-
anth
mmlj4: I have 2 (sometimes 3) freebsd hosts with vultr. 2 regularly send mail; i’ve had no issues.
-
cedar
Good evening gentlemen
-
cedar
I'm trying to install FreeBSD on my Mac mini G4 but I can't connect to the network. "gem0: cannot reset transmitter" "gem0: cannot reset receiver". DHCP fails and I cannot download installation files from the mirror, etc.
-
cedar
Tried on 14.2 and 13.5, same behavior
-
cedar
Before anybody says "PowerPC is a Tier 2 platform" Yes, I am aware.
-
CrtxReavr
Can you pastebin the content of 'pciconf -lv' ?
-
cedar
-
r0ni
cedar: i'm pretty sure you have to build a custom kernel with the hardware support, but maybe that was an intel mini that was for, i don't recall which specific, there was a page explaining what to do years ago
-
cedar
-
cedar
seems to be supported... somewhat recently
-
cedar
-
cedar
Someone posted about this on the forums recently
-
r0ni
huh well i've sadly not touched a ppc mac in over a decade, but my last g5 i did put fbsd on and it did all work then but that had to be like v11 or 12, maybe older
-
cedar
r0ni: i also tried on my G5, couldn't even get the installer to boot
-
cedar
powerpc64 should be a more supported platform though...
-
yourfate
i'm setting up a fresh freebsd on a vps. somehow I can log in locally via serial console, but I can't SSH, it tells me password wrong, i'm very sure it's right, even accounting for keyboard layouts etc
-
yourfate
I have set up several freeBSDs before, and i'm kinda lost :D
-
ivy
yourfate: what does /var/log/auth.log say?
-
yourfate
PAM Authentication error for root
-
yourfate
from...
-
yourfate
I'm just trying to get an ssh key in there somehow, so I can stop using the serial console :D
-
yourfate
i'm very close to actually typing an ed25519 key into the serial console lol
-
ivy
did you enable PermitRootLogin in /etc/ssh/sshd_config? i think this might be disabled by default, although i wouldn't expect a PAM error from that
-
yourfate
the permit root login line is commented
-
yourfate
i'll change it and reboot, but I also doubt that's it
-
ivy
the default is no, so you should uncomment it and change it to yes, then restart sshd, no need to reboot
-
ivy
remember to change it back afterwards
-
yourfate
same same
-
yourfate
error wise
-
yourfate
I have also changed the pw again, just to be extra sure
-
yourfate
hmm I created a new user, with the same pw, and could log in
-
yourfate
after that I could log in as root too.
-
yourfate
I have now uploaded a key and disabled password auth
-
rwp
yourfate, Almost certainly the previous user was not in the wheel group but the new user is in wheel and can su.
-
yourfate
I can now log in with root
-
yourfate
which didn't work before
-
rwp
The ssh in as root is as ivy said, the default for PermitRootLogin is No.
-
yourfate
I changed that
-
yourfate
but it only worked after I created a new user for some reason
-
yourfate
even tho I had restarted sshd
-
yourfate
anyways, it works now
-
yourfate
well, rn it doesn't, but that's b/c I hosed the network config
-
rwp
Computers are like cats. Subtle and quick to anger.
-
yourfate
they sense weekness
-
yourfate
weak
-
ZedHedTed
horses sense weakness too
-
ZedHedTed
you show it you're afraid, it will fuck w/ you
-
yourfate
my Grandpa always said horses are dangerous in the front and back, and uncomfortable in between.
-
yourfate
he's a Farmer.
-
rwp
Old proverb: Don't approach a goat from the front, a horse from the back, or a fool from any side.
-
jgh
ah, but a mule can kick in any direction
-
polarian
hmmm, anyone here run a freebsd server?
-
polarian
-
polarian
but it seems to be a big workaround for it
-
polarian
so do most people run freebsd without FDE (server use)?
-
ivy
<polarian:#freebsd> hmmm, anyone here run a freebsd server?
-
ivy
no
-
ivy
what's a server
-
polarian
alright dumb question I know
-
polarian
please dont kill me :P
-
polarian
I should have asked, does anyone run a freebsd server with FDE?
-
polarian
better >:)
-
ivy
FDE? Federal Dick Expansion?...
-
polarian
ivy in a trolling mood today?
-
polarian
Full Disk Encryption
-
ivy
a little, yes, but only because i know you can take it
-
ivy
but i also have no idea what "FDE" means
-
polarian
weird, I thought FDE was a well-used acronym
-
tykling
it is
-
ivy
i have never heard it before, but i try to avoid anything related to corporate IT, so take that how you will
-
polarian
right... you must also avoid security channels too then eh? >:)
-
ivy
polarian: but to provide a helpful (?) answer, if you want federal dick encryption for zfs etc., you probably want geli
-
ivy
this is, as far as i know, the only encryption system supported in the boot loader
-
polarian
I know how to do FDE, I use it on my laptop
-
polarian
problem is, its attended
-
polarian
and for servers, you dont want to attend the boot
-
polarian
(especially if I am off at EuroBSDCon)
-
ivy
well if your encryption is unattended what is the point of it?
-
ivy
anyway who steals your server can boot it and mount the filesystems
-
polarian
well for servers it helps to easier disposal of disks
-
ivy
s/anyway/anyone/
-
ivy
polarian: ah, in that case consider zfs native encryption
-
tykling
polarian: there is, to my knowledge, no good (meaning 100% secure) solution to this problem on any operating system
-
ivy
this used to be broken but it was recently fixed
-
polarian
hmm
-
polarian
how would zfs encryption be unattended
-
polarian
doesnt it still need a passphrase?
-
tykling
avoid native zfs encryption, it is shitty and buggy, use geli
-
polarian
(yeah I know about the zfs encryption bugginess --> is useful for per-user home encryption though)
-
ivy
polarian: it will be unattended if you want to mount /myCIAfilesystem and you store the keys in /etc/zfs/keys/cia.key
-
polarian
-
ivy
polarian: the "zfs encryption bugginess" is supposed to be fixed now which is the only reason i recommend it
-
tykling
polarian: you are just moving the problem
-
polarian
tykling: indeed I am
-
ivy
<tykling:#freebsd> avoid native zfs encryption, it is shitty and buggy, use geli
-
polarian
I was thinking of also using a rpi as a terminal server and yeah but ugh idk
-
ivy
wrong
-
polarian
I cant decide tbh
-
ivy
tykling: the only known bug in zfs encryption is fixed
-
polarian
running unencrypted is the easiest choice, but also means I have to be more careful handling disks, and to properly destroy them
-
polarian
keyfile encryption can help shift the problem to a more easily destroyed medium
-
polarian
passphrase is obviously the best one, but requires attended boot + secure passphrases (and a lot of them) which inevitably means writing them down or storing them in a password manager, which adds another factor of security to consider
-
ivy
you need to sit down and think about your process and your threat model
-
ivy
because this question reminds me of everyone who is like "i want no one to be able to access my data but i never want to provide a key"
-
polarian
Linux security people all use TPM2 decryption which would link the disk encryption to the hardware, and then they lock the bootloader, but in many cases this can be bypassed as you jump a pin, flash the stock bios back to it and then you can load an os you control and decrypt the disks.
-
polarian
so there is no perfect way
-
ivy
of course not
-
polarian
ivy: I have thought about it for about 6 months and I still cant decide, so I am seeing what others do now >:)
-
polarian
copying peoples homework :P
-
polarian
im in a lot of security paranoid circles, but they are Linux focused, so obviously they shill TPM2 encryption, but even if I wanted to, FreeBSD doesnt have support for it (well actually I heard it does, but just not documented, if anyone knows more about this?)
-
polarian
but anyways TPM isn't ideal anyways
-
polarian
ivy: what do you do then?
-
ivy
what do i do what?
-
nimaje
well, you should start with your threat modeling
-
ivy
if you're asking how do i secure my data there are so many answers to that depending on the data in question
-
ivy
e.g. ssh keys, i store those in my password manager, i forward them to certain specific hosts
-
ivy
movies i downloaded from bittorrent, i don't secure those at all, anyone on my network can download them via ftp, rsync, http, etc
-
polarian
nimaje: have done already, currently I dont FDE for this exact annoyance I am discussing right now, I self host so physical security is something I can do myself, but also they are in the open in a REDACTED place, which means anyone who enters my home could smuggle out a disk, so ideally I want to make it as difficult as possible to ensure family/visitors do not go tamper (family not too worried about)
-
polarian
I am not going to be able to stop a full squad of armed police from raiding my home and decrypting my disks obviously, but I also dont want to make it as easy as snatching them and mounting them elsewhere
-
tykling
I mean, you can prevent that sort of thing with just a separate geli partition with zfs which you mount manually after boot, and have all the interesting data on that
-
polarian
I was also interested in keyfile a while back to harden a passphrase protected laptop, as when in public people can overlook you entering your passphrases, unlikely to be a problem, but it was an idea, but storing keyfile on a different device seems to be a difficult task so I just use passphrase
-
tykling
no one in that threat model is going to be backdooring your geli executables while you are out and about
-
ivy
evil geli maid
-
hodapp
"there is, to my knowledge, no good (meaning 100% secure)" - basically any reference to "100% secure" as a meaningful bar for comparison negates any other point a person may have
-
tykling
oh thanks
-
polarian
hmmm
-
polarian
that brings up more issues though, services which store data on $encrypted_partition would then fail to start on boot, which means each boot you would need to ssh in and mount it, I guess you could write a "startservices.sh" script which onestart's all the services after decryption
-
polarian
its a good work around, but adds complexity
-
polarian
also you have the consideration of data leaks in logs (so possibly /var/log should be encrypted)
-
ivy
polarian: i am sorry but no one is going to give you a good answer when you ask technical but extremely basic questions like this
-
polarian
ivy: "technical but extremely basic" --> elaborate?
-
ivy
polarian: you ask questions from a technical point of view (e.g., talking about /var/log) but you seem to have no understanding of threat model as it relates to disk encryption
-
ivy
the best advice i can office is, on a desktop, buy a Mac, on a server, use geli as offered in the freebsd installer
-
ivy
s/office/offer/
-
polarian
I would rather die than use a macbook
-
polarian
also I do have a threat model for it
-
polarian
just... im a little lazy to explain
-
ivy
polarian: you know Thatcher used a MacBook?
-
polarian
and?
-
ivy
aren't you required to copy her?
-
polarian
no
-
polarian
free will
-
ivy
polarian: Atlas used a MacBook
-
polarian
I cracked open a cold beer now, gotta be productive tonight :P
-
polarian
anyways, I have done the software security shit
-
ivy
it's kind of frustrating that i spend so long getting reviews on bridge(4) changes and then someone feels fine sending an email like "bridge gone wrong"
-
polarian
the main issue I have is the exact situation I explained above, I want to protect more against visitors tampering... but it does seem after further thinking that this is a situation where if I want it to be simple, I either pick unencrypted or use passphrase and attend the boot. tykling's solution is more complicated but is a compromise between the two... and because I would like to share this server it does mean others can attend the boot remotely over ssh provided I securely share the decryption key. My problem is, I am the worst for aiming for perfection which is exactly why I came here this evening
-
polarian
if I keep on thinking I will never *do*
-
polarian
and something, even if it is not the best, is better than *nothing*
-
polarian
ivy: ah you patch FreeBSD network stack/
-
polarian
?
-
ivy
polarian: not sure about "network stack" but i'm basically the only person maintaining if_bridge
-
polarian
hey ivy getz wanted me to ask whether you are coming to EuroBSDCon cause hes too shy to ask himself :)
-
getz
indeed
-
ivy
i am not
-
getz
i have been training polarian in the way of the blade the past 6 months
-
polarian
blade!?!?
-
polarian
ivy: Well I guess we can nickname you IvyBridge then can't we >:)
-
getz
this is gonna turn into #freebsd-offtopic real soon
-
ivy
polarian: excellent joke
-
polarian
funny enough I am using an ivy bridge cpu right now :P
-
ivy
i am using a Raptor Lake CPU which is much more exciting
-
polarian
getz: its still ontopic... mostly :P
-
ivy
will it break? randomly crash? who knows
-
polarian
russian roulette, FreeBSD edition!
-
polarian
hmmm... yk what fuck it, the board has serial, I will do FDE and later plug an OpenBSD'd RPI into the serial and use it as a terminal server over shs
-
polarian
ssh*
-
polarian
thanks for the help with me being indecisive ivy and tykling
-
getz
polarian: remember to not use default passwords ;)
-
polarian
getz: haha funny
-
polarian
if Ivy doesnt matter I will nickname them IvyBridge for now on for the giggles
-
polarian
I like it too much
-
polarian
getz: dont you have patches to be writing
-
polarian
Aymeric is not a committer, and you are not... obviously haven't been doing enough work have you getz tut tut tut
-
polarian
s/not/now/
-
getz
polarian: aymeric got his commit bit a few days ago
-
polarian
getz: ik
-
polarian
wheres yours?
-
cyric
he's being smart and avoids punishment
-
sponix2ipfw
FreeBSD bareMetalFreeBSD 15.0-CURRENT FreeBSD 15.0-CURRENT #0 main-n279073-763d1bc05a71: Fri Jul 25 19:55:24 CDT 2025 root@bareMetalFreeBSD:/usr/obj/usr/src/amd64.amd64/sys/GENERIC-NODEBUG amd64 1500054 1500054
-
sponix2ipfw
how do you get poudriere to retry the ones from your bulk that failed prior?
-
zi
sponix2ipfw: just rerun it as you can it before. it'll find what's missing and rebuild
-
zi
er s/can/did/
-
sponix2ipfw
hmm, I had that with llvm19 and it never would actually even try it again, even when I specified it
-
zi
are you sure it failed?
-
sponix2ipfw
odd part is, it didn't generate any errors after the 1st fail either LOL
-
zi
it might have successfully built the time after
-
sponix2ipfw
zi: yeah, it got killed for taking too long on the 1st run
-
zi
check the packages directory
-
SponiX
-
CrtxReavr
PROBLEM DRINKER:
-
CrtxReavr
A man who never buys.
-
Remilia
sponix2ipfw: does poudriere actually kill builds by timeout? I've never seen that happen before…
-
Remilia
99% of the time my llvm builds fail due to OOM kills :D
-
SponiX
Remilia: there is a value for it in its configuration file, and yes -- mine did -- it was like 18+ hours
-
Remilia
since the poudriere VM only has 16 GB RAM
-
SponiX
Remilia: your box may not have 256G of ram ;)
-
Remilia
it has 32, it is my desktop PC from 2019 haha
-
sponix2ipfw
mine is from 2015/2016
-
Remilia
I run poudriere in Hyper-V
-
sponix2ipfw
X99 for LIFE
-
sponix2ipfw
Remilia: you are sick and twisted
-
Remilia
perhaps, but I also need to be able to do my job and also engage in my hobbies
-
sponix2ipfw
I'm just giving you shit ;)
-
sponix2ipfw
my day job is watching Microsoft stuff crash at the gas station and getting paid to reboot it over and over
-
Remilia
my day job is localisation which revolves around Excel
-
Remilia
sponix2ipfw: more importantly *nix systems as desktop/primary interfaces for me only worked with IRIX and Solaris, and this is entirely my fault
-
sponix2ipfw
I was IT, but sucked at trying to keep Microsoft running -- so I gave up
-
Remilia
since I need accessibility tools
-
Remilia
and accessibility has been an issue in *BSD and Linux for me since like 1990s
-
sponix2ipfw
Yeah, it is still a weak spot in X11 let alone Wayland
-
sponix2ipfw
improving slowly I hear, but I don't depend on it, so have no real ideas
-
sponix2ipfw
closest thing for me is larger fonts because my vision isn't the best in my old age
-
Remilia
it is improving but the issue is that it was always an afterthought until very recently haha
-
Remilia
I don't hard-require accessibility stuff but it is very nice to have when I take my contact lenses off
-
Remilia
plus in localisation you sometimes have to test that stuff too
-
Remilia
...and 99% of accessibility framework users are on Windows/Mac OS
-
sponix2ipfw
speaking of, I need to swap my hexchat over to dark mode before it drives me nuts
-
sponix2ipfw
my systems are in the bedroom with light and noise to a min -- so team headphones and dark mode always
-
sponix2ipfw
I might have to swap over to my Linux box -- this build stuff is starting to make this one lag a bit
-
sponix2ipfw
much better
-
sponix2ipfw
kinda dumb that you have to restart the app for that, but whatever
-
sponix2ipfw
I'd need to buy Excedrin Migraine in bulk if I worked with Excel as my day job
-
Remilia
sponix2ipfw: such is life in localisation, it's basically the common exchange format and everything else also relies on it because it is already in use
-
Remilia
Excel, the real noSQL database
-
sponix2ipfw
yeah, end up with a lot of legacy stuff like that in IT -- it is just still used because that is how it has always been, and it would take tons of effort to do it another way
-
sponix2ipfw
like depending on Microsoft SQL and Sharepoint for the Military information portal. Not ideal, and when the db grows too large it becomes unstable as hell, but keep tossing more hardware at it and apply as many patches of duct tape as possible
-
sponix2ipfw
exchange -- same way, end up spending all your time migrating data from one store to another to attempt to balance boxes and keep the whole things floating
-
sponix2ipfw
better solutions to all of this exist, but they would all take folks with skills/training, instead of folks that can click around in circles
-
sponix2ipfw
and with a high turn over rate, easier to again -- toss more hardware at it
-
sponix2ipfw
we had hundreds of thousands of dollars worth of gear in our server room to do less than what my current home systems can :)
-
Remilia
well, Bank of Tokyo still runs its mission critical stuff written in COBOL, on the same mainframe they got in the 70s
-
Remilia
it works and they have unsuccessfully tried to move it over to modern hardware several times already
-
o0x1eef
I wish this were true more often in tech
-
noobaroo
hey, is it possible to boot FreeBSD with grub?
-
noobaroo
I have a single internal SSD. I would like to have a single EFI partition and have options to boot either Linux or BSD
-
polarian
grub cant properly boot BSD
-
polarian
BSD's come with their own loader...
-
polarian
also BSD loader is needed for geli
-
nimaje
an EFI partition can hold multiple boot loaders, how about using that?