00:01:26 https://freebsdfoundation.org/blog/laptop-support-and-usability-project-update-first-monthly-report-community-initiatives/ life is going forward
00:14:36 There was an openssh MITM patch today, although I do not see any security advisory on it freebsd side, does this not affect freebsd or is it pending? https://www.freebsd.org/security/advisories/
00:17:25 scoobybejesus: Nice, glad you nailed it down. :)
00:24:59 polarian: https://www.openwall.com/lists/oss-security/2025/02/18/4
00:36:04 mason: OpenSSH_9.7p1, OpenSSL 3.0.13 30 Jan 2024
00:36:17 This does not contain the MITM patch afaik
00:51:10 i read that announcement
00:51:21 seems non-affecting
00:51:24 as i get it
00:51:35 non default configs
00:52:07 One specific option that is changed from the default configs. No need to panic if you don't run sshd on port 22. :3
00:52:45 why would !22 matter?
00:52:58 because usually it doesn't get bot scans?
00:53:25 for mitm you needed access too
00:53:50 i doubt you discard ssh traffic on other ports
00:55:12 impersonate any server when the
00:55:13 VerifyHostKeyDNS option is enabled. This option is off by default.
00:55:22 ketas: it's still a good thing to patch
00:55:27 in case people are using it
00:55:36 ketas: The option that makes sshd vulnerable without the patch is the VerifyHostKeyDNS option being "on" where the default value is usually "off". Hence, as a joke, I said "No need to panic if you don't run sshd on port 22." because that's a completely different and unrelated option.
00:56:05 and second was dos?
00:56:16 TommyC: it's also ssh(1) that's affected, not sshd(8)...
00:56:47 ivy: My bad, you're right. I'm just used to typing "sshd" when it comes to some vulnerability.
00:57:04 mitm is ssh, dos is sshd
00:57:27 dos is not a big deal, at least imo... it is not a security flaw but is annoying
00:57:36 but a mitm, even if it is non-default options, is a big deal
00:57:39 dos sucks too
00:57:47 yeah but you aren't going to get pwned from a dos
00:57:49 are you?
00:58:19 but yeah, VerifyHostKeyDNS=on == mitm
00:58:22 is cursed
00:58:44 i bet everyone also looks into it
00:59:40 logic error is also a stupid mistake
00:59:45 real bad
02:24:15 hmmm, i booted 15.0 disc1 ISO and expected to get the installer on the serial console, but did not... is dual console not enabled on the installer?
02:24:28 i thought i'd done this before and it just worked
03:04:03 ivy: i ran into the same thing today too. had to enable it in /boot/loader.conf
03:05:02 ivy: fwiw, enabling the corresponding serial console settings in loader.conf didn
03:05:04 yeah, just mildly annoying as i had to set up VNC in order to do that :-)
03:05:07 't seem to work
03:16:01 To install with serial one must boot the installer initial loader to the boot prompt which does work over serial. Then select "3. Escape to loader prompt" and then type in set console=comconsole and then boot in order to get a serial port install.
03:17:06 i didn't get beastie over serial, if the BIOS loader prints anything i must have been too slow to see it :(
03:17:57 i wonder if this is because (iirc) this VM provider only supports BIOS boot rather than UEFI, i recall BIOS serial console support is a bit more limited or you have to recompile the first stage loader to change the default, or something
03:17:58 If you are not getting to the Beastie prompt then perhaps the serial is a different address than the default? No idea.
03:18:19 (did i mention i hate BIOS boot?)
03:18:30 Let me mention that I hate UEFI boot.
03:18:44 So between the two of us we have everything covered! :-)
03:18:57 and mine's an APU2 board, i don't have a VGA option
03:19:09 oh well, after install setting boot_serial=YES; console=comconsole is all working
04:28:18 rwp: Why do you hate UEFI?
04:42:01 Frankly anything that's not OpenFirmware is subpar.
13:04:18 does anyone know if the powerpc64/powerpc64le port supports PowerVM virtualized Power8/9/10 systems or only the linux-only systems?
13:05:22 i just tried booting 14.2 (both big and little endianness) on an S822 (Power8) system in an lpar, but i only get an error on boot
13:49:57 scoobybejesus: OK, but out of curiosity, then what caused the SSL error? your proxy was malfunctioning? because the description for that error said it should be something unrelated to the peers or their exchange
14:38:32 I did not confirm (I suppose I may try later) but I suspect getting the middle of a tcp stream causes the recipient to immediately respond with "this is nonsense", which is why the immediate response is to request to close the connection
15:00:48 re: the ssh MitM attack - assuming VerifyHostKeyDNS /is/ set to yes, is that mitigated by DNSSEC? I do publish SSHFP RRs to my DNSSEC-enabled domains...
16:55:24 jschmidt: I'd guess it is not a mitigation. From the attack description: "as if no error had occurred, and without checking the server's host key at all." https://www.openwall.com/lists/oss-security/2025/02/18/1
17:49:59 ok, then "ouch". :^)
17:53:11 I will try again, how well supported do Dell laptops (from 2018/2019) tend to be in FreeBSD? Thanks
17:59:22 uskerine: https://bsd-hardware.info/?view=computers&year=all&vendor=Dell
20:34:15 thanks, shall I understand this one is reasonably supported?
20:34:45 https://bsd-hardware.info/?probe=0f9d0c49d2 lts
23:08:11 let's say i do 'zfs create -o mountpoint=/export zroot/export', then it's fine to do 'zfs create -o mountpoint=/export/home data/home', right? since zroot (the root pool) is mounted before data and will never be unmounted, this should work okay
23:13:23 ivy: yes
23:19:33 thanks