The FreeBSD Project
-
yuripv
pretty soon yeah
-
meena
wat
-
meena
what are the chances we'll get dhcpcd into base until then
-
angry_vincent
non zero, i would predict
-
meena
10.0.0 was released, that's what we were waiting for
-
mbeis
q
-
sektor
Morning.
-
debdrup
meena:
reviews.freebsd.org/D22012#894877 seems to suggest that there's work being done on it
-
VimDiesel
Title: ⚙ D22012 Import dhcpcd(8) into FreeBSD base.
-
CrtxReavr
Having dhcpcd in base would not be a terrible idea.
-
yuripv
oh my, i was reading it as dhcpd
-
Ellenor
dhcpcd is alright... on linux, where the alternatives are BINDCO dhclient and manual configuration.
-
jmnbtslsQE
i have a strange issue where an ethernet interface on pci is being detached overnight with a message such as the following on console: "pci2: <network, ethernet> at device 0.0 (no driver attached)" "pci2: detached" "pci2: <ACPI PCI bus> on pcib2"
-
jmnbtslsQE
i'm thinking it would be hardware related since it's an old machine, but not sure
-
jmnbtslsQE
now on a restart it's displaying these messages fairly rapidly, maybe 2-3 per second on average
-
jmnbtslsQE
and also a message "pcib2: Timed out waiting for Data Link Layer Active"
-
RhodiumToad
that looks very much like hardware
-
jmnbtslsQE
thanks
-
jmnbtslsQE
i will replace it temporarily with usb-ethernet, hoping that it's not also affected
-
meena
can someone explain to me what the benefit is of *not* backgrounding dhclient?
-
rwp
Debug. If run in the foreground it is useful for debugging to see the messages in the terminal.
-
rwp
I would also recommend the "dhcpdump" utility run in another terminal window too if debugging that area of things. As a, by-the-by...
-
meena
I just don't understand why debugging is the default
-
meena
whew, i don't know how or why, but my LUKS on this laptop is Version 2; and uses argon2
-
mason
meena: You want argon2id specifically, not argon2i fwiw
-
mason
Easy enough to fix as it turns out.
-
mason
cryptsetup luksConvertKey /dev/foo --pbkdf argon2id but take it with my usual warning about breaking the dishes.
-
meena
mason: what's wrong with argon2i?
-
meena
I seem to have that :(
-
mason
-
VimDiesel
Title: encryption - When to use Argon2i vs Argon2d vs Argon2id? - Cryptography Stack Exchange
-
mason
Maybe that's not the best resource. I wonder if the MJG article notes differences.
-
mason
It does.
mjg59.dreamwidth.org/66429.html says: "But even so, systems using the LUKS2 header format used to default to argon2i, again not a memory expensive KDF. New versions default to argon2id, which is. You want to be using argon2id."
-
VimDiesel
Title: Captcha Check
-
mason
TL;DR, the algorithm needs to be memory-intensive as well as time-intensive to defeat attackers with a wall of GPUs.
-
sfox
rwp,
-
mason
I haven't had a chance yet but I'm really curious to see how GELI's default selections stand up.
-
sfox
rwp, hey i figured out the commonality. all the jails having problems with updates were jails that were previously ezjail jails and migrated to iocage.
-
meena
you can just read the backlog here
-
mason
meena: Ah, hadn't realized it had come up. Good.
-
mason
Thank you.
-
mason
debdrup: Is there a notion of memory consumption, atop a high iteration count?
-
mason
That was the big thing I learned about today.
-
debdrup
mason: sorry, I'm not sure I understand.
-
debdrup
meena: making dhclient synchronous/blocking is basically equivalent to configuring net-wait.
-
RhodiumToad
in-place upgrades of KDF for filesystem encryption is trivial because the password isn't used to generate the storage key, but rather to encrypt that key.
-
RhodiumToad
so a new KDF is no harder than adding a second user key
-
mason
debdrup: So, what I take from all of it is that in addition to requiring a decent amount of time, nowadays it's also necessary to take a lot of memory to defeat attackers with parallel processing brute-forcing things.
-
debdrup
mason: PKCS#5 doesn't have the features that scrypt does vis-à-vis being resistant to ASIC attacks because of the larger memory requirements.
-
mason
hrm
-
mason
Oh, you'd mentioned that earlier and I missed it. Sorry.
-
debdrup
I thought I did :)
-
debdrup
If your threat model includes a legitimate worry about a nation state capable of, and willing to go to the trouble of, implementing an ASIC to attack geli's KDF, then I suppose now would be an excellent time to sponsor Colin Percival in implementing scrypt into crypto(9) so that it can take the place of PKCS#5 ;)
-
debdrup
If argon2 needs to be argon2id in order to be memory-expensive, and also needs to be under a copy-free license to be implemented in FreeBSD, it's probably quicker to pay Colin for it. :)
-
sfox
freebsd currently uses SHA256 right?
-
sfox
or sha512
-
debdrup
For what?
-
sfox
crypt()
-
debdrup
crypto(9) supports all manner of things.
-
RhodiumToad
the default for password encryption is a sha512-based algorithm
-
RhodiumToad
the algorithm used by crypt() is chosen by specifying it as part of the provided salt
-
sfox
i tried copying over an encrypted $6$ password from linux and despite it using the same hmac identifier it was incompatible
-
debdrup
crypt(3) would be the place to get answers for your questions, I imagine.
-
sfox
6. SHA-512
-
RhodiumToad
sfox: looking at the code they seem to be trying to be compatible.
-
RhodiumToad
sfox: you could try running the freebsd test values on linux and see if it gets the same results
-
RhodiumToad
e.g. crypt("Hello world!","$6$saltstring") = "$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1"
-
neirac
how do you detect if headphones are connected? I was looking at the sysctls values but none of them tells that
-
RhodiumToad
depends on the hardware
-
ghoti
neirac: do a `sysctl -a > before` and `> after`, then diff to see if you missed something you can use.
-
ghoti
If they're USB, you can hook something into that infrastructure, or even just scan `usbconfig list` if that works for you.
-
neirac
ghoti: nothing relevant to sound diffing the outputs, I could just add a sysctl to show it for hda
-
CrtxReavr
Notice they're not The_Dragon.
-
neirac
how do I build snd_hda as a module?
-
neirac
just removing device from kernel config is enough?
-
RhodiumToad
yeah
-
RhodiumToad
personally I remove almost all devices from the kernel, just leaving the ones needed to boot the machine plus a few "always use" ones
-
neirac
how do I know which kernel I'm running I mean the file
-
meena
RhodiumToad: do you use MINIMAL as your starting point?
-
meena
neirac: kenv kernel_path and kernelname
-
neirac
meena thanks!
-
meena
mine: meena@beasdix ~> kenv -v kernel_path ; kenv -v kernelname
-
meena
kernel_path="/boot/kernel.GENERIC-MMCCAM"
-
meena
kernelname="/boot/kernel.GENERIC-MMCCAM/kernel"
-
RhodiumToad
also sysctl kern.bootfile
-
RhodiumToad
iirc, installkernel updates kern.bootfile to point to kernel.old when renaming it
-
meena
-
VimDiesel
Title: Support Ephemeral Networking for BSD by holmanb · Pull Request #2127 · canonical/cloud-init · GitHub
-
meena
["route", "-4", "add", [-net|-host] + route, gateway, "-interface", interface, and then I'm stuck
-
meena
is route really not smart enough to figure out if the route is a net or a host address?
-
RhodiumToad
it affects old-style parsing of incompletely-specified addresses
-
RhodiumToad
e.g. whether 128.32 is interpreted as 128.0.0.32 or 128.32.0.0
-
RhodiumToad
(moral, never do that)
-
meena
what kind of monster does that?
-
meena
What kind of MONSTER puts that in the SPEC?
-
meena
anyway, what is the src thing?
-
RhodiumToad
vixie
-
RhodiumToad
the src thing looks like a linuxism
-
meena
src ADDRESS
-
meena
the source address to prefer when sending to the
-
meena
destinations covered by the route prefix.
-
RhodiumToad
I don't think fbsd does source selection that way
-
RhodiumToad
that 128.32 thing is only the tip of that particular iceberg of horrors, btw
-
RhodiumToad
always use 4 octets/pfxlen for specifying ipv4 destinations
-
meena
suricrasia.online/iceberg i wonder if it's actually on here
-
VimDiesel
Title: The Cursed Computer Iceberg Meme
-
ober
ld-elf.so.1: /usr/local/bin/git: Undefined symbol "__libc_start1@FBSD_1.7"
-
ober
chasing HEAD and this bit me. is there a way to backout? or must I rebuild everything in ports?
-
V_PauAmma_V
Did you use bectl as part of your update procedure?
-
ober
only updates if any were from `pkg install xxxx`
-
ober
s/chasing head/running head
-
V_PauAmma_V
What FreeBSD version?
-
ober
14.0-current
-
ober
only affects items installed from pkg. the OS mismatch warning was legit. nvm I'll figure it out
-
V_PauAmma_V
Then it looks like you're installing packages built for 23
-
Ronis_BR
hi! I am trying to install FreeBSD in a VPS. During the boot, it stays almost 1min3sec in the line "ugen0.2: <QEMU QEMU USB Tablet> at usbus0". It happens on the installation (live CD) and on the installed system. Is there anything I can do to improve this boot time?
-
RhodiumToad
Ronis_BR: what's the _next_ line?
-
V_PauAmma_V
ober, it looks like you're installing packages built for 12.x or 13.x under 14-current. That won't work.
-
ober
ok. I had been without error, but with the warning, so to be expected :P
-
RhodiumToad
or installing packages built for an older 14-current on a newer one
-
V_PauAmma_V
Or that.
-
RhodiumToad
the whole point of -current is that the ABI is not stable
-
Ronis_BR
RhodiumToad: I will run dmesg to check! It is too fast
-
V_PauAmma_V
Ronis_BR, you could also look at /var/run/dmesg.boot.
-
ober
ok
-
Ronis_BR
V_PauAmma_V: Thanks! It is booting
-
ober
Rockpro64s required 14 afaik
-
Ronis_BR
RhodiumToad, V_PauAmma_V: The next line is: "hdacc0: <Generic (0x1af40022) HDA CODEC> at cad 0 on hdac0"
-
RhodiumToad
hm
-
RhodiumToad
and after that?
-
RhodiumToad
and what hypervisor is this?
-
Ronis_BR
RhodiumToad: It is a VPS in Vultr, let me check the hypervisor
-
Ronis_BR
It seems to be KVM
-
Ronis_BR
RhodiumToad: After that line the log is: "hdaa0: <Generic (0x1af40022) Audio Function Group> at nid1 on hdacc0"
-
RhodiumToad
so either it's spending a lot of time in trying to figure out an emulated sound device, or there's a lot of other boot probes going on in between that find nothing.
-
RhodiumToad
have you tried it with bootverbose on?
-
Ronis_BR
no! I will do that