Contributed by
rueda
on
from the saner-future-than-past dept.
Thanks to a
commit
by Damien Miller (djm@),
scp(1) (in -current)
now defaults to using the
SFTP protocol:
CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2021/09/08 17:31:39
Modified files:
usr.bin/ssh : scp.1 scp.c
Log message:
Use the SFTP protocol by default. The original scp/rcp protocol remains
available via the -O flag.
Note that ~user/ prefixed paths in SFTP mode require a protocol extension
that was first shipped in OpenSSH 8.7.
ok deraadt, after baking in snaps for a while without incident
In a recent
message
to tech@ Martin Pieuchot (mpi@) wrote about
analysis of kernel lock contention.
We reproduce the message(s) here, reformatted with his permission.
Unlocking UVM [virtual memory - Ed.]
faults makes build time decrease a lot and improve the
overall latency of mixed userland workload. In other words it gives
a smoother feeling for "desktop usage": it is now possible to do 'make
-j17' and watch a HD video at the same time.
CVSROOT: /cvs
Module name: src
Changes by: florian@cvs.openbsd.org 2021/09/03 03:13:00
Modified files:
usr.sbin/traceroute: Makefile traceroute.8 traceroute.c
traceroute.h worker.c
Log message:
Make traceroute(8) faster by sending probes and doing DNS async.
Traditional traceroute would send one probe and then wait for up to 5
seconds for a reply and then send the next probe. On a lossy link that
eventually ends in a black hole this would take about 15 minutes and
people would hit control-c in anger.
This rewrites the traceroute engine to use libevent and asr's async
DNS interface. Probes are now send every 30ms or as soon as we get an
answer back. With that we got the 15 minute worse case down to about
10 seconds.
A minor adjustment that is possible with this is to delay printing a
line until we get to a line with answers. This has two effects:
1) If there are intermediate hops that don't answer, output pauses for
a bit so we keep the visual cue of "something might be wrong here".
2) If there is a black hole at the end, we don't print out many "* * *"
lines and thus scrolling the interesting bits out of the terminal.
We collapse those lines and just print
64 * * *
at the end.
Unfortunately the -c option to send udp probes to a fixed port had to
go for now. But we should be able to add it back.
"Once you have seen the new one you can't go back to the old one" &
enthusiastic OK deraadt@
OK sthen@
"I am very distressed that florian went to bed without committing it"
beck@
Florian tooted
links to recordings showing the
old
and
new
behaviours with an earlier version of this work.
Contributed by
rueda
on
from the xterms of unveilment dept.
With the following
commit,
Matthieu Herrb (matthieu@)
gave
xterm(1)
some
unveil(2)
goodness:
CVSROOT: /cvs
Module name: xenocara
Changes by: matthieu@cvs.openbsd.org 2021/09/02 03:31:38
Modified files:
app/xterm : main.c
Log message:
Unveil paths needed by xterm at run-time. work with tb@ and deraadt@
Only in (default) case where there are no exec-formatted or
exec-selected resources set. In those case the commands and their
arguments could be anywhere.
Contributed by
rueda
on
from the iked naming things dept.
With the following
commit,
Tobias Heider (tobhe@)
added client-side support for DNS configuration
to iked(8):
CVSROOT: /cvs
Module name: src
Changes by: tobhe@cvs.openbsd.org 2021/09/01 09:30:07
Modified files:
sbin/iked : config.c iked.c iked.h ikev2.c ikev2_msg.c
ikev2_pld.c policy.c types.h vroute.c
Log message:
Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.
Automatic name server configuration is enabled by default for policies using
the 'iface' option.
discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@
Contributed by
rueda
on
from the hit-me-hit-me-hit-me dept.
Job Snijders (job@)
imported
the
timeout(1)
utility from NetBSD:
CVSROOT: /cvs
Module name: src
Changes by: job@cvs.openbsd.org 2021/09/01 09:50:34
Added files:
usr.bin/timeout: Makefile timeout.1 timeout.c
Log message:
Import timeout(1) from NetBSD
The timeout(1) utility can be used to run commands with a time limit.
OK deraadt@ beck@
I have a simple DSL line with 15 Mb/s in download and 900 kb/s upload rates and there are many devices using the Internet and two people in remote work. Some poorly designed software (mostly on windows) will auto update without allowing to reduce the bandwidth or some huge bloated website will require lot of download and will impact workers using the network.
The point of this article is to explain how to use OpenBSD as a router on your network to allow the Internet access to be used fairly by devices on the network to guarantee everyone they will have at least a bit of Internet to continue working flawlessly.
Contributed by
rueda
on
from the winter-of-our-disk-content dept.
Theo de Raadt (deraadt@)
committed
a change which significantly reduces
hibernate
time on machines with larger amounts of RAM:
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2021/08/30 03:45:29
Modified files:
sys/kern : subr_hibernate.c
Log message:
increase hibernate writeout speed a little. modern machines have vast
tracts of unused memory, and the empty-space RLE scanner (uvm_page_rle)
would rescan for empty space needlessly wasting excessive cpu time
16G machine, 100sec -> 9sec
40G machine, 325sec -> 28sec
with kettenis mlarkin
Contributed by
rueda
on
from the Really Senile Algorthms dept.
In a
message to tech@
Damien Miller (djm@)
explained the consequences of his recent
commit:
[…]
RSA/SHA1, a.k.a the "ssh-rsa" signature type is now disabled by default
in OpenSSH.
While The SSH protocol confusingly uses overlapping names for key and
signature algorithms, this does not stop the use of RSA keys and there
is no need to regenerate "ssh-rsa" keys - most servers released in the
last five years will automatically negotiate the use of RSA/SHA-256/512
signatures.
This has been coming for a long time, but I do expect it will be
distruptive for some people as there are likely to be some devices
out there that cannot be upgraded to support the safer algorithms.
In these cases, it is possible to selectively re-enable RSA/SHA1
support by specifying PubkeyAcceptedAlgorithms=+ssh-rsa in the
ssh_config(5) or sshd_config(5) for the endpoint.
Please report any problems here, to bugs@ or to openssh@
[…]
TL;DR:
The "ssh-rsa" signature type is now disabled by default.
"ssh-rsa" signatures can be selectively re-enabled if necessary.
RSA ("ssh-rsa")
keys are not affected by this change and remain valid.
We are constantly on the lookout for stories of how you put OpenBSD to work.
Please submit any informative articles on how OpenBSD is helping your company.
