-
trench
-
polarian
There was an OpenSSH MITM patch today, although I do not see any security advisory on it on the FreeBSD side. Does this not affect FreeBSD, or is it pending?
freebsd.org/security/advisories
-
mason
scoobybejesus: Nice, glad you nailed it down. :)
-
mason
-
polarian
mason: OpenSSH_9.7p1, OpenSSL 3.0.13 30 Jan 2024
-
polarian
This does not contain the MITM patch afaik
-
ketas
I read that announcement
-
ketas
seems non-affecting
-
ketas
as I get it
-
ketas
non-default configs
-
TommyC
One specific option that is changed from the default configs. No need to panic if you don't run sshd on port 22. :3
-
ketas
why would !22 matter?
-
ketas
because usually it doesn't get bot scans?
-
ketas
for MITM you need access too
-
ketas
I doubt you discard SSH traffic on other ports
-
ketas
"impersonate any server when the VerifyHostKeyDNS option is enabled. This option is off by default."
-
polarian
ketas: it's still a good thing to patch
-
polarian
in case people are using it
-
TommyC
ketas: The option that makes sshd vulnerable without the patch is the VerifyHostKeyDNS option being "on" where the default value is usually "off". Hence, as a joke, I said "No need to panic if you don't run sshd on port 22." because that's a completely different and unrelated option.
-
ketas
and the second was DoS?
-
ivy
TommyC: it's also ssh(1) that's affected, not sshd(8)...
-
TommyC
ivy: My bad, you're right. I'm just used to typing "sshd" when it comes to some vulnerability.
-
ketas
MITM is ssh, DoS is sshd
-
polarian
DoS is not a big deal, at least IMO... it is not a security flaw, but it is annoying
-
polarian
but a MITM, even if it is under non-default options, is a big deal
-
ketas
DoS sucks too
-
polarian
yeah, but you aren't going to get pwned from a DoS
-
polarian
are you?
-
ketas
but yeah, VerifyHostKeyDNS=on == MITM
-
ketas
is cursed
-
ketas
I bet everyone also looks into it
-
ketas
a logic error is also a stupid mistake
-
ketas
real bad
-
ivy
hmmm, I booted the 15.0 disc1 ISO and expected to get the installer on the serial console, but did not... is dual console not enabled on the installer?
-
ivy
I thought I'd done this before and it just worked
-
samporterbridges
ivy: I ran into the same thing today too. Had to enable it in /boot/loader.conf
-
samporterbridges
ivy: FWIW, enabling the corresponding serial console settings in loader.conf didn't seem to work
-
ivy
yeah, just mildly annoying as I had to set up VNC in order to do that :-)
-
rwp
To install over serial, one must boot the installer's initial loader to the boot prompt, which does work over serial. Then select "3. Escape to loader prompt", type in "set console=comconsole", and then "boot" in order to get a serial port install.
-
ivy
I didn't get Beastie over serial; if the BIOS loader prints anything, I must have been too slow to see it :(
-
ivy
I wonder if this is because (IIRC) this VM provider only supports BIOS boot rather than UEFI. I recall BIOS serial console support is a bit more limited, or you have to recompile the first-stage loader to change the default, or something
-
rwp
If you are not getting to the Beastie prompt then perhaps the serial is a different address than the default? No idea.
-
ivy
(did I mention I hate BIOS boot?)
-
rwp
Let me mention that I hate UEFI boot.
-
rwp
So between the two of us we have everything covered! :-)
-
samporterbridges
and mine's an APU2 board, I don't have a VGA option
-
ivy
oh well, after install, setting boot_serial=YES; console=comconsole is all working
-
skered
rwp: Why do you hate UEFI?
-
mason
Frankly anything that's not OpenFirmware is subpar.
-
cs_0x6373
does anyone know if the powerpc64/powerpc64le port supports PowerVM virtualized Power8/9/10 systems or only the Linux-only systems?
-
cs_0x6373
I just tried booting 14.2 (both big and little endianness) on an S822 (Power8) system in an LPAR, but I only get an error on boot
-
jmnbtslsQE
scoobybejesus: OK, but out of curiosity, then what caused the SSL error? Was your proxy malfunctioning? Because the description for that error said it should be something unrelated to the peers or their exchange
-
scoobybejesus
I did not confirm (I suppose I may try later), but I suspect getting the middle of a TCP stream causes the recipient to immediately respond with "this is nonsense", which is why the immediate response is to request to close the connection
-
jschmidt
re: the ssh MitM attack - assuming VerifyHostKeyDNS /is/ set to yes, is that mitigated by DNSSEC? I do publish SSHFP RRs to my DNSSEC-enabled domains...
-
lts
jschmidt: I'd guess it is not a mitigation. From the attack description: "as if no error had occurred, and without checking the server's host key at all."
openwall.com/lists/oss-security/2025/02/18/1
-
jschmidt
ok, then "ouch". :^)
-
uskerine
I will try again: how well supported do Dell laptops (from 2018/2019) tend to be in FreeBSD? Thanks
-
lts
-
uskerine
thanks, shall I understand this one is reasonably supported?
-
uskerine
-
ivy
let's say I do 'zfs create -o mountpoint=/export zroot/export', then it's fine to do 'zfs create -o mountpoint=/export/home data/home', right? Since zroot (the root pool) is mounted before data and will never be unmounted, this should work okay
-
bdrewery
ivy: yes
-
ivy
thanks