-
s2r
scoobybejesus Do those users have a local home directory?
-
s2r
rwp I wanted to pull a backup from a server to store a copy in a remote location.
-
rennj
3-2-1 backups, offsite for the nuclear attack.
-
scoobybejesus
s2r yes, there needs to be a home folder with a .ssh directory with an authorized_keys file
-
s2r
scoobybejesus where do you limit access to certain scripts? Because in the case of a directory, just adding that user to a group would be enough.
-
scoobybejesus
well, for example, my script user can login and is only able to run a single command, which runs a single script. That script launches all the other scripts.
-
scoobybejesus
in authorized_keys, you provide the command that the holder of the ssh key can run. and upon login, that command runs, and that's it
-
scoobybejesus
or for the scp user, they don't get a terminal at all with no-pty
-
scoobybejesus
ah, i also made it so the script needed root privs, and i allowed the script user to be run with sudo w/out password specifically for that script
-
rwp
There are many different ways to solve this same problem. Can do it one way. Can do it another way. Lots of possible ways to do it.
-
rennj
adic/storagetek/quantum robot tape library. veritas netbackup media cluster. lto won the tape wars. sdlt vs lto. the last fight.
-
rennj
sony ait 4mm i liked cause it was small.
-
rennj
The latest generation as of 2021, LTO-9, can hold 18 TB in one cartridge.
-
rennj
crazy
-
rennj
New for LTO-3 was write once read many (WORM) capability. worm drive.
-
rennj
auditing
-
polyex
kubernetes run on freebsd?
-
nerozero
fyi CVE-2024-6387 FreeBSD is affected
-
nerozero
SSH - Remote root login
-
polyex
really?
-
polyex
that's bad
-
polyex
so every freebsd box in the world can be hacked right now?
-
nedko
i read in the original blog about 700'000 servers in internet and 31%, that is really bad
-
nerozero
Not straight away, this is an async remote call issue, this is not a 100% guarantee you can do that, there is a chance, and to exploit this it might take ~10 days ...
-
polyex
if pf blocks ssh it's safe? because i restrict ssh login by ip
-
Dooshki
wasn't a patch released for it yesterday?
-
Dooshki
Or is the patch incomplete?
-
weust
AllanJude: I thought ZFS RAIDZ expansion was to be added in 14.0. Am I wrong?
-
nerozero
just set "LoginGraceTime 0" in the /etc/ssh/sshd_config file
-
weust
And don't open SSH to the internet
-
Dooshki
Oh, I see now, that bug report is for sshd distributed as part of the ports tree
-
nerozero
weust, lol
-
nerozero
that was epic :D
-
ridcully
weust: regarding raidz exp: i asked this a while ago and was told here, that it's in 15
-
weust
ridcully: ah, crap. thanks
-
polyex
anyone else see a problem that kubernetes is getting huge but doesn't run on freebsd?
-
polyex
i'm afraid freebsd's tech is good but it's getting left behind and dying off
-
weust
I really liked this part of the post by OpenSSH: "Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation."
-
polyex
ya see linux is a shitpile yet waaaay more popular than freebsd
-
polyex
so we're obviously doing something wrong
-
Dooshki
Well, Linux has the advantage of not having been embroiled in a huge lawsuit in the 90s
-
Dooshki
that really put a damper on the adoption of BSD
-
polyex
agree but that was 20 years ago and we shoulda recovered by now
-
polyex
instead we've lost market share
-
Dooshki
"market share" implies paying customers
-
polyex
pretty often i run into ppl who left freebsd to use linux because it got the momentum
-
polyex
not just that but sure
-
polyex
if you look at modern server oriented software, it always runs on linux, but not always on freebsd
-
weust
And a lot of python projects, like homeassistant, pretty much only run on Linux. Can't even compile it anymore.
-
polyex
ya that's what i'm saying. it's biting me enough that i'm getting worried about my bet on freebsd
-
entrop
it's ok to use both
-
polyex
if i gotta learn linux, why bother keep using freebsd?
-
entrop
well, learning linux is a repetitive thing, each time you upgrade ubuntu, you need to learn how to set a static ip address in yet another new way. in freebsd you just need to learn that once.
-
weust
^that
-
polyex
k well we already covered that freebsd is better, but that doesn't matter when we start running into too many cases of "linux supported, freebsd not"
-
weust
I am only a home user, but to me GNU/Linux is a big clusterf*ck, and I only use it when I can't use FreeBSD, or it's an appliance-type thing I can't avoid.
-
AllanJude
weust: it landed in upstream zfs, so 15-current has it, but not 14.0
-
weust
AllanJude: And no backport to 14.2 by any chance?
-
AllanJude
that depends on the timing of OpenZFS 2.3's release
-
weust
OK
-
CyberCr33p
hello
-
CyberCr33p
regarding the openssh security issue, is it possible to do: 1) gitup release 2) cd /usr/src/secure/lib/libssh 3) make all 4) make install 5) service sshd restart . Will this patch the issue?
-
|cos|
CyberCr33p: Assuming you're aware freebsd-update would generally be the easiest path to take?
-
CyberCr33p
|cos| I use /usr/src for upgrading my systems
-
|cos|
CyberCr33p: I would research it more closely if not being able to use freebsd-update. My **guess** is that secure/usr.sbin/sshd sounds more relevant than secure/lib/libssh, but I have no actual idea.
-
CyberCr33p
I think you are right. Before I had "Server Version OpenSSH_9.6 FreeBSD-20240104" now I have "Server Version OpenSSH_9.6 FreeBSD-20240701"
-
Dooshki
The safest way to figure out is probably to do a git update and to see which files are updated
-
CyberCr33p
* /usr/src/crypto/openssh/log.c
-
CyberCr33p
* /usr/src/crypto/openssh/version.h
-
CyberCr33p
* /usr/src/sys/conf/newvers.sh
-
llua
why do you upgrade your system in a way you don't understand?
-
CyberCr33p
llua I understand how to do a full upgrade. Now I want to patch just this issue and tomorrow I will do a full upgrade.
-
ketas
just in case it gets owned in 24h?
-
ketas
but yeah that's how you do it
-
CyberCr33p
ketas yes exactly
-
ketas
i heard it's kind of hard to craft that thing up but building sshd is fast anyway
-
ketas
damn pkgbase comes useful here :p
-
CyberCr33p
I use sshguard to block SSH brute force attacks, but I'm unsure if it protects against the specific vulnerability mentioned. It also blocks connections that idle, this might offer some level of protection.
-
|cos|
CyberCr33p: The known working mitigation is `LoginGraceTime 0`. Search for that config in
freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc
-
CyberCr33p
I know but if I do this then maybe I can't login to the servers again if many bots try to brute force
-
leah2
ketas: i had to wait until today until pkgbase actually had the package... i wonder how often the mirrors are synced?
-
dkeav
spiped should mitigate as well
-
dkeav
i would think
-
leah2
running with -e mitigates too :p
-
ketas
one could also fw the ssh
-
ketas
leah2: i more meant you can do it on your own and get it faster
-
ketas
unsure why security can't be prioritized or so?
-
kevans
dkeav: yes
-
kevans
colin wrote a thing about it years ago, and it's still what he uses:
daemonology.net/blog/2012-08-30-protecting-sshd-using-spiped.html
-
dkeav
yup
-
dkeav
after the whole xz attempt and things like this, spiped seems like a good idea
-
ketas
that's almost as complex as running whole vpn
-
ketas
ovpn with tls auth with ssh behind it is one hell of a security onion already, if one wished, one could put layers of different oses and other stuff into path too, just can't really imagine a lot of places where it actually benefits
-
dkeav
i dunno, seems more complex than it really is, I think I set it up the first time in about 5 minutes
-
leah2
ketas: can one easily build a single package as pkgbase?
-
ant-x
Hello, all. I beg your pardon for a potentially lamer question, so feel free to kick me for it. I am away from my computer with FreeBSD, but need to find the QEmu version in its standard .pkg. Is it possible?
-
ant-x
dkeav, QEmu, right, but it is a port, whereas I installed it via `pkg'.
-
ant-x
As I understand, ports are usually ahead of packages, right?
-
dkeav
look at the quarterly
-
dkeav
in the packages section
-
kevans
ant-x: ports are constantly being built into packages from the two branches as often as they can, so packages shouldn't lag behind that much but you're probably tracking quarterly rather than latest
-
ant-x
dkeav, OK, thanks.
-
ant-x
kevans, I must be, using FreeBSD 14.1 with default pkg config.
-
kevans
yeah
-
wcarson
is there a public url/xml/json document showing the latest patch level? e.g. right now something i could query and get back '14.1-RELEASE-p2'?
-
adonis
I previously installed world/lib32 but now want to get rid of it, how do I go about that? I am trying to install FreeBSD 14.1 now.
-
adonis
The kernel/generic-dbg component seems to also be installed but not sure what the proper procedure to remove that is either.
-
rwp
That's one of those open-questions that I have too. It's a "component" that is installed. But not sure how to remove it.
-
adonis
rwp: yea.. I figured if it was easy to install it'd be easy to uninstall. but doesn't seem to be the case.
-
wcarson
hah, yeah, had the same issue and basically the answers i found via google were "you can't, so you may as well keep it updated"
-
wcarson
that said, i imagine you could look at the .tbzs or whatever from netinstall and see where they extract, and then clean those directories/files out, but seems fairly manual and prone to error
-
rwp
I am sure it is easy if one knows what was done to "install" it. AFAIK there is just some entry in a file saying that it is installed.
-
wcarson
alternatively, you could look at the freebsd-update source code to see where it's checking, and you know, go there and clean it out
-
wcarson
yeah
-
rwp
Removing components from /etc/freebsd-update.conf is not sufficient. I already tried that and it still insisted on doing it.
-
wcarson
same
-
rwp
I have crawled through the script before and it isn't bad. It just took more time than I had at the moment and I postponed getting to the bottom of it.
-
wcarson
rwp: so, that crucial drive has been going rock solid for like two weeks now...
-
wcarson
for sure, it's totally a time vs how much do i actually care about this type of thing
-
rwp
It's also possible to do two installs to two test areas, one with and one without, and then compare what is different between them. That would tell.
-
rwp
Good about the Crucial! I wonder what the details of the WD failure really are there. It's a scary problem actually.
-
wcarson
yeah, it is. i really liked the WD, too, because it's supposed to be low power :/
-
adonis
wcarson: yea, looking at what was installed and then manually undoing that seems like it would take a bit of time and prone to errors; so stick with what is already installed is what I'll continue doing :( lol..
-
polyex
where can i read up on what big features are coming in freebsd 15? i know it's probably 2 years away i'm jc
-
adonis
what would cause vi and many expected utilities to be "not found" when booting into single user mode. my user is root.
-
adonis
`which`, `vi`, `env` none of those work
-
jgh
PATH not set right, or filesystems where they live not mounted
-
adonis
path looks good.. I think it has to do with my /usr not being mounted
-
adonis
yup that was it.. mount -a fixes it