01:37:50 scoobybejesus Do those users have a local home directory?
01:38:12 rwp I wanted to pull a backup from a server to store a copy in a remote location.
01:50:45 3-2-1 backups, offsite for the nuclear attack.
01:52:26 s2r yes, there needs to be a home folder with a .ssh directory with an authorized_keys file
02:00:28 scoobybejesus where do you limit access to certain scripts? Because in the case for directory just adding that user to a group would be enough.
02:04:35 well, for example, my script user can login and is only able to run a single command, which runs a single script. That script launches all the other scripts.
02:07:57 in authorized_keys, you provide the command that the holder of the ssh key can run. and upon login, that command runs, and that's it
02:08:55 or for the scp user, they don't get a terminal at all with no-pty
03:03:34 ah, i also made it so the script needed root privs, and i allowed the script user to be run with sudo w/out password specifically for that script
03:12:59 There are many different ways to solve this same problem. Can do it one way. Can do it another way. Lots of possible ways to do it.
03:37:38 adic/storagetek/quantum robot tape library. veritas netbackup media cluster. lto won the tape wars. sdlt vs lto. the last fight.
03:38:07 sony ait 4mm i liked cause it was small.
03:39:54 The latest generation as of 2021, LTO-9, can hold 18 TB in one cartridge.
03:40:00 crazy
03:41:23 https://en.wikipedia.org/wiki/Linear_Tape-Open
03:43:31 New for LTO-3 was write once read many (WORM) capability. worm drive.
03:43:48 auditing
03:45:33 https://www.lto.org/lto-participants/
08:09:06 kubernetes run on freebsd?
08:43:46 fyi CVE-2024-6387 FreeBSD is affected
08:43:54 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280068
08:45:43 SSH - Remote root login
08:47:54 really?
08:47:59 that's bad
08:48:10 so every freebsd box in the world can be hacked right now?
08:49:12 i read in the original blog about 700'000 servers in internet and 31%, that is really bad
08:49:28 Not straight away, this is async remote call issue, this is not 100% guarantee you can do that, there is a chance, and to exploit this it might take ~10 days ...
08:49:55 if pf blocks ssh it's safe? because i restrict ssh login by ip
08:50:11 wasn't a patch released for it yesterday?
08:50:17 Or is the patch incomplete?
08:51:46 AllanJude: I thought ZFS RAIDZ expansion was to be added in 14.0. Am I wrong?
08:52:12 just set "LoginGraceTime 0" in the /etc/ssh/sshd_config file
08:52:35 And don't open SSH to the internet
08:52:40 Oh, I see now, that bug report is for sshd distributed as part of the ports tree
08:52:43 weust, lol
08:52:48 that was epic :D
08:54:35 weust: regarding raidz exp: i asked this a while ago and was told here, that it's in 15
08:54:53 ridcully: ah, crap. thanks
08:55:29 anyone else see a problem that kubernetes is getting huge but doesn't run on freebsd?
08:55:54 i'm afraid freebsd's tech is good but it's getting left behind and dying off
08:56:24 I really liked this part of the post by OpenSSH: "Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation (yes - this is a thing, no - we don't understand why) may potentially have an easier path to exploitation."
08:57:49 ya see linux is a shitpile yet waaaay more popular than freebsd
08:57:54 so we're obviously doing something wrong
08:58:33 Well, Linux has the advantage of not having been embroiled in a huge lawsuit in the 90s
08:58:43 that really put a hamper on the adoption of BSD
08:59:23 agree but that was 20 years ago and we shoulda recovered by now
08:59:32 instead we've lost market share
08:59:40 "market share" implies paying customers
08:59:47 pretty often i run into ppl who left freebsd to use linux because it got the momentum
08:59:54 not just that but sure
09:00:24 if you look at modern server oriented software, it always runs on linux, but not always on freebsd
09:04:44 And a lot of python projects, like homeassistant, pretty much only run on Linux. Can't even compile it anymore.
09:05:13 ya that's what i'm saying. it's biting me enough that i'm getting worried about my bet on freebsd
09:10:50 it's ok to use both
09:11:46 if i gotta learn linux, why bother keep using freebsd?
09:12:32 well, learning linux is a repetitive thing, each time you upgrade ubuntu, you need to learn how to set a static ip address in yet another new way. in freebsd you just need to learn that once.
09:13:58 ^that
09:13:59 k well we already covered that freebsd is better, but that doesn't matter when we start running into too many cases of "linux supported, freebsd not"
09:15:38 I am only a home user, but to me GNU/Linux is a big clusterf*ck, and only use it when I can't use FreeBSD, or it's an appliance type thing I can't avoid myself.
12:06:29 weust: it landed in upstream zfs, so 15-current has it, but not 14.0
12:09:11 AllanJude: And no backport to 14.2 by any chance?
12:09:32 that depends on the timing of OpenZFS 2.3's release
12:23:54 OK
14:51:42 hello
14:53:16 regarding the openssh security issue, is it possible to do: 1) gitup release 2) cd /usr/src/secure/lib/libssh 3) make all 4) make install 5) service sshd restart. Will this patch the issue?
15:07:17 <|cos|> CyberCr33p: Assuming you're aware freebsd-update would generally be the easiest path to take?
15:07:47 |cos| I use /usr/src for upgrading my systems
15:08:55 <|cos|> CyberCr33p: I would research it more closely if not being able to use freebsd-update. My **guess** is that secure/usr.sbin/sshd sounds more relevant than secure/lib/libssh, but I have no actual idea.
15:11:30 I think you are right. Before I had "Server Version OpenSSH_9.6 FreeBSD-20240104" now I have "Server Version OpenSSH_9.6 FreeBSD-20240701"
15:11:36 The safest way to figure out is probably to do a git update and to see which files are updated
15:11:59 * /usr/src/crypto/openssh/log.c
15:11:59 * /usr/src/crypto/openssh/version.h
15:11:59 * /usr/src/sys/conf/newvers.sh
15:16:32 why do you upgrade your system in a way you don't understand?
15:17:54 llua I understand how to do a full upgrade. Now I want to patch just this issue and tomorrow I will do a full upgrade.
15:21:06 just in case it gets owned in 24h?
15:21:19 but yeah that's how you do it
15:22:07 ketas yes exactly
15:22:49 i heard it's kind of hard to craft that thing up but building sshd is fast anyway
15:23:37 damn pkgbase comes useful here :p
15:25:13 I use sshguard to block SSH brute force attacks, but I'm unsure if it protects against the specific vulnerability mentioned. It also blocks connections that idle, this might offer some level of protection.
15:40:13 <|cos|> CyberCr33p: The known working mitigation is `LoginGraceTime 0`. Search for that config in https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc
15:41:06 I know but if I do this then maybe I can't login to the servers again if many bots try to brute force
15:45:14 ketas: i had to wait until today until pkgbase actually had the package... i wonder how often the mirrors are synced?
15:49:49 spiped should mitigate as well
15:49:53 i would think
15:51:44 running with -e mitigates too :p
15:52:50 one could also fw the ssh
15:58:48 leah2: i more meant you can do it on your own and get it faster
15:59:13 unsure why security can't be prioritized or so?
16:01:26 dkeav: yes
16:01:54 colin wrote a thing about it years ago, and it's still what he uses: https://www.daemonology.net/blog/2012-08-30-protecting-sshd-using-spiped.html
16:02:30 (also: https://x.com/cperciva/status/1807699405514105306)
16:02:58 yup
16:03:17 after the whole xz attempt and things like this, spiped seems like a good idea
16:05:14 that's almost as complex as running whole vpn
16:10:07 ovpn with tls auth with ssh behind it is one hell of a security onion already, if one wished, one could put layers of different oses and other stuff into path too, just can't really imagine a lot of places where it actually benefits
16:11:06 i dunno, seems more complex than it really is, I think I set it up the first time in about 5 minutes
16:37:12 ketas: can one easily build a single package as pkgbase?
16:40:36 Hello, all. I beg your pardon for a potentially lamer question, so feel free to kick me for it. I am away from my computer with FreeBSD, but need to find the QEmu version in its standard .pkg . Is it possible?
16:44:01 https://www.freshports.org/emulators/qemu/ ?
16:45:51 dkeav, QEmu, right, but it is a port, whereas I installed it via `pkg`.
16:47:45 As I understand, ports are usually ahead of packages, right?
16:48:06 look at the quarterly
16:48:38 in the packages section
16:52:31 ant-x: ports are constantly being built into packages from the two branches as often as they can, so packages shouldn't lag behind that much but you're probably tracking quarterly rather than latest
16:52:32 dkeav, OK, thanks.
16:53:06 kevans, I must be, using FreeBSD 14.1 with default pkg config.
16:53:15 yeah
18:41:33 is there a public url/xml/json document showing the latest patch level? e.g. right now something i could query and get back '14.1-RELEASE-p2'?
18:44:01 I previously installed world/lib32 but now want to get rid of it, how do I go about that? I am trying to install FreeBSD 14.1 now.
18:45:50 The kernel/generic-dbg component seems to also be installed but not sure what the proper procedure to remove that is either.
18:46:59 That's one of those open-questions that I have too. It's a "component" that is installed. But not sure how to remove it.
18:51:15 rwp: yea.. I figured if it was easy to install it'd be easy to uninstall. but doesn't seem to be the case.
18:53:43 hah, yeah, had the same issue and basically the answers i found via google were "you can't, so you may as well keep it updated"
18:54:31 that said, i imagine you could look at the .tbzs or whatever from netinstall and see where they extract, and then clean those directories/files out, but seems fairly manual and prone to error
18:54:44 I am sure it is easy if one knows what it was done to "install" it. AFAIK there is just some entry in a file saying that it is installed.
18:55:00 alternatively, you could look at the freebsd-update source code to see where it's checking, and you know, go there and clean it out
18:55:07 yeah
18:55:12 Removing components from /etc/freebsd-update.conf is not sufficient. I already tried that and it still insisted to do it.
18:55:20 same
18:55:49 I have crawled through the script before and it isn't bad. It just took more time than I had at the moment and I postponed getting to the bottom of it.
18:55:52 rwp: so, that crucial drive has been going rock solid for like two weeks now...
18:56:07 for sure, it's totally a time vs how much do i actually care about this type of thing
18:56:14 It's also possible to do two installs to two test areas, one with and one without, and then compare what is different between them. That would tell.
18:56:32 Good about the Crucial! I wonder what the details of the WD failure really are there. It's a scary problem actually.
18:58:44 yeah, it is. i really liked the WD, too, because it's supposed to be low power :/
19:00:17 wcarson: yea, looking at what was installed and then manually undoing that seems like it would take a bit of time and prone to errors; so stick with what is already installed is what I'll continue doing :( lol..
19:51:23 where can i read up on what big features are coming in freebsd 15? i know it's probably 2 years away i'm jc
20:19:38 what would cause vi and many expected utilities to be "not found" when booting into single user mode. my user is root.
20:20:43 `which`, `vi`, `env` none of those work
20:20:57 PATH not set right, or filesystems where they live not mounted
20:21:49 path looks good.. I think it has to do with my /usr not being mounted
20:22:37 yup that was it.. mount -a fixes it