Daniel Jakotshttps://oldblog.chown.me/2020-04-08T10:20:00-04:00How I accidentally wrote a static site generator2020-04-08T10:20:00-04:002020-04-08T10:20:00-04:00Vigdistag:oldblog.chown.me,2020-04-08:/blog/pics2html.html<p>How I accidentally wrote a static site generator</p><h1>Some context first</h1>
<p>I bought my
<a href="https://en.wikipedia.org/wiki/Digital_single-lens_reflex_camera">DSLR</a> at the
end of 2014. I wanted to host the resulting pictures somewhere. I never liked
Flickr much, so I went with 500px. I liked the website and the UI/UX was pretty
nice. The community was pretty cool. Having skilled photographers around is
really valuable, as you can learn and find inspiration. But it might also hurt
(it definitely did, sometimes) to see photographs much better than yours!</p>
<p>For some reason, I kinda stopped photography in 2017. I took a few pictures
here and there but didn't do anything with them. Basically, the cost (i.e. the
time the whole thing took) was way too high for what I felt I got from it
(emotions or whatever).</p>
<p>At the beginning of 2020, I went through all my data on my personal storage
(which included my pictures) to sort and rearrange them. It made me happy to
have all those <em>souvenirs</em> and I thought I should really go shoot again.</p>
<p>This narrative is not entirely true, though. ;)</p>
<p>While it did happen, it didn't happen initially. I bought <a href="https://dumpster.chown.me/mastodon/media_attachments/files/000/050/759/original/18e91ddf4f0c6ce4.jpeg">a case for my
photography
gear</a>
for unrelated reasons (compulsive buying) and thought if I was spending money
on it again, I should make good use of it. Nevertheless, the souvenirs really
nailed my motivation!</p>
<p>Initially, I thought I could keep using 500px but I realized I'd lost my access
and that during my hiatus <a href="https://support.500px.com/hc/en-us/articles/360017752493-Security-Issue-February-2019-FAQ">they had been
pwned</a>.
Now that I have more experience publishing pictures on the Internet, I have a
better idea of what I want and care about. During the ensuing years, I have
also acquired much more experience in <a href="./infrastructure-2019.html">hosting my own
services</a>, which I try to do for everything I use.</p>
<h1>Looking for some FOSS</h1>
<p>I thought writing my own would be difficult/time consuming, so I went for doing
what I do best: using existing Free Software. I carefully thought through my
requirements, and here they are:</p>
<p>A quality project is both subjective, and an obvious requirement so I won't
talk more about it. But PHP apps written by someone who wanted to make their
first project? I'll pass. :)</p>
<p>I really care about showing <a href="https://en.wikipedia.org/wiki/Exif">EXIF</a> for
pictures. As with software, being able to study how they're made is really
helpful. I feel like pictures without EXIF are as interesting as closed source
software, so I tend to ignore both. (In a photography context, of course. I
won't look at which phone model took that cat picture).</p>
<p>On a side note, surprisingly, I learned that people recently created gallery
software and added machine learning. Well, I've better use for my computing
power and I prefer simpler things.</p>
<p>AND SHOW THOSE DAMN EXIF!</p>
<h1>Writing my own - the process</h1>
<p>Sadly, I didn't find anything that met those two simple requirements.</p>
<p>Because of that, I thought I would either write something myself or put the
photos into my blog. I was not very fond of the idea of putting my pictures on
my blog (as a weird application of the "do one thing and do it well" rule), but
even if I were to do so, I wouldn't want to extract the EXIF myself/manually
for each picture.</p>
<p>I began writing a python script which parsed the EXIF, which was kind of funny.
For instance, the library I use gives a tuple for the exposure and depending on
each field's value, <a href="https://github.com/danieljakots/pics2html/blob/c08e2b17476e28e8304bfaadc94f76d77d4c74df/pics2html.py#L62-L74">it has a different
meaning</a>.</p>
<p>I had already used jinja2 in my <a href="https://github.com/danieljakots/uv">uv</a>
script, so I thought "let's generate a basic html page!" since it was easy.
That was my planned alternative to using my blog. Since I know nothing about
web design/frontend and I wasn't very enthusiastic, I thought maybe I would
later hire someone to do it.</p>
<p>I began to add some very basic CSS to experiment. I had scavenged it from some
random website which had the nice quality of being very simple! I was happy
with the result, so I tried to improve it further. I thought "if I'm stuck or
stop having fun, then I'll look into hiring" which eased my mind a lot!</p>
<p>Surprisingly, I didn't struggle that much and I did have fun! Tackling one
small issue at a time made it a breeze.</p>
<p>I thought that using icons was better than text since they convey as much
information while being much much shorter. I had bookmarked a <a href="https://github.com/tabler/tabler-icons">set of
icons</a> (because they're MIT-licensed) a
few days before, thinking "I doubt I'll ever need these, but who knows?" The
set didn't have an icon for the <em>lens</em> so I used the <em>lego</em> icon. It looks
similar and it has a smile on it! What's not to love?</p>
<p>During the process, I went to look at how I did stuff with my blog and I
noticed it was a complete mess. Seeing how easy writing a static site generator
was made me want to write one for my blog. So, stay tuned! ;)</p>
<h1>The result</h1>
<p>The result is available here: <a href="https://px.chown.me/">https://px.chown.me/</a>. The <a href="https://github.com/danieljakots/pics2html">code is, of course,
available</a> as well.</p>
<p>I would not necessarily advise someone to reuse the code as-is (even though you
definitely can since it's Free Software). It's pretty tailored to my needs. For
instance, the red color used is the same as on my <a href="./new-design.html">blog</a>
(coherency FTW). I made no effort to make it easily customizable, more than
what I needed to make the code maintainable (up to a certain point, since I
have exactly 0 tests... I already feel my future self's frustration, <em>oops!</em>).</p>
<p>That said, if you're thinking about building something similar, you're totally
free (well as long as you abide by the license terms ;)) to study/take parts
from it!</p>
<p>I'm really happy with the result. The code is pretty simple (though some hacks
exist here and there), as you would expect from a less-than-300-line python
script. I learned quite a few things (e.g. improved my skill with jinja2,
discovered that creating a RSS feed is actually not that hard, etc). I'm really
happy with how the website looks. Doing web design is completely out of the
ordinary for me, so it was nice to do something different!</p>
<p>And it's funny... I do things that are 1000x times more complicated, but
generating 200 html files with a single command really feels like magic!</p>My infrastructure as of 20192020-03-06T10:20:00-05:002020-03-06T10:20:00-05:00Vigdistag:oldblog.chown.me,2020-03-06:/blog/infrastructure-2019.html<p>My infrastructure as of 2019</p><p>I've wanted to write about my infrastructure for a while, but I kept thinking,
"I'll wait until after I've done $next_thing_on_my_todo." Of course this cycle
never ends, so I decided to write about its state at the end of 2019. Maybe
I'll write an update on it in a couple of moons; who knows?</p>
<h2>Goal for this infrastructure</h2>
<p>The goal for my infrastructure is to run the services I need. While a lot of
people in the homelab community experiment and play with software for its own
sake, I actively use the stuff I host. When I stop, I kill the service (though
I'm not as proficient at this as <a href="https://killedbygoogle.com/">Google</a>). These
are my production systems, and when one of them is down, I do miss it.</p>
<p>I kind of enjoy working on this infrastructure, but not that much (I used to
enjoy it more), so I'm careful with the software I choose. I want to spend time
on it when <em>I want to</em>, not because <em>I have to</em> (e.g. because something broke).
Consequently, I do my best to pick reliable, boring and easy software. Those
are my kinks.</p>
<p>Why do I host this myself? Mostly trust issues, and the fact that I care about
sovereignty.</p>
<p>I tend to lock down services as much as I can, either cutting them off
completely from the Internet (e.g. for <em>imap</em>) or running them on a
non-standard port and <a href="./2FA-with-ssh-on-OpenBSD.html">enabling 2FA</a>. I don't
use a VPN (mostly because I haven't come up with a nice, clean option yet), so
I restrict access to my services in different ways.</p>
<p>For most things, I'm the only user, which is both sad (as it's a waste of
resources) and great (as I can be more nimble). A notable exception is my
mastodon instance which is also used by <a href="https://awoo.chown.me/@jeancanard">my
cat</a>.</p>
<h2>Machines</h2>
<p>My machines are hosted in 3 different places. First is at
<a href="https://www.exoscale.com/">Exoscale</a>, second is
<a href="https://www.vultr.com/">Vultr</a> and the third is... my flat.</p>
<p>All of them run either OpenBSD on its -current branch, or the latest version of
Ubuntu. At this time, that's Ubuntu 19.10. After a couple of years working on
OpenBSD ports (i.e. packaging), I believe fresh software is better,
security-wise.</p>
<p>They're managed with Ansible. I began my Ansible repository 4 years ago and it
has about 1500 commits in it. I wrote the Ansible to fit my needs rather than
making generic (and therefore reusable) roles, so it's not public.</p>
<p>I update the OpenBSD machines regularly to a newer OpenBSD snapshot (so of
course the process has been
<a href="./upgrading-openbsd-with-ansible.html">automated</a>). For Ubuntu, I prefer to
reinstall them, since they're managed by Ansible and they don't have any data
on them. Reinstalling machines regularly helps spot missing pieces in Ansible.
:P</p>
<p>All the three sites are as
<a href="https://en.wikipedia.org/wiki/Loose_coupling">standalone</a> as possible. This is
both so that in the case that one gets pwned it won't help the attacker to
<a href="https://en.wikipedia.org/wiki/Network_Lateral_Movement">move laterally</a>, and
so that if one is unavailable it shouldn't impact anything else.</p>
<h3>ns3.chown.me (OpenBSD)</h3>
<p>It's my secondary name server and as you can guess, it replaced ns2. It's the
only machine that I don't back up, since I can replace it with my Ansible
without losing data.</p>
<p>It's hosted by <em>Vultr</em>. I mostly picked them because they offer OpenBSD
hosting. This virtual machine is in Toronto and has 1 CPU and 512M of ram.
(Disk space is not relevant here).</p>
<p>I wanted a different hosting provider/AS than my main name server for obvious
reasons of resiliency. Every now and then I think about using another name
server (whether instead of this machine or in addition to it, I don't know)
provided by my registrar (Gandi), but it has a low priority on my todo list.</p>
<p>The name server I use is <em>NSD</em>. I could use another one (like <em>knot</em>) as my
main name server also uses <em>NSD</em>, but the issues related to running the same
software on both aren't that serious in my case.</p>
<p>Since this machine doesn't do much otherwise, it's running
<a href="https://github.com/danieljakots/mownitoring">mownitoring</a> to check that
everything works.</p>
<h3>virtie.chown.me (OpenBSD)</h3>
<p>This virtual machine is the main one in my infrastructure. A moment ago your
browser connected to it to get this page. :)</p>
<p>It's hosted by Exoscale (with whom my experiences have been nothing less than
perfect). It's my oldest VM (4 or 5 years old). It has 1 CPU, 1G of ram and 50G
of disk space.</p>
<p>To host my blog I use OpenBSD's httpd which is fronted by <em>HAProxy</em>. While I
could remove <em>HAProxy</em>, I like this software and I trust it <a href="https://ftp.openbsd.org/pub/OpenBSD/patches/5.6/common/022_httpd.patch.sig">more
than</a>
<a href="https://github.com/openbsd/src/commit/49b1a9b154081c713af219b2422adaf51ca2584d">httpd</a>.</p>
<p>In addition to hosting my blog, it hosts my email. I switched to <em>postfix</em> in
the beginning of 2019 after a couple of years running <em>OpenSMTPD</em>. Since I
switched to <em>postfix</em> I also dropped <em>spamd</em> (the OpenBSD greylisting daemon).
I enabled <a href="https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS">FCrDNS</a>
on <em>postfix</em> when I switched (at the time it was not available on <em>OpenSMTPD</em>)
and I didn't notice more spam. I use <em>Dovecot</em> for imap with only my IP
allowed. I can easily allow another IP address with <code>pfctl -t imap_allowed -Ta
203.0.113.47</code>.</p>
<p>I've never really had deliverability problems (except with Microsoft, but who
can say they haven't?) I assume my IP has a good reputation, which is why this
VM is the oldest, as I've been reluctant to lose it.</p>
<p>This machine also hosts a <em>gitolite</em> for a couple of different internal git
repositories.</p>
<h3>pancake.chown.me (OpenBSD)</h3>
<p>This machine is an <a href="https://pcengines.ch/apu2.htm">APU2</a>. It acts as a router
for my flat. Since it's way more powerful than necessary for this task, I put
some other stuff on it. It's a trade-off between increasing the attack surface
of a critical machine and leaving a lot of CPU/RAM/SSD unused.</p>
<p>I collect <a href="https://en.wikipedia.org/wiki/NetFlow">flows</a> on it, which in my
opinion are super cool!</p>
<p>It also hosts influxdb + grafana and some machines send their metrics with
collectd (<a href="https://collectd.org/wiki/index.php/Networking_introduction#Cryptographic_setup">which allow signing/encrypting the network
traffic</a>).
This doesn't work well for a couple of reasons, so it's waiting to be replaced.</p>
<h3>kvm1, and sometimes kvm2 (Ubuntu)</h3>
<p>These machines are hosted at home. kvm1 is the main machine, and kvm2 is the
machine I use to play Windows games on another SSD. I boot on the Ubuntu SSD
whenever I want to do something on kvm1 and then I live-migrate guests on it so
I don't experience any downtime. I use full disk encryption on the guests, so
live-migrating (instead of rebooting them) allows me to avoid having to
manually unlock each guest. I encrypt the guests and not the kvm because in the
event of a power outage, machines may come back on, in which case I don't want
them to wait for the passphrase if I'm away. Some hacks could be done to
encrypt them as well, but I'm not willing to do them since they're overkill for
my threat model.</p>
<p>Both machines have an i5-4590. kvm2 has 4x4G of ram with a 256G SSD (which is
enough for the kvm system and all the guests). kvm1 also has a 256G SSD but
while its ram layout would make anyone sensible cringe, it amounts to 20G of
ram! I don't use RAID. kvm0 (the machine they replaced) used to and I wasn't
sure it would work (and I couldn't test it safely since it was my only
machine).</p>
<p>To manage this part of the infrastructure I wrote a <a href="https://github.com/danieljakots/uv">python
script</a>. This script is kind of a wrapper
around libvirt, which itself is kind of a wrapper around qemu, which itself
<a href="https://en.wikipedia.org/wiki/Turtles_all_the_way_down">wrangles turtles</a>.
Contrary to what other people run, I think, a guest disk isn't a qcow2/raw
file. I don't want to pile filesystems on one another, so I manage guests'
disks on the hypervisor with LVM directly. I tend to have multiple disks to
bring more flexibility to the disk layout/partitioning than OpenBSD would,
thanks to LVM.</p>
<p>It hosts all the following virtual machines:</p>
<h3>manicouagan1 (OpenBSD)</h3>
<p>This machine's name dates from back when I used names from Québec to name my
machines. The name comes from the <a href="https://en.wikipedia.org/wiki/Manicouagan_Reservoir">Manicouagan
Reservoir</a>, as this
machine is where I put my backups.</p>
<p>My backups are in three different places:
- locally, i.e. each machine stores its backup on itself
- <em>manicouagan</em> copies all the backups onto itself
- <em>manicouagan</em> ships the backups to an s3-like provider</p>
<p>I use <em>BorgBackup</em> for the backup, <em>rsync</em> to copy them onto <em>manicouagan</em> and
<em>s3cmd</em> to ship them away. I tried to use <em>rclone</em> but it used more ram. Once,
I was away from my place for a long time, and my whole infra there became
unreachable, so I decided to temporarily host stuff on the cloud in the
meantime. I had to restore those backups and it went so nicely that I'm not
looking to change anything. Borg is awesome!</p>
<p>This machine is also a syslog server to which all my OpenBSD machines ship
their logs. Thanks to OpenBSD syslogd (bluhm@ <3), it uses TCP+TLS with a
private PKI. This is mostly in case one machine gets hacked, to help with
<a href="https://en.wikipedia.org/wiki/Forensic_science">forensics</a>.</p>
<p>I wrote a short script that shows me the largest data transfers on my router. I
use this to check that the backups are alive (I receive emails if the
<em>BorgBackup</em> script fails, but isn't that less fun? :))</p>
<h3>db1 (OpenBSD)</h3>
<p>This machine hosts postgresql and redis. Two boring pieces of software which I
love. Redis requires so little care that when I moved from db0, I forgot I had
it!</p>
<h3>web1 (OpenBSD)</h3>
<p>This machine runs nginx for my whole web presence excluding my blog. It hosts
<em>nextcloud</em>, <em>tt-rss</em>, <em>shaarli</em> and pics.chown.me (whose content I should
update).</p>
<p>Have you ever thought, "naah I'm too much paranoid"? Yeah, me neither. A few
months ago, I restricted all the non-static websites (with the exception of
Mastodon) behind an <em>htpasswd</em>. There was some value in having them publicly
accessible, but at the time I thought it was not worth the risk. The php-fpm
pools should be secure (they have their own users, they're chrooted and so on)
but I'm not entirely sure I'm doing this stuff properly and it is such a pain
to get it working that I'm not willing to look into it more than that.</p>
<p>Nginx also acts as a reverse proxy for the docker containers that run on
another machine. Finally, it hosts <em>minio</em> for <em>mastodon</em>.</p>
<h3>docker2 (Ubuntu, obviously)</h3>
<p>This machine runs a few docker containers through <em>docker-compose</em>:
- 3 containers for <em>mastodon</em> (<em>ruby on rails</em> stuff, a node api and <em>sidekiq</em>)
- container running the code I wrote for api.chown.me; it's a <em>flask</em>
application
- registry:v2 that I have simply to ease the transfer of docker images</p>
<p>I build all the docker images I run myself (except for the registry one).</p>
<p>My policy regarding those containers is that they must not store any data
locally (i.e. they don't have a <em>docker volume</em>). This allows me not to care
about backups. The <em>docker-compose.yml</em> is tracked in my personal git, so I can
trash the VM any time.</p>
<p>api.chown.me is for now mostly a way to sync a list of IPs to block on my whole
infra. This way, if an IP is acting badly on one machine, it doesn't get to try
its luck on another of my machines. This list is also supplemented by public
lists of threats.</p>
<h2>That's it for now</h2>
<p>Currently, my infrastructure is good at meeting my needs. It's not perfect, of
course, and it's a perpetual work in progress. But it's stable, and usually the
most I need to do is quickly patch some security vulnerabilities. Since most
of the resources I use come from reused computers hosted at my place, I'm able
to keep the cost (both financial and ecological) really low.</p>Launching my newsletter2019-01-25T10:20:00-05:002019-01-25T10:20:00-05:00Vigdistag:oldblog.chown.me,2019-01-25:/blog/launching-my-newsletter.html<p>Launching my own newsletter</p><h2>Social media</h2>
<h3>Blogging...</h3>
<p>I created this blog a few years ago because I wanted to talk about the stuff I
was experimenting with, and in my opinion it was cool to have a blog. I still have
the same opinion, but now I'm using the blog more like a portfolio. I like it
because I take a lot of care with it and I like to build high quality stuff. However,
it takes me. So. Much. Time. I have to be really enthusiastic about something to
write about it.</p>
<h3>...and micro-blogging</h3>
<p>More or less at the same time, I created my Twitter account. I've used it for
multiple years and I have realized the way it was architected to influence users was obnoxious and the way I was using it made it even worse.</p>
<p>Then came Mastodon, and while there is lot to bit^Wsay about it, many things
are much better. The community is much more friendly, and I can self-host my own
instance. (Who doesn't like to host a RoR application with all the software it
needs, PostgreSQL, Redis, Elastic Search, Nginx, and about twelve others?)</p>
<p>My use evolved from the Twitter game of trying to get new followers to...
well, I'll just quote a friend I met there: <a href="https://octodon.social/@stoof/101360489620753545">"Please talk to me before you
follow me! I am on Mastodon to make friends and be part of a
community."</a>. Nonetheless, my
micro-posts there are still somewhat shallow. Even though I have 500 characters for
each post, I don't feel the medium is the right one to allow me to express myself deeply.
Which is perfectly fine, because I enjoy shitposting and bitching about a wide
spectrum of things!</p>
<h2>In between</h2>
<h3>Why?</h3>
<p>I'll be honest and tell you what happened. Recently, I read <a href="https://blog.chaddickerson.com/2019/01/09/replacing-facebook/">Going old school: how I
replaced Facebook with
email</a>. In his
blog article, the author explained that he created a newsletter to replace the role that had been held by the Facebook account he disabled. I really liked the idea and wondered
if I could justify creating my own newsletter, especially since I had just
been working on my email setup and wanted to put it to good use. I eventually
decided to just create one.</p>
<p>I think that having something between my blog, for which writing takes a lot
of time and Mastodon, where I express myself but in a more volatile setting, would be nice!</p>
<p>The goal is to have something where I can share my feelings and my thoughts
without putting things on the public Internet (and avoiding the dread of judgment)
with a format closer to a blog article than to a micro-post on Mastodon. I hope to
create an environment more friendly to replies than what my blog articles
currently provide (as there isn't a system for comments). I'm also
curious about how the social interaction will happen. Lastly, I'll do it for
myself, as a writing exercise.</p>
<h3>What?</h3>
<p>I plan to talk about my life, what I have been doing lately or a
particular subject I care about. My frequency goal ranges between multiple times a
week for a busy period to at least once per month. I'm not sure yet how I'm
going to do it, technically-speaking, but I won't use any external services.</p>
<p>Of course, I won't share your email address with anyone (including other
subscribers, i.e. I won't use a giant Cc:) and of course you'll receive solely
my newsletter and no other emails (ads or whatever). I don't have anything to
sell, anyway. <a href="https://en.wikipedia.org/wiki/Pyramid_scheme#The_%22eight_ball%22_model">Especially if you get two acquaintances of yours to
subscribe!</a>
There won't be a web interface or anything, so subscribing and unsubscribing
will require you to email me as the goal is also to experiment with human
interaction, since nowadays there is less and less of that.</p>
<p>Of course, you won't get access to the previous newsletters, only the
subsequent ones. (Maybe the previous one?)</p>
<h3>How can I subscribe?</h3>
<p>If you're curious about this experiment and want to be part of it, please send an email
to newsletter at chown dot me!</p>
<p><br/></p>
<p><em>Thanks <a href="https://bsd.network/@pamela">Pamela</a> for the proof-reading!</em></p>Upgrading OpenBSD with Ansible2018-10-19T08:30:00-04:002018-10-19T08:30:00-04:00Vigdistag:oldblog.chown.me,2018-10-19:/blog/upgrading-openbsd-with-ansible.html<p>How to upgrade an OpenBSD machine with Ansible</p><p>This article is best enjoyed with basic knowledge of <a href="https://man.openbsd.org/autoinstall">OpenBSD
autoinstall</a> and <a href="https://www.ansible.com/">Ansible</a></p>
<h2>My router runs OpenBSD -current</h2>
<p>A few months ago, I needed software that had just hit the ports tree. I didn't
want to wait for the next release, so I upgraded my router to use -current.
Since then, I've continued running -current, which means upgrading to a newer
snapshot every so often. Running -current is great, but the process of updating
to a newer snapshot was cumbersome. Initially, I had to plug in a serial cable
and then reboot into <em>bsd.rd</em>, hit enter ten times, then reboot, run <code>sysmerge</code>
and update packages.</p>
<p>I eventually switched to <a href="https://bitbucket.org/semarie/upobsd">upobsd</a> to be
able to upgrade without the need for a serial connection. The process was
better, but still tiresome. Usually, I would prepare the special version of
<em>bsd.rd</em>, boot on <em>bsd.rd</em>, and do something like wash the dishes in the
meantime. After about ten minutes, I would dry my hands and then go back to my
workstation to see whether the <em>bsd.rd</em> part had finished so I could run
<code>sysmerge</code> and <code>pkg_add</code>, and then return to the dishes while it upgraded
packages.</p>
<p>Out of laziness, I thought: "I should automate this," but what happened instead
is that I simply didn't upgrade that machine very often. (Yes, laziness). With
my router out of commission, life is very dull, because it is my gateway to the
Internet. Even services hosted at my place (like my Mastodon instance) are not
reachable when the router is down because I use multiple VLANs (so I need the
router to <em>jump</em> across VLANs).</p>
<h2>Ansible Reboot Module</h2>
<p>I recently got a new job, and one of my first tasks was auditing the <em>Ansible</em>
roles written by my predecessors. In one role, the machine rebooted and they
used the
<a href="https://docs.ansible.com/ansible/2.5/modules/wait_for_module.html"><em>wait_for_connection</em></a>
module to wait for it to come back up. That sounded quite hackish to me, so out
of curiosity, I tried to determine whether there was a better way. I also
thought I might be able to use something similar to further automate my OpenBSD
upgrades, and wanted to assess the cleanliness of this method. ;-)</p>
<p>I learned that with the then-upcoming 2.7 Ansible release, a proper <em>reboot</em>
module would be included. I went to the docs, which stated that for a certain
parameter:</p>
<div class="highlight"><pre><span></span>- On Linux and macOS, this is converted to minutes and
rounded down. If less than 60, it will be set to 0.
- On Solaris and FreeBSD, this will be seconds.
</pre></div>
<p>I took this to mean that there was no support for OpenBSD. I looked at the code
and, indeed, there was not. However, I believed that it wouldn't be too hard
to add it. I added the missing pieces for OpenBSD, tested it on my poor Pine64
and then submitted it upstream. After a quick back and forth, the module's
author <a href="https://github.com/ansible/ansible/commit/2769a4e2cc3aadbf91e7f4f83ef57b7ebe43442a">merged it into
devel</a>
(having a friend working at Red Hat helped the process, merci Cyril !) A couple
days later, the release engineer <a href="https://github.com/ansible/ansible/commit/26de4f97493adeb388c1c8fad7a266bb7652bac6">merged it into
stable-2.7</a>.</p>
<p>I proceeded to actually write the playbook, and then I hit a bug. The parameter
<em>reboot_timeout</em> was not recognized by Ansible. This feature would definitely
be useful on a slow machine (such as the Pine64 and its dying SD card). Again,
my fix was <a href="https://github.com/ansible/ansible/commit/0105b4aeadb94dd12b921ed6c427b21cd31182fa">merged into
master</a>
by the module's author and then <a href="https://github.com/ansible/ansible/commit/a0f38bdab5ae0e183cb960fe9e964bf1edf7c326">merged into
stable-2.7</a>.
2.7.1 will be the first release to feature these fixes, but if you use OpenBSD
-current, you already have access to them. I backported the patches when I
<a href="https://marc.info/?l=openbsd-ports-cvs&m=153994960724056&w=2">updated
ansible</a>.</p>
<p>Fun fact about Ansible and reboots: "The win_reboot module was [...] included
with Ansible 2.1," while for unix systems it wasn't added until 2.7. :D For
more details, you can read the <a href="http://samdoran.com/ansible-reboot-plugin/">module's author blog
article</a>.</p>
<h2>The Playbook</h2>
<p>Initially, my playbook did the upgrade as usual (i.e., it fetched the sets in
<em>bsd.rd</em>). During this process, of course, my machine is not performing its
function as a router. My Internet access is not super great, so fetching the
sets takes awhile. I got frustrated while I was testing it and looked into
lessening the amount of time spent inside <em>bsd.rd</em>.</p>
<p>To speed up the process, I wrote <a href="https://chown.me/iota/blog/fetch-sets">a basic shell
script</a> to fetch the sets <strong>before</strong>
rebooting into <em>bsd.rd</em>. It enabled me to remove some <em>tasks</em> I had to do in
order to get working Internet access in <em>bsd.rd</em>. (This is specific to my
case).</p>
<h3>The playbook itself</h3>
<div class="highlight"><pre><span></span><span class="x">---</span>
<span class="x">- name: Upgrade OpenBSD</span>
<span class="x"> hosts: apu-root</span>
<span class="x"> vars:</span>
<span class="x"> arch: amd64</span>
<span class="x"> date: "</span><span class="cp">{{</span> <span class="nv">lookup</span><span class="o">(</span><span class="s1">'pipe'</span><span class="o">,</span> <span class="s1">'date +%Y-%m-%d'</span><span class="o">)</span> <span class="cp">}}</span><span class="x">"</span>
<span class="x"> disk: "sd0"</span>
<span class="x"> mirror: "fastly.cdn.openbsd.org"</span>
<span class="x"> path_sets: "/home/danj/sets"</span>
<span class="x"> tasks:</span>
<span class="x"> - name: fetch sets</span>
<span class="x"> command: /home/danj/bin/fetch-sets</span>
<span class="x"> when: path_sets is defined</span>
<span class="x"> - name: create answer file for upobsd</span>
<span class="x"> template:</span>
<span class="x"> src: answer.j2</span>
<span class="x"> dest: answer</span>
<span class="x"> delegate_to: localhost</span>
<span class="x"> - name: create kernel with upobsd</span>
<span class="x"> command: "upobsd -v -a </span><span class="cp">{{</span> <span class="nv">arch</span> <span class="cp">}}</span><span class="x"> -u ./answer -m https://</span><span class="cp">{{</span> <span class="nv">mirror</span> <span class="cp">}}</span><span class="x">/pub/OpenBSD -V snapshots"</span>
<span class="x"> delegate_to: localhost</span>
<span class="x"> - name: copy bsd.rd created by upobsd</span>
<span class="x"> copy:</span>
<span class="x"> src: bsd.rd</span>
<span class="x"> dest: /bsd</span>
<span class="x"> - name: reboot host</span>
<span class="x"> reboot:</span>
<span class="x"> msg: "rebooting into bsd.rd to upgrade"</span>
<span class="x"> reboot_timeout: 900</span>
<span class="x"> - name: archive kernel</span>
<span class="x"> copy:</span>
<span class="x"> src: "/bsd"</span>
<span class="x"> dest: "/bsd-</span><span class="cp">{{</span> <span class="nv">date</span> <span class="cp">}}</span><span class="x">"</span>
<span class="x"> mode: 0700</span>
<span class="x"> remote_src: "yes"</span>
<span class="x"> - name: upgrade all packages</span>
<span class="x"> command: "pkg_add -u -Dsnap"</span>
</pre></div>
<h3>The answer file</h3>
<p>The answer file is automatically <a href="https://github.com/openbsd/src/blob/master/distrib/miniroot/install.sub#L2811-L2812">mailed to root at the end of the
upgrade</a>,
so it's easy to get it!</p>
<p>In my case, the answer file transformed into a jinja2 template is:</p>
<div class="highlight"><pre><span></span><span class="x">Which disk is the root disk = sd0</span>
<span class="x">Force checking of clean non-root filesystems = no</span>
<span class="cp">{%</span> <span class="k">if</span> <span class="nv">path_sets</span> <span class="k">is</span> <span class="nf">defined</span> <span class="cp">%}</span><span class="x"></span>
<span class="x">Location of sets = disk</span>
<span class="x">Is the disk partition already mounted = yes</span>
<span class="x">Pathname to the sets = </span><span class="cp">{{</span> <span class="nv">path_sets</span> <span class="cp">}}</span><span class="x"></span>
<span class="cp">{%</span> <span class="k">else</span> <span class="cp">%}</span><span class="x"></span>
<span class="x">Location of sets = http</span>
<span class="x">HTTP proxy URL = none</span>
<span class="x">HTTP Server = </span><span class="cp">{{</span> <span class="nv">mirror</span> <span class="cp">}}</span><span class="x"></span>
<span class="x">Server directory = pub/OpenBSD/snapshots/</span><span class="cp">{{</span> <span class="nv">arch</span> <span class="cp">}}</span><span class="x"></span>
<span class="cp">{%</span> <span class="k">endif</span> <span class="cp">%}</span><span class="x"></span>
<span class="x">Set name(s) = done</span>
<span class="x">Location of sets = done</span>
</pre></div>
<h3>The explanations</h3>
<p>Ansible runs my script on the remote host to fetch the sets. It creates an
answer file from the template and then gives it to <em>upobsd</em>. Once <em>upobsd</em> has
created the kernel, Ansible copies it in place of <code>/bsd</code> on the host. The
router reboots and boots on <code>/bsd</code>, which is upobsd's <em>bsd.rd</em>. The <em>installer</em>
runs in <em>auto_update</em> mode. Once it comes back from <em>bsd.rd</em> land, it archives
the kernel and finishes by upgrading all the packages.</p>
<p>It also supports upgrading without fetching the sets ahead of time. For
instance, I upgrade this way on my Pine64 because if I cared about speed, I
wouldn't use this weak computer with its dying SD card. For this case, I just
comment out the <em>path_sets</em> variable and Ansible instead creates an answer file
that will instruct the installer to fetch the sets from the designated mirror.</p>
<p>I've been archiving my kernels for a few years. It's a nice way to <strike>fill
up /</strike> keep a history of my upgrades. If I spot a regression, I can
try a previous kernel ... which may not work with the then-desynchronized
<em>userland</em>, but that's another story.</p>
<p><code>sysmerge</code> already runs with
<a href="https://github.com/openbsd/src/blob/master/etc/rc#L579-L580">rc.sysmerge</a> in
batch mode and sends the result by email. I don't think there's merit to
running it again in the playbook. The only perk would be discovering <strong>in the
terminal</strong> whether any files need to be manually merged, rather than reading
exactly the same output in the email.</p>
<p>Initially, I used the <em>openbsd_pkg</em> module, but it doesn't work on -current
just <strong>before</strong> a release because <code>pkg_add</code> automatically looks for
<em>pub/OpenBSD/${release}/packages/${arch}</em> (which is empty). I wrote and tested
this playbook while 6.4 was around the corner, so I switched to <em>command</em> to be
able to pass the <code>-Dsnap</code> parameter.</p>
<h2>The result</h2>
<p>I'm very happy with the playbook! It performs the upgrade with as little
intervention as possible and minimal downtime. \o/</p>
<p><br/></p>
<p><em>Thanks <a href="https://bsd.network/@pamela">Pamela</a> for the proof-reading!</em></p>Locking OpenBSD when it's sleeping2018-10-08T10:20:00-04:002018-10-08T10:20:00-04:00Vigdistag:oldblog.chown.me,2018-10-08:/blog/locking-openbsd-when-sleeping.html<p>A frequently asked question: how do you lock your machine?</p><p>I frequent the #openbsd IRC channel in order to help people. A question
commonly asked is how to automatically lock your machine when
putting it to sleep with zzz(1). I answered this question in a
previous article (which was actually written four years ago; time flies!) but
it was written in French, so here's a new one, also covering additional related topics.</p>
<h1>Locking the machine when it is put to sleep</h1>
<p>If you read <a href="https://man.openbsd.org/apmd.8">apmd(8)</a>:</p>
<div class="highlight"><pre><span></span>FILES
/etc/apm/suspend
/etc/apm/hibernate
/etc/apm/standby
/etc/apm/resume
/etc/apm/powerup
/etc/apm/powerdown These files contain the host's customized actions.
Each file must be an executable binary or shell
script. A single program or script can be used to
control all transitions by examining the name by
which it was called, which is one of suspend,
hibernate, standby, resume, powerup, or powerdown.
</pre></div>
<p>The trick is to write a script for 'etc/apm/suspend' to run when zzz is called
(either directly or by <a href="https://github.com/openbsd/src/blob/master/etc/etc.amd64/sysctl.conf#L3">closing the
lid</a>).
For instance, the script I'm using is:</p>
<table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre>1
2</pre></div></td><td class="code"><div class="highlight"><pre><span></span><span class="ch">#!/bin/sh</span>
doas -u danj env <span class="nv">DISPLAY</span><span class="o">=</span>:0 <span class="nv">XAUTHORITY</span><span class="o">=</span>/home/danj/.Xauthority xlock <span class="p">&</span>
</pre></div>
</td></tr></table>
<p>It requires:</p>
<ul>
<li>configuring doas, <em>left as an exercise to the reader</em> ;)</li>
<li>running apmd (hashtag rcctl)</li>
<li>an executable script</li>
</ul>
<h1>Locking it further</h1>
<p>This is off to a good start, but if you are a <em>startx</em> user (versus using xenodm), be sure to run <code>exec startx</code> and not just <code>startx</code>. Otherwise, it is possible to kill X and then access the shell.</p>
<p>If you don't set a maximum lifetime for your <code>ssh-agent</code>, you should clear your identities using <code>ssh-add -D</code>. You should also revoke any <code>sudo</code> permissions with <code>sudo -K</code>. <code>doas</code> doesn't work the same way, so <code>doas -L</code> won't help you much. (You have elevated permissions only in the current shell, not account-wide).</p>
<p>You might want to clear your clipboards, as well. Use something like: <code>xsel -c -p; xsel -c -s; xsel -c -b</code>.</p>
<p>Of course, if you use other authentication mechanisms (GNOME keyring, ssh's
Control*, etc.), you should handle those as well.</p>
<h1>Beware of the cat</h1>
<p>Now that I have a <a href="https://awoo.chown.me/@jeancanard">Captive Advanced
Threat</a>, I feel the need to automatically lock the screen after it has been idle for a short while. You can achieve this using <code>xidle</code>. The <a href="https://man.openbsd.org/xidle.1">man
page</a> is sufficiently descriptive that I won't talk about that further.</p>
<p><br/></p>
<p><em>Thanks <a href="https://maly.io/@semarie">semarie</a> for the technical proof-reading and <a href="https://bsd.network/@pamela">Pamela</a> for the English proof-reading!</em></p>2FA with ssh on OpenBSD2018-08-31T10:20:00-04:002018-08-31T10:20:00-04:00Vigdistag:oldblog.chown.me,2018-08-31:/blog/2FA-with-ssh-on-OpenBSD.html<p>How I locked down my ssh connection</p><p>Five years ago I wrote about <a href="./yubikey.html">using a yubikey</a> on OpenBSD. The
only problem with doing this is that there's no validation server available on
OpenBSD, so you need to use a different OTP slot for each machine. (You don't
want to risk a <a href="https://en.wikipedia.org/wiki/Replay_attack">replay attack</a> if
someone succeeds in capturing an OTP on one machine, right?) Yubikey has two
OTP slots per device, so you would need a yubikey for every two machines with
which you'd like to use it. You could use a
<a href="https://en.wikipedia.org/wiki/Bastion_host">bastion</a>—and use only one
yubikey—but I don't like the SPOF aspect of a bastion. YMMV.</p>
<p>After <a href="./my-recent-journey-with-2FA.html">I played with TOTP</a>, I wanted to use
them as a 2FA for ssh. At the time of writing, we can't do that using only the
tools in base. This article focuses on OpenBSD; if you use another operating
system, here are two <a href="https://www.openbsd.org/faq/faq4.html">handy</a>
<a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/amd64/INSTALL.amd64">links</a>.</p>
<h1>Seed configuration</h1>
<p>The first thing we need to do is to install the software which will be used to
verify the OTPs we submit.</p>
<div class="highlight"><pre><span></span># pkg_add login_oath
</pre></div>
<p>We need to create a <em>secret</em> - aka, the <em>seed</em> - that will be used to calculate
the Time-based One-Time Passwords. We should make sure no one can read or
change it.</p>
<div class="highlight"><pre><span></span>$ openssl rand -hex <span class="m">20</span> > ~/.totp-key
$ chmod <span class="m">400</span> ~/.totp-key
</pre></div>
<p>Now we have a hexadecimal key, but apps usually <a href="https://github.com/mattrubin/Authenticator/blob/develop/Authenticator/Source/TokenEntryForm.swift#L214">want a base32
secret</a>.
I initially wrote a small script to do the conversion.</p>
<p>While writing this article, I took the opportunity to improve it. When I
initially wrote this utility for my use,
<a href="https://github.com/lincolnloop/python-qrcode">python-qrcode</a> hadn't yet been
imported to the OpenBSD ports/packages system. It's easy to install now, so
let's use it.</p>
<p>Here's the improved version. It will ask for the hex key and output the secret
as a base32-encoded string, both with and without spacing so you can copy-paste
it into your password manager or easily retype it. It will then ask for the
information needed to generate a <em>QR code</em>. Adding our new OTP secret to any
mobile app using the QR code will be super easy!</p>
<table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37</pre></div></td><td class="code"><div class="highlight"><pre><span></span><span class="ch">#!/usr/bin/env python</span>
<span class="c1"># DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE</span>
<span class="c1"># Version 2, December 2004</span>
<span class="c1"># Copyright (C) 2018 Daniel Jakots</span>
<span class="kn">import</span> <span class="nn">binascii</span>
<span class="kn">import</span> <span class="nn">base64</span>
<span class="kn">import</span> <span class="nn">sys</span>
<span class="k">try</span><span class="p">:</span>
<span class="kn">import</span> <span class="nn">qrcode</span>
<span class="k">except</span> <span class="ne">ModuleNotFoundError</span><span class="p">:</span>
<span class="k">print</span><span class="p">(</span><span class="s2">"pkg_add py3-qrcode"</span><span class="p">)</span>
<span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="n">seed_hex</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s2">"Key in hex format "</span><span class="p">)</span>
<span class="n">binary_string</span> <span class="o">=</span> <span class="n">binascii</span><span class="o">.</span><span class="n">unhexlify</span><span class="p">(</span><span class="n">seed_hex</span><span class="p">)</span>
<span class="n">seed_b32</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b32encode</span><span class="p">(</span><span class="n">binary_string</span><span class="p">)</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s1">'utf-8'</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="s2">"The secret in a base32 encoded format"</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="n">seed_b32</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="s2">"The same, but with a space every three letters for readability"</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="s1">' '</span><span class="o">.</span><span class="n">join</span><span class="p">([</span><span class="n">seed_b32</span><span class="p">[</span><span class="n">i</span><span class="p">:</span><span class="n">i</span><span class="o">+</span><span class="mi">3</span><span class="p">]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">seed_b32</span><span class="p">),</span> <span class="mi">3</span><span class="p">)]))</span>
<span class="k">print</span><span class="p">(</span><span class="s2">"Let's create a QR code to import it into an app"</span><span class="p">)</span>
<span class="n">issuer</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s2">"'Issuer' (can be the server name) "</span><span class="p">)</span>
<span class="n">username</span> <span class="o">=</span> <span class="nb">input</span><span class="p">(</span><span class="s2">"Username "</span><span class="p">)</span>
<span class="n">uri</span> <span class="o">=</span> <span class="n">f</span><span class="s2">"otpauth://totp/{username}?secret={seed_b32}&issuer={issuer}"</span>
<span class="n">img</span> <span class="o">=</span> <span class="n">qrcode</span><span class="o">.</span><span class="n">make</span><span class="p">(</span><span class="n">uri</span><span class="p">)</span>
<span class="n">image_file</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">f</span><span class="s2">"qrcode-otp-{issuer}.jpg"</span><span class="p">,</span> <span class="s2">"wb"</span><span class="p">)</span>
<span class="n">img</span><span class="o">.</span><span class="n">save</span><span class="p">(</span><span class="n">image_file</span><span class="p">)</span>
</pre></div>
</td></tr></table>
<p>You can fetch this script using <code>ftp
https://chown.me/iota/blog/totp-hex-to-qrcode.py</code>. (The code isn't in any of
my public repositories for
<a href="https://chown.me/iota/blog/issues-public-repo.jpg">reasons</a>).</p>
<p>We can check to make sure everything went smoothly by comparing the code
provided by your mobile app to one generated by <em>oathtool</em> at the same time.
The <em>oathtool</em> binary is provided by the package <em>oath-toolkit</em> (which is the
dependency needed by <em>login_oath</em>). <em>oathtool</em> accepts the seed in either
hexadecimal or base32 format.</p>
<div class="highlight"><pre><span></span>$ oathtool --totp 0123456789abcdef0123
<span class="m">054640</span>
$ oathtool --totp -b AERUKZ4JVPG66AJD
<span class="m">054640</span>
</pre></div>
<p><em>0123456789abcdef0123</em> is the <em>seed</em> in hexadecimal format (as in
<code>~/.totp-key</code>) and <em>AERUKZ4JVPG66AJD</em> is the same data, but base32-encoded.</p>
<p>Alternatively, if you just want to do the hex -> b32 conversion, <em>login_oath</em>'s
README gives a Perl example (but it is not an unreadable one-liner, so you may
not want to use it):</p>
<div class="highlight"><pre><span></span><span class="n">Some</span> <span class="n">tokens</span> <span class="p">(</span><span class="n">e</span><span class="o">.</span><span class="n">g</span><span class="o">.</span> <span class="n">Google</span> <span class="n">Authenticator</span><span class="p">)</span> <span class="k">require</span> <span class="nn">secrets</span> <span class="n">in</span> <span class="n">base32</span> <span class="nb">format</span><span class="p">;</span>
<span class="n">you</span> <span class="n">can</span> <span class="n">convert</span> <span class="n">them</span> <span class="n">with</span> <span class="n">p5</span><span class="o">-</span><span class="n">Convert</span><span class="o">-</span><span class="n">Base32:</span>
<span class="k">use</span> <span class="nn">Convert::Base32</span><span class="p">;</span>
<span class="k">my</span> <span class="nv">$s</span> <span class="o">=</span> <span class="nb">pack</span><span class="p">(</span><span class="s">'H*'</span><span class="p">,</span> <span class="s">'99d12448129d1e8192e063d64714209137a13864'</span><span class="p">);</span>
<span class="k">print</span> <span class="n">encode_base32</span><span class="p">(</span><span class="nv">$s</span><span class="p">)</span><span class="o">.</span><span class="s">"\n"</span><span class="p">;</span>
</pre></div>
<h1>System configuration</h1>
<p>We can now move to the configuration of the system to put our new TOTP to use.
As you might guess, it's going to be quite close to what we did with the
yubikey.</p>
<p>We need to tweak <code>login.conf</code>. <strong>Be careful</strong> and keep a root shell open at all
times. The few times I broke my OpenBSD were because I messed with login.conf
without showing enough care.</p>
<p>After the lines:</p>
<div class="highlight"><pre><span></span># Default allowed authentication styles for authentication type ftp
auth-ftp-defaults:auth-ftp=passwd:
</pre></div>
<p>we add:</p>
<div class="highlight"><pre><span></span># Default allowed authentication styles for authentication type ssh
auth-ssh-defaults:auth-ssh=-totp:
</pre></div>
<p>and inside the class of the user account for which TOTP is being set, we add
the line <code>:tc=auth-ssh-defaults:\</code>. For instance, in my case it's:</p>
<div class="highlight"><pre><span></span>staff:\
:datasize-cur=1536M:\
:datasize-max=infinity:\
:maxproc-max=512:\
:maxproc-cur=256:\
:ignorenologin:\
:requirehome@:\
:tc=auth-ssh-defaults:\
:tc=default:
</pre></div>
<p>(Hint: it's the penultimate line). You can check the class of your user using
<code>id -c</code>.</p>
<h1>sshd configuration</h1>
<p>Again, keeping a root shell around decreases the risk of losing access to the
system and being locked outside.</p>
<p>A good standard is to use <code>PasswordAuthentication no</code> and to use public key
only. Except... have a guess what the <em>P</em> stands for in <em>TOTP</em>. Yes, congrats,
you guessed it!</p>
<p>We need to switch to <code>PasswordAuthentication yes</code>. However, if we made this
change alone, sshd would then accept a public key OR a password (which are TOTP
because of our <em>login.conf</em>). 2FA uses both at the same time.</p>
<p>To inform sshd we intend to use both, we need to set <code>AuthenticationMethods
publickey,password</code>. This way, the user trying to login will first need to
perform the traditional publickey authentication. Once that's done, ssh will
prompt for a password and the user will need to submit a valid TOTP for the
system.</p>
<p>We could do this the other way around, but I think bots could try passwords,
wasting resources. Evaluated in this order, failing to provide a public key leads to
sshd immediately declining your attempt.</p>
<p>Here's the diff of the output when testing with <code>ssh -v</code> using both public-key-only authentication and two-factor authentication:</p>
<div class="highlight"><pre><span></span><span class="p">-</span><span class="nf">debug1:</span> <span class="n">Authentication</span> <span class="n">succeeded</span> <span class="p">(</span><span class="n">publickey</span><span class="p">).</span>
<span class="o">+</span><span class="n">Authenticated</span> <span class="n">with</span> <span class="n">partial</span> <span class="n">success</span><span class="p">.</span>
<span class="o">+</span><span class="nl">debug1</span><span class="p">:</span> <span class="n">Authentications</span> <span class="n">that</span> <span class="n">can</span> <span class="k">continue</span><span class="o">:</span> <span class="n">password</span>
<span class="o">+</span><span class="nl">debug1</span><span class="p">:</span> <span class="n">Next</span> <span class="n">authentication</span> <span class="nl">method</span><span class="p">:</span> <span class="n">password</span>
<span class="o">+</span><span class="n">danj</span><span class="mf">@198.51.100.12</span><span class="err">'</span><span class="n">s</span> <span class="nl">password</span><span class="p">:</span>
<span class="o">+</span><span class="nl">debug1</span><span class="p">:</span> <span class="n">Authentication</span> <span class="n">succeeded</span> <span class="p">(</span><span class="n">password</span><span class="p">).</span>
</pre></div>
<h1>Improving security without impacting UX</h1>
<p>My phone has a long enough password that most of the time, I fail to type it
correctly on the first try. Of course, if I had to unlock my phone, launch my
TOTP app and use my keyboard to enter what I see on my phone's screen, I would
quickly disable 2FA.</p>
<p>To find a balance, I have whitelisted certain IP addresses and users. If I
connect from a particular IP address or as a specific user, I don't want to go
through 2FA. For some users, I might not even enable 2FA.</p>
<p>To whitelist, we can use the <em>Match</em> keyword. Here are two basic examples:</p>
<div class="highlight"><pre><span></span>Match User git
AuthenticationMethods publickey
</pre></div>
<div class="highlight"><pre><span></span>Match Address 203.0.113.47 # VPN
AuthenticationMethods publickey
</pre></div>
<p><br/></p>
<p>To sum up, we covered how to create a seed, how to perform a hexadecimal to
base32 conversion and how to create a <em>QR code</em> for mobile applications. We
configured the login system with <em>login.conf</em> so that ssh authentication uses
the TOTP login system, and we told sshd to ask for both the public key and the
Time-based One-Time Password. Now you should be all set to use two-factor
ssh authentication on OpenBSD!</p>
<p><br/></p>
<p><em>Thanks <a href="https://bsd.network/@pamela">Pamela</a> for the proof-reading!</em></p>The Effective Manager2018-08-13T10:20:00-04:002018-08-13T10:20:00-04:00Vigdistag:oldblog.chown.me,2018-08-13:/blog/the-effective-manager.html<p>I read The Effective Manager by Mark Horstman; here's my summary.</p><p><em>Note: this is also available in audio format: 3:49
<a href="https://chown.me/iota/blog/the-effective-manager.mp3">(1.6MB mp3)</a>
<a href="https://chown.me/iota/blog/the-effective-manager.ogg">(1.3MB ogg)</a></em></p>
<p><br/></p>
<p>A few months ago, I stumbled across <a href="https://jacobian.org/writing/engmanager-reading-list/">A reading list for new engineering
managers</a>. I'm not sure
that I want to become a manager, but even so, knowing how management tasks
should be approached is valuable. Knowing how things work from the other side
helps me to understand the bigger picture, so I try to do that with most things
in life.</p>
<p>I began by reading the first book on the list, <em>The Effective Manager</em> by Mark
Horstman. Here's what I found interesting:</p>
<p>Firstly, employees should be able to list their goals. If they can't, they
should ask "what results do you expect from me?" and "how will you measure my
performance?"</p>
<p>For the manager, the two main goals are:</p>
<ol>
<li>Achieve Results</li>
<li>Retain Employees</li>
</ol>
<p>To help the manager succeed in these goals, the book first gives some general
advice:</p>
<ol>
<li>Get to know your people</li>
<li>Communicate about performance</li>
<li>Ask for more</li>
<li>Push work down</li>
</ol>
<p>Their respective importance is set to 40%, 30%, 20% and 10%. (Isn't it great
when you add percentages and their sum is, indeed, 100%?)</p>
<p>When goals are clearly defined and the manager communicates about their
employee's performance, both are off to a good start!</p>
<p>"Generally, the more a team trusts its manager, the better the results will be,
and the better the retention as well."</p>
<p>The author advises managers to talk to their subordinates frequently about things
that are important to them. For those frequent discussions, his recommended
format is the <em>One-on-One</em>. One-on-ones are scheduled, weekly, 30-minute
meetings that managers have with each of their employees.</p>
<p>One-on-ones last thirty minutes at the most, but can end early if neither has
more to say. The thirty minutes are split into three ten-minute segments. The
first third is for what the subordinate wishes to discuss. The second third allows
the manager to provide feedback and instruction. The final third (hopefully
there's still some time left :-)) is designated for discussion about the future
... as it's not particularly useful to talk about the past.</p>
<p>The book has some tips for addressing the reasons why some might be reluctant
to attend one-on-ones. If they say their schedule is already fully booked, the
key is to say "ok, but look at your schedule. If in one month it's mostly free,
let's add a few weekly 30-minute slots then, to see how it goes."</p>
<p>Another problem that could arise is the employee being unwilling to talk or
dominating the conversation. Again, the book has some tips for that and in both
cases, it comes down to <strong>gently</strong> encouraging the behavior you want to see
<strong>without forcing</strong> the employee (at least, in the beginning).</p>
<p>For giving feedback, Horstman provides the following model:</p>
<ol>
<li>Ask if the person is open to receiving feedback. It's useless to give
feedback if one's not open to it. Also, hashtag consent.</li>
<li>Identify the behavior you've noticed.</li>
<li>Describe the impact of the behavior (positive or negative).</li>
<li>Encourage effective future behavior. If the feedback is positive, say "keep
up the good work!" and if it isn't, ask questions and work out a plan.</li>
</ol>
<p>One important thing about feedback is that you shouldn't be angry when you
deliver it. Bearing that in mind, you should still give it as soon as you can.</p>
<p>I didn't take any notes for the points "Ask for more" and "Push work down"
because I didn't feel I was learning anything. Of course, this is specific to
me. I'm sure plenty of people will find valuable advice in these sections.</p>
<p>I quite liked the book; it was full of interesting points. What I didn't like
was that sometimes the author repeated points that felt obvious to me. Also, I
felt like the author was a bit full of himself (though that may simply reflect
cultural differences).</p>
<p>Reading <em>The Effective Manager</em> will provide you with a lot of techniques as a
manager to complete your daily tasks. Even as someone without subordinates, I
found this a valuable read, as it allows for some management in reverse.</p>
<p>Finally, remember the saying: "people don't quit their jobs; they quit their
managers." ;)</p>
<p><br/></p>
<p><em>Thanks <a href="https://bsd.network/@pamela">Pamela</a> for the proof-reading and the audio recording!</em></p>The Checklist Manifesto2018-06-01T10:20:00-04:002018-06-01T10:20:00-04:00Vigdistag:oldblog.chown.me,2018-06-01:/blog/the-checklist-manifesto.html<p>I read The Checklist Manifesto</p><p>What is the best way to improve the quality of your actions? According to the
author of the book <a href="https://en.wikipedia.org/wiki/The_Checklist_Manifesto"><em>The Checklist
Manifesto</em></a>, it's with
checklists.</p>
<p>A few months ago, a <a href="https://instinctive.eu/">friend</a> wrote <a href="https://instinctive.eu/weblog/0AC-perte-de-memoire-II">a blog
article</a> about how her
memory began to fail her. <a href="https://blog.pasithee.fr/">Another friend</a>
<a href="https://instinctive.eu/weblog/0AC-perte-de-memoire-II#VXBU66HpV1Ds">commented</a> that
she wrote a checklist to avoid forgetting anything before a commit, after
having read <em>The Checklist Manifesto</em>. Another passion of mine is airplanes.
In the aviation world, there are checklists for everything. I was curious
what this book could say about this subject so I read it.</p>
<p>While reading the book was pleasant, if the author talked only about checklists,
I think it could have been only one chapter. The other things he wrote about
are communications and sharing—or spreading—responsibilities. These topics are also
very important but out of the scope in my opinion.</p>
<p><a href="https://en.wikipedia.org/wiki/Atul_Gawande">Atul Gawande</a> (the author)
is a surgeon, so obviously he talks about surgery but not only. For instance,
he talks about how aviation and construction firms started using checklists, who
writes them, and what they cover.</p>
<p>But why make checklists? The author
explains that over the last centuries we have learned many many things, but we
sometimes fail at doing them. Checklists are there to lower our fail rate.
They also help to be faster and more methodical.</p>
<p>Checklists don't improve our skills, they improve results. They are guards
against basic errors and oversights.</p>
<p>That sounds good, doesn't it? So how does one a do a good checklist? The author
gives a <em>rule of thumb</em>. The checklist must:</p>
<ul>
<li>be between 5 and 9 elements—it should take between 60 and 90 seconds to complete</li>
<li>have a clear <em>pause point</em> i.e. when to go through the checklist</li>
<li>be short and precise, they're not a how-to</li>
<li>have a publication date and be occasionally revised</li>
</ul>
<p>Atul Gawande lists two kinds of checklist:</p>
<ul>
<li>do-confirm: you do your stuff and once you think you're good, you go
through the checklist to verify you didn't forget anything</li>
<li>read-do: you do what the checklist says you have to do while reading it</li>
</ul>
<p>Checklists can be done during team briefing and it has the added benefit that it
improves communication among the team.</p>
<p>I liked this book and if you're curious about stories behind checklists, you
should definitely read it!</p>Hackathon report - p2k182018-05-03T10:20:00-04:002018-05-03T10:20:00-04:00Vigdistag:oldblog.chown.me,2018-05-03:/blog/p2k18.html<p>Another ports hackathon in Nantes, France</p><p>After two mostly boring flights, I was in Nantes on Sunday. I didn't do much
because I wanted to get some rest after an exhausting week and tried to get my
body into this new timezone. After a long night of sleep, I went to the hackroom.
It was already well crowded for the first morning.</p>
<p>On Friday the week before, I asked my boss at 5 pm if I had to take days off. He said
"no" as a way to support my work on Open Source—it had been the same for
<a href="./t2k17.html">t2k17</a>. I made a deal with myself that I would finish what I was
working on for a customer instead of asking my coworker. So a large part of my
Monday was finishing that stuff. Still, <a href="https://github.com/openbsd/ports/commit/a322d2ddc88df925eb9c719578e9f6aca0096298">I updated a port I maintain,
pqiv</a>.
I received a <a href="https://chown.me/iota/dmesg/dmesg-x1.txt">generous donation</a> from <a href="https://twitter.com/mischapeters">Mischa
Peters</a> so I installed OpenBSD on it (thanks
to jasper@ for carrying it!).</p>
<p>Installing OpenBSD was not that trivial because I didn't have any USB key and
the wired NIC required an adapter which I didn't have and the wifi NIC required
a firmware to work. Thanks to <a href="https://twitter.com/poolporg">our marvelous
organizer</a> for providing me a USB key and stsp@ for
lending me a USB NIC (which later <a href="https://undeadly.org/cgi?action=article;sid=20180430190108">krw@ used to debug a dhclient
bug</a>!). After that,
I installed the packages I use, rsync'ed my home from my work laptop I was
using until then like a lil' pig and felt immediately at home!</p>
<p>I really begin the ports hackathon on Tuesday when I committed an update for
py-setuptools. I had already <a href="./b2k16.html">updated them</a> 18 months ago. It was
easy to do it because I already did all the work a few weeks ago. My plan was
to commit it before the hackathon but the clang6 fallout decided otherwise. I
needed this setuptools to port upt. <a href="https://framagit.org/upt">upt</a> is a
"modular tool that helps people package software from PyPI/CPAN/etc. to
OpenBSD/GNU Guix/etc". It's made by a <a href="https://perso.aquilenet.fr/~steap/">very good friend of
mine</a> so I sent him a bunch of <a href="https://framagit.org/upt/upt-rubygems/commit/ccb5c2c1f9df2c383a02b2297f0354c3692757b4">really
nice</a>
<a href="https://framagit.org/upt/upt-cpan/commit/893ef4aed42a121fb2adb6412dd9c91f81a8e8f0">diffs</a>.</p>
<p>I imported spdx and spdx-lookup which are a database of licenses and a tool to
query it. That's the tool upt is using to
<a href="https://framagit.org/upt/upt/blob/master/upt/licenses.py#L702">guess</a> the
license used. Then, I decided to call it a day. The morning was stressful, and rain was forecasted for the next few days. This pushed me to go see the city. I went to
see <a href="https://www.lesmachines-nantes.fr/en/"><em>Les Machines De L'Île</em></a>. Sadly the
Elephant was sick so I couldn't ride him. He was fine enough to spit water on
kids though. What makes me even sadder is that I didn't photograph the
billboard saying it was sick. It would have been such a cool error page
for when PostgreSQL is down!</p>
<p>I also visited <em>Le Chateau des Ducs de Bretagne</em> and <em>Le Jardin des Plantes</em>
which both were awesome with the nice blue sky I had. It was also funny to
notice that the people of Nantes try to trick people, with putting "de Bretagne"
in various names, into thinking that Nantes is in Bretagne while it is not.
Yup, I'm pretty happy to have a static blog without any comments system so
there won't be any hateful reactions visible here :-)</p>
<p>Once I got back to the hackroom, I review-n-committed a couple of diffs for
python ports. I updated again pqiv as they released another bugfix release and
did some reviews for the <a href="https://undeadly.org/cgi?action=article;sid=20180429101745">boar port from solene@</a>.</p>
<p>I spent Wednesday only doing reviews for other devs—facette, influxdb for
landry@, and several python ports for pvk@. At 5 pm I was fed up, so I went to
the supermarket and bought some Belgian beers (<em>Trappe Quadrupel</em> and
<em>Westmalle</em> mainly but also some <em>Chimay</em>). Once drunk I went to play ping-pong
with other French hackers. A few hours—and less alcohol in my blood—later, I
finally updated my main server to OpenBSD 6.3 which went fine.</p>
<p>I also looked at setting <code>PORTS_PRIVSEP=Yes</code> being one of the <a href="https://undeadly.org/cgi?action=article;sid=20180429190200">"new
converts"</a>, but I
had some <a href="https://marc.info/?l=openbsd-ports-cvs&m=152466817003263&w=2">problems</a>
(this commit message actually makes me laugh so much) so I eventually decided to
rollback. Now, however, I know which permissions to set if I want to enable it
again so that's cool!</p>
<p>Thursday was low-hanging-fruit day. One of the commits renamed a package and so
I needed to add a quirks entry. I did all of it on my own and I was glad to see
how much more comfortable I was after two years (I got my <em>commit bit</em> shortly
before p2k16 which happened 2 years ago).</p>
<p>Until Friday, I didn't submit upt because I was waiting for Cyril to send an
email about it. He finally sent
<a href="https://marc.info/?l=openbsd-ports&m=152478073001511&w=2">it</a> so I submitted
it while replying to his email. I had already talked about it to landry@
because he wanted to port a dozen of python ports. I told him this tool
could help him so he was eager to try it. I finally imported it after a couple
of back and forth between landry@ and I.</p>
<p>Saturday was my last day as I was traveling on Sunday. I reviewed
collectd/liboping for landry@, looked at the new
<a href="https://www.palletsprojects.com/blog/flask-1-0-released/">Flask</a>. During
p2k16, I talked with eric@ about ports where he was listed as maintainer. This
time I succeeded in convincing him that his time was better spent on OpenSMTPD so
there was no need to for him to be listed as maintainer. My final commit for
p2k18 was freeing him from the ports tree :-) </p>
<p>A while ago, I bought two <a href="./playing-with-the-pine64.html">pine64</a> but they
were not that useful for my use cases—too slow and unreliable. For a few weeks,
semarie was using one of them remotely to work on rust/arm64. But when it
stopped working, I had to investigate which didn't please my laziness. I offered
him to take one and give it to him. He gladly accepted and then it was quickly <a href="https://marc.info/?l=openbsd-bugs&m=152526381422932&w=2">put to
use</a>!</p>
<p>It was very nice to see Nantes and my fellow OpenBSD hackers again. I could commit
the diffs I had for a few weeks and reviewed some submissions that enhance what
you can <code>pkg_add</code> on OpenBSD. Thanks to gilles@ for all the organization and to
Epitech for hosting us again and to the OpenBSD Foundation for the fundings!</p>New design2018-04-13T10:20:00-04:002018-04-13T10:20:00-04:00Vigdistag:oldblog.chown.me,2018-04-13:/blog/new-design.html<p>The blog has a new design!</p><p>In June this blog will be five years old. Since <a href="./blog.html">I created it</a>, it
has had the same design. A few weeks ago I looked for a new theme. I found
<a href="https://github.com/Parbhat/pelican-blue">pelican-blue</a> which I liked. For my
first theme, I took it from someone and shortly after someone took it from me.
This time I wanted something more unique.</p>
<p>I took pelican-blue and hammered the CSS so people would notice I love the
color <a href="https://en.wikipedia.org/wiki/Red"><em>red</em></a>. At home, my sheets are red, my bath towel is red, my couch is
red, my curtains are red. Even the ribbon Jean Canard plays with is <a href="https://pics.chown.me/Jean-Canard/IMG_0675.JPG">red</a>.</p>
<p>I noticed a couple of things that were broken with the theme so I had to fix
them. Now I have to go back to my commit log to tell the original author as a
way to contribute back.</p>
<p>At first, my blog URL was <code>blog.chown.me</code>. Then I wanted https but I couldn't
have another domain because back then free (and valid—hi cacert) certificates
weren't a thing, I moved it to <code>chown.me/blog</code>. To welcome stalk^Wvisitors I
had a landing page on <code>chown.me</code>. Now, however, I changed my mind and I prefer
to have my blog index page directly on <code>chown.me</code>.</p>
<p>I wanted to break as few links as possible—ain't nobody got time to write the
otherwise needed haproxy redirection. I think I tweaked enough of my
<a href="https://blog.getpelican.com/">pelican</a> config file so that most of them are fine.
Not all of them are; I had to break one or two because of translations.
Fortunately, I was lazy enough to translate only a handful of articles so the
breakage is minimal.</p>
<p>To fix some past mistakes I had to go through old articles. It was a weird
feeling to read my younger self. I wouldn't advise to read them haha. They're in
French anyway.</p>
<p>One of my 2018 New Year's resolution was to write more blog articles. With not a
single one for the first quarter, you can guess it's not my best
accomplishment. But hopefully, I'll finally do it.</p>Routing traffic with multiple OpenVPN2017-11-21T10:20:00-05:002017-11-21T10:20:00-05:00Vigdistag:oldblog.chown.me,2017-11-21:/blog/routing-traffic-with-multiple-openvpn.html<p>On my home router, I have multiple instances of OpenVPN, and here I describe how I route my traffic</p><h2>Why OpenVPN?</h2>
<p>For <a href="https://evolix.ca/en">my dayjob</a> we access the servers we manage
through OpenVPN. Of course it's not the only security measure, it's
yet another layer and it helps to cut a part of the
<a href="https://en.wikipedia.org/wiki/Internet_background_noise">IBN</a>. All of
our servers are registered in
<a href="https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol">LDAP</a>
and from this system we create some routes that the OpenVPN server
pushes to the OpenVPN clients.</p>
<h2>What did I need?</h2>
<h3>Follow the pushed routes, not always and not for all the hosts</h3>
<p>I work sometimes from home (for on-call or just remote work). I have a
IP phone which needs the VPN but of course I can't setup OpenVPN on
the phone directly, so the VPN has to go on my router. But let's say
some android phone (without security updates) connects to my wifi, I
don't want its traffic to go through the VPN.</p>
<p>But I also have my own desktop that I don't want any of its traffic to
go through the VPN, but sometimes I want it to use the routes if I
want to quickly check something on a server.</p>
<h3>Default route sometimes, sometimes not</h3>
<p>By default, clients don't set the gateway to the vpn, because we
have the routes. But sometimes, we need to access a host through the
VPN without having a route to it being pushed by the server. Hence I
need to be able to route all the traffic through the vpn if
needed. But not always because the vpn endpoint is 105ms away and
browsing with this increased latency is obviously a bit slower.</p>
<h3>Even with a default route, bypassing the VPN for some servers</h3>
<p>I have a VM in Montreal, 10ms away, and there's no reason that the
traffic should go through the VPN. Same goes for my OpenBSD mirror.</p>
<h3>Multiple VPN</h3>
<p>I also have another VPN which endpoints is in Montreal and I may want
to route some host from my lan through it. It must independant from
the other VPN.</p>
<h3>Don't touch the server side</h3>
<p>My coworkers use the VPN as well so I can't change the server
configuration just to suit my own need.</p>
<h2>Suiting all the needs \o/</h2>
<p>I will only talk about the client as there's nothing special on the
server side</p>
<h3>OpenVPN infrastructure</h3>
<div class="highlight"><pre><span></span>danj@pancake:/etc/openvpn$ ls
client-ca.conf client-fr.conf private-stuff/
</pre></div>
<p>Config files are as usual, the only special thing is that I force
the tun device used by the VPN (so I can use it in pf.conf):</p>
<div class="highlight"><pre><span></span>danj@pancake:/etc/openvpn$ grep dev *.conf
client-ca.conf:dev tun1
client-fr.conf:dev tun0
</pre></div>
<p>In <code>rc.conf.local</code>, I set the correct config file:</p>
<div class="highlight"><pre><span></span>openvpn_fr_flags="--config /etc/openvpn/client-fr.conf"
openvpn_ca_flags="--config /etc/openvpn/client-ca.conf"
</pre></div>
<p>now I can <code>rcctl start openvpn_fr</code> and <code>rcctl start openvpn_ca</code></p>
<h3>routing</h3>
<p>Spoiler alert, everything is done with pf.</p>
<p>I won't put my whole pf.conf but only the needed parts. First let's
describe the interface.</p>
<div class="highlight"><pre><span></span>vpnfr_if = "tun0"
vpnca_if = "tun1"
</pre></div>
<p>I have vlan-capable switch and wifi AP, so I have multiple networks.</p>
<div class="highlight"><pre><span></span>lan_net = $lan_if:network
wifilap_net = $wifilap_if:network
wifitel_net = $wifitel_if:network
windows_net = $windows_if:network
tel_net = $tel_if:network
</pre></div>
<p>I need some tables (don't worry, you'll understand later what purpose
they have).</p>
<div class="highlight"><pre><span></span>table <softvpnfr> { 10.20.20.20 } persist
table <vpnfr> { $phone } persist
table <vpnca> { 10.10.10.60 } persist
table <bypassfr> { 129.128.197.20, 129.128.5.191, 185.19.29.62, 167.114.216.84 } persist
table <forcevpnfr> { $mrs-fw2 }
table <nousautres> { 10.0.0.0/8, $home_ip } persist
</pre></div>
<p>Now we can see the ruleset. I let everything from the lan, that doesn't
go on the router itself or to another lan (so the traffic will need
another rules to be allowed) come through.</p>
<div class="highlight"><pre><span></span>pass in on $lan_if from $lan_net to ! <nousautres>
pass in on $wifilap_if from $wifilap_net to ! <nousautres>
pass in on $wifitel_if from $wifitel_net to ! <nousautres>
pass in on $tel_if from $tel to ! <nousautres>
pass in log on $windows_if proto { tcp, udp } from $windows_net to ! <nousautres>
</pre></div>
<p>I let everything going out</p>
<div class="highlight"><pre><span></span>pass out log on $ext_if proto { tcp, udp } all modulate state
pass out on $vpnfr_if proto { tcp, udp } all modulate state
pass out on $vpnca_if proto { tcp, udp } all modulate state
</pre></div>
<p>Now's the fun part.</p>
<ul>
<li><code><softvpn></code> is the hosts that can you the routes pushed by the VPN but
it doesn't use the VPN as the gw</li>
<li><code><vpnfr></code> and <code><vpnca></code> everything from the hosts in it goes through
the VPN (French or Canadian)</li>
<li><code><bypassfr></code> any traffic to host in the table won't go through the VPN</li>
<li><code><forcevpnfr></code> host that must be accessed through the VPN</li>
</ul>
<div class="highlight"><pre><span></span># disable the use of the routes if you're not in <softvpn>
pass in on { $lan_if, $wifilap_if, $wifitel_if, $atlas_if } \
from !<softvpnfr> to ! <nousautres> route-to ($ext_if $home_ip)
# force traffic through the French VPN
pass in on { $lan_if, $wifilap_if, $wifitel_if, $tel_if } \
from <vpnfr> to ! <nousautres> route-to ($vpnfr_if 192.168.125.61)
# traffic to hosts in <bypass> must not go through the VPN
pass in on { $lan_if, $wifilap_if, $wifitel_if, $tel_if } \
from <vpnfr> to <bypassfr> route-to ($ext_if $home_ip)
# force traffic through the Canadian VPN
pass in on { $lan_if, $wifilap_if, $wifitel_if, $tel_if } \
from <vpnca> to ! <nousautres> route-to ($vpnca_if 192.168.251.10)
# traffic from <softvpnfr> to hosts in <forcevpnfr> should really go through the VPN
pass in on { $lan_if, $wifilap_if, $wifitel_if } \
from <softvpnfr> to <forcevpnfr> route-to ($vpnfr_if 192.168.125.61)
</pre></div>
<p>But the real magic with pf, is that I can <strong>very easily</strong> change the
routing for any host :</p>
<div class="highlight"><pre><span></span># if I want everything to go through the Canadian VPN
root@pancake:~# pfctl -t vpnca -Ta 10.1.2.3
# or not
root@pancake:~# pfctl -t vpnca -Td 10.1.2.3
# through the French VPN
root@pancake:~# pfctl -t vpnfr -Ta 10.1.2.3
# ok not everything, just use the route pushed by the VPN
root@pancake:~# pfctl -t vpnfr -Td 10.1.2.3
root@pancake:~# pfctl -t softvpn -Ta 10.1.2.3
</pre></div>
<p>That's all! Of course, if anything goes wrong, I have
<a href="https://chown.me/iota/pics/IMG_0551.JPG">Jean Canard's Advanced Paws System (APS)</a>
that checks for anything.</p>Dumping pics2017-11-04T10:20:00-04:002017-11-04T10:20:00-04:00Vigdistag:oldblog.chown.me,2017-11-04:/blog/dumping-pics.html<p>I finally dumped the pics I took with my phone</p><p>A few years ago I bought a camera (a Canon 100D) and since that I take
pictures from time to time. I go through all the pics I take and I
pick the best then I enhance them a bit with rawtherapee and finally I
post them on <a href="http://piks.chown.me">500px</a>. This process is a bit
<em>relou</em> so I don't often do it. Of course I don't always have my camera
with me, but I do have my phone most of the time.</p>
<p>I take a lot of pictures with my phone and I sometimes post them on
some social networks. All these social networks I'm on, are based on
ephemeral publications so after a <strong>short</strong> while, the stuff goes out
of your mind and you never see it again.</p>
<p>I looked for a self-hostable solution. I found PHP-based software like
leetchi and piwigo but I wasn't fond of these. I looked at static
generators as I already use one (pelican) for this blog. Sadly, there
are maaaanyyyy of them for blogs and text-based publications but for
gallery there very few static generators. Finally I found
<a href="https://github.com/saimn/sigal">sigal</a> which is maintained, written
in python, quite nice and very straight forward to use.</p>
<p>Here's the result: <a href="https://pics.chown.me/">https://pics.chown.me/</a> (with among other themes,
as of now, 229 pics of my delicious kitten <em>Jean Canard</em>).</p>Playing with the pine642017-10-19T10:20:00-04:002017-10-19T10:20:00-04:00Vigdistag:oldblog.chown.me,2017-10-19:/blog/playing-with-the-pine64.html<p>Some notes about how to get started with OpenBSD on the pine64</p><h2>Finding something to install on it</h2>
<p>6 weeks ago, I ordered two pine64 units. I didn't (and still don't)
have much plan for them, but I wanted to play with some cheap
boards. I finally received them this week. Initially I wanted to
install some Linux stuff on it, I didn't have much requirement so I
thought I would just look what seems to be easy and/or the best
supported systemd flavour. I headed over their
<a href="http://wiki.pine64.org/index.php/Pine_A64_Software_Release">wiki</a>. Everything
seems either not really maintained, done by some random people or
both. I am not saying random people do bad things, just that
installing some random things from the Internet is not really my cup
of tea.</p>
<p>I heard about <a href="https://www.armbian.com/pine64/">Armbian</a> but the
server flavour seems to be experimental so I got scared of it. And
sadly, the whole things looks like to be alot undermanned.</p>
<p>So I went for OpenBSD because I know the stuff and who to har^Wkindly
ask for help. Spoiler alert, it's boring because it just works.</p>
<h2>Getting OpenBSD on it</h2>
<p>I downloaded miniroot62.fs, dd'ed it on the micro SD card. I was
afraid I'd need to fiddle with some things like sysutils/dtb because I
don't know what I would have needed to do. That's because I don't know
what it does and for this precise reason I was wrong and I didn't need
to do anything. So just dd the miniroot62.fs and you can go to next
checkpoint.</p>
<p>I plugged an HDMI cable, ethernet cable and the power, it booted, I
could read for 10 seconds but then it got dark. Of course it's because
you need a serial console. Of course I didn't have one.</p>
<p>I thought about trying to install OpenBSD blindly, I could have
probably succeeded with autoinstall buuuuuut...</p>
<p>Following some good pieces of advice from OpenBSD people I bought some
cp2102 (I didn't try to understand what it was or what were the other
possibilities, I just wanted something that would work :D).</p>
<p>I looked how to plug the thing. It appears you can plug it on <a href="http://linux-sunxi.org/File:Pine64_UART0.jpg">two
different places</a> but
if you plug it on the <em>Euler bus</em> it could power a bit the board so if
you try to reboot it, it would then mess with the power disruption and
could lead a unclean reboot.</p>
<p>You just need to plug three cables: GND, TXD and RXD. Of course, the
TXD goes on the RXD pin from the picture and the RXD goes on the TXD
pin. Guess why I'm telling you that!</p>
<h2>That's it</h2>
<p>Then you can connect with the usual</p>
<div class="highlight"><pre><span></span>$ cu -dl /dev/cuaU0 -s <span class="m">115200</span>
</pre></div>
<p>You can now install it and the reboot it:</p>
<div class="highlight"><pre><span></span><span class="nl">INFO</span><span class="p">:</span> <span class="n">PSCI</span> <span class="n">Affinity</span> <span class="nl">Map</span><span class="p">:</span>
<span class="nl">INFO</span><span class="p">:</span> <span class="nl">AffInst</span><span class="p">:</span> <span class="n">Level</span> <span class="mi">0</span><span class="p">,</span> <span class="n">MPID</span> <span class="mh">0x0</span><span class="p">,</span> <span class="n">State</span> <span class="n">ON</span>
<span class="nl">INFO</span><span class="p">:</span> <span class="nl">AffInst</span><span class="p">:</span> <span class="n">Level</span> <span class="mi">0</span><span class="p">,</span> <span class="n">MPID</span> <span class="mh">0x1</span><span class="p">,</span> <span class="n">State</span> <span class="n">OFF</span>
<span class="nl">INFO</span><span class="p">:</span> <span class="nl">AffInst</span><span class="p">:</span> <span class="n">Level</span> <span class="mi">0</span><span class="p">,</span> <span class="n">MPID</span> <span class="mh">0x2</span><span class="p">,</span> <span class="n">State</span> <span class="n">OFF</span>
<span class="nl">INFO</span><span class="p">:</span> <span class="nl">AffInst</span><span class="p">:</span> <span class="n">Level</span> <span class="mi">0</span><span class="p">,</span> <span class="n">MPID</span> <span class="mh">0x3</span><span class="p">,</span> <span class="n">State</span> <span class="n">OFF</span>
<span class="n">U</span><span class="o">-</span><span class="n">Boot</span> <span class="n">SPL</span> <span class="mf">2017.09</span> <span class="p">(</span><span class="n">Sep</span> <span class="mi">13</span> <span class="mi">2017</span> <span class="o">-</span> <span class="mo">04</span><span class="o">:</span><span class="mi">48</span><span class="o">:</span><span class="mi">58</span><span class="p">)</span>
<span class="nl">DRAM</span><span class="p">:</span> <span class="mi">2048</span> <span class="n">MiB</span>
<span class="n">Trying</span> <span class="n">to</span> <span class="n">boot</span> <span class="n">from</span> <span class="n">MMC1</span>
<span class="nl">NOTICE</span><span class="p">:</span> <span class="n">BL3</span><span class="o">-</span><span class="mi">1</span><span class="o">:</span> <span class="n">Running</span> <span class="n">on</span> <span class="n">A64</span><span class="o">/</span><span class="n">H64</span> <span class="p">(</span><span class="mi">1689</span><span class="p">)</span> <span class="k">in</span> <span class="n">SRAM</span> <span class="n">A2</span> <span class="p">(</span><span class="mh">@0x44000</span><span class="p">)</span>
<span class="nl">NOTICE</span><span class="p">:</span> <span class="n">Configuring</span> <span class="n">SPC</span> <span class="n">Controller</span>
<span class="nl">NOTICE</span><span class="p">:</span> <span class="n">BL3</span><span class="o">-</span><span class="mi">1</span><span class="o">:</span> <span class="n">v1</span><span class="mf">.0</span><span class="p">(</span><span class="n">debug</span><span class="p">)</span><span class="o">:</span><span class="mi">20170702</span>
<span class="nl">NOTICE</span><span class="p">:</span> <span class="n">BL3</span><span class="o">-</span><span class="mi">1</span><span class="o">:</span> <span class="nl">Built</span> <span class="p">:</span> <span class="mo">04</span><span class="o">:</span><span class="mi">34</span><span class="o">:</span><span class="mi">32</span><span class="p">,</span> <span class="n">Sep</span> <span class="mi">13</span> <span class="mi">2017</span>
<span class="nl">NOTICE</span><span class="p">:</span> <span class="n">Configuring</span> <span class="n">AXP</span> <span class="n">PMIC</span>
<span class="nl">NOTICE</span><span class="p">:</span> <span class="nl">PMIC</span><span class="p">:</span> <span class="n">setup</span> <span class="n">successful</span>
<span class="nl">NOTICE</span><span class="p">:</span> <span class="nl">SCPI</span><span class="p">:</span> <span class="n">dummy</span> <span class="n">stub</span> <span class="n">handler</span><span class="p">,</span> <span class="n">implementation</span> <span class="nl">level</span><span class="p">:</span> <span class="mo">000000</span>
<span class="nl">INFO</span><span class="p">:</span> <span class="n">BL3</span><span class="o">-</span><span class="mi">1</span><span class="o">:</span> <span class="n">Initializing</span> <span class="n">runtime</span> <span class="n">services</span>
<span class="nl">INFO</span><span class="p">:</span> <span class="n">BL3</span><span class="o">-</span><span class="mi">1</span><span class="o">:</span> <span class="n">Preparing</span> <span class="k">for</span> <span class="n">EL3</span> <span class="n">exit</span> <span class="n">to</span> <span class="n">normal</span> <span class="n">world</span>
<span class="nl">INFO</span><span class="p">:</span> <span class="n">BL3</span><span class="o">-</span><span class="mi">1</span><span class="o">:</span> <span class="n">Next</span> <span class="n">image</span> <span class="nl">address</span><span class="p">:</span> <span class="mh">0x4a000000</span><span class="p">,</span> <span class="nl">SPSR</span><span class="p">:</span> <span class="mh">0x3c9</span>
<span class="n">U</span><span class="o">-</span><span class="n">Boot</span> <span class="mf">2017.09</span> <span class="p">(</span><span class="n">Sep</span> <span class="mi">13</span> <span class="mi">2017</span> <span class="o">-</span> <span class="mo">04</span><span class="o">:</span><span class="mi">48</span><span class="o">:</span><span class="mi">58</span> <span class="o">-</span><span class="mo">0600</span><span class="p">)</span> <span class="n">Allwinner</span> <span class="n">Technology</span>
<span class="nl">CPU</span><span class="p">:</span> <span class="n">Allwinner</span> <span class="n">A64</span> <span class="p">(</span><span class="n">SUN50I</span><span class="p">)</span>
<span class="nl">Model</span><span class="p">:</span> <span class="n">Pine64</span><span class="o">+</span>
<span class="nl">DRAM</span><span class="p">:</span> <span class="mi">2</span> <span class="n">GiB</span>
<span class="nl">MMC</span><span class="p">:</span> <span class="n">SUNXI</span> <span class="n">SD</span><span class="o">/</span><span class="nl">MMC</span><span class="p">:</span> <span class="mi">0</span>
<span class="o">***</span> <span class="n">Warning</span> <span class="o">-</span> <span class="n">bad</span> <span class="n">CRC</span><span class="p">,</span> <span class="n">using</span> <span class="k">default</span> <span class="n">environment</span>
<span class="nl">In</span><span class="p">:</span> <span class="n">serial</span>
<span class="nl">Out</span><span class="p">:</span> <span class="n">serial</span>
<span class="nl">Err</span><span class="p">:</span> <span class="n">serial</span>
<span class="nl">Net</span><span class="p">:</span> <span class="n">phy</span> <span class="n">interface7</span>
<span class="nl">eth0</span><span class="p">:</span> <span class="n">ethernet</span><span class="mo">@01</span><span class="n">c30000</span>
<span class="n">starting</span> <span class="n">USB</span><span class="p">...</span>
<span class="nl">USB0</span><span class="p">:</span> <span class="n">USB</span> <span class="n">EHCI</span> <span class="mf">1.00</span>
<span class="nl">USB1</span><span class="p">:</span> <span class="n">USB</span> <span class="n">OHCI</span> <span class="mf">1.0</span>
<span class="n">scanning</span> <span class="n">bus</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">devices</span><span class="p">...</span> <span class="mi">1</span> <span class="n">USB</span> <span class="n">Device</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="n">found</span>
<span class="n">scanning</span> <span class="n">usb</span> <span class="k">for</span> <span class="n">storage</span> <span class="n">devices</span><span class="p">...</span> <span class="mi">0</span> <span class="n">Storage</span> <span class="n">Device</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="n">found</span>
<span class="n">Hit</span> <span class="n">any</span> <span class="n">key</span> <span class="n">to</span> <span class="n">stop</span> <span class="nl">autoboot</span><span class="p">:</span> <span class="mi">0</span>
<span class="k">switch</span> <span class="n">to</span> <span class="n">partitions</span> <span class="err">#</span><span class="mi">0</span><span class="p">,</span> <span class="n">OK</span>
<span class="n">mmc0</span> <span class="n">is</span> <span class="n">current</span> <span class="n">device</span>
<span class="n">Scanning</span> <span class="n">mmc</span> <span class="mi">0</span><span class="o">:</span><span class="mf">1.</span><span class="p">..</span>
<span class="n">Found</span> <span class="n">EFI</span> <span class="n">removable</span> <span class="n">media</span> <span class="n">binary</span> <span class="n">efi</span><span class="o">/</span><span class="n">boot</span><span class="o">/</span><span class="n">bootaa64</span><span class="p">.</span><span class="n">efi</span>
<span class="n">reading</span> <span class="n">efi</span><span class="o">/</span><span class="n">boot</span><span class="o">/</span><span class="n">bootaa64</span><span class="p">.</span><span class="n">efi</span>
<span class="mi">78335</span> <span class="n">bytes</span> <span class="n">read</span> <span class="k">in</span> <span class="mi">36</span> <span class="n">ms</span> <span class="p">(</span><span class="mf">2.1</span> <span class="n">MiB</span><span class="o">/</span><span class="n">s</span><span class="p">)</span>
<span class="n">libfdt</span> <span class="n">fdt_check_header</span><span class="p">()</span><span class="o">:</span> <span class="n">FDT_ERR_BADMAGIC</span>
<span class="cp">## Starting EFI application at 40080000 ...</span>
<span class="n">Scanning</span> <span class="n">disks</span> <span class="n">on</span> <span class="n">usb</span><span class="p">...</span>
<span class="n">Scanning</span> <span class="n">disks</span> <span class="n">on</span> <span class="n">mmc</span><span class="p">...</span>
<span class="n">MMC</span> <span class="n">Device</span> <span class="mi">1</span> <span class="n">not</span> <span class="n">found</span>
<span class="n">MMC</span> <span class="n">Device</span> <span class="mi">2</span> <span class="n">not</span> <span class="n">found</span>
<span class="n">MMC</span> <span class="n">Device</span> <span class="mi">3</span> <span class="n">not</span> <span class="n">found</span>
<span class="n">Found</span> <span class="mi">5</span> <span class="n">disks</span>
<span class="o">>></span> <span class="n">OpenBSD</span><span class="o">/</span><span class="n">arm64</span> <span class="n">BOOTAA64</span> <span class="mf">0.8</span>
<span class="n">boot</span><span class="o">></span>
<span class="n">booting</span> <span class="nl">sd0a</span><span class="p">:</span><span class="o">/</span><span class="nl">bsd</span><span class="p">:</span> <span class="mi">3861360</span><span class="o">+</span><span class="mi">574928</span><span class="o">+</span><span class="mi">511472</span><span class="o">+</span><span class="mi">807968</span> <span class="p">[</span><span class="mi">285863</span><span class="o">+</span><span class="mi">96</span><span class="o">+</span><span class="mi">451944</span><span class="o">+</span><span class="mi">239980</span><span class="p">]</span><span class="o">=</span><span class="mh">0x831130</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0x40000000</span> <span class="n">va</span> <span class="mh">0x40000000</span> <span class="n">pages</span> <span class="mh">0x4000</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x7</span> <span class="n">pa</span> <span class="mh">0x44000000</span> <span class="n">va</span> <span class="mh">0x40000000</span> <span class="n">pages</span> <span class="mh">0x4000</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x4</span> <span class="n">pa</span> <span class="mh">0x48000000</span> <span class="n">va</span> <span class="mh">0x48000000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x7</span> <span class="n">pa</span> <span class="mh">0x48005000</span> <span class="n">va</span> <span class="mh">0x40000000</span> <span class="n">pages</span> <span class="mh">0x70832</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8837000</span> <span class="n">va</span> <span class="mh">0xb8837000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb883b000</span> <span class="n">va</span> <span class="mh">0xb883b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb883f000</span> <span class="n">va</span> <span class="mh">0xb883f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8843000</span> <span class="n">va</span> <span class="mh">0xb8843000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8847000</span> <span class="n">va</span> <span class="mh">0xb8847000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb884b000</span> <span class="n">va</span> <span class="mh">0xb884b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb884f000</span> <span class="n">va</span> <span class="mh">0xb884f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8853000</span> <span class="n">va</span> <span class="mh">0xb8853000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8857000</span> <span class="n">va</span> <span class="mh">0xb8857000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb885b000</span> <span class="n">va</span> <span class="mh">0xb885b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb885f000</span> <span class="n">va</span> <span class="mh">0xb885f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8863000</span> <span class="n">va</span> <span class="mh">0xb8863000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8867000</span> <span class="n">va</span> <span class="mh">0xb8867000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb886b000</span> <span class="n">va</span> <span class="mh">0xb886b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb886f000</span> <span class="n">va</span> <span class="mh">0xb886f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8873000</span> <span class="n">va</span> <span class="mh">0xb8873000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8877000</span> <span class="n">va</span> <span class="mh">0xb8877000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb887b000</span> <span class="n">va</span> <span class="mh">0xb887b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb887f000</span> <span class="n">va</span> <span class="mh">0xb887f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8883000</span> <span class="n">va</span> <span class="mh">0xb8883000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8887000</span> <span class="n">va</span> <span class="mh">0xb8887000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb888b000</span> <span class="n">va</span> <span class="mh">0xb888b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb888f000</span> <span class="n">va</span> <span class="mh">0xb888f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8893000</span> <span class="n">va</span> <span class="mh">0xb8893000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8897000</span> <span class="n">va</span> <span class="mh">0xb8897000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb889b000</span> <span class="n">va</span> <span class="mh">0xb889b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb889f000</span> <span class="n">va</span> <span class="mh">0xb889f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88a3000</span> <span class="n">va</span> <span class="mh">0xb88a3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88a7000</span> <span class="n">va</span> <span class="mh">0xb88a7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88ab000</span> <span class="n">va</span> <span class="mh">0xb88ab000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88af000</span> <span class="n">va</span> <span class="mh">0xb88af000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88b3000</span> <span class="n">va</span> <span class="mh">0xb88b3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88b7000</span> <span class="n">va</span> <span class="mh">0xb88b7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88bb000</span> <span class="n">va</span> <span class="mh">0xb88bb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88bf000</span> <span class="n">va</span> <span class="mh">0xb88bf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88c3000</span> <span class="n">va</span> <span class="mh">0xb88c3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88c7000</span> <span class="n">va</span> <span class="mh">0xb88c7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88cb000</span> <span class="n">va</span> <span class="mh">0xb88cb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88cf000</span> <span class="n">va</span> <span class="mh">0xb88cf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88d3000</span> <span class="n">va</span> <span class="mh">0xb88d3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88d7000</span> <span class="n">va</span> <span class="mh">0xb88d7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88db000</span> <span class="n">va</span> <span class="mh">0xb88db000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88df000</span> <span class="n">va</span> <span class="mh">0xb88df000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88e3000</span> <span class="n">va</span> <span class="mh">0xb88e3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88e7000</span> <span class="n">va</span> <span class="mh">0xb88e7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88eb000</span> <span class="n">va</span> <span class="mh">0xb88eb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88ef000</span> <span class="n">va</span> <span class="mh">0xb88ef000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88f3000</span> <span class="n">va</span> <span class="mh">0xb88f3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88f7000</span> <span class="n">va</span> <span class="mh">0xb88f7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88fb000</span> <span class="n">va</span> <span class="mh">0xb88fb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb88ff000</span> <span class="n">va</span> <span class="mh">0xb88ff000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8903000</span> <span class="n">va</span> <span class="mh">0xb8903000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8907000</span> <span class="n">va</span> <span class="mh">0xb8907000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb890b000</span> <span class="n">va</span> <span class="mh">0xb890b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb890f000</span> <span class="n">va</span> <span class="mh">0xb890f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8913000</span> <span class="n">va</span> <span class="mh">0xb8913000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8917000</span> <span class="n">va</span> <span class="mh">0xb8917000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb891b000</span> <span class="n">va</span> <span class="mh">0xb891b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb891f000</span> <span class="n">va</span> <span class="mh">0xb891f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8923000</span> <span class="n">va</span> <span class="mh">0xb8923000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8927000</span> <span class="n">va</span> <span class="mh">0xb8927000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb892b000</span> <span class="n">va</span> <span class="mh">0xb892b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb892f000</span> <span class="n">va</span> <span class="mh">0xb892f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8933000</span> <span class="n">va</span> <span class="mh">0xb8933000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8937000</span> <span class="n">va</span> <span class="mh">0xb8937000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb893b000</span> <span class="n">va</span> <span class="mh">0xb893b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb893f000</span> <span class="n">va</span> <span class="mh">0xb893f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8943000</span> <span class="n">va</span> <span class="mh">0xb8943000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8947000</span> <span class="n">va</span> <span class="mh">0xb8947000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb894b000</span> <span class="n">va</span> <span class="mh">0xb894b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb894f000</span> <span class="n">va</span> <span class="mh">0xb894f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8953000</span> <span class="n">va</span> <span class="mh">0xb8953000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8957000</span> <span class="n">va</span> <span class="mh">0xb8957000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb895b000</span> <span class="n">va</span> <span class="mh">0xb895b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb895f000</span> <span class="n">va</span> <span class="mh">0xb895f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8963000</span> <span class="n">va</span> <span class="mh">0xb8963000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8967000</span> <span class="n">va</span> <span class="mh">0xb8967000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb896b000</span> <span class="n">va</span> <span class="mh">0xb896b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb896f000</span> <span class="n">va</span> <span class="mh">0xb896f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8973000</span> <span class="n">va</span> <span class="mh">0xb8973000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8977000</span> <span class="n">va</span> <span class="mh">0xb8977000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb897b000</span> <span class="n">va</span> <span class="mh">0xb897b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb897f000</span> <span class="n">va</span> <span class="mh">0xb897f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8983000</span> <span class="n">va</span> <span class="mh">0xb8983000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8987000</span> <span class="n">va</span> <span class="mh">0xb8987000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb898b000</span> <span class="n">va</span> <span class="mh">0xb898b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb898f000</span> <span class="n">va</span> <span class="mh">0xb898f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8993000</span> <span class="n">va</span> <span class="mh">0xb8993000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8997000</span> <span class="n">va</span> <span class="mh">0xb8997000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb899b000</span> <span class="n">va</span> <span class="mh">0xb899b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb899f000</span> <span class="n">va</span> <span class="mh">0xb899f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89a3000</span> <span class="n">va</span> <span class="mh">0xb89a3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89a7000</span> <span class="n">va</span> <span class="mh">0xb89a7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89ab000</span> <span class="n">va</span> <span class="mh">0xb89ab000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89af000</span> <span class="n">va</span> <span class="mh">0xb89af000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89b3000</span> <span class="n">va</span> <span class="mh">0xb89b3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89b7000</span> <span class="n">va</span> <span class="mh">0xb89b7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89bb000</span> <span class="n">va</span> <span class="mh">0xb89bb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89bf000</span> <span class="n">va</span> <span class="mh">0xb89bf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89c3000</span> <span class="n">va</span> <span class="mh">0xb89c3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89c7000</span> <span class="n">va</span> <span class="mh">0xb89c7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89cb000</span> <span class="n">va</span> <span class="mh">0xb89cb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89cf000</span> <span class="n">va</span> <span class="mh">0xb89cf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89d3000</span> <span class="n">va</span> <span class="mh">0xb89d3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89d7000</span> <span class="n">va</span> <span class="mh">0xb89d7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89db000</span> <span class="n">va</span> <span class="mh">0xb89db000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89df000</span> <span class="n">va</span> <span class="mh">0xb89df000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89e3000</span> <span class="n">va</span> <span class="mh">0xb89e3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89e7000</span> <span class="n">va</span> <span class="mh">0xb89e7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89eb000</span> <span class="n">va</span> <span class="mh">0xb89eb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89ef000</span> <span class="n">va</span> <span class="mh">0xb89ef000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89f3000</span> <span class="n">va</span> <span class="mh">0xb89f3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89f7000</span> <span class="n">va</span> <span class="mh">0xb89f7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89fb000</span> <span class="n">va</span> <span class="mh">0xb89fb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb89ff000</span> <span class="n">va</span> <span class="mh">0xb89ff000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a03000</span> <span class="n">va</span> <span class="mh">0xb8a03000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a07000</span> <span class="n">va</span> <span class="mh">0xb8a07000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a0b000</span> <span class="n">va</span> <span class="mh">0xb8a0b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a0f000</span> <span class="n">va</span> <span class="mh">0xb8a0f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a13000</span> <span class="n">va</span> <span class="mh">0xb8a13000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a17000</span> <span class="n">va</span> <span class="mh">0xb8a17000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a1b000</span> <span class="n">va</span> <span class="mh">0xb8a1b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a1f000</span> <span class="n">va</span> <span class="mh">0xb8a1f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a23000</span> <span class="n">va</span> <span class="mh">0xb8a23000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a27000</span> <span class="n">va</span> <span class="mh">0xb8a27000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a2b000</span> <span class="n">va</span> <span class="mh">0xb8a2b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a2f000</span> <span class="n">va</span> <span class="mh">0xb8a2f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a33000</span> <span class="n">va</span> <span class="mh">0xb8a33000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a37000</span> <span class="n">va</span> <span class="mh">0xb8a37000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a3b000</span> <span class="n">va</span> <span class="mh">0xb8a3b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a3f000</span> <span class="n">va</span> <span class="mh">0xb8a3f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a43000</span> <span class="n">va</span> <span class="mh">0xb8a43000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a47000</span> <span class="n">va</span> <span class="mh">0xb8a47000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a4b000</span> <span class="n">va</span> <span class="mh">0xb8a4b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a4f000</span> <span class="n">va</span> <span class="mh">0xb8a4f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a53000</span> <span class="n">va</span> <span class="mh">0xb8a53000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a57000</span> <span class="n">va</span> <span class="mh">0xb8a57000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a5b000</span> <span class="n">va</span> <span class="mh">0xb8a5b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a5f000</span> <span class="n">va</span> <span class="mh">0xb8a5f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a63000</span> <span class="n">va</span> <span class="mh">0xb8a63000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a67000</span> <span class="n">va</span> <span class="mh">0xb8a67000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a6b000</span> <span class="n">va</span> <span class="mh">0xb8a6b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a6f000</span> <span class="n">va</span> <span class="mh">0xb8a6f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a73000</span> <span class="n">va</span> <span class="mh">0xb8a73000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a77000</span> <span class="n">va</span> <span class="mh">0xb8a77000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a7b000</span> <span class="n">va</span> <span class="mh">0xb8a7b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a7f000</span> <span class="n">va</span> <span class="mh">0xb8a7f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a83000</span> <span class="n">va</span> <span class="mh">0xb8a83000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a87000</span> <span class="n">va</span> <span class="mh">0xb8a87000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a8b000</span> <span class="n">va</span> <span class="mh">0xb8a8b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a8f000</span> <span class="n">va</span> <span class="mh">0xb8a8f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a93000</span> <span class="n">va</span> <span class="mh">0xb8a93000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a97000</span> <span class="n">va</span> <span class="mh">0xb8a97000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a9b000</span> <span class="n">va</span> <span class="mh">0xb8a9b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8a9f000</span> <span class="n">va</span> <span class="mh">0xb8a9f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8aa3000</span> <span class="n">va</span> <span class="mh">0xb8aa3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8aa7000</span> <span class="n">va</span> <span class="mh">0xb8aa7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8aab000</span> <span class="n">va</span> <span class="mh">0xb8aab000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8aaf000</span> <span class="n">va</span> <span class="mh">0xb8aaf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ab3000</span> <span class="n">va</span> <span class="mh">0xb8ab3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ab7000</span> <span class="n">va</span> <span class="mh">0xb8ab7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8abb000</span> <span class="n">va</span> <span class="mh">0xb8abb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8abf000</span> <span class="n">va</span> <span class="mh">0xb8abf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ac3000</span> <span class="n">va</span> <span class="mh">0xb8ac3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ac7000</span> <span class="n">va</span> <span class="mh">0xb8ac7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8acb000</span> <span class="n">va</span> <span class="mh">0xb8acb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8acf000</span> <span class="n">va</span> <span class="mh">0xb8acf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ad3000</span> <span class="n">va</span> <span class="mh">0xb8ad3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ad7000</span> <span class="n">va</span> <span class="mh">0xb8ad7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8adb000</span> <span class="n">va</span> <span class="mh">0xb8adb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8adf000</span> <span class="n">va</span> <span class="mh">0xb8adf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ae3000</span> <span class="n">va</span> <span class="mh">0xb8ae3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ae7000</span> <span class="n">va</span> <span class="mh">0xb8ae7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8aeb000</span> <span class="n">va</span> <span class="mh">0xb8aeb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8aef000</span> <span class="n">va</span> <span class="mh">0xb8aef000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8af3000</span> <span class="n">va</span> <span class="mh">0xb8af3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8af7000</span> <span class="n">va</span> <span class="mh">0xb8af7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8afb000</span> <span class="n">va</span> <span class="mh">0xb8afb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8aff000</span> <span class="n">va</span> <span class="mh">0xb8aff000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b03000</span> <span class="n">va</span> <span class="mh">0xb8b03000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b07000</span> <span class="n">va</span> <span class="mh">0xb8b07000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b0b000</span> <span class="n">va</span> <span class="mh">0xb8b0b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b0f000</span> <span class="n">va</span> <span class="mh">0xb8b0f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b13000</span> <span class="n">va</span> <span class="mh">0xb8b13000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b17000</span> <span class="n">va</span> <span class="mh">0xb8b17000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b1b000</span> <span class="n">va</span> <span class="mh">0xb8b1b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b1f000</span> <span class="n">va</span> <span class="mh">0xb8b1f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b23000</span> <span class="n">va</span> <span class="mh">0xb8b23000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b27000</span> <span class="n">va</span> <span class="mh">0xb8b27000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b2b000</span> <span class="n">va</span> <span class="mh">0xb8b2b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b2f000</span> <span class="n">va</span> <span class="mh">0xb8b2f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b33000</span> <span class="n">va</span> <span class="mh">0xb8b33000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b37000</span> <span class="n">va</span> <span class="mh">0xb8b37000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b3b000</span> <span class="n">va</span> <span class="mh">0xb8b3b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b3f000</span> <span class="n">va</span> <span class="mh">0xb8b3f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b43000</span> <span class="n">va</span> <span class="mh">0xb8b43000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b47000</span> <span class="n">va</span> <span class="mh">0xb8b47000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b4b000</span> <span class="n">va</span> <span class="mh">0xb8b4b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b4f000</span> <span class="n">va</span> <span class="mh">0xb8b4f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b53000</span> <span class="n">va</span> <span class="mh">0xb8b53000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b57000</span> <span class="n">va</span> <span class="mh">0xb8b57000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b5b000</span> <span class="n">va</span> <span class="mh">0xb8b5b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b5f000</span> <span class="n">va</span> <span class="mh">0xb8b5f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b63000</span> <span class="n">va</span> <span class="mh">0xb8b63000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b67000</span> <span class="n">va</span> <span class="mh">0xb8b67000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b6b000</span> <span class="n">va</span> <span class="mh">0xb8b6b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b6f000</span> <span class="n">va</span> <span class="mh">0xb8b6f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b73000</span> <span class="n">va</span> <span class="mh">0xb8b73000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b77000</span> <span class="n">va</span> <span class="mh">0xb8b77000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b7b000</span> <span class="n">va</span> <span class="mh">0xb8b7b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b7f000</span> <span class="n">va</span> <span class="mh">0xb8b7f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b83000</span> <span class="n">va</span> <span class="mh">0xb8b83000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b87000</span> <span class="n">va</span> <span class="mh">0xb8b87000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b8b000</span> <span class="n">va</span> <span class="mh">0xb8b8b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b8f000</span> <span class="n">va</span> <span class="mh">0xb8b8f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b93000</span> <span class="n">va</span> <span class="mh">0xb8b93000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b97000</span> <span class="n">va</span> <span class="mh">0xb8b97000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b9b000</span> <span class="n">va</span> <span class="mh">0xb8b9b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8b9f000</span> <span class="n">va</span> <span class="mh">0xb8b9f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ba3000</span> <span class="n">va</span> <span class="mh">0xb8ba3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ba7000</span> <span class="n">va</span> <span class="mh">0xb8ba7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bab000</span> <span class="n">va</span> <span class="mh">0xb8bab000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8baf000</span> <span class="n">va</span> <span class="mh">0xb8baf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bb3000</span> <span class="n">va</span> <span class="mh">0xb8bb3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bb7000</span> <span class="n">va</span> <span class="mh">0xb8bb7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bbb000</span> <span class="n">va</span> <span class="mh">0xb8bbb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bbf000</span> <span class="n">va</span> <span class="mh">0xb8bbf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bc3000</span> <span class="n">va</span> <span class="mh">0xb8bc3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bc7000</span> <span class="n">va</span> <span class="mh">0xb8bc7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bcb000</span> <span class="n">va</span> <span class="mh">0xb8bcb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bcf000</span> <span class="n">va</span> <span class="mh">0xb8bcf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bd3000</span> <span class="n">va</span> <span class="mh">0xb8bd3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bd7000</span> <span class="n">va</span> <span class="mh">0xb8bd7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bdb000</span> <span class="n">va</span> <span class="mh">0xb8bdb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bdf000</span> <span class="n">va</span> <span class="mh">0xb8bdf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8be3000</span> <span class="n">va</span> <span class="mh">0xb8be3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8be7000</span> <span class="n">va</span> <span class="mh">0xb8be7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8beb000</span> <span class="n">va</span> <span class="mh">0xb8beb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bef000</span> <span class="n">va</span> <span class="mh">0xb8bef000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bf3000</span> <span class="n">va</span> <span class="mh">0xb8bf3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bf7000</span> <span class="n">va</span> <span class="mh">0xb8bf7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bfb000</span> <span class="n">va</span> <span class="mh">0xb8bfb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8bff000</span> <span class="n">va</span> <span class="mh">0xb8bff000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c03000</span> <span class="n">va</span> <span class="mh">0xb8c03000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c07000</span> <span class="n">va</span> <span class="mh">0xb8c07000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c0b000</span> <span class="n">va</span> <span class="mh">0xb8c0b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c0f000</span> <span class="n">va</span> <span class="mh">0xb8c0f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c13000</span> <span class="n">va</span> <span class="mh">0xb8c13000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c17000</span> <span class="n">va</span> <span class="mh">0xb8c17000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c1b000</span> <span class="n">va</span> <span class="mh">0xb8c1b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c1f000</span> <span class="n">va</span> <span class="mh">0xb8c1f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c23000</span> <span class="n">va</span> <span class="mh">0xb8c23000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c27000</span> <span class="n">va</span> <span class="mh">0xb8c27000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c2b000</span> <span class="n">va</span> <span class="mh">0xb8c2b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c2f000</span> <span class="n">va</span> <span class="mh">0xb8c2f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c33000</span> <span class="n">va</span> <span class="mh">0xb8c33000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c37000</span> <span class="n">va</span> <span class="mh">0xb8c37000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c3b000</span> <span class="n">va</span> <span class="mh">0xb8c3b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c3f000</span> <span class="n">va</span> <span class="mh">0xb8c3f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c43000</span> <span class="n">va</span> <span class="mh">0xb8c43000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c47000</span> <span class="n">va</span> <span class="mh">0xb8c47000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c4b000</span> <span class="n">va</span> <span class="mh">0xb8c4b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c4f000</span> <span class="n">va</span> <span class="mh">0xb8c4f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c53000</span> <span class="n">va</span> <span class="mh">0xb8c53000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c57000</span> <span class="n">va</span> <span class="mh">0xb8c57000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c5b000</span> <span class="n">va</span> <span class="mh">0xb8c5b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c5f000</span> <span class="n">va</span> <span class="mh">0xb8c5f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c63000</span> <span class="n">va</span> <span class="mh">0xb8c63000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c67000</span> <span class="n">va</span> <span class="mh">0xb8c67000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c6b000</span> <span class="n">va</span> <span class="mh">0xb8c6b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c6f000</span> <span class="n">va</span> <span class="mh">0xb8c6f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c73000</span> <span class="n">va</span> <span class="mh">0xb8c73000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c77000</span> <span class="n">va</span> <span class="mh">0xb8c77000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c7b000</span> <span class="n">va</span> <span class="mh">0xb8c7b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c7f000</span> <span class="n">va</span> <span class="mh">0xb8c7f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c83000</span> <span class="n">va</span> <span class="mh">0xb8c83000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c87000</span> <span class="n">va</span> <span class="mh">0xb8c87000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c8b000</span> <span class="n">va</span> <span class="mh">0xb8c8b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c8f000</span> <span class="n">va</span> <span class="mh">0xb8c8f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c93000</span> <span class="n">va</span> <span class="mh">0xb8c93000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c97000</span> <span class="n">va</span> <span class="mh">0xb8c97000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c9b000</span> <span class="n">va</span> <span class="mh">0xb8c9b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8c9f000</span> <span class="n">va</span> <span class="mh">0xb8c9f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ca3000</span> <span class="n">va</span> <span class="mh">0xb8ca3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ca7000</span> <span class="n">va</span> <span class="mh">0xb8ca7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cab000</span> <span class="n">va</span> <span class="mh">0xb8cab000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8caf000</span> <span class="n">va</span> <span class="mh">0xb8caf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cb3000</span> <span class="n">va</span> <span class="mh">0xb8cb3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cb7000</span> <span class="n">va</span> <span class="mh">0xb8cb7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cbb000</span> <span class="n">va</span> <span class="mh">0xb8cbb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cbf000</span> <span class="n">va</span> <span class="mh">0xb8cbf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cc3000</span> <span class="n">va</span> <span class="mh">0xb8cc3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cc7000</span> <span class="n">va</span> <span class="mh">0xb8cc7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ccb000</span> <span class="n">va</span> <span class="mh">0xb8ccb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ccf000</span> <span class="n">va</span> <span class="mh">0xb8ccf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cd3000</span> <span class="n">va</span> <span class="mh">0xb8cd3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cd7000</span> <span class="n">va</span> <span class="mh">0xb8cd7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cdb000</span> <span class="n">va</span> <span class="mh">0xb8cdb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cdf000</span> <span class="n">va</span> <span class="mh">0xb8cdf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ce3000</span> <span class="n">va</span> <span class="mh">0xb8ce3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ce7000</span> <span class="n">va</span> <span class="mh">0xb8ce7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ceb000</span> <span class="n">va</span> <span class="mh">0xb8ceb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cef000</span> <span class="n">va</span> <span class="mh">0xb8cef000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cf3000</span> <span class="n">va</span> <span class="mh">0xb8cf3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cf7000</span> <span class="n">va</span> <span class="mh">0xb8cf7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cfb000</span> <span class="n">va</span> <span class="mh">0xb8cfb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8cff000</span> <span class="n">va</span> <span class="mh">0xb8cff000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d03000</span> <span class="n">va</span> <span class="mh">0xb8d03000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d07000</span> <span class="n">va</span> <span class="mh">0xb8d07000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d0b000</span> <span class="n">va</span> <span class="mh">0xb8d0b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d0f000</span> <span class="n">va</span> <span class="mh">0xb8d0f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d13000</span> <span class="n">va</span> <span class="mh">0xb8d13000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d17000</span> <span class="n">va</span> <span class="mh">0xb8d17000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d1b000</span> <span class="n">va</span> <span class="mh">0xb8d1b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d1f000</span> <span class="n">va</span> <span class="mh">0xb8d1f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d23000</span> <span class="n">va</span> <span class="mh">0xb8d23000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d27000</span> <span class="n">va</span> <span class="mh">0xb8d27000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d2b000</span> <span class="n">va</span> <span class="mh">0xb8d2b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d2f000</span> <span class="n">va</span> <span class="mh">0xb8d2f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d33000</span> <span class="n">va</span> <span class="mh">0xb8d33000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d37000</span> <span class="n">va</span> <span class="mh">0xb8d37000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d3b000</span> <span class="n">va</span> <span class="mh">0xb8d3b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d3f000</span> <span class="n">va</span> <span class="mh">0xb8d3f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d43000</span> <span class="n">va</span> <span class="mh">0xb8d43000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d47000</span> <span class="n">va</span> <span class="mh">0xb8d47000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d4b000</span> <span class="n">va</span> <span class="mh">0xb8d4b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d4f000</span> <span class="n">va</span> <span class="mh">0xb8d4f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d53000</span> <span class="n">va</span> <span class="mh">0xb8d53000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d57000</span> <span class="n">va</span> <span class="mh">0xb8d57000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d5b000</span> <span class="n">va</span> <span class="mh">0xb8d5b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d5f000</span> <span class="n">va</span> <span class="mh">0xb8d5f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d63000</span> <span class="n">va</span> <span class="mh">0xb8d63000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d67000</span> <span class="n">va</span> <span class="mh">0xb8d67000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d6b000</span> <span class="n">va</span> <span class="mh">0xb8d6b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d6f000</span> <span class="n">va</span> <span class="mh">0xb8d6f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d73000</span> <span class="n">va</span> <span class="mh">0xb8d73000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d77000</span> <span class="n">va</span> <span class="mh">0xb8d77000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d7b000</span> <span class="n">va</span> <span class="mh">0xb8d7b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d7f000</span> <span class="n">va</span> <span class="mh">0xb8d7f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d83000</span> <span class="n">va</span> <span class="mh">0xb8d83000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d87000</span> <span class="n">va</span> <span class="mh">0xb8d87000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d8b000</span> <span class="n">va</span> <span class="mh">0xb8d8b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d8f000</span> <span class="n">va</span> <span class="mh">0xb8d8f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d93000</span> <span class="n">va</span> <span class="mh">0xb8d93000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d97000</span> <span class="n">va</span> <span class="mh">0xb8d97000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d9b000</span> <span class="n">va</span> <span class="mh">0xb8d9b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8d9f000</span> <span class="n">va</span> <span class="mh">0xb8d9f000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8da3000</span> <span class="n">va</span> <span class="mh">0xb8da3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8da7000</span> <span class="n">va</span> <span class="mh">0xb8da7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dab000</span> <span class="n">va</span> <span class="mh">0xb8dab000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8daf000</span> <span class="n">va</span> <span class="mh">0xb8daf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8db3000</span> <span class="n">va</span> <span class="mh">0xb8db3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8db7000</span> <span class="n">va</span> <span class="mh">0xb8db7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dbb000</span> <span class="n">va</span> <span class="mh">0xb8dbb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dbf000</span> <span class="n">va</span> <span class="mh">0xb8dbf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dc3000</span> <span class="n">va</span> <span class="mh">0xb8dc3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dc7000</span> <span class="n">va</span> <span class="mh">0xb8dc7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dcb000</span> <span class="n">va</span> <span class="mh">0xb8dcb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dcf000</span> <span class="n">va</span> <span class="mh">0xb8dcf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dd3000</span> <span class="n">va</span> <span class="mh">0xb8dd3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dd7000</span> <span class="n">va</span> <span class="mh">0xb8dd7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ddb000</span> <span class="n">va</span> <span class="mh">0xb8ddb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8ddf000</span> <span class="n">va</span> <span class="mh">0xb8ddf000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8de3000</span> <span class="n">va</span> <span class="mh">0xb8de3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8de7000</span> <span class="n">va</span> <span class="mh">0xb8de7000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8deb000</span> <span class="n">va</span> <span class="mh">0xb8deb000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8def000</span> <span class="n">va</span> <span class="mh">0xb8def000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8df3000</span> <span class="n">va</span> <span class="mh">0xb8df3000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8df7000</span> <span class="n">va</span> <span class="mh">0xb8df7000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8df8000</span> <span class="n">va</span> <span class="mh">0xb8df8000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dfc000</span> <span class="n">va</span> <span class="mh">0xb8dfc000</span> <span class="n">pages</span> <span class="mh">0x2</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dfe000</span> <span class="n">va</span> <span class="mh">0xb8dfe000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8dff000</span> <span class="n">va</span> <span class="mh">0xb8dff000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e00000</span> <span class="n">va</span> <span class="mh">0xb8e00000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e01000</span> <span class="n">va</span> <span class="mh">0xb8e01000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e05000</span> <span class="n">va</span> <span class="mh">0xb8e05000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e06000</span> <span class="n">va</span> <span class="mh">0xb8e06000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e0a000</span> <span class="n">va</span> <span class="mh">0xb8e0a000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e0b000</span> <span class="n">va</span> <span class="mh">0xb8e0b000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e0f000</span> <span class="n">va</span> <span class="mh">0xb8e0f000</span> <span class="n">pages</span> <span class="mh">0x2</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e11000</span> <span class="n">va</span> <span class="mh">0xb8e11000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e12000</span> <span class="n">va</span> <span class="mh">0xb8e12000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e13000</span> <span class="n">va</span> <span class="mh">0xb8e13000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e14000</span> <span class="n">va</span> <span class="mh">0xb8e14000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e18000</span> <span class="n">va</span> <span class="mh">0xb8e18000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e19000</span> <span class="n">va</span> <span class="mh">0xb8e19000</span> <span class="n">pages</span> <span class="mh">0x4</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e1d000</span> <span class="n">va</span> <span class="mh">0xb8e1d000</span> <span class="n">pages</span> <span class="mh">0x2</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e1f000</span> <span class="n">va</span> <span class="mh">0xb8e1f000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e20000</span> <span class="n">va</span> <span class="mh">0xb8e20000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8e21000</span> <span class="n">va</span> <span class="mh">0xb8e21000</span> <span class="n">pages</span> <span class="mh">0x100</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x6</span> <span class="n">pa</span> <span class="mh">0xb8f21000</span> <span class="n">va</span> <span class="mh">0xb8f21000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8000000000000008</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8f22000</span> <span class="n">va</span> <span class="mh">0xb8f22000</span> <span class="n">pages</span> <span class="mh">0x13</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xb8f35000</span> <span class="n">va</span> <span class="mh">0xb8f35000</span> <span class="n">pages</span> <span class="mh">0x5085</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="n">type</span> <span class="mh">0x5</span> <span class="n">pa</span> <span class="mh">0xbdfba000</span> <span class="n">va</span> <span class="mh">0xbdfba000</span> <span class="n">pages</span> <span class="mh">0x1</span> <span class="n">attr</span> <span class="mh">0x8000000000000008</span>
<span class="n">type</span> <span class="mh">0x2</span> <span class="n">pa</span> <span class="mh">0xbdfbb000</span> <span class="n">va</span> <span class="mh">0xb8f35000</span> <span class="n">pages</span> <span class="mh">0x2045</span> <span class="n">attr</span> <span class="mh">0x8</span>
<span class="p">[</span> <span class="n">using</span> <span class="mi">978720</span> <span class="n">bytes</span> <span class="n">of</span> <span class="n">bsd</span> <span class="n">ELF</span> <span class="n">symbol</span> <span class="n">table</span> <span class="p">]</span>
<span class="n">Copyright</span> <span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="mi">1982</span><span class="p">,</span> <span class="mi">1986</span><span class="p">,</span> <span class="mi">1989</span><span class="p">,</span> <span class="mi">1991</span><span class="p">,</span> <span class="mi">1993</span>
<span class="n">The</span> <span class="n">Regents</span> <span class="n">of</span> <span class="n">the</span> <span class="n">University</span> <span class="n">of</span> <span class="n">California</span><span class="p">.</span> <span class="n">All</span> <span class="n">rights</span> <span class="n">reserved</span><span class="p">.</span>
<span class="n">Copyright</span> <span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="mi">1995</span><span class="o">-</span><span class="mi">2017</span> <span class="n">OpenBSD</span><span class="p">.</span> <span class="n">All</span> <span class="n">rights</span> <span class="n">reserved</span><span class="p">.</span> <span class="nl">https</span><span class="p">:</span><span class="c1">//www.OpenBSD.org</span>
<span class="n">OpenBSD</span> <span class="mf">6.2</span><span class="o">-</span><span class="n">current</span> <span class="p">(</span><span class="n">GENERIC</span><span class="p">)</span> <span class="err">#</span><span class="mi">47</span><span class="o">:</span> <span class="n">Wed</span> <span class="n">Oct</span> <span class="mi">18</span> <span class="mi">11</span><span class="o">:</span><span class="mi">56</span><span class="o">:</span><span class="mi">57</span> <span class="n">MDT</span> <span class="mi">2017</span>
<span class="n">deraadt</span><span class="p">@</span><span class="n">arm64</span><span class="p">.</span><span class="n">openbsd</span><span class="p">.</span><span class="nl">org</span><span class="p">:</span><span class="o">/</span><span class="n">usr</span><span class="o">/</span><span class="n">src</span><span class="o">/</span><span class="n">sys</span><span class="o">/</span><span class="n">arch</span><span class="o">/</span><span class="n">arm64</span><span class="o">/</span><span class="n">compile</span><span class="o">/</span><span class="n">GENERIC</span>
<span class="n">real</span> <span class="n">mem</span> <span class="o">=</span> <span class="mi">2021859328</span> <span class="p">(</span><span class="mi">1928</span><span class="n">MB</span><span class="p">)</span>
<span class="n">avail</span> <span class="n">mem</span> <span class="o">=</span> <span class="mi">1935818752</span> <span class="p">(</span><span class="mi">1846</span><span class="n">MB</span><span class="p">)</span>
<span class="n">mainbus0</span> <span class="n">at</span> <span class="nl">root</span><span class="p">:</span> <span class="n">Pine64</span><span class="o">+</span>
<span class="n">cpu0</span> <span class="n">at</span> <span class="nl">mainbus0</span><span class="p">:</span> <span class="n">ARM</span> <span class="n">Cortex</span><span class="o">-</span><span class="n">A53</span> <span class="n">r0p4</span>
<span class="n">psci0</span> <span class="n">at</span> <span class="n">mainbus0</span>
<span class="n">agtimer0</span> <span class="n">at</span> <span class="nl">mainbus0</span><span class="p">:</span> <span class="n">tick</span> <span class="n">rate</span> <span class="mi">24000</span> <span class="n">KHz</span>
<span class="n">simplebus0</span> <span class="n">at</span> <span class="nl">mainbus0</span><span class="p">:</span> <span class="s">"soc"</span>
<span class="n">sxiccmu0</span> <span class="n">at</span> <span class="n">simplebus0</span>
<span class="n">sxipio0</span> <span class="n">at</span> <span class="nl">simplebus0</span><span class="p">:</span> <span class="mi">103</span> <span class="n">pins</span>
<span class="n">sximmc0</span> <span class="n">at</span> <span class="n">simplebus0</span>
<span class="n">sdmmc0</span> <span class="n">at</span> <span class="nl">sximmc0</span><span class="p">:</span> <span class="mi">4</span><span class="o">-</span><span class="n">bit</span><span class="p">,</span> <span class="n">sd</span> <span class="n">high</span><span class="o">-</span><span class="n">speed</span><span class="p">,</span> <span class="n">mmc</span> <span class="n">high</span><span class="o">-</span><span class="n">speed</span><span class="p">,</span> <span class="n">dma</span>
<span class="n">ehci0</span> <span class="n">at</span> <span class="n">simplebus0</span>
<span class="n">usb0</span> <span class="n">at</span> <span class="nl">ehci0</span><span class="p">:</span> <span class="n">USB</span> <span class="n">revision</span> <span class="mf">2.0</span>
<span class="n">uhub0</span> <span class="n">at</span> <span class="n">usb0</span> <span class="n">configuration</span> <span class="mi">1</span> <span class="n">interface</span> <span class="mi">0</span> <span class="s">"Generic EHCI root hub"</span> <span class="n">rev</span> <span class="mf">2.00</span><span class="o">/</span><span class="mf">1.00</span> <span class="n">addr</span> <span class="mi">1</span>
<span class="n">com0</span> <span class="n">at</span> <span class="nl">simplebus0</span><span class="p">:</span> <span class="n">ns16550</span><span class="p">,</span> <span class="n">no</span> <span class="n">working</span> <span class="n">fifo</span>
<span class="nl">com0</span><span class="p">:</span> <span class="n">console</span>
<span class="n">ampintc0</span> <span class="n">at</span> <span class="n">simplebus0</span> <span class="n">nirq</span> <span class="mi">224</span><span class="p">,</span> <span class="n">ncpu</span> <span class="mi">4</span><span class="o">:</span> <span class="s">"interrupt-controller"</span>
<span class="n">sxirtc0</span> <span class="n">at</span> <span class="n">simplebus0</span>
<span class="n">dwxe0</span> <span class="n">at</span> <span class="nl">simplebus0</span><span class="p">:</span> <span class="n">address</span> <span class="mo">02</span><span class="o">:</span><span class="nl">ba</span><span class="p">:</span><span class="nl">b0</span><span class="p">:</span><span class="mi">1</span><span class="nl">b</span><span class="p">:</span><span class="nl">de</span><span class="p">:</span><span class="mi">88</span>
<span class="n">rgephy0</span> <span class="n">at</span> <span class="n">dwxe0</span> <span class="n">phy</span> <span class="mi">0</span><span class="o">:</span> <span class="n">RTL8169S</span><span class="o">/</span><span class="mi">8110</span><span class="n">S</span><span class="o">/</span><span class="mi">8211</span> <span class="n">PHY</span><span class="p">,</span> <span class="n">rev</span><span class="p">.</span> <span class="mi">5</span>
<span class="n">rgephy1</span> <span class="n">at</span> <span class="n">dwxe0</span> <span class="n">phy</span> <span class="mi">1</span><span class="o">:</span> <span class="n">RTL8169S</span><span class="o">/</span><span class="mi">8110</span><span class="n">S</span><span class="o">/</span><span class="mi">8211</span> <span class="n">PHY</span><span class="p">,</span> <span class="n">rev</span><span class="p">.</span> <span class="mi">5</span>
<span class="n">gpio0</span> <span class="n">at</span> <span class="nl">sxipio0</span><span class="p">:</span> <span class="mi">32</span> <span class="n">pins</span>
<span class="n">gpio1</span> <span class="n">at</span> <span class="nl">sxipio0</span><span class="p">:</span> <span class="mi">32</span> <span class="n">pins</span>
<span class="n">gpio2</span> <span class="n">at</span> <span class="nl">sxipio0</span><span class="p">:</span> <span class="mi">32</span> <span class="n">pins</span>
<span class="n">gpio3</span> <span class="n">at</span> <span class="nl">sxipio0</span><span class="p">:</span> <span class="mi">32</span> <span class="n">pins</span>
<span class="n">gpio4</span> <span class="n">at</span> <span class="nl">sxipio0</span><span class="p">:</span> <span class="mi">32</span> <span class="n">pins</span>
<span class="n">gpio5</span> <span class="n">at</span> <span class="nl">sxipio0</span><span class="p">:</span> <span class="mi">32</span> <span class="n">pins</span>
<span class="n">gpio6</span> <span class="n">at</span> <span class="nl">sxipio0</span><span class="p">:</span> <span class="mi">32</span> <span class="n">pins</span>
<span class="n">gpio7</span> <span class="n">at</span> <span class="nl">sxipio0</span><span class="p">:</span> <span class="mi">32</span> <span class="n">pins</span>
<span class="n">scsibus0</span> <span class="n">at</span> <span class="nl">sdmmc0</span><span class="p">:</span> <span class="mi">2</span> <span class="n">targets</span><span class="p">,</span> <span class="n">initiator</span> <span class="mi">0</span>
<span class="n">sd0</span> <span class="n">at</span> <span class="n">scsibus0</span> <span class="n">targ</span> <span class="mi">1</span> <span class="n">lun</span> <span class="mi">0</span><span class="o">:</span> <span class="o"><</span><span class="n">SD</span><span class="o">/</span><span class="n">MMC</span><span class="p">,</span> <span class="n">USD00</span><span class="p">,</span> <span class="mo">0010</span><span class="o">></span> <span class="n">SCSI2</span> <span class="mi">0</span><span class="o">/</span><span class="n">direct</span> <span class="n">removable</span>
<span class="nl">sd0</span><span class="p">:</span> <span class="mi">15080</span><span class="n">MB</span><span class="p">,</span> <span class="mi">512</span> <span class="n">bytes</span><span class="o">/</span><span class="n">sector</span><span class="p">,</span> <span class="mi">30883840</span> <span class="n">sectors</span>
<span class="n">vscsi0</span> <span class="n">at</span> <span class="n">root</span>
<span class="n">scsibus1</span> <span class="n">at</span> <span class="nl">vscsi0</span><span class="p">:</span> <span class="mi">256</span> <span class="n">targets</span>
<span class="n">softraid0</span> <span class="n">at</span> <span class="n">root</span>
<span class="n">scsibus2</span> <span class="n">at</span> <span class="nl">softraid0</span><span class="p">:</span> <span class="mi">256</span> <span class="n">targets</span>
<span class="nl">bootfile</span><span class="p">:</span> <span class="nl">sd0a</span><span class="p">:</span><span class="o">/</span><span class="n">bsd</span>
<span class="n">boot</span> <span class="nl">device</span><span class="p">:</span> <span class="n">sd0</span>
<span class="n">root</span> <span class="n">on</span> <span class="n">sd0a</span> <span class="p">(</span><span class="n">aad98897a9859bd0</span><span class="p">.</span><span class="n">a</span><span class="p">)</span> <span class="n">swap</span> <span class="n">on</span> <span class="n">sd0b</span> <span class="n">dump</span> <span class="n">on</span> <span class="n">sd0b</span>
<span class="n">Automatic</span> <span class="n">boot</span> <span class="k">in</span> <span class="nl">progress</span><span class="p">:</span> <span class="n">starting</span> <span class="n">file</span> <span class="n">system</span> <span class="n">checks</span><span class="p">.</span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sd0a</span> <span class="p">(</span><span class="n">aad98897a9859bd0</span><span class="p">.</span><span class="n">a</span><span class="p">)</span><span class="o">:</span> <span class="n">file</span> <span class="n">system</span> <span class="n">is</span> <span class="n">clean</span><span class="p">;</span> <span class="n">not</span> <span class="n">checking</span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sd0l</span> <span class="p">(</span><span class="n">aad98897a9859bd0</span><span class="p">.</span><span class="n">l</span><span class="p">)</span><span class="o">:</span> <span class="n">file</span> <span class="n">system</span> <span class="n">is</span> <span class="n">clean</span><span class="p">;</span> <span class="n">not</span> <span class="n">checking</span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sd0d</span> <span class="p">(</span><span class="n">aad98897a9859bd0</span><span class="p">.</span><span class="n">d</span><span class="p">)</span><span class="o">:</span> <span class="n">file</span> <span class="n">system</span> <span class="n">is</span> <span class="n">clean</span><span class="p">;</span> <span class="n">not</span> <span class="n">checking</span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sd0f</span> <span class="p">(</span><span class="n">aad98897a9859bd0</span><span class="p">.</span><span class="n">f</span><span class="p">)</span><span class="o">:</span> <span class="n">file</span> <span class="n">system</span> <span class="n">is</span> <span class="n">clean</span><span class="p">;</span> <span class="n">not</span> <span class="n">checking</span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sd0g</span> <span class="p">(</span><span class="n">aad98897a9859bd0</span><span class="p">.</span><span class="n">g</span><span class="p">)</span><span class="o">:</span> <span class="n">file</span> <span class="n">system</span> <span class="n">is</span> <span class="n">clean</span><span class="p">;</span> <span class="n">not</span> <span class="n">checking</span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sd0h</span> <span class="p">(</span><span class="n">aad98897a9859bd0</span><span class="p">.</span><span class="n">h</span><span class="p">)</span><span class="o">:</span> <span class="n">file</span> <span class="n">system</span> <span class="n">is</span> <span class="n">clean</span><span class="p">;</span> <span class="n">not</span> <span class="n">checking</span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sd0k</span> <span class="p">(</span><span class="n">aad98897a9859bd0</span><span class="p">.</span><span class="n">k</span><span class="p">)</span><span class="o">:</span> <span class="n">file</span> <span class="n">system</span> <span class="n">is</span> <span class="n">clean</span><span class="p">;</span> <span class="n">not</span> <span class="n">checking</span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sd0j</span> <span class="p">(</span><span class="n">aad98897a9859bd0</span><span class="p">.</span><span class="n">j</span><span class="p">)</span><span class="o">:</span> <span class="n">file</span> <span class="n">system</span> <span class="n">is</span> <span class="n">clean</span><span class="p">;</span> <span class="n">not</span> <span class="n">checking</span>
<span class="o">/</span><span class="n">dev</span><span class="o">/</span><span class="n">sd0e</span> <span class="p">(</span><span class="n">aad98897a9859bd0</span><span class="p">.</span><span class="n">e</span><span class="p">)</span><span class="o">:</span> <span class="n">file</span> <span class="n">system</span> <span class="n">is</span> <span class="n">clean</span><span class="p">;</span> <span class="n">not</span> <span class="n">checking</span>
<span class="n">setting</span> <span class="n">tty</span> <span class="n">flags</span>
<span class="n">pf</span> <span class="n">enabled</span>
<span class="n">starting</span> <span class="n">network</span>
<span class="nl">dwxe0</span><span class="p">:</span> <span class="n">DHCPREQUEST</span> <span class="n">to</span> <span class="mf">255.255.255.255</span>
<span class="nl">dwxe0</span><span class="p">:</span> <span class="n">DHCPNACK</span> <span class="n">from</span> <span class="mf">10.20.20.254</span> <span class="p">(</span><span class="mo">00</span><span class="o">:</span><span class="mi">0</span><span class="nl">d</span><span class="p">:</span><span class="nl">b9</span><span class="p">:</span><span class="mi">43</span><span class="o">:</span><span class="mf">9f</span><span class="o">:</span><span class="n">fc</span><span class="p">)</span>
<span class="nl">dwxe0</span><span class="p">:</span> <span class="n">DHCPDISCOVER</span> <span class="o">-</span> <span class="n">interval</span> <span class="mi">1</span>
<span class="nl">dwxe0</span><span class="p">:</span> <span class="n">DHCPOFFER</span> <span class="n">from</span> <span class="mf">10.20.20.254</span> <span class="p">(</span><span class="mo">00</span><span class="o">:</span><span class="mi">0</span><span class="nl">d</span><span class="p">:</span><span class="nl">b9</span><span class="p">:</span><span class="mi">43</span><span class="o">:</span><span class="mf">9f</span><span class="o">:</span><span class="n">fc</span><span class="p">)</span>
<span class="nl">dwxe0</span><span class="p">:</span> <span class="n">DHCPREQUEST</span> <span class="n">to</span> <span class="mf">255.255.255.255</span>
<span class="nl">dwxe0</span><span class="p">:</span> <span class="n">DHCPACK</span> <span class="n">from</span> <span class="mf">10.20.20.254</span> <span class="p">(</span><span class="mo">00</span><span class="o">:</span><span class="mi">0</span><span class="nl">d</span><span class="p">:</span><span class="nl">b9</span><span class="p">:</span><span class="mi">43</span><span class="o">:</span><span class="mf">9f</span><span class="o">:</span><span class="n">fc</span><span class="p">)</span>
<span class="nl">dwxe0</span><span class="p">:</span> <span class="n">bound</span> <span class="n">to</span> <span class="mf">10.20.20.15</span> <span class="o">--</span> <span class="n">renewal</span> <span class="k">in</span> <span class="mi">21600</span> <span class="n">seconds</span>
<span class="n">reordering</span> <span class="nl">libraries</span><span class="p">:</span> <span class="n">done</span><span class="p">.</span>
<span class="nl">openssl</span><span class="p">:</span> <span class="n">generating</span> <span class="n">isakmpd</span><span class="o">/</span><span class="n">iked</span> <span class="n">RSA</span> <span class="n">keys</span><span class="p">...</span> <span class="n">done</span><span class="p">.</span>
<span class="n">ssh</span><span class="o">-</span><span class="nl">keygen</span><span class="p">:</span> <span class="n">generating</span> <span class="n">new</span> <span class="n">host</span> <span class="nl">keys</span><span class="p">:</span> <span class="n">RSA</span> <span class="n">DSA</span> <span class="n">ECDSA</span> <span class="n">ED25519</span>
<span class="n">starting</span> <span class="n">early</span> <span class="nl">daemons</span><span class="p">:</span> <span class="n">syslogd</span> <span class="n">pflogd</span> <span class="n">ntpd</span><span class="p">.</span>
<span class="n">starting</span> <span class="n">RPC</span> <span class="nl">daemons</span><span class="p">:.</span>
<span class="nl">savecore</span><span class="p">:</span> <span class="n">no</span> <span class="n">core</span> <span class="n">dump</span>
<span class="n">checking</span> <span class="nl">quotas</span><span class="p">:</span> <span class="n">done</span><span class="p">.</span>
<span class="n">clearing</span> <span class="o">/</span><span class="n">tmp</span>
<span class="n">kern</span><span class="p">.</span><span class="nl">securelevel</span><span class="p">:</span> <span class="mi">0</span> <span class="o">-></span> <span class="mi">1</span>
<span class="n">creating</span> <span class="n">runtime</span> <span class="n">link</span> <span class="n">editor</span> <span class="n">directory</span> <span class="n">cache</span><span class="p">.</span>
<span class="n">preserving</span> <span class="n">editor</span> <span class="n">files</span><span class="p">.</span>
<span class="n">starting</span> <span class="n">network</span> <span class="nl">daemons</span><span class="p">:</span> <span class="n">sshd</span> <span class="n">smtpd</span> <span class="n">sndiod</span><span class="p">.</span>
<span class="n">running</span> <span class="n">rc</span><span class="p">.</span><span class="n">firsttime</span>
<span class="n">Path</span> <span class="n">to</span> <span class="nl">firmware</span><span class="p">:</span> <span class="nl">http</span><span class="p">:</span><span class="c1">//firmware.openbsd.org/firmware/snapshots/</span>
<span class="n">No</span> <span class="n">devices</span> <span class="n">found</span> <span class="n">which</span> <span class="n">need</span> <span class="n">firmware</span> <span class="n">files</span> <span class="n">to</span> <span class="n">be</span> <span class="n">downloaded</span><span class="p">.</span>
<span class="n">starting</span> <span class="n">local</span> <span class="nl">daemons</span><span class="p">:</span> <span class="n">cron</span><span class="p">.</span>
<span class="n">Wed</span> <span class="n">Oct</span> <span class="mi">18</span> <span class="mi">17</span><span class="o">:</span><span class="mi">52</span><span class="o">:</span><span class="mi">37</span> <span class="n">MDT</span> <span class="mi">2017</span>
<span class="n">OpenBSD</span><span class="o">/</span><span class="n">arm64</span> <span class="p">(</span><span class="n">alpaga</span><span class="p">.</span><span class="n">chown</span><span class="p">.</span><span class="n">me</span><span class="p">)</span> <span class="p">(</span><span class="n">console</span><span class="p">)</span>
<span class="nl">login</span><span class="p">:</span>
</pre></div>
<p>And now, I just have to wait for
<a href="https://chown.me/iota/pics/IMG_0675.JPG">Jean Canard</a> to destroy the
whole thing.</p>Hackathon report - t2k172017-08-21T10:20:00-04:002017-08-21T10:20:00-04:00Vigdistag:oldblog.chown.me,2017-08-21:/blog/t2k17.html<p>I slacked so much that even <a href="https://portroach.openbsd.org/">portroach</a> stopped mailing the outdated ports I maintained as it noticed how pointless it was :-)</p><p>I also wrote <a href="http://undeadly.org/cgi?action=article&sid=20170821231153">a shorter and less personal report on undeadly</a>, feel free
to read it rather than this one if you don't want to know about other things than
the hackathon.</p>
<p>August was a busy month events-wise. I had the visit of coworkers who
work in France, because <a href="https://debconf17.debconf.org/">this year's Debconf</a> took place here, in Montreal.</p>
<p>After a week of fun activities,
<a href="https://twitter.com/Vigdis_/status/894318053093146624">I went to debconf</a>
with them.
<a href="https://twitter.com/Vigdis_/status/893877976235991042">With my badge</a>,
people noticed I liked OpenBSD and during the 'Wine and Cheese' event,
someone came to me to talk about OpenBSD. In fact he was
<a href="https://qa.debian.org/developer.php?login=sf">sf@debian.org</a> who is also
<a href="https://v4.freshbsd.org/search?committer=sf&project=openbsd">sf@openbsd.org</a>. I
was very surprised to meet another OpenBSD developer at debconf!</p>
<p>I finally left debconf on Tuesday evening because I had to take the
train on Wednesday morning with mpi@ to go to Toronto. In the train I
was slacking on the Internet when I noticed mpi@ was already hacking
with his $EDITOR. I felt guilty so I began to update
graphics/pqiv. Fortunately, jca@ was already in the hackroom so he was
available to help/review. It was cool to begin with that port because
it's a very simple port and I had to learn about the new COMPILER
variable, thus I could easily focus just on that.</p>
<p>I also took the opportunity of the train journey to ask mpi@ questions
about networking stuff which leaded to more things I want to dig in.</p>
<p>Once I arrived in the hackroom, I committed a duplicity update I had
in my tree for a long time. I also looked at a submission on ports@
which needed some help because of libressl vs openssl and once I
received some ok I put it in the tree.</p>
<p>Over the last few weeks I've been looking at porting some OpenBGPD
check for nagios-like monitoring system to improve my <a href="https://evolix.ca/">dayjob</a>'s
monitoring system. I realized then that I didn't even check what we
already had in the ports tree. We had a check that I quickly tested
and it appeared to be broken. afresh1@, who is the check maintainer
and upstream hadn't arrived yet, I asked other developers that I know
they run BGPd in production what they use. I got to know about how
they did their monitoring which was pretty interesting!</p>
<p>To look at something else than the ports tree, I began to look at
updating xkeyboard-config which is one of the tool used by xenocara. I
already did the last update but at the time I didn't notice we had
some local patches so I wanted to do it more carefully this time. I
had some troubles doing this update so I took care of writing some
notes about how I did it so next time should be easier.</p>
<p>Finally afresh1@ arrived and I told him about the bgpd check problem
and in fact he had fixed it two years ago but forgot to update the
port. He quickly committed an update to close the case.</p>
<p>One thing I wanted to do during this hackathon was updating
haproxy. A few months ago when they release the latest branch, I
didn't succeed to update our port to it because of libressl vs
openssl. It wasn't such a big deal because old-stable branch was still
supported. After waiting 9 months, I just grabbed
<a href="https://github.com/trueos/freebsd-ports/blob/3745ead2e0f43985c3647e1e3aecae2751decfda/net/haproxy/files/patch-src_ssl__sock.c">the patch Bernard Spil did for TrueOS</a>
and it just worked so I was really happy!</p>
<p>In addition of that, I updated the other ports I maintained and I
finally reached a state where all the ports I maintained were up to
date \o/</p>
<p>To sum up, I did everything I wanted during this hackaton, with more
ease than I thought. I had the opportunity to have really interesting
discussions with a lot of other developers (during <a href="https://twitter.com/Vigdis_/status/895794041450897408">our social event</a> but not only). Thanks a lot to the
University of Toronto for hosting us (in a
<a href="https://twitter.com/Vigdis_/status/896356797988167681">very nice part of the city</a>
and krw@ for organizing!</p>My recent journey with 2FA2017-02-26T10:20:00-05:002017-02-26T10:20:00-05:00Vigdistag:oldblog.chown.me,2017-02-26:/blog/my-recent-journey-with-2FA.html<p>I recently begin to increase my use of 2FA so here's my report about it.</p><h2>2FA</h2>
<p>Of course by 2FA I mean
<a href="https://en.wikipedia.org/wiki/Multi-factor_authentication">two-factor authentication</a>.</p>
<p>I've been using that for a long time for ssh with
<a href="./yubikey-en.html">my yubikey on OpenBSD</a> but I've never enabled 2FA
on the online services I use. The main reason for not doing it before was
that I thought that my phone had to play a central role (which in fact
is not much the case). While it's the most critical device I have, my
phone is the device I trust the least.</p>
<p>However, yesterday I saw a comment on lobste.rs asking about
<a href="https://lobste.rs/s/1cyltz/two_factor_authentication_now_available/comments/a9xvvg#c_a9xvvg">how to use TOTP on OpenBSD</a>.
In addition to that, I guess seeing
<a href="https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/">what happened to cloudflare</a>
and everything what's happening if you want to cross the US border
made me more interested in 2FA than before.</p>
<p>So I began to look into how it works.</p>
<h2>How it works</h2>
<p>The concept of 2FA is that you may lose your password (or your ssh
key) and in that case the person who takes control of it can
successfully impersonate you. The goal is that a login system will
require something else to verify that it's really you.</p>
<p>One way to achieve this is to use SMS but that sucks: <a href="http://www.baltimoresun.com/features/baltimore-insider-blog/bal-black-lives-matter-activist-deray-mckesson-s-twitter-hacked-friday-morning-20160610-story.html">circumventing it
is not even restricted to Nation State Actors</a>.</p>
<p>Another can be something biometric but then users need to access to a
scanner which is quite impractical in every day life. Even if iPhones
have a fingerprint reader, it's not usable by third parties.</p>
<p>It must be something that keeps changing otherwise it's both
subject to replay attack and it's just another password.</p>
<p>Here comes the OTP.</p>
<h2>One Time Password</h2>
<p>One Time Password was defined in
<a href="https://tools.ietf.org/html/rfc2289">RFC2289</a> (which is quite old:
February 1998). Then they made HOTP (H is for <em>HMAC-Based</em>) in
<a href="https://tools.ietf.org/html/rfc4226">RFC4226</a> and finally the TOTP (T
is for <em>Time-Based</em>) in <a href="https://tools.ietf.org/html/rfc6238">RFC</a>
which is an extension of the HOTP to support the time-based moving
factor.</p>
<p>To understand in more details you can either read in the RFC4226
<a href="https://tools.ietf.org/html/rfc4226#page-7">5.4. Example of HOTP Computation for Digit = 6</a>
and then the short RFC6238 or you can just read this <a href="https://pthree.org/2014/04/15/time-based-one-time-passwords-how-it-works/">random blog
article on the Internet which explains clearly the same thing</a>.</p>
<h3>tl;dr</h3>
<p>There's a secret shared and then you compute the HMAC-SHA1 of the
shared secret and epoch.</p>
<h3>Wait, did you just say sha1?!?1?</h3>
<p>Even if there's now a sha1 collision, it's not really a problem. To
quote Schneier: "[collision] pretty much puts a bullet into
SHA-1 as a hash function for digital signatures (although it doesn't
affect applications such as HMAC where collisions aren't important)."
(<a href="https://www.schneier.com/blog/archives/2005/02/sha1_broken.html">source</a>)</p>
<p>And for a more complete answer, see this
<a href="http://crypto.stackexchange.com/questions/26510/why-is-hmac-sha1-still-considered-secure">answer</a>.</p>
<h2>How to use it</h2>
<h3>Don't be locked out</h3>
<p>I wanted to use my phone (something distinct that my computer to
compartment things a bit). Obviously the goal is to secure your
account without losing it so that means that losing your phone
shouldn't prevent you to retrieve access to your accounts. Unusable
security is unusable.</p>
<p>If you read about 2FA, you'll see that some services that provide it,
give you some backup code to not to be locked out. But I don't want to
locked out from services don't provide backup codes either.</p>
<p>So my phone must not be a single point of failure.</p>
<p>We saw earlier that {T,H}OTP are based on a shared secret so let's
backup it.</p>
<h3>Backuping shared secrets and backup codes</h3>
<p>For my regular passwords, I use keepassx which is shared/backuped across my
different computers. I created another database to store those. Of
course you shouldn't use the same database to keep your passwords and the
other secrets in case of you leak one of the two database's password.</p>
<h3>Clients</h3>
<h4>Android phone</h4>
<p>Now that I'm ready to activate 2FA, let's see how to use it. The plan
is to use my android phone. On the
<a href="https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm">Time-based One-time Password Algorithm Wikipedia page</a>
there was a list of clients but sadly it was deleted.
You can still find it
<a href="https://en.wikipedia.org/w/index.php?title=Time-based_One-time_Password_Algorithm&oldid=724156353#Client_implementations">in the history</a>.</p>
<p>I wanted a FOSS application and Google Authenticator is now closed
source so I went with FreeOTP which is not completely dead compared to
others (but it's not thriving either), so far it works good.</p>
<h4>OpenBSD</h4>
<p>In the case I don't have a phone, I still want to be able to
log in my different accounts. In the lobste.rs' link that I gave at the
beginning of this article, someone mentioned oath-toolkit which works
very easily:</p>
<div class="highlight"><pre><span></span>$ oathtool --totp -b deafcafe
<span class="m">405723</span>
</pre></div>
<p>(with deafcafe being the shared secret).</p>
<h2>Activating it</h2>
<p>Now that we're ready to use it, let's do it. So where to activate
it? Actually, there's <a href="https://twofactorauth.org/">a cool site</a> that
lists services that provide or not (and then you can shame them on
twitter) 2FA with a link to the service's documentation.</p>
<h3>My Feedback</h3>
<p>So far I activated 2FA on about half a dozen of website. The first one was
the <a href="https://www.ripe.net/">RIPE NCC</a> (if you don't want people to
steal your precious IP addresses and/or your atlas credit) and it was
actually a good one to try it.</p>
<p>To activate it usually the website gives you a qrcode which is in fact
just a URL looking like:</p>
<div class="highlight"><pre><span></span>otpauth://totp/Example:foo@example.com?secret=DEAFCAFE&issuer=Example
</pre></div>
<p>which is fine for my phone but sadly my eyes can't decode qrcode and I
need the shared secret to put it my keepassx. Most of the time
websites gives you by default the qrcode but also gives you the
possibility to access the shared secret.</p>
<p>For now, everything works fine, I use my phone to unlock my different
accounts and if anything happens to it, I can just unlock my second
keepassx database and use oathtool (or use a backup code) to get my
account back.</p>Voir Morlaix et mourir2017-02-19T10:20:00-05:002017-02-19T10:20:00-05:00Vigdistag:oldblog.chown.me,2017-02-19:/blog/voir-Morlaix-et-mourir.html<p>The fuck who knows</p><p>Cet article est écrit le 22/11/16, je viens de quitter Rennes, je suis
dans le TGV pour Paris. Cet article est dans la catérogie Mylife, et
il est possible que tu le trouves ennuyeux. Si tu veux plutôt de
l'action clique <a href="https://gfycat.com/WellgroomedFatalBrontosaurus">ici</a>.</p>
<h2>2015</h2>
<p>Je suis à Rouen. J'ai envie de partir à l'étranger, voir si l'herbe
est plus verte ailleurs. J'ai même trouvé une offre d'emploi (à
Amsterdam) et l'offre parle même d'OpenBSD. Je ne postule pas, mais je
regarde de temps en temps si l'offre est toujours là.</p>
<p>Peu après je vais au Jardin Entropique (fin juin 2015, Rennes). J'y
rencontre une délicieuse jeune femme. On tombe amoureux l'un de
l'autre. Partir à l'étranger serait la quitter. Such nope.</p>
<p>Je vais donc m'installer à Rennes pour me rapprocher d'elle et parce
que Rennes a l'air d'être une chouette ville. Je trouve assez
facilement un taf. Tout va bien.</p>
<h2>Fast forward.</h2>
<p>Les prises de tête ont pris la place des papillons dans le ventre. La
séparation arrive doucement comme la seule issue possible.</p>
<p>L'idée de partir à l'étranger n'a jamais vraiment disparu. Quelques
mois avant, à un <a href="http://actux.eu.org/apero-du-libre/">apéro du libre</a>,
<a href="https://twitter.com/AmarOk1412">AmarOk</a> m'annonce qu'il part
au Canada, j'imagine que cela a beaucoup joué inconsciemment. Fun
fact, c'est ce même AmarOk qui m'a hébergé quand je suis allé au
Jardin Entropique.</p>
<p>J'aime Rennes, c'est une ville cool mais j'ai pas plus d'attache que
ça. J'envisage à nouveau de partir à l'étranger. Cette fois, l'Europe
ne me dit plus trop. Je me dis pourquoi pas le Canada.</p>
<p>En plus d'être un male, blanc, cis genre, hétéro, potent et ayant un
diplôme d'ingé en info, la vie n'est pas trop difficile. Mais en plus
j'ai la nationalité Canadienne (bien que je n'y sois jamais allé).</p>
<p>Point de visa, de PVT, de je ne sais quoi.</p>
<p>Je me pose quand même des questions, "est ce que je peux vraiment y
aller ?" "est ce qu'il ne me faut pas des papiers quand même ?" en
plus de mon passeport etc. Bien évidemment qui se pose ce genre de
question ? Du coup le site de l'immigration n'a bien évidemment pas de
réponse pour moi.</p>
<p>Je me dis que si j'allais à l'étranger et que j'y rencontrais
quelqu'un qui me dit "je suis d'ici, mais j'ai la nationalité
Française, tu crois que je peux venir travailler en France ?", ma
réaction serait "t'es con ? bah oui, c'est bon".</p>
<h2>Let's fucking do it.</h2>
<p>De toute façon mes préavis pour le taf et pour mon appartement (dont
soit dit en passant, j'étais totalement fan) sont donnés. Je n'ai donc
plus qu'à tenter ma chance au Canada.</p>
<h2>Et c'est le drame</h2>
<p>Tout doucement, je commence à faire du tri, virer les affaires dont je
n'ai plus besoin. Un jour, j'ouvre un placard pour regarder ce que
j'ai dans ma cuisine (dans l'optique de savoir ce que je vais devoir
jeter etc). Et là gros pincement au coeur. Me dire que tout ça va
prendre fin m'attriste fortement.</p>
<h3>Mes affaires chéries</h3>
<p>Je vends deux choses dont je sais consciemment que je les aime, ma
<a href="https://twitter.com/Vigdis_/status/627153939771838465">machine</a> à
<a href="https://twitter.com/Vigdis_/status/795698555726000128">écrire</a> et mon
<a href="https://twitter.com/Vigdis_/status/696614633730400256">single</a>
<a href="https://twitter.com/Vigdis_/status/799994595161600000">speed</a>.</p>
<p>Sauf qu'en fait, c'est tout mon cadre dont je ne pensais pas tellement
être attaché auquel je le suis pourtant.</p>
<p>Je vends aussi ma tour. Je l'ai eu à Noël quand j'étais en classe de
seconde. Bien qu'elle a subi plusieurs changements internes, c'est
toujours "ma tour" puisque le boitier n'a pas changé. Une fois en
faisant des trucs, je me dis que ça fait longtemps que je n'ai pas
joué à CSS (ça tourne bien sur lolbuntu et ça me détend). Et non. Je
n'ai plus la possibilité de jouer à CSS puisque je n'ai plus ma tour.</p>
<h3>Ce qui rentre dans les valises.</h3>
<p>Peu de temps avant de faire mes valises, je contemple toutes* mes
affaires. Plein de trucs que je ne pense pas prendre. Puis au fur et à
mesure, je réfléchis, je me dis que tel ou tel truc peut être utile là
bas. Voir même que ça serait bien que je les prenne. J'arrive à me
convaincre qu'il faut que je les prenne.</p>
<p>*ou pas....</p>
<p>Puis arrive le temps des valises, et là tu vois qu'en fait il y a
plein d'autres affaires. Et que tout ne va pas du tout
rentrer. <em>Vigdis, le spécialiste de l'ascenseur émotionnel.</em></p>
<p>Enfin, tu te rends compte que tu as tellement plus de place, que même
ton gel douche et ton shampoing, ça sera plus simple d'en toper ici et
là jusqu'à ce que tu ais de nouveau un «chez moi».</p>
<p>Je suis toujours dans mon train. Et la seule chose dont vers laquelle
je me dirige est l'incertitude.</p>Hackathon report - b2k162016-11-12T10:20:00-05:002016-11-12T10:20:00-05:00Vigdistag:oldblog.chown.me,2016-11-12:/blog/b2k16.html<p>I just assisted to b2k16, here's my report</p><h2>tl;dr</h2>
<p>This post is quite long, I wrote <a href="http://undeadly.org/cgi?action=article&sid=20161112141429">another report much shorter for
undeadly</a>
so pick the one you prefer.</p>
<h2>Setuptools</h2>
<p>For me hacking stuff began a bit earlier. In september I sent a diff
to update py-setuptools, it even got in a bulk but the update was
discussed a bit slowly so it never hit the tree. py-setuptools is the
package used to create most of python packages. Currently 635 ports have
py-setuptools as a build depends. Serious sh^Htuff.</p>
<p>So, on the week before going to Budapest, I took another shot at
updating this port. naddy@ kindly put my diff in a bulk. Two ports
got their py3 flavors broken. In their py3 flavor, for these two ports
the .so now would have an abi tag. Fixing them was very simple though
it took me quite a long time (compared to how simple the fix was) to
understand the proposal by sthen@. I hope I'll do better next time...</p>
<p>The update diff and fixes were committed on saturday evening, that was
a good appetizer!</p>
<h2>In Paris</h2>
<p>On sunday evening I met with landry@ at a RER B (our lovely rail
system to go the airport) station so we could talk during the journey.
At the airport we met with
<a href="https://twitter.com/Vigdis_/status/792806986727456768">ajacoutot@ and espie@</a>.</p>
<h2>In Budapest</h2>
<p>Going to the hackroom from the hotel, was quite easy, you just had to
cross the street.</p>
<h3>Monday</h3>
<p>I began the hackathon with updating a few ports that I often update
though I'm not listed as maintainer (hidden maintainer). Scapy had
released a new version the week before and so I began to work on it.</p>
<p>Scapy usually publishes a new release more or less around every
Christmas. This year they released it a bit early. I already did the
previous upgrade back in January so I already knew the port and
upstream (while taking care of a port, I really mind about the ease to
work with upstream) and scapy's contributors are cool!</p>
<p>Scapy is not a random port regarding OpenBSD. Under /usr/src/regress,
65 files do "import" something from scapy. I asked bluhm@ to test my
diff as he has some setups do it automatically. I had a few issues,
one was a bit frustrating because the problem came from a dependency
and I solved it with <code>make uninstall && doas pkg_add matplotlib</code>. I
reported the other issues to upstream and they nicely helped me. For
now the diff is still on ports@ as I'm waiting for the feedback
armani@ (he's the maintainer).</p>
<p>But, secretly I was slacking about my main goal for this hackathon.</p>
<h3>Tuesday</h3>
<p>My main goal for this hackathon was updating py-flask. Flask is a
python web framework very easy to use and to get your hands on. For three
years they didn't create any new release but finally at the end of May
they released a new version. I sent a diff to update it but I only got
reluctant answer for the update.</p>
<p>This time, I really wanted to get it in. Getting a diff was quite easy
as I already did most of the work back in June. I improved it a bit
and sent it back to ports@. While waiting for some feedback I updated
some other ports I'm familiar with.</p>
<h3>Wednesday</h3>
<p>A few weeks ago, I noticed in the commit message that czarkoff@ added
a py3 flavor to a port which the name isn't py-foobar but just
foobar, this doesn't work as the port system creates py3-foobar in
the py3 flavor. He pointed out that puppetboard was in the same case
and fixed the port but nothing changed regarding puppetboard. I raised
the issue to jasper@ and sebastia@ (previous and current
maintainers). Finally I sent two diffs to sebastia@ one to move to
py2, the other to move to py3 but in either case dropping the useless
flavor.</p>
<p>As sebastia@ didn't mind, he followed my preference and tried the py3
diff, he noticed that the rcscript provided by the port needed to be
updated (not because of this change, it was overlooked when the py3
flavor was added: if you installed puppetboard through the port to
have the py3 flavor, it would have installed py3-gunicorn but the
rcscript called the binary provided by the py2 gunicorn).</p>
<p>Finally my py-flask diff went in, partly because I traded a review from
rpointel@: he reviewed my flask diff and I reviewed his django diff :D</p>
<p>As ajacoutot@ was working on syspatch, he wanted to make an <a href="https://asciinema.org/a/4mp06buzc9wetwv5qwn7tt59w">asciinema
of a demo</a>, so he
created a port and he asked me to review it. He's often giving me ok
and testing diff in bulk builds, so I was happy to help him back.</p>
<p>I also reviewed a couple of updates sent by florian@ for ports related
to the <a href="https://atlas.ripe.net">RIPE atlas</a>, I'm always happy to help
src hackers in the ports tree because I think the less time they spend
in the ports tree, the more time they have to hack in src.</p>
<p>A long time ago, I had a python3 project with these ports, so I wanted
to add a py3 flavor to all of them. I added py3 flavors to their
dependencies, they went in; but the diffs for py-ripe.atlas.* were never
committed for some reasons. I took another shot and now libraries
supports both python versions and the tools package uses python3
(because it's 2016).</p>
<p>During the day some of us went to
<a href="http://www.szechenyibath.hu/">the bath</a> so for the evening we ordered
pizzas and watched some funny videos on youtube. While watching the
videos, I updated another of low hanging fruits.</p>
<h3>Thursday</h3>
<p>To find the low hanging fruits that need some love, I extensively use
<a href="http://portroach.openbsd.org">portroach</a>. Some maintainers' name were
noted with non-ascii characters, I noticed that because portroach
didn't like it. I talked about it with other hackers and eventually
removed non-ascii characters.</p>
<p>After that, I found another reason to bother landry@. We have a port
geo/openbsd-developers where developers can put their locations. With
the data, landry@ created
<a href="https://rhaalovely.net/openbsd-developers.html">a map</a> which is cool
but sometimes it doesn't get updated and the technology behind are
quite old. A few months ago he created
<a href="https://umap.openstreetmap.fr/en/map/openbsd-developers-map_89555#2/40.6/-3.2">a new map</a>
that uses more a up to date OSM frontend. I told him that the map were
using old data from the port so he fixed that and he also added the
link on <a href="https://rhaalovely.net/">its webpage</a> so I can find the map
easily. Thanks Landry!</p>
<p>Then I updated another python port. This port was doing something
weird regarding the dependencies it needs. I patched the setup.py file
but... naddy@ told me that it broke during the bulk.</p>
<p>It was a very good thing that different people were always running bulk
builds along the whole week so whenever you broke something, you
quickly knew it. Landry really appreciated! :D</p>
<h3>Friday</h3>
<p>I had my plane on the afternoon, so the day was short. I was slacking
a bit on twitter when I saw a tweet about a newer version of py-pip. I
already updated a couple of times in the past. So I looked at it and
quickly cooked a diff which was, shortly after ok'ed by shadchin@ \o/</p>
<p>I asked ajacoutot to put a diff for cython in a bulk, so I was often
looking for any possible breakage.</p>
<h3>Saturday</h3>
<p>Back in France, the bulk finally finished without problem and I could
commit my cython update.</p>
<h2>Sum up</h2>
<p>I had a really good time, I talked quite a lot with all the different
people. Thanks to all people who made it possible!</p>How to update an OpenBSD port2016-08-26T10:20:00-04:002016-08-26T10:20:00-04:00Vigdistag:oldblog.chown.me,2016-08-26:/blog/how-to-update-an-openbsd-port.html<p>Here's the guide I follow to update/verify an OpenBSD port</p><p>Here's a quick summary of what I do to update a port. This
will be enough for simple updates. For more complicated ones, you may have to find your own way. This guide is only directed toward
non-library ports, except for python ports. I've
never updated a perl or ruby port, so some details may not apply. (I
simply don't know).</p>
<h2>Collect some tools</h2>
<p>I created a bunch of tools to help me with ports work. They are published on
<a href="https://github.com/danieljakots/obsd-ports-tools/">github</a>. You can
remove or update the portscp script if it suits your need.</p>
<p>Put two things in /etc/mk.conf :</p>
<div class="highlight"><pre><span></span>SUDO=/usr/bin/doas
PATCH_DEBUG=Yes
</pre></div>
<p>The first one allows you do do all the work with your user, becoming root as needed. Such easy, much secure, wow.</p>
<h2>Keep your ports tree clean</h2>
<div class="highlight"><pre><span></span>cd /usr/ports && mkdir mystuff
</pre></div>
<p>Then you'll have to create the category directory of the port you
want to update. If you want to update devel/foo ports :</p>
<div class="highlight"><pre><span></span>cd /usr/ports/mystuff && mkdir devel && cd devel
# copy the ports directory
cp -R /usr/ports/devel/foo .
cd foo
</pre></div>
<p>Now you have a directory you can safely trash. </p>
<h2>Find out what you're going to need</h2>
<p>Take a look at the Changelog from upstream and see what sort of developments there have been. You should check, also, whether the port needs new dependencies that
you may have to port first. For python ports, I usually read setup.py
and look for "req," and then I follow the white rabbit to see where it
leads.</p>
<h2>Update the port</h2>
<p>First, bump the version in Makefile to the one you to which you're updating. Then, run make makesum. It will fetch the distfiles (upstream
code) and update distinfo (size and checksum of the distfiles).</p>
<p>If there's a REVISION, remove it (or them, in case of subpackages), but
don't touch EPOCH.</p>
<p>Check whether the patch needed to be regenerated. (That's why PATCH_DEBUG is
needed):</p>
<div class="highlight"><pre><span></span>make patch
</pre></div>
<p>and look for "offset". If there is some, you have to run <code>make
update-patches</code> (and possibly edit the file getting patched). You
can run <code>portsdiff</code> to verify that there were no substitutions made that you will have to undo by hand.</p>
<h2>Simulate the port installation</h2>
<p>Just run:</p>
<div class="highlight"><pre><span></span>make fake
</pre></div>
<p>If it doesn't succeed, you'll have to debug this. I have no special advice
for that.</p>
<h2>Update the plist if needed</h2>
<p>For non-python ports:</p>
<div class="highlight"><pre><span></span>make update-plist
</pre></div>
<p>For a python2-only port:</p>
<div class="highlight"><pre><span></span>make REVISION=999 plist
</pre></div>
<p>For a python ports with a py3 flavor:</p>
<div class="highlight"><pre><span></span>portspy3plist
</pre></div>
<p>It sets everything how it needs to be thanks to a regex (so be
careful ;)).</p>
<p>Use portsdiff again to check for anything unusual. <code>make plist</code> is not
perfect; you'll probably have to correct it by hand.</p>
<h2>Check WANTLIB is ok</h2>
<div class="highlight"><pre><span></span>portsldc
</pre></div>
<p>If there's something missing, one possible solution is to comment everything
then run <code>portsldc</code> again and copy the WANTLIB += lines.</p>
<h2>SHARED_LIBS ?</h2>
<p>Just follow the
<a href="https://openbsd.org/faq/ports/specialtopics.html#SharedLibs">FAQ</a>, it's
very clear and easy.</p>
<p>What I usually do is just <code>make fake</code> in both /usr/ports/foo/bar
and /usr/ports/mystuff/foo/bar, and then <code>cd
/usr/ports/pobj/whatever-before-update/fake-amd64/usr/local/lib</code> run
the nm command from the FAQ, redirecting the output into
/tmp/before and doing the same <code>cd
/usr/ports/pobj/whatever-after-update/fake-amd64/usr/local/lib</code> then
run nm again, redirecting the output into /tmp/after and finally
<code>diff -up /tmp/before /tmp/after</code> should show you whether functions
were added or removed.</p>
<h2>Test it</h2>
<p>If the port comes with a test suite, the best thing you can do is to
run it on the port before and after the update to see the changes. A
failing test doesn't mean the software won't work, and a working test
doesn't mean the software will work either, but these results can be interesting.</p>
<p>Also, the goal of a port is that the software be usable, so
you can either test it yourself, or you can ask on ports@ for users of this
software to test it for you.</p>
<p>If the port is used by other ports, you'd better verify that your
update doesn't break anything. How can you tell which ports depend on the
one you're updating? I created a small python script that uses sqlports
to find them. It's called "showvictims.py" for obvious reasons and
you can find it on the github repository I linked at the beginning of
this article.</p>
<h2>Comparing Makefiles</h2>
<p>grep is my friend. I mean if I see something in particular, I won't try
to be clever. I just search to see whether a similar case exists in the
ports tree (hint: it surely did) and just do the same thing. Feel free
to do the same.</p>
<h2>Everything looks good</h2>
<p>When you're satisfied with the status of the port, just send the
update to ports@ (if there is a maintainer, you must at least Cc them
). Wait for a committer to pick it up. If there has been no progress after a week, send a ping to the mailing list.</p>
<h2>Why this guide and not the OpenBSD FAQ?</h2>
<p>Because they're my personal notes. You can send a diff to ports@ if
you want to.</p>Hackathon report - p2k162016-08-11T10:20:00-04:002016-08-11T10:20:00-04:00Vigdistag:oldblog.chown.me,2016-08-11:/blog/p2k16.html<p>A few months ago I was at an OpenBSD hackathon, here's my ((very) late) report for it.</p><h2>Getting an account</h2>
<p>Since end of March I have had an OpenBSD account which means that I can do
some commits on my own, the login I use is <em>danj</em>. I was then invited
to <a href="https://www.openbsd.org/images/hackathons/p2k16.gif">p2k16</a> which
took place in Nantes, about 100kms from where I live (Rennes).</p>
<h2>Planning</h2>
<p>I read most of hackathons report (if not all) on undeadly, and people
often says that they had plans. So I thought I was going to do the
same. Finally I did only a few things that I planned and other things
I didn't plan at all :)</p>
<h2>Meeting people</h2>
<p>Since 2013 I've been talking with jca@ (mainly about OpenBSD but not only),
though I never had the chance to meet him. Finally at p2k16 I could
finally meet him.</p>
<p>I've also been talking on irc with landry@ for quite a long time, I
was eager to meet him as I really appreciate him because we laugh
together.</p>
<p>I could also see again mpi@, who I didn't saw since my
<a href="./some-news-from-my-internship.html">internship</a>.</p>
<p>During the hackathon I could also talk with people that I had never
talked to, before like espie@ or eric@. It was both funny and
interesting as I learnt a couple of things while I was chatting with
them.</p>
<h2>Even teaching people</h2>
<p>I was still heavily learning at lot of things, whatever I was doing,
though I was looking forward to share my (little) knowledge. I could
show some tricks to tsg@ who was porting some python ports and at the
same time working on
<a href="http://man.openbsd.org/OpenBSD-current/man1/portgen.1">portgen</a> to
teach it to handle python ports. I was really happy/proud to be able to
help him.</p>
<p>I even could teach eric@ how to use cvs again :D. He didn't touch cvs
for a while and in the mean time, new tools were created to help us like
<a href="http://man.openbsd.org/OpenBSD-current/man1/portimport.1">portimport</a>
and he didn't know its existence so I showed him thus he could use it
rather than importing his port (that I reviewed as it was a python
port :3) manually.</p>
<h2>The work</h2>
<p>I begun the week with committing an update to legit and its chains of
*_DEPS, it was quite a pain so I was happy to be over. After that, I
updated a bunch of little ports. I reviewed a few ports for
shadchin@. Python ports are usually easy (IMO) but the problem is
that there are always tons of *_DEPS which quickly sums up.</p>
<p>I left a bit the python ports to update osm2pgsql. They switched their
build system from autotools to cmake. Some people don't like
autotools, other don't like cmake and many hate both but in my case I
don't know them well so it doesn't make a lot of difference. At first
I didn't succeed to make the test pass (but of course osm2pgsql was
tested to be working), but after being home I worked on it again, and
I was glad of my work.</p>
<p>One of my plan was to port py-tox as it's used by nearly all python
software for the tests. jca@ told me to look into
<a href="https://github.com/jasperla/openbsd-wip">openbsd-wip</a> and indeed it
was already done by shadchin@, I bring it to ports@ and ok'ed it so he
imported it.</p>
<p>Finally, I begin to work on poezio, a python3 xmpp client. I needed
some directions as some of its *_DEPS were python3-only and currently
the port infrastructure for python ports is mainly axed towards
python2, and sthen@ kindly helped me.</p>
<h2>The end</h2>
<p>Of course, I was sad when it ended, seeing people leaving
gradually. I was really happy of the whole week, meeting people I was
quite fond of. The meals were goods, with lots of
<a href="https://fr.wikipedia.org/wiki/Galette_de_sarrasin">galettes</a> and
<a href="https://en.wikipedia.org/wiki/Cr%C3%AApe">crepes</a> (even though we
were not in Brittany). Thanks to all who made it possible! Would
definitely do again.</p>Stop losing interesting links2016-07-16T10:20:00-04:002016-07-16T10:20:00-04:00Vigdistag:oldblog.chown.me,2016-07-16:/blog/stop-losing-interesting-links.html<p>I set up a shaarli instace</p><h2>EBADMEM</h2>
<p>When I was younger, I had a very good memory. When I read something
interesting, I would remember what was I reading and where was I reading
it (some blog, some newspaper etc). But as time passes, I have more
and more difficulties to remember where I read things (and it makes me
sad :().</p>
<h2>Twitter and fav/likes</h2>
<p>I spend a lot of time on twitter (at least too much for a closed
platforms). I find a lot of good reads there and as I don't always have time
to read them at the moment, I just like the tweet and when I have time, I go to my
liked tweets and depending on my mood I read such and such articles.</p>
<p>And once I read it, I usually unlike the tweet so I don't have
thousands likes that I've already read. But I'd better remember where I
read it because I won't really be able to find it again (at least at
will) and that sucks.</p>
<h2>Shaarli</h2>
<p>Here comes
<a href="http://sebsauvage.net/wiki/doku.php?id=php:shaarli">shaarli</a>. I won't
describe everything it does (you can read the page) but basically you
put a link, give a title and a description and done (and you can tag them).</p>
<p>So now whenever I read interesting things, I put them there and if I
need to read it again, I know where to find it.</p>
<p>Of course, the goal is to share my valuable reading so
<a href="https://ln.chown.me">you can access it</a>. Right now there are not many
links but I'll keep adding then gradually.</p>Le refactoring2016-01-06T10:20:00-05:002016-01-06T10:20:00-05:00Vigdistag:oldblog.chown.me,2016-01-06:/blog/le-refactoring.html<p>Qu'est ce que le refactoring ?</p><p>Mon amoureuse m'a demandé ce week-end ce qu'était le refactoring. Je
lui ai donné une réponse mais elle n'était que partielle. La vraie
réponse est :</p>
<p>Tu commences un projet. Tu es jeune insouciant, tu découvres un peu ce
que tu fais - c'est ta première fois. Tu tentes des trucs, jusqu'à ce
qu'ils finissent par marcher. Et ça continue. Et ça continue jusqu'à
ce que tu aies un tel tas de boue que tu te dis "<strong>stop</strong>".</p>
<p>Là, c'est le début de la fin ou la fin du début. Tu commences par y
aller tout doucement. Puis tu te dis "fuck, je refactorise ou quoi
?". Et là tu commences à changer tout, pour que ça prenne forme comme
tu l'avais imaginé avant de commencer à refactorer. Tu arrives à un
point que tu as des trucs partout, tu ne sais plus qui va avec quoi
mais osef, tu te dis que c'est bientôt fini.</p>
<p>Puis tu commences par attraper le bout. Tu commences par y voir de
plus en plus clair. Un peu comme si tu jouais avec une pelotte de
laine dont le gros était démêlé et que tu voyais la fin.</p>
<p>Enfin tu te dis que tu as fini. Tu t'apprêtes à relancer pour voir ce
que tu as oublié. Tu as un peu peur d'avoir foiré un truc même si au
fond de toi tu te dis que ça devrait être bon.</p>
<p>Tu le lances, et <strong>paf</strong>, du premier coup c'est passé : <em>le bonheur</em>.</p>Sortie de Let's Encrypt2015-12-05T10:20:00-05:002015-12-05T10:20:00-05:00Vigdistag:oldblog.chown.me,2015-12-05:/blog/sortie-de-lets-encrypt.html<p>Enfin, Let's Encrypt est dispo. Bien que toujours en beta, elle est néanmoins ouverte à tous.</p><h2>\o/</h2>
<p>Enfin. On l'attendait depuis longtemps. À chaque message publié sur leur
blog, je lisais vite pour voir s'illes parlent d'une date de sortie. Il
y avait d'abord eu une beta fermée (avec inscription sur un google docs),
puis avant-hier, jeudi 3 décembre la beta a été ouverte à
tou⋅te⋅s. Enfin.</p>
<h2>Les révélations de Snowden</h2>
<p>Snowden a révélé l'espionnage massif des télécommunications. On entend
parfois certaines personnes dire "moui, ça n'a rien changé". Et
pourtant il y a eu plein de changements. Certains ne sont pas du tout
visible, tels que le chiffrement des connexions entre les datacenters
de Google (vous vous souvenez peut-être du "<em>SSL added and removed
here</em>"). Il y en a aussi moins visibles (enfin surtout "vues") pour le
profane, comme le travail qui est en train d'être fait pour chiffrer
les requêtes DNS (non je ne parle pas de dnscrypt). Enfin il y a
<em>let's encrypt</em>.</p>
<p>Le nombre de fois que j'ai dû accepter des certificats parce que :</p>
<ul>
<li>CAcert</li>
<li>la personne fait sa propre PKI</li>
<li>auto-signé.</li>
</ul>
<p>Il y avait déjà des méthodes pour avoir des certificats pas cher voire
gratuit mais elles n'étaient pas forcément utilisable par tout le
monde.</p>
<p>J'espère vraiment que ces conneries vont rapidement être terminées.</p>
<h2>Puis Let's encrypt est arrivé</h2>
<p>Maintenant Let's Encrypt est là et avec un nouveau protocole, ACME. Il y a une
page sur le site qui explique plutôt bien
<a href="https://letsencrypt.org/howitworks/technology/">comment ça marche</a>. Ce
protocole permet de simplifier grandement le fait de se faire signer
son certificat par une autorité de certification.</p>
<h3>La durée de validité des certificats Let's Encrypt</h3>
<p>La durée des certificats délivrés par Let's encrypt est de 90
jours. Pour certaines personnes, cela est trop court. Néanmoins je
trouve ça plutôt positif.</p>
<p>Parfois il arrive qu'on ne veuille plus qu'un certificat puisse
fonctionner (car on a perdu le contrôle de la clé privée par exemple).</p>
<p>Il y a alors deux moyens que le certificat ne soit plus valide. La
première est de le révoquer. Mais comme l'explique
<a href="https://twitter.com/agl__">Adam Langley</a>,
<a href="https://www.imperialviolet.org/2011/03/18/revocation.html">cela</a>
<a href="https://www.imperialviolet.org/2011/04/29/filters.html">ne</a>
<a href="https://www.imperialviolet.org/2012/02/05/crlsets.html">marche</a>
<a href="https://www.imperialviolet.org/2014/04/19/revchecking.html">pas</a>
(et encore
<a href="https://www.imperialviolet.org/2014/04/29/revocationagain.html">un autre article pour la route</a>).
Pour la petite anecdote, j'ai révoqué une clé gpg il y a 6+ mois, y a
deux semaines j'ai encore reçu un mail chiffré avec...</p>
<p>L'autre moyen, c'est tout simplement que le certificat arrive à
expiration et donc un temps de validité restreint permet de réduire la
durée du problème, s'il se passe quelque chose.</p>
<h2>Les clients</h2>
<p>Ils ont donc créé une autorité de certification et afin de distribuer
les certificats, illes ont créé le protocole ACME, il a fallu donc un
client pour utiliser ce nouveau protocole. Illes ont donc développé un
<a href="https://github.com/letsencrypt/letsencrypt">client</a> qui a l'air
d'être assez complexe (#alerteeuphémisme).</p>
<p>J'ai préféré utiliser un
<a href="https://github.com/diafygi/acme-tiny/">petit client</a> (200 lignes de
python2.7). Il suffit de suivre le README tout simple et ça marche
plutôt bien.</p>
<p>J'ai écrit un petit script (en gros copié/collé des commandes du
readme :o).</p>
<table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre> 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63</pre></div></td><td class="code"><div class="highlight"><pre><span></span><span class="ch">#!/bin/sh</span>
<span class="nv">PATH</span><span class="o">=</span><span class="s1">'/bin:/usr/bin:/usr/local/bin'</span>
<span class="c1"># needs https://github.com/diafygi/acme-tiny/</span>
<span class="c1"># if it's the first time</span>
<span class="c1"># openssl genrsa 4096 > master.key</span>
<span class="c1"># ftp -o - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem \</span>
<span class="c1"># > intermediate.pem</span>
<span class="nv">LEdir</span><span class="o">=</span>/home/danj/LE
<span class="nv">ACME_TINY</span><span class="o">=</span>/home/danj/acme-tiny/acme_tiny.py
<span class="nv">_date</span><span class="o">=</span><span class="k">$(</span>date <span class="s2">"+%Y-%m-%d"</span><span class="k">)</span>
<span class="k">if</span> <span class="o">[[</span> -z <span class="si">${</span><span class="nv">1</span><span class="si">}</span> <span class="o">||</span> -z <span class="si">${</span><span class="nv">2</span><span class="si">}</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span>
<span class="nb">echo</span> <span class="s2">"usage: </span><span class="si">${</span><span class="nv">0</span><span class="p">##*/</span><span class="si">}</span><span class="s2"> FQDN new"</span>
<span class="nb">echo</span> <span class="s2">" </span><span class="si">${</span><span class="nv">0</span><span class="p">##*/</span><span class="si">}</span><span class="s2"> FQDN update"</span>
<span class="nb">exit</span> <span class="m">1</span>
<span class="k">fi</span>
<span class="nv">_FQDN</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">1</span><span class="si">}</span><span class="s2">"</span>
<span class="nv">_mode</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">2</span><span class="si">}</span><span class="s2">"</span>
<span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="si">${</span><span class="nv">_mode</span><span class="si">}</span><span class="s2">"</span> <span class="o">=</span> new <span class="o">]]</span><span class="p">;</span> <span class="k">then</span>
<span class="nb">echo</span> <span class="s2">"new domain"</span>
<span class="c1"># generate a domain private key (if you haven't already)</span>
openssl genrsa <span class="m">4096</span> > <span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/key/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">.key"</span>
<span class="c1"># for a single domain</span>
openssl req -new -sha256 <span class="se">\</span>
-key <span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/key/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">.key"</span> <span class="se">\</span>
-subj <span class="s2">"/CN=</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">"</span> > <span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/csr/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">.csr"</span>
<span class="k">elif</span> <span class="o">[[</span> <span class="s2">"</span><span class="si">${</span><span class="nv">_mode</span><span class="si">}</span><span class="s2">"</span> <span class="o">=</span> update <span class="o">]]</span><span class="p">;</span> <span class="k">then</span>
<span class="nb">echo</span> <span class="s2">"update"</span>
<span class="k">else</span>
<span class="nb">echo</span> <span class="s2">"which mode?"</span>
<span class="nb">exit</span> <span class="m">1</span>
<span class="k">fi</span>
<span class="c1"># make some challenge folder (modify to suit your needs)</span>
mkdir -p <span class="s2">"/var/www/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">/.well-known/acme-challenge/"</span>
<span class="c1"># run the script on your server</span>
python2.7 <span class="s2">"</span><span class="si">${</span><span class="nv">ACME_TINY</span><span class="si">}</span><span class="s2">"</span> <span class="se">\</span>
--account-key <span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/key/master.key"</span> <span class="se">\</span>
--csr <span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/csr/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">.csr"</span> <span class="se">\</span>
--acme-dir <span class="s2">"/var/www/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">/.well-known/acme-challenge/"</span> <span class="se">\</span>
> <span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/cert/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">-</span><span class="si">${</span><span class="nv">_date</span><span class="si">}</span><span class="s2">.crt"</span>
<span class="o">[[</span> -d <span class="s2">"/var/www/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">/.well-known"</span> <span class="o">]]</span> <span class="se">\</span>
<span class="o">&&</span> rm -rf <span class="s2">"/var/www/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">/.well-known"</span>
<span class="k">if</span> <span class="o">[[</span> <span class="si">${</span><span class="nv">_mode</span><span class="si">}</span> <span class="o">=</span> update <span class="o">]]</span><span class="p">;</span> <span class="k">then</span>
cp <span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/pem/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">.pem"</span> <span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/pem/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">.pem.old"</span>
<span class="k">fi</span>
cat <span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/cert/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">-</span><span class="si">${</span><span class="nv">_date</span><span class="si">}</span><span class="s2">.crt"</span> <span class="se">\</span>
<span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/pem/intermediate.pem"</span> <span class="se">\</span>
<span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/key/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">.key"</span> <span class="se">\</span>
> <span class="s2">"</span><span class="si">${</span><span class="nv">LEdir</span><span class="si">}</span><span class="s2">/pem/</span><span class="si">${</span><span class="nv">_FQDN</span><span class="si">}</span><span class="s2">-</span><span class="si">${</span><span class="nv">_date</span><span class="si">}</span><span class="s2">.pem"</span>
</pre></div>
</td></tr></table>
<p>L'exécution du script se fait tout simplement (il suffit comme vous
pouvez le lire de lui donner le domaine).</p>
<div class="highlight"><pre><span></span>$ ksh script.sh chown.me new
new domain
Generating RSA private key, <span class="m">4096</span> bit long modulus
.............++
..................................................++
e is <span class="m">65537</span> <span class="o">(</span>0x10001<span class="o">)</span>
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying chown.me...
chown.me verified!
Signing certificate...
Certificate signed!
</pre></div>
<p>On rajoute ensuite ce qu'il faut dans le soft qui va gérer la
connexion TLS (dans mon cas haproxy) et <a href="https://test.chown.me">ça marche</a></p>
<p>Il ne reste plus qu'à faire en sorte de renouveler le certificat tous
les deux mois, comme il est valide trois mois et qu'on veut se donner
de la marge.</p>
<p>Gros bisous et prenez soin de vous.</p>Passage du blog en https-only2015-05-15T10:21:00-04:002015-05-15T10:21:00-04:00Vigdistag:oldblog.chown.me,2015-05-15:/blog/passage-du-blog-en-https-only.html<p>Les configs que j'ai faites pour passer mon blog en https-only.</p><h2>Contexte</h2>
<p>Cet article est la suite du <a href="./migration-du-blog.html">précédent</a></p>
<h2>Création du certificat</h2>
<h3>fichier de conf</h3>
<p>J'ai crée un fichier de conf .cnf principalement basé sur <a href="https://www.eff.org/deeplinks/2015/04/effs-updated-ssl-configuration">les conseils
de l'EFF</a>
mais aussi en prenant des trucs chez
<a href="https://www.jeveuxhttps.fr/Obtenir_un_certificat_SSL_chez_Gandi">jeveuxhttps.fr</a>
:</p>
<div class="highlight"><pre><span></span><span class="k">[req]</span>
<span class="na">distinguished_name</span> <span class="o">=</span> <span class="s">req_distinguished_name</span>
<span class="na">req_extensions</span> <span class="o">=</span> <span class="s">v3_req</span>
<span class="na">default_md</span> <span class="o">=</span> <span class="s">sha256</span>
<span class="na">default_bits</span> <span class="o">=</span> <span class="s">4096</span>
<span class="k">[req_distinguished_name]</span>
<span class="na">countryName</span> <span class="o">=</span> <span class="s">FR</span>
<span class="na">countryName_default</span> <span class="o">=</span> <span class="s">FR</span>
<span class="na">stateOrProvinceName</span> <span class="o">=</span> <span class="s">France</span>
<span class="na">stateOrProvinceName_default</span> <span class="o">=</span> <span class="s">France</span>
<span class="na">localityName</span> <span class="o">=</span> <span class="s">France</span>
<span class="na">localityName_default</span> <span class="o">=</span> <span class="s">France</span>
<span class="na">organizationalUnitName</span> <span class="o">=</span> <span class="s">Vigdis</span>
<span class="na">organizationalUnitName_default</span> <span class="o">=</span> <span class="s">Vigdis</span>
<span class="na">commonName</span> <span class="o">=</span> <span class="s">chown.me</span>
<span class="na">commonName_default</span> <span class="o">=</span> <span class="s">chown.me</span>
<span class="na">commonName_max</span> <span class="o">=</span> <span class="s">64</span>
<span class="k">[ v3_req ]</span>
<span class="na">basicConstraints</span> <span class="o">=</span> <span class="s">CA:FALSE</span>
<span class="na">keyUsage</span> <span class="o">=</span> <span class="s">digitalSignature, keyEncipherment</span>
</pre></div>
<p>Toutes les options sont données comme ça lors qu'on génère le cert on
a plus qu'à appuyer sur <em>entrée</em> de manière répétitive (un peu comme
quand on installe/upgrade une OpenBSD :p)</p>
<h3>création de la clé</h3>
<p>Il ne reste plus à créer une clé puis générer une demande de signature
de certificat (le .csr) qu'on peut vérifier avant de la donner à gandi.</p>
<div class="highlight"><pre><span></span>openssl genrsa -out chown.key 4096
openssl req -new -out chown.csr -key chown.key -config chown.cnf
openssl req -in chown.csr -noout -text |less
</pre></div>
<h3>Obtention du certificat chez gandi</h3>
<p>C'est vraiment simple à suivre, et sinon c'est bien expliqué sur la
page de jeveuxhttps.</p>
<h2>modification de httpd.conf</h2>
<p>Comme je n'ai plus qu'un domaine, j'ai transformé les domaines en
"location" : coincoin.chown.me devient donc chown.me/coincoin :</p>
<div class="highlight"><pre><span></span> location "/blog*" {
root "/blog"
root strip 1
}
location "/iota*" {
root "/iota"
root strip 1
directory auto index
}
location "/obsd*" {
root "/obsd/www"
root strip 1
}
</pre></div>
<p>etc.</p>
<p>Merci à quinq pour son aide sur ce point j'ai du mal à cause d'une
erreur de jugement :p</p>
<h2>Un petit coup de neuf sur haproxy</h2>
<p>J'ai lu
<a href="https://certsimple.com/blog/chrome-outdated-cryptography">Why your A grade SSL is 'outdated cryptography' on Chrome</a>
qui dit du bien du
<a href="https://mozilla.github.io/server-side-tls/ssl-config-generator/">générateur de config de mozilla</a>. J'ai
donc modifié légèrement ma conf de haproxy pour prendre celle de
<a href="https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-2.2.15&openssl=1.0.1e&hsts=yes&profile=modern"><em>modern</em></a>. C'est
cool, ça désactive le tls 1.0 :) (et j'ai un A+ sur ssllabs mais pas
la peine d'essayer, je ratelimit mes connexions http donc l'ip de
ssllabs va se faire bannir et le test ne pourra pas finir).</p>Migration du blog2015-05-15T10:20:00-04:002015-05-15T10:20:00-04:00Vigdistag:oldblog.chown.me,2015-05-15:/blog/migration-du-blog.html<p>Mon blog ne sera plus joignable à l'adresse blog.chown.me.</p><h2>https</h2>
<p>Cela fait un moment que je rêve de passer mes sites au full https
(le contenu est servi uniquement avec l'utilisation de TLS),
malheureusement pour des mauvaises raisons je ne m'en suis jamais
occupé.</p>
<p>Le projet de loi renseignement m'a motivé à le faire pour de bon.</p>
<h3>Certificats reconnus ou non</h3>
<p>Mes sites/services ont toujours été accessibles via https mais les certificats
étaient signés par
<a href="./pika-pika-pki.html">ma propre autorité de certification (AC)</a> donc
comme je me fais confiance, je l'ajoutais sur mes pc donc je n'ai pas
de messages d'alertes. Bien évidemment, les gens n'ajoutaient pas mon AC
donc s'ils tentaient d'utiliser du TLS, illes allaient avoir un message
d'erreur.</p>
<p>Certaines personnes redirigent automatiquement leurs sites vers https avec un
certificat signé par une AC non reconnue par mon navigateur
(auto-signé ou CACert) et je sais que ça me gonfle d'avoir à valider
manuellement, donc je n'ai jamais imposé ce genre de chose à mes
lecteurs.</p>
<p>La solution est donc d'avoir un certificat signé par une AC reconnue
par la majorité des navigateurs.</p>
<h3>Gandi</h3>
<p>Gandi propose gratuitement pour les domaines qu'on a chez eux de
signer un certificat pour le domaine qu'on a, et l'AC est reconnue.</p>
<h3>Un seul domaine</h3>
<p>Le problème c'est que l'AC signe un seul domaine. Bien sûr c'est
possible d'avoir plusieurs domaines ou un wildcard, mais ce n'est plus
gratuit.</p>
<p>Jusqu'à maintenant j'utilisais un sous-domaine pour chaque site. Dont
un pour ce blog. Comme je ne peux faire signer qu'un domaine, j'ai
migré chaque domaine : coincoin.chown.me devient chown.me/coincoin.</p>
<p>L'adresse du blog devient donc
<a href="https://chown.me/blog">https://chown.me/blog</a>.</p>
<h2>un article pour ça ???</h2>
<p>En fait, j'ai pas mal de personnes qui se sont abonné⋅e⋅s au feed atom
et donc cet article sert à les (vous) prévenir de migrer.</p>
<p>Pour vous donner envie de changer le lien dans votre lecteur de flux,
j'ai déjà écrit un autre article qui n'est disponible qu'à la nouvelle
adresse :)</p>
<p>Pour l'instant cette version du blog reste là, mais je vais la
supprimer sous peu.</p>Bring SNI to OpenBSD's httpd2015-04-25T10:20:00-04:002015-04-25T10:20:00-04:00Vigdistag:oldblog.chown.me,2015-04-25:/blog/bring-sni-to-openbsd-httpd.html<p>httpd doesn't support (yet) SNI, so I'll show you how to use haproxy to bring SNI and more.</p><h2>What is this language?!</h2>
<p>Yeah, I usually write my blog posts in French but this time as I
think the people who can be interested by this topic are more to be
English readers than French readers, it's in English.</p>
<h2>What's the problem?</h2>
<p>nginx for several reasons has been removed from base between 5.6 and
5.7, and like many people I prefer to use software present in base
rather than in ports/package. So the replacement is httpd. My problem,
mmmh I mean my first problem (:p) was that
<a href="http://www.openbsd.org/papers/httpd-slides-asiabsdcon2015.pdf">httpd doesn't support SNI</a>
and as I have two certificates for all my vhost, it couldn't work.</p>
<h2>The solution</h2>
<p>The solution I wanted was something which would terminate the TLS
connection then forward it to the httpd.</p>
<h3>relayd !!!</h3>
<p>As httpd code base comes for a big part from relayd, if httpd doesn't
support it yet, you can guess that relayd doesn't neither. As for httpd,
<a href="https://www.mail-archive.com/misc@openbsd.org/msg130738.html">support is planned though</a>.</p>
<h3>nginx in reverse proxy</h3>
<p>If I don't want to use it anymore for the http daemon part, it's
mainly to not to have it on my system.</p>
<h3>haproxy</h3>
<p>I've heard many times that it was a cool piece of software so I wanted
to use it for a while but I never had any reason to use it.</p>
<p>I read that haproxy works fine as a TLS termination proxy so this is
the one I chose.</p>
<h2>Use haproxy</h2>
<h3>Or try to</h3>
<p>I installed haproxy on my system, tried to have a config parsable but
it didn't want the keyword ssl. After looking at the
net/haproxy/Makefile, I saw that haproxy wasn't compiled with
libressl.</p>
<h4>Patch the port</h4>
<p>jca@ gave me some advice to make a diff I could post to ports@
to add tls support. By the time gonzalo@ (who isn't marked as
maintainer but who has been updating haproxy for a while) sent
another diff that took in account my diff and updated haproxy to
1.5.11 the latest stable version.</p>
<p><a href="https://marc.info/?l=openbsd-ports-cvs&m=142953858009713&w=2">It has been commited in -current</a>
though I backported the diff to 5.7 -stable and it works fine.</p>
<h3>Write haproxy.cfg</h3>
<h4>General part</h4>
<p>There are a couple of general things fine for the two use-cases I'll
talk about. They're mainly from the haproxy.cfg that comes with the
port.</p>
<pre>
global
log 127.0.0.1 local0 debug
maxconn 1024
chroot /var/haproxy
uid 604
gid 604
daemon
pidfile /var/run/haproxy.pid
tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
defaults
log global
mode http
option httplog
log-format %ci:%cp\ %ft\ %b/%s\ %ST\ %hr\ %hs\ %{+Q}r
option dontlognull
option redispatch
retries 3
maxconn 2000
</pre>
<p>I added some ssl-default options with some cipherlists I found
somewhere on the web. I tested it with ssllabs and got an <em>A</em> (if I
ignore my self-signed cert otherwise it's a <em>T</em> yeah). I have no doubt
that you can find something better :)</p>
<p>I tweaked the log-format so it's not too verbose.</p>
<h4>First use case (basic)</h4>
<p>My first use case was I have httpd which will answer to http request
and haproxy which will terminate the TLS connection if needed. Before
that I have <a href="./https-sslh-et-bypass-de-proxy.html">sslh</a> which listens
to the 443 to enable me ssh my server on port 443 while running an
httpd server on that port too.</p>
<p>Here's a schema:</p>
<pre>
80 + +------------+ +----------+
| 80 | | 8080 | |
+---------------------------------> +-------> httpd |
| | haproxy | | |
| +--------------+ | | | |
| | | 8443 | | +----------+
+-----------> sslh +------> |
| | | | |
443 + +-----+--------+ +------------+
|
22 |
+----v-----+
| |
| sshd |
| |
| |
+----------+
</pre>
<p>In addition to the <em>global</em> and <em>default</em> section, I had:</p>
<pre>
frontend http
bind *:80
bind 2001:910:1322:1:dead:beef:cafe:1:80
http-request redirect scheme https if { hdr(host) -i somesikritdomain.chown.me } !{ ssl_fc }
default_backend httpd
frontend https
bind *:8443 ssl crt /etc/ssl/pki/server-haproxy.pem crt /etc/ssl/pki/wild-haproxy.pem accept-proxy
rspadd Strict-Transport-Security:\ max-age=31536000
default_backend httpd
backend httpd
option forwardfor
option httpchk GET /check/index.html HTTP/1.0
server www 127.0.0.1:8080 check
</pre>
<p>Haproxy listens both on http port 80 and https port 8443 (because that's
the port I used with sslh, 443 is perfectly fine if there's nothing
between) and then it forwards the traffic to httpd.</p>
<p>I also added some HSTS header for https. For a specific domain I
redirect automatically to https (because the page has an
authentication method and I don't want my password to be sent on
clear).</p>
<p>To get the <em>server.pem</em> it's just <code>cat server.crt server.key > server.pem</code>.</p>
<h4>Second use case</h4>
<p>While I was setting up the first use case, someone pasted
<a href="http://blog.manty.net/2014/12/haproxy-as-very-very-overloaded-sslh.html">a link</a>
on irc from someone's blog saying that he used haproxy as a
replacement for sslh. So let's try to remove another package from the
server.</p>
<p>What I wanted to achieve this time:</p>
<pre>
80 + +------------+ +----------+
| | | 8080 | |
+------------------> +-------> httpd |
| | haproxy | | |
| | | | |
| | | +----------+
+------------------> |
| | |
443 + +------+-----+
|
22 |
+------+------+
| |
| sshd |
| |
+-------------+
</pre>
<p>So in addition to the <em>global</em> and <em>default</em> section, I added:</p>
<pre>
listen front
bind *:443
bind 2001:910:1322:1:dead:beef:cafe:1:443
mode tcp
option tcplog
tcp-request inspect-delay 2s
acl is_ssl req.ssl_ver gt 0
tcp-request content accept if is_ssl
use_backend loop_ssl if is_ssl
server local 127.0.0.1:22
backend loop_ssl
mode tcp
server ssl 127.0.0.1:1443 send-proxy
frontend http
bind *:80
bind 2001:910:1322:1:dead:beef:cafe:1:80
http-request redirect scheme https if { hdr(host) -i somesikritdomain.chown.me } !{ ssl_fc }
default_backend httpd
frontend https
bind 127.0.0.1:1443 ssl crt /etc/ssl/pki/server-haproxy.pem crt /etc/ssl/pki/wild-haproxy.pem accept-proxy
rspadd Strict-Transport-Security:\ max-age=31536000
default_backend httpd
backend httpd
option forwardfor
option httpchk GET /check/index.html HTTP/1.0
server www 127.0.0.1:8080 check
</pre>
<p>A listen section is equal to a duo backend/frontend. The listen
section here listens for connections and then checks if it's a TLS
one. If it is, it will send it to the backend <em>loop_ssl</em>. If it's not a
TLS connection, then it assumes it's an SSH one and forward it to
<em>sshd</em>.</p>
<p>From the backend <em>loop_ssl</em> we forward it to the frontend <em>https</em> with
the
<a href="http://blog.haproxy.com/haproxy/proxy-protocol/">"PROXY" protocol</a>
(that's what the two keyworkds <em>send-proxy</em> and <em>accept-proxy</em> are
there for). The backend <em>loop_ssl</em> is here because we can't go
directly from a listen to a frontend, it should first go to a backend,
seems logical, doesn't it?</p>
<h4>What about the check?</h4>
<p>Of course, they're not mandatory but I prefer to have some.</p>
<p>There's two type of check: tcp and http. There's a bug in httpd of 5.7 which
will make it segfault if the check is tcp. I reported it and it has
been fixed so if you plan to use tcp check, you should backport
<a href="https://marc.info/?l=openbsd-cvs&m=142980842022822&w=2">this commit</a>. <strong>Edit:</strong>
<a href="http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/005_httpd.patch.sig">an errata was finally released</a></p>
<p>Since I had this problem, I moved to http check. Then, as <em>haproxy</em>
accesses every two seconds the httpd, <em>access.log</em> get filled. So I
simply added in the vhost:</p>
<div class="highlight"><pre><span></span>location "/check/*" {
no log
}
</pre></div>
<h2>The end.</h2>
<p>I'm not talking about everything, so if you can't find something, go read
<a href="https://cbonte.github.io/haproxy-dconv/configuration-1.5.html">the documentation</a>
it's pretty eye-candy but stays handy.</p>
<p>Many thanks to <a href="https://twitter.com/vihaire">vr</a> for his kind help
setting up this and for all the explanations he provided me.</p>
<p>And please remember that if you backport any diff from -current to
-stable, you do it at your own risk.</p>Des nouvelles de wonderlan2015-04-06T10:20:00-04:002015-04-06T10:20:00-04:00Vigdistag:oldblog.chown.me,2015-04-06:/blog/des-nouvelles-de-wonderlan.html<p>Upgrade de mon routeur</p><h2>Wonderlan ?</h2>
<h3>Old OpenBSD is old</h3>
<p>Il y a quasi deux ans,
<a href="./alice-in-wonderlan.html">je vous avais parlé</a> de la mise en place
d'une Alix sous OpenBSD comme routeur. J'avais un certain nombre de
limitation avec cette carte, comme le fait qu'elle est mon routeur
donc si j'upgrade je n'ai plus de réseau. De plus, elle est en i386
et c'est la seule machine de mon lan avec cette architecture donc je ne
peux pas compiler sur une autre pour lui donner des binaires ; avec
les perfs du CPU et la carte CF pour la mémoire, je ne voulais/pouvais
pas compiler avec et comme le projet ne fournit pas des patchs binaires
.... Résultat des courses, j'ai pas upgradé pendant longtemps j'avais
pas mal de patchs de sécu non appliqués (je sais, c'est mal :().</p>
<p>Je suis quand même arrivé à 255 jours d'uptime, ce qui en dit long
aussi sur la stabilité de la machine (et non, l'uptime n'est pas codé
sur 8 bits :p).</p>
<h3>Des envies de jouer</h3>
<p>Cela fait un moment que j'ai envie de jouer avec diverses choses
présentes dans OpenBSD, tel que vlan(4), trunk(4) (j'veux dire,
davantage que
<a href="./de-la-haute-dispo-sur-mon-lappy.html">sur un laptop</a>), carp(4),
toute la stack ipsec et les daemons de routage openbgpd et ospfd. Mon
réseau était trop limité pour faire tout ça.</p>
<h2>Quel hardware ?</h2>
<h3>Pour le switch</h3>
<p>J'ai donc acheté un switch TL-SG3424 pour avoir plein de ports et
arrêter de passer mon temps à brancher/débrancher des
<a href="./pages/machines.html">machines</a>. Le switch est aussi manageable,
contrairement à mon switch précédent et me permet de faire des vlans,
du trunk lacp etc.</p>
<h3>Pour le routeur</h3>
<p>A vrai dire, la question ne s'est pas vraiment posée, j'ai toujours
été satisfait de l'alix donc je me suis naturellement dirigé vers son
successeur, l'apu. La machine est plus puissante, a des NIC gigabit et
supporte même le boot usb. Quand je repense à l'installation de l'alix
qui avait du se faire via le pxe, le boot usb devrait faciliter quand
même les débutants à franchir le pas :p
Et surtout son architecture est de l'amd64, donc ça me permet
d'homogénéiser mon lan \o/</p>
<h2>Ok ok, et concrètement</h2>
<h3>On installe -stable</h3>
<p>Je vais éviter de compiler dessus, j'ai des machines plus rapides dans
mon lan. Même si 5.7 sort dans même pas un mois, je voulais du -stable
donc j'ai choisi 5.6. 5.6 ayant pas mal de patchs de sécu à appliquer,
j'ai donc commencé par builder une -stable afin de partir avec du
neuf.</p>
<p>On crée la clé usb bootable avec <code>dd if=$RELEASEDIR/miniroot56.fs
of=/dev/rsd2c</code>.</p>
<p>Pour se connecter en serial à la machine, on utilise</p>
<div class="highlight"><pre><span></span>cu -s 115200 -l /dev/ttyU0
</pre></div>
<p>On devrait voir les messages de boot. On peut appuyer sur F12 pour
avoir la liste des périphériques USB puis on boote sur la clé USB. Au
prompt <code>boot></code> on indique à OpenBSD qu'on est sur une console serial
avec une vitesse de 115200 bauds</p>
<div class="highlight"><pre><span></span>stty com0 115200
set tty com0
</pre></div>
<p>Puis on installe OpenBSD, comme d'hab.</p>
<h3>On choisit comment on va faire son réseau</h3>
<h4>Répartition des interfaces</h4>
<p>J'ai dit précédemment que je voulais jouer avec du trunk(4) et des
vlan(4). Sur l'alix j'avais sur les trois interfaces :</p>
<ul>
<li>un switch pour mon lan</li>
<li>un ap wifi pour mon wifi et faire mes trunk(4) failover sur mes
lappy</li>
<li>mon modem en mode bridge pour monter une session pppoe pour mon adsl</li>
</ul>
<p>Sur les trois interfaces, je ne sais jamais laquelle est la 0 et
laquelle est la 2, seule la 1 étant au milieu je sais avec certitude
laquelle c'est.</p>
<p>Mon but étant de faire un trunk(4) avec deux interfaces et de connecter la
troisième au modem, j'ai choisi de faire le trunk(4) sur les
interfaces 0 et 2, et d'utiliser la 1 pour le modem car l'ordre des
interfaces pour un trunk lacp n'a pas d'importance (malin comme un
singe, t'as vu).</p>
<h4>Les vlans</h4>
<p>J'avais donc deux réseaux :</p>
<ul>
<li>un pour mon lan</li>
<li>un pour mon wifi</li>
</ul>
<p>J'ai donc décidé de mettre ces deux réseaux sous forme de
vlan(4). Hébergeant aussi
<a href="https://atlas.ripe.net/probes/17564/">une probe atlas</a>, je me suis
dit que ça pouvait être mieux de la mettre dans un vlan(4) séparé <em>for
moar fun</em>.</p>
<p>Donc cela donne :</p>
<ul>
<li>lan = vlan 10</li>
<li>wifi = vlan 20</li>
<li>probe atlas = vlan 30</li>
</ul>
<h3>non mais j'ai dit concrètement</h3>
<div class="highlight"><pre><span></span># ls hostname*
hostname.pppoe0 hostname.re0 hostname.re1 hostname.re2 hostname.trunk0 hostname.vlan10 hostname.vlan20 hostname.vlan30
</pre></div>
<p>Dans l'ordre (du plus simple au plus compliqué), re1 c'est donc celle pour le modem, rien ne change sur celle-là. re0
et re2 servent à faire le trunk(4) lacp et ne contiennent donc
seulement : <code>up</code>. Le trunk(4) lacp :</p>
<div class="highlight"><pre><span></span>trunkproto lacp trunkport re0 trunkport re2
up
</pre></div>
<p>Maintenant, on peut mettre les vlans avec les adresses
IP. hostname.vlan10 est simplement un copié collé de
hostname.vrmachin de l'alix, préfixé de <code>vlandev
trunk0</code>. hostname.vlan20 pareil, copié/collé de hostname.vrautremachin
de l'alix préfixé de <code>vlandev trunk0</code>. Un exemple concret avec hostname.vlan30 :</p>
<div class="highlight"><pre><span></span>vlandev trunk0
inet 10.250.250.1/24
inet6 2001:910:1322:250::1 64
</pre></div>
<h3>les autres confs</h3>
<p>On récupère de l'alix :</p>
<ul>
<li>/etc/pf.conf</li>
<li>/etc/dhcpd.conf</li>
<li>toutes les merdes qu'il y a dans les $HOME</li>
</ul>
<p>On installe tout ça sur l'apu, on reboot en la branchant comme il
faut, et on debug ce qui ne marche pas.</p>
<h3>Mais tout ça c'est vraiment utile ?</h3>
<p>Typiquement le trunk(4) lacp, ne me sert pas à grand chose, mais comme
dit au début de l'article mon but est de jouer :)</p>
<p>Et ça ne fait que commencer. J'espère.</p>Installer OpenBSD sur une octane SGI2015-03-11T10:20:00-04:002015-03-11T10:20:00-04:00Vigdistag:oldblog.chown.me,2015-03-11:/blog/installer-openbsd-octane-sgi.html<p>On m'a donné une Octane SGI pour jouer avec OpenBSD, j'ai donc installé OpenBSD</p><h2>Une octane ? en 2015 ?</h2>
<p>Oui, c'est rigolo de jouer avec des vieilles machines. Un grand merci
à <a href="https://twitter.com/MiodVallat">Miod Vallat</a> pour me l'avoir donnée.</p>
<h2>Mais tu penses que ça va me servir cette doc ?</h2>
<p>Non, mais à moi certainement. Vu que j'ai un peu eu du mal à
l'installer.</p>
<p>On commence par essayer de booter, forcément elle arrive pas à booter
sur le disque on a un menu avec 5 options qui sont :</p>
<ol>
<li>Boot sur le disque</li>
<li>On</li>
<li>S'en</li>
<li>Fout</li>
<li>Config</li>
</ol>
<p>On commence par préparer la machine donc on choisit l'option 5. On
obtient un prompt ">>". On découvre quel modèle exacte d'Octane on a
avec <code>version</code>. Ce sera nécessaire pour télécharger les bons noyaux
correspondants.</p>
<p>Il est possible qu'on doive enlever la valeur de la variable "netaddr"
(on peut vérifier avec <code>printenv</code> si c'est le cas) : <code>unsetenv netaddr</code>.</p>
<p>Ensuite on monte un tftp (qu'on indiquera avec 'next-server' dans
dhcpd.conf). On pensera à autoriser les connexions avec pf. Et pas que
pour tcp hein (protip). Si on est frileux on lance <code>sysctl
net.inet.ip.portlast</code>, on note la valeur pour la remettre après et on
lance <code>sysctl net.inet.ip.portlast=32767</code>. Ensuite on debug avec
tcpdump tout ce qu'on aurait pu oublier en lançant simultanément
<code>bootp()bsd.rd.IP30</code> avec bien sûr la bonne version de votre kernel.</p>
<p>Finalement ça boot, une fois que bsd.rd est lancé, c'est comme d'hab.</p>
<p>Une fois l'installation faite, on reboot mais la machine ne va sans
doute pas réussir à booter à cause des options. Il faut vérifier que
"OSLoader" vaut bien "boot" avec <code>printenv</code>. Si ce n'est pas le cas,
il suffit de <code>setenv OSLoader boot</code>, on peut vérifier avec <code>printenv</code>
que c'est bon.</p>
<p>Le kernel qui est lancé est dans la variable "OSLoadFilename". C'est
avec cette variable qu'on indique si on prend <code>/bsd</code> ou <code>/bsd.rd</code>.</p>
<p>Enfin, il y a la variable "AutoLoad" pour que la machine boot toute
seule comme une grande sans qu'on ait besoin du serial.</p>
<h2>Mais euh ... t'inventes rien en fait, tout est dans INSTALL.sgi</h2>
<p>Exactement. <a href="http://ftp.fr.openbsd.org/pub/OpenBSD/5.6/sgi/INSTALL.sgi">Source</a></p>Monter automatiquement un disque chiffré sur OpenBSD au boot2014-11-09T10:20:00-05:002014-11-09T10:20:00-05:00Vigdistag:oldblog.chown.me,2014-11-09:/blog/monter-automatiquement-un-disque-chiffre-sur-OpenBSD-au-boot.html<p>Comment monter automatiquement lors du boot un disque chiffré avec softraid</p><h2>Ce que je veux faire</h2>
<p>J'ai récemment changé mon desktop de xubuntu à OpenBSD car suite à
l'achat d'un clavier mécanique, je l'utilise plus sérieusement. Je
compte utiliser un disque de 500 Go pour le système et un disque d'1
To pour les données. Bien évidemment les deux disques sont chiffrés
avec softraid.</p>
<p>Mon but est que le deuxième disque soit monté automatiquement au boot,
sans même me demander la phrase de passe.</p>
<h2>On formate le disque</h2>
<p>On commence par chiffrer le nouveau disque. On suppose que c'est
wd1. Je suppose que les commandes données sont connues :</p>
<div class="highlight"><pre><span></span>$ fdisk -e wd1
$ disklabel -E wd1 <span class="c1"># on créé juste la partition p en RAID</span>
$ bioctl -c C -l /dev/wd1p softraid0
</pre></div>
<p>à ce moment là, le disque chiffré va être monté sur (supposons) sd1.</p>
<div class="highlight"><pre><span></span>$ dd <span class="k">if</span><span class="o">=</span>/dev/zero <span class="nv">of</span><span class="o">=</span>/dev/rsd1c <span class="nv">bs</span><span class="o">=</span>1m <span class="nv">count</span><span class="o">=</span><span class="m">1</span>
$ fdisk -e sd1 <span class="c1"># on créé la partition a</span>
$ disklabel -E sd1
</pre></div>
<p>Mais ça c'est dans la FAQ sinon.</p>
<h2>L'automount.</h2>
<h3>la phrase de passe</h3>
<p>On commence par mettre la phrase de passe dans un fichier sur le
disque. On s'en fiche car 1) le disque est chiffré 2) c'est pas des
données vraiment confidentielles (on a rien à cacher, n'est ce pas ?).</p>
<div class="highlight"><pre><span></span>$ <span class="nb">echo</span> <span class="s2">"92915934093122c04f4711291f8fae282ef56022"</span> > /etc/passphrase
</pre></div>
<p>Ensuite on utilise chown(8) et chmod(8) pour arriver à</p>
<div class="highlight"><pre><span></span>-rw------- 1 root wheel 123 Nov 8 17:59 /etc/passphrase
</pre></div>
<p>(sinon de toute façon, bioctl va râler).</p>
<h3>Identifions les disques</h3>
<p>À partir de maintenant, on va utiliser des
<a href="http://openbsd.org/faq/faq14.html#intro">DUIDs</a> et non plus le device
car les disques et les volumes créés par softraid peuvent changer,
mais pas les DUIDs.</p>
<p>Il y a deux volumes, le physique <code>/dev/wd1</code> et le logique
<code>/dev/sd1</code>. Les deux ont bien évidemment chacun leur propre DUID.</p>
<p>Pour trouver le DUID d'un disque, c'est dans disklabel(8) :</p>
<div class="highlight"><pre><span></span>$ disklabel wd1 <span class="p">|</span> grep duid
duid: 4d498d4248c8d056
$ disklabel sd1 <span class="p">|</span> grep duid
duid: 384c27964f6e987d
</pre></div>
<h3>On choisit comment on va le monter</h3>
<p>On indique dans <code>/etc/fstab</code> comment on veut le monter. Dans mon cas à
la fin du fichier c'est :</p>
<div class="highlight"><pre><span></span>$ tail -n <span class="m">1</span> /etc/fstab
b1e264fc29000110.a /dataporn ffs rw,nodev,nosuid,softdep,noauto <span class="m">0</span> <span class="m">0</span>
</pre></div>
<p>On voit au début de la ligne le DUID suivi de la lettre "a" car j'ai
utilisé (à tort, c'est réservé pour / normalement) la partition "a"
pour mes données. Par contre attention, c'est <strong>le DUID du volume monté
par softraid</strong>, pas celui du volume physique.</p>
<p>Je vous laisse lire les mans de mount(8) et de fstab(5) si vous ne
comprenez pas les options. On termine par "0 0" pour dire ne pas
tenter de le fsck pour la même raison qu'on le met en noauto, car au
boot le volume n'a pas encore été monté donc pour le système il
n'existe pas (vous pouvez essayer, <a href="https://twitter.com/Vigdis_/status/531042628625002497">je l'ai
fait</a> :p).</p>
<h3>On déchiffre et on monte le disque</h3>
<p>On va donc utiliser le fichier <code>/etc/rc.local</code> pour déchiffrer et monter
le disque et il puisera les informations dans <code>/etc/fstab</code> pour monter
le volume au bon endroit.</p>
<p>La différence entre -current et -stable est que le script
<code>/etc/rc.local</code> n'est plus dans <code>/etc</code> mais dans <code>/etc/examples</code>.</p>
<p>On rajoute dans ce fichier les lignes :</p>
<div class="highlight"><pre><span></span>bioctl -c C -l 4d498d4248c8d056.p -p /etc/passphrase softraid0
echo "check /dataporn"; fsck -p /dataporn; mount -s /dataporn
</pre></div>
<p>Cette fois, c'est <strong>le DUID du volume physique</strong>. On monte le volume
chiffré puis on lance un petit fsck (comme le fait le système au boot)
et enfin, on monte le volume suivant <code>/etc/fstab</code>.</p>
<p>On peut lancer les commandes à la main pour vérifier que ça se passe
bien puis on reboot pour tester et ça devrait marcher.</p>
<h2>Les bisous</h2>
<p>Merci à <a href="https://twitter.com/_semarie">semarie</a> et landry@ pour l'aide
et les conseils.</p>Some news from my internship2014-09-25T10:20:00-04:002014-09-25T10:20:00-04:00Vigdistag:oldblog.chown.me,2014-09-25:/blog/some-news-from-my-internship.html<p>I just finished a two-month internship, so here's the story.</p><p>I don't often write my articles in English (yeah, there are some in
English), but as this time some people concerned don't speak French,
it makes more sense to write it in English.</p>
<h2>Why this internship?</h2>
<p>To graduate my engineering school, I have to do a two-month internship
abroad (so anywhere but not in France).</p>
<h3>Why THIS internship?</h3>
<p>Because as you may be aware, I <strong>really</strong> like OpenBSD so what's
better than doing it with OpenBSD developpers?</p>
<h3>OpenBSD developpers?</h3>
<p>I did the internship at vantronix/Compumatica where mpi@, mikeb@ and
(former) mickey@ work. (I can't say if a first name beginning with the
letter "m" is mandatory or not :p).</p>
<h3>Where?</h3>
<p>So it was in Aachen (or known as Aix la Chapelle for French people) in
Germany. The city is really nice. A huge and nice park was at only ten
minutes on foot with a bunch of cute squirrels and it was really cool
to go there when the run shone (yeah, it happened sometimes).</p>
<h2>What did you do?</h2>
<h3>Working on a OpenBSD computer <3</h3>
<p>The first thing I did was installing OpenBSD on the laptop they
provided me (which was a x201, as the one I own). I copied my ~/.config
on the freshly installed laptop (and it just worked, I was amazed) so
it was configured exactly as I like.</p>
<p>I really appreciated to work on an OpenBSD computer with the settings
I want. I'm so fed up to use windows as well in school that in my
apprenticeship.</p>
<h3>Showing some love to the documentation</h3>
<p>I then fixed and updated the documentation they provide to customers
for the products the company sells. The patchs related to OpenBSD
(like for man pages) were merged upstream, of course.</p>
<h3>Establishing IPSEC tunnels</h3>
<p>Mike asked me to set up some ipsec tunnels (both with isakmpd and
iked) because he wanted to see something. I was scared because I know
how complicate ipsec standards are, but it just worked. Quite
astonished.</p>
<h3>xkeyboard</h3>
<p>At first I thought there was a bug laying in OpenBSD xkeyboard because
when I used Debian on my laptop I saw a difference. It was just
because they don't have the same layout by default.</p>
<p>I mailed the Xorg maintener to know why the difference and why not
choose a better default for every one. I try to argue why fr-oss would
be better but after being answered a couple of times "we should do as
Windows do", I stop replying to not to be rude.</p>
<p>I finally did the change on my computers. I noticed that there was a
bug which was fixed upstream, so I looked for the git repo then looked
for the patch and then tried it on OpenBSD xenocara, it was a great
experience.</p>
<h3>sikrit project</h3>
<p>I begin to work on a project but as long it's not finished, I don't
want to talk about it. :)</p>
<h3>Preview of mpi's talk to EuroBSDcon</h3>
<p>He did a talk to show his slides and have feedback, mainly from mikeb@
and mickey@, for the talk he's doing at EuroBSDcon in Sofia. It was
interesting to attend.</p>
<h2>Sum up</h2>
<p>I learnt a lot of things, had a couple of really interesting
discussions (about OpenBSD, private stuff (aka life), free software and
so on). I also had a lot of fun because they're funny guys like when
mpi@ did his pre-talk or in various occasion.</p>
<p>One time I remember is when
<a href="http://marc.info/?l=openbsd-cvs&m=140851530004726&w=2">mikeb unlinked crypto(4)</a>. He
said "oh, it wasn't present on Vax, I know, I'll call that the
<a href="https://en.wikipedia.org/wiki/Vaccination">vaxination</a>" :D</p>
<p>I think how much I'm sad right now is pretty meaningful about how much I
loved it.</p>
<h2>Thanks</h2>
<p>This internship wouldn't have happened without the help of
<a href="https://twitter.com/lucilefalg_">Lucile</a> and stsp@. I'm really
grateful for their help.</p>
<p>Obviously, I'd like to thank mikeb@, mpi@ and mickey@ for their
reception, their support, all the things they taught me and making me
go ahead. And also, mikeb for his advice to what to order for lunch, I
usually followed it blindly even I didn't know what I would get, but
I've never been disappointed :D</p>
<p>And in broader way, to all the staff of Compumatica for all their
welcome, their tries to talk with me in French (that was funny).</p>
<h2>Some links</h2>
<p><a href="http://marc.info/?l=openbsd-cvs&m=140725646723662&w=2">http://marc.info/?l=openbsd-cvs&m=140725646723662&w=2</a></p>
<p><a href="http://marc.info/?l=openbsd-cvs&m=140725660023766&w=2">http://marc.info/?l=openbsd-cvs&m=140725660023766&w=2</a></p>
<p><a href="http://marc.info/?l=openbsd-cvs&m=140746716804227&w=2">http://marc.info/?l=openbsd-cvs&m=140746716804227&w=2</a></p>
<p><a href="http://marc.info/?l=openbsd-cvs&m=140952023712487&w=2">http://marc.info/?l=openbsd-cvs&m=140952023712487&w=2</a></p>
<p><a href="http://marc.info/?l=openbsd-cvs&m=141043410332344&w=2">http://marc.info/?l=openbsd-cvs&m=141043410332344&w=2</a></p>
<p><a href="http://marc.info/?l=openbsd-cvs&m=141097034506575&w=2">http://marc.info/?l=openbsd-cvs&m=141097034506575&w=2</a></p>
<p><a href="http://marc.info/?l=openbsd-cvs&m=141091440819059&w=2">http://marc.info/?l=openbsd-cvs&m=141091440819059&w=2</a></p>
<p><a href="http://marc.info/?l=openbsd-cvs&m=141091837920339&w=2">http://marc.info/?l=openbsd-cvs&m=141091837920339&w=2</a></p>
<p>(they may not all be there).</p>xmpp-client sur OpenBSD2014-09-21T10:20:00-04:002014-09-21T10:20:00-04:00Vigdistag:oldblog.chown.me,2014-09-21:/blog/xmpp-client-sur-OpenBSD.html<p>Utilisation d'un remplaçant à pidgin : xmpp-client</p><h2>Comment elle commence ton histoire ?</h2>
<p>Pidgin est cassé. C'est pas nouveau, c'est régulièrement
répété. L'avant dernière fois que je l'ai lu, c'était dans le très bon
article everything is
broken (<a href="https://medium.com/message/everything-is-broken-81e5f33a24e1">en</a>|<a href="http://www.framablog.org/index.php/post/plus-rien-ne-marche-que-faire">fr</a>)
de Quinn Norton.</p>
<p>Sur OpenBSD, régulièrement, quand OTR intervient pour générer une clé
ou authentifier un contact, pouf, il segfault. Rassurant, non ?</p>
<p>La dernière fois, c'était dans
<a href="https://twitter.com/csoghoian/status/510812616630206464">un tweet de Christopher Soghoian</a>
et dans lequel, il dit du bien (dire qu'il peut être utilisé par des
journaleux, c'est dire du bien :)) de xmpp-client d'Adam Langley (dev
qui bosse chez google, qui bosse sur la sécurité de chrome pour la
stack SSL/TLS, qui a forké openssl en boringssl etc).</p>
<p>J'ai eu envie de tester, d'où cet article.</p>
<h2>Mais pourquoi ce client, y a plein de client xmpp</h2>
<p>Mon besoin est simple "<a href="https://otr.cypherpunks.ca/">OTR</a>". Lecteur, tu rigoles
peut-être, mais juste ces trois lettres en enlèvent une grosse partie.</p>
<p>C'est pour ça par exemple, que <a href="https://twitter.com/falzm/status/510885976068333568">je n'utilise pas bitlbee</a>.</p>
<h3>Et ne pas utiliser OTR ?</h3>
<p>Nope, nope nope.</p>
<p>Je ne fais pas confiance à tls/ssl pour xmpp. Pas dans un cas général,
mais dans mon cas. Parce que la version de prosody que j'utilise est
vieille, que ceci que cela, que le s2s est sujet à du mitm etc.</p>
<p>Mais bon, c'est pas une nouveauté que le chiffrement bout à bout, est
une nécessité.</p>
<div class="highlight"><pre><span></span> “Encryption works. Properly implemented strong crypto systems are
one of the few things that you can rely on. Unfortunately,
endpoint security is so terrifically weak that NSA can frequently
find ways around it.”
</pre></div>
<p>D'ailleurs, on en revient à ce que je disais avant "endpoint security
is so terrifically weak" COUCOU PIDGIN §§§.</p>
<p>Donc ceinture, bretelle, toussa toussa. Je veux OTR.</p>
<h3>ok ok, mais y a plus d'un client xmpp qui gère OTR</h3>
<p>On va lister ceux qui gèrent OTR d'après
<a href="https://otr.cypherpunks.ca/software.php">https://otr.cypherpunks.ca/software.php</a></p>
<ul>
<li>adium == libpurple, donc même chose que pidgin</li>
<li>climm, mcabber, centerim et profanity j'avoue j'ai pas testé, mais de ce que je
vois sur leurs sites, ça ne me fait pas rêver</li>
<li>kopete ouais ça marchouille, avec le plaisir que comme tous softs
kde/gnome tu bouffes trois brouettes de dépendances, merci bisous</li>
<li>jitsi == java ... désolé, firefox a déjà pris toute la ram</li>
</ul>
<p>via plugins :</p>
<ul>
<li>pidgin, ouais, on sait ce que ça vaut</li>
<li>irssi euh ouais, j'ai tenté d'utiliser, mmmh j'ai pas
particulièrement aimé, je ne sais plus trop pourquoi</li>
<li>psi j'ai testé y a longtemps, la gui n'était pas intuitive,
j'arrivais à rien</li>
<li>gajim euh, <a href="https://en.wikipedia.org/wiki/Gajim#Security">hum</a></li>
</ul>
<p>Je suis sans doute difficile.</p>
<h2>Donc xmpp-client</h2>
<p>C'est un client cli-only, donc pas d'interface graphique.</p>
<p>On commence par installer les paquets nécessaires :</p>
<div class="highlight"><pre><span></span>pkg_add go mercurial
</pre></div>
<p>On set un GOPATH, dans mon cas :</p>
<div class="highlight"><pre><span></span>export GOPATH=/home/myuser/gocode
</pre></div>
<p>Ensuite on applique la commande magique :</p>
<div class="highlight"><pre><span></span>go get github.com/agl/xmpp-client
</pre></div>
<p>on se retrouve avec dans le gopath :</p>
<div class="highlight"><pre><span></span>$ ls gocode/
bin/ pkg/ src/
</pre></div>
<p>dans bin il y a l'éxécutable qu'on va lancer.</p>
<p>Une fois l'exécutable lancé, il nous pose des questions et génère le
fichier de config dans <code>~/.xmpp-client</code></p>
<p>On va modifier deux choses.</p>
<h3>La première</h3>
<p>La première est l'ajout du mot de passe. agl ne le fait pas pour être
sûr que la personne qui le fait sait qu'il met son mot de passe en
clair dans un fichier sur son disque. Mais si quelqu'un a accès à ce
fichier, j'aurais bien d'autres problèmes avant. Et de toute façon
<a href="http://blog.chown.me/utiliser-openbsd-sur-un-laptop.html">j'ai du FDE</a>.</p>
<p>On ajoute donc la ligne</p>
<div class="highlight"><pre><span></span>"Password": "f6fab8747331ca8fc8b7fdabf81f822f256d647e",
</pre></div>
<p>Hahaha tu as vu, il est trop con, il a mis son vrai mot de passe !!1!
<code>openssl rand -hex 20</code> est ton ami.</p>
<h3>La deuxième</h3>
<p>La deuxième chose,
<a href="http://blog.chown.me/pika-pika-pki.html">j'utilise ma propre maf^WAC</a>,
et donc avec xmpp-client, s'il ne trouve pas l'AC dans
/etc/ssl/jesaispasquelfichieràlacon, il ne veut pas se
connecter. Soit, on jette un rapide coup d'oeil dans les sources</p>
<div class="highlight"><pre><span></span>ServerCertificateSHA256 string `json:",omitempty"`
</pre></div>
<p>ça tombe bien,
<a href="https://chown.me/iota/fingerprint.asc.txt">je les donne</a>.</p>
<p>On rajoute donc (dans mon cas, tu es invité·e à changer les valeurs
chez toi) :</p>
<div class="highlight"><pre><span></span>"ServerCertificateSHA256": "5c5f28ea20b09c71fca7442569b8d56f11907a1ab0ce2ada998755b1d755b207"
</pre></div>
<p>Et voilà ça se connecte.
On parle qqn en mettant sont adresse par exemple randomuser@chown.me
et le prompt va passer de ">" à "randomuser@chown.me"</p>
<p>Le client permet de faire pas mal de chose :</p>
<div class="highlight"><pre><span></span>> /help
* (9:51PM) /add <user> Request a subscription to another user's presence
* (9:51PM) /away Set your status to Away
* (9:51PM) /chat Set your status to Available for Chat
* (9:51PM) /confirm <user> Confirm an inbound subscription request
* (9:51PM) /deny <user> Deny an inbound subscription request
* (9:51PM) /dnd Set your status to Busy / Do Not Disturb
* (9:51PM) /help List known commands
* (9:51PM) /nopaste Stop interpreting text verbatim
* (9:51PM) /online Set your status to Available / Online
* (9:51PM) /otr-auth <user> <secret> Authenticate a secure peer with a mutual, shared secret
* (9:51PM) /otr-authoob <user> <fingerprint> Authenticate a secure peer with out-of-band fingerprint verification
* (9:51PM) /otr-authqa <user> <question> <secret> Authenticate a secure peer with a question and answer
* (9:51PM) /otr-end <user> End an OTR session
* (9:51PM) /otr-info Print OTR information such as OTR fingerprint
* (9:51PM) /otr-start <user> Start an OTR session with the given user
* (9:51PM) /paste Start interpreting text verbatim
* (9:51PM) /quit Quit the program
* (9:51PM) /rostereditdone Load the edited roster from disk
* (9:51PM) /rosteredit Write the roster to disk
* (9:51PM) /roster [--online] Display the current roster
* (9:51PM) /statusupdates Toggle if status updates are displayed
* (9:51PM) /version <user> Ask a Jabber client for its version
* (9:51PM) /xa Set your status to Extended Away
</pre></div>
<h3>La troisième</h3>
<p>Et la troisième chose, c'est juste
<a href="http://martinfowler.com/bliki/TwoHardThings.html">une erreur off-by-one</a>.</p>
<h2>Et l'utilisation ?</h2>
<p>Déjà ça change de mon client graphique. Avec pidgin, l'icone se met en
haut à droite dans ma barre des tâches de xfce et l'avantage c'est que
quand je reçois un message, l'icone change. Le problème c'est quand
j'utilise une application en plein-écran (à peu près toute, en fait),
je ne la vois pas.</p>
<p>Avec xmpp-client, le problème sera le même, parce que je le lance dans
un onglet du terminal et même si avec xfce la couleur des titres des term
changent selon l'activité de ce dernier, si je ne suis pas dans mon
espace de travail consacré au terminal je ne le verrais pas. Cela dit,
je ne crois pas que mes contacts doivent me contacter en toute
urgence.</p>
<p>Par rapport à pidgin où une fenêtre est dédiée à l'affichage des
contacts et une fenêtre pour les conversations (chaque conversation a
lieu dans un onglet), sur xmpp-client, tout se passe au même endroit,
ce qui est un peu surprenant : on peut avoir à la suite des messages
de différentes personnes, les réponses qu'on envoie et les changements
de statuts des gens (connectés, déconnectés et away).</p>JE fais ce que JE veux avec MA vie privée2014-06-24T10:20:00-04:002014-06-24T10:20:00-04:00Vigdistag:oldblog.chown.me,2014-06-24:/blog/je-fais-ce-que-je-veux-avec-ma-vie-privee.html<p>Que quelqu'un accepte de sacrifier sa vie privée auprès des GAFA ne vous autorise pas à l'exploiter</p><h2>Contexte</h2>
<p>Hier soir en organisant <a href="http://gitoyen.net/">un truc</a> pour ce week-end (parallèlement à PSES), j'ai regardé la page "<a href="http://www.passageenseine.org/Passage/le-spot">Le Spot</a>" du site passageenseine.org pour savoir où ont lieu les confs. Il y avait l'adresse, la station de métro .... et un plan google map.</p>
<p>Un peu amusé je <a href="https://twitter.com/Vigdis_/status/481132195789426688">tweet</a></p>
<blockquote>
<p>Ce week end @passageenseine avec plein de conf pour t'expliquer la surveillance et pour s'y rendre un plan google map http://www.passageenseine.org/Passage/le-spot</p>
</blockquote>
<p>Ce message était sarcastique mais avec la limite des 140 caractères, j'ai pas réussi à le tourner de manière à ce que ce soit claire.</p>
<p>Le compte twitter de PSES met en copie <a href="https://twitter.com/bluetouff">bluetouff</a> qui me répond (entre autre) 3 tweets (du plus récent au plus vieux) :</p>
<!---->
<p><img alt="twitter" src="https://chown.me/iota/twitter.png"></p>
<p>Sur le premier tweet (le plus vieux), c'est une imprim'écran du code source de twitter.</p>
<h2>Pourquoi ces tweets sont stupides</h2>
<p>Déjà parce qu'ils ont changé le plan, donc ça montre que j'ai raison mais que non, fallait quand même qu'il fasse le beau sur twitter.</p>
<h3>OpenBSD et javascript</h3>
<p>Elle est amusante sa blague non ? Même venant de la part de quelqu'un qui gère <a href="http://reflets.info/apple-brevete-le-kill-switch-dans-votre-poche/">un média qui dénonce la politique d'Apple</a> et qui utilise un mac ? (tant qu'à parler des OS des uns, parlons des OS des autres)</p>
<h3>Le CMS fait par un mec ayant travaillé chez Google</h3>
<blockquote>
<p>Le développeur du CMS sur lequel est réalisé le site de PSES a même bossé chez Google</p>
</blockquote>
<p>Ah donc ça veut dire quoi ? Il y a d'autres surprises sur le site ?</p>
<p>J'sais pas, un des devs d'OpenSSH travaille chez google ça veut dire que je dois arrêter d'utiliser OpenSSH ? ....</p>
<h3>On est sur twitter</h3>
<p>Je prends la peine de détailler ce point, car c'est visiblement pas clair pour tout le monde (j'en ai encore discuté récemment avec Orphée).</p>
<blockquote>
<p>(ps : on est sur twitter là)</p>
</blockquote>
<p>Ce propos est stupide. C'est moi qui ai choisi d'être sur twitter, je l'ai fait de mon plein gré en toute connaissance de cause, et c'est tout à fait mon droit. Par contre que lorsque je me renseigne sur un évènement avec un certain nombre de conf qui parlent à propos de la surveillance de masse, ça me fait doucement rire d'utiliser (sauf si tu as une panoplie de plugins sur ton browser qui va bloquer) un des partenaires clés de la NSA.</p>
<p>Quitte à faire une analogie douteuse, si une fille couche avec plein de mecs, vous la forcez sous prétexte qu'elle couche avec des gens en pensant que ça rend légitime ce rapport ? Non, c'est un <strong>viol</strong>.</p>
<p><a href="./pages/blog.html">Pour moi</a> c'est juste une question de respect que de ne pas utiliser des services qui vont espionner mes visiteurs, peu importe s'ils utilisent facebook ou google + ou autre, tout simplement ça ne me regarde pas.</p>
<h2>Bref</h2>
<p>Mais bon, je sais qu'on parle des gens qui ont dénoncé la surveillance tout en utilisant les serveurs mails de gmail et qui vont jusqu'à t'<a href="http://cypherpunk.fr/la-nouvelle-boite-p0rn-de-reflets-info/">expliquer que ce n'est pas grave</a>, mais en les changeant quand même ... (même si on peut me répondre que c'est toujours mieux que le parti pirate qui utilise toujours les serveurs de gmail).</p>De la haute dispo sur ton lappy2014-06-07T10:20:00-04:002014-06-07T10:20:00-04:00Vigdistag:oldblog.chown.me,2014-06-07:/blog/de-la-haute-dispo-sur-mon-lappy.html<p>Comment faire du failover sur son laptop entre les interfaces filaire et wifi</p><h2>De la haute dispo ?</h2>
<p>Le titre est un peu accrocheur et t'a peut-être fait remplir une case de ton <a href="https://en.wikipedia.org/wiki/Buzzword_bingo"><em>bullshit bingo</em></a>, certes.</p>
<p>Mais du trunk failover est quand même de la "haute dispo".</p>
<h2>Hein ? du trunk failover ?</h2>
<p><code>man 4 trunk</code></p>
<h3>trunk</h3>
<div class="highlight"><pre><span></span> The trunk interface allows aggregation of multiple network interfaces as
one virtual trunk interface.
</pre></div>
<h3>failover</h3>
<div class="highlight"><pre><span></span> failover Sends and receives traffic only through the master port. If
the master port becomes unavailable, the next active port is
used. The first interface added is the master port; any
interfaces added after that are used as failover devices.
</pre></div>
<h3>mmmh, j'ai pas tout compris</h3>
<p>aka le relou qui ne va pas me laisser m'en tirer juste en copiant/collant des bouts de la man page</p>
<p>Un trunk est une interface (virtuelle) qui va aggréger plusieurs interfaces. Un failover est un des modes de trunk.</p>
<div class="highlight"><pre><span></span> The driver currently supports the trunk protocols broadcast, failover,
lacp, loadbalance, none, and roundrobin (the default).
</pre></div>
<p>Dans notre cas les autres modes ne sont pas utiles donc je n'en parlerai pas. Le failover, comme dit la man, consiste à lister des interfaces. Si lors de l'utilisation de <em>cette liste</em> d'interfaces, celle actuelle n'est plus active, on essaie la suivante et ainsi de suite tant qu'il y en a. Cela permet de redonder une interface (mais c'est la solution du pauvre, car le riche redonde toute la machine avec <a href="http://www.openbsd.org/faq/faq6.html#CARP">carp</a>).</p>
<h3>Tes explications ne sont que moyennement claires, concrètement ?</h3>
<p>Concrètement, le but recheché c'est que si un cable ethernet est branché sur mon laptop celui-ci utilise l'interface filaire, sinon il utilise le wifi.</p>
<p>Concrètement si je fais la commande <code>ifconfig trunk0</code> elle donne entre autre</p>
<div class="highlight"><pre><span></span>$ ifconfig trunk0
trunk0: <span class="nv">flags</span><span class="o">=</span><span class="m">8843</span><UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu <span class="m">1500</span>
lladdr f0:de:f1:09:c7:94
priority: <span class="m">0</span>
trunk: trunkproto failover
trunkport iwn0
trunkport em0 master,active
groups: trunk egress
</pre></div>
<p>ou dans l'autre cas</p>
<div class="highlight"><pre><span></span>$ ifconfig trunk0
trunk0: <span class="nv">flags</span><span class="o">=</span><span class="m">8843</span><UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu <span class="m">1500</span>
lladdr f0:de:f1:09:c7:94
priority: <span class="m">0</span>
trunk: trunkproto failover
trunkport iwn0 active
trunkport em0 master
groups: trunk egress
</pre></div>
<p>La seule différence entre les deux, c'est quelle interface qui est active, dans la première c'est <code>em0</code> la filaire et dans la deuxième <code>iwn0</code> mon wifi.</p>
<h2>C'est bien rigolo mais si tu me racontais ta vie</h2>
<p>Habituellement, en plus du clavier/souris et de l'écran de ma tour, j'ai mon laptop sur mon bureau (à défaut de faire du multi-écrans on fait du multi pc :p). Sauf que quand ma chérie est là faut que je vire le laptop parce que <a href="https://fr.wiktionary.org/wiki/étudiant">ce bureau est accessoirement ma table à manger</a>. Et donc rapidement les cables ethernet sont ingérables et donc je passe en wifi. Sauf que c'est chiant, entre ma route ipv6 qui expire rapidement (tu veux les détails ? t'as qu'à lire misc@), les priorités des routes qui font que c'est plus simple de redémarrer le laptop pour tout nettoyer plutôt que de se prendre la tête avec les différentes commandes et le débit asthmatique en wifi.</p>
<p>Comme dit dans <a href="./du-wifi-sur-l-alix.html">mon article à propos du wifi sur mon routeur</a>, j'utilise une clé USB wifi et dont le débit est limité à 100ko/s en down (en up c'est l'inverse) et dont je n'ai jamais trouvé la cause.</p>
<p>J'ai vu récemment que dans la <a href="http://www.openbsd.org/faq/index.html">FAQ d'OpenBSD</a> ils expliquent comment faire un trunk failover entre les interfaces filaire et wifi d'un laptop.</p>
<p>Sauf que, contrairement à ce que font les modem-routeurs des FAIs commerciaux, mon réseau filaire n'est pas le même que le réseau wifi. Non pas pour des raisons de sécurités (les règles pf sont quasi identiques pour les deux interfaces) juste que je suis pas chaud pour les bridger. Et donc de ce fait, je ne pouvais pas me faire un trunk puisqu'un trunk se fait forcément avec des interfaces présentes sur un même réseau.</p>
<p>Je me suis donc acheté une borne wifi avec un switch intégré.</p>
<p>Sur les conseils de zorun, je me suis acheté un TP-Link TL-WR841N (pour moins de 20€) afin de remplacer ma NIC USB. Après m'être lancé sans réfléchir et avoir tenté de désactiver le routage, le nat et les autres cochonneries dont je n'ai pas besoin (je préfère quand même gérer tout ça avec pf, étonnant hein) je me suis dit "et si je n'utilisais pas le port wan du machin, et seulement ceux du switchs". Bingo. Ensuite j'ai juste dû configurer les options du wifi (clé wep, filtrage mac etc ... (je déconne hein)). </p>
<h2>Bon et sinon ça se configure comment ?</h2>
<p>Je vais me contenter de copier coller les fichiers de conf de la FAQ :</p>
<h3>L'interface filaire</h3>
<div class="highlight"><pre><span></span># cat /etc/hostname.em0 # l'interface filaire
up
</pre></div>
<h3>Celle du wifi</h3>
<p>On lui indique le nom du wifi et le mot de passe.</p>
<div class="highlight"><pre><span></span># cat /etc/hostname.iwn0
nwid puffynet
wpakey mysecretkey
up
</pre></div>
<h3>On mélange le tout</h3>
<div class="highlight"><pre><span></span># cat /etc/hostname.trunk0
trunkproto failover trunkport em0
trunkport iwn0
dhcp
rtsol # on est en 2014 quand même
</pre></div>
<p>On a mis en premier l'interface filaire parce que c'est elle la master.</p>
<h2>Et dans les faits ?</h2>
<p>Bah comme d'hab sur OpenBSD, <em>it just works</em>.</p>
<p>Si j'en crois les secondes qui défilent dans mon irssi qui tourne dans mon tmux, lors d'un (dé)branchement du cable ethernet, y a un petit flop de 3-4 secondes (sachant que ça doit être probablement la reconnexion ssh) je trouve ça <strong>plus</strong> que <strong>bien</strong>.</p>
<h2>C'est ça ton article ? Des copiés-collés de la FAQ et des man ???</h2>
<p>J'en conviens, cet article n'est pas folichon niveau originalité du contenu, mais c'est juste un rappel pour ceux qui croient qu'OpenBSD est compliqué et pas à la portée des débutants.</p>
<p>Je ne parle pas du fait que c'est génial, car tout le monde sait qu'OpenBSD est génial, non ?</p>Réponse à la "lettre aux barbus"2014-06-07T10:20:00-04:002014-06-07T10:20:00-04:00Vigdistag:oldblog.chown.me,2014-06-07:/blog/reponse-a-la-lettre-aux-barbus.html<p>Article pour répondre à la lettre aux barbus de Laurent Chemla</p><h2>Hein ? quelle lettre ?</h2>
<p>Il y a quelques jours, reflets.info a publié un article de <a href="https://twitter.com/laurentchemla">Laurent Chemla</a> qui s'intitule <a href="http://reflets.info/lettre-aux-barbus/">Lettre aux barbus</a>.</p>
<p>Cet article me pose un certain nombre de problèmes et je préfère éviter de commenter sur le site, mes commentaires que j'y ai fait par le passé ne constituent pas une expérience que j'estime concluante.</p>
<h2>So what ?</h2>
<p>J'ai relevé divers points avec lesquels je ne suis pas d'accord, ils seront une mise en bouche pour le point important abordé ensuite.</p>
<h3>Le trafic Tor</h3>
<p>Je cite :</p>
<blockquote>
<p>Le trafic de TOR a augmenté considérablement juste après les révélations de Snowden, mais décroit depuis pour revenir à un niveau d’a peine deux fois plus qu’avant. Même à son maximum (6 millions), le nombre d’utilisateurs de TOR restait négligeable par rapport aux utilisateurs d’Internet (plusieurs milliards).</p>
</blockquote>
<p>Alors là j'ai bien ri. J'adore quand on parle de quelques choses sans s'être renseigné préalablement dessus.</p>
<p>On parle de quoi exactement ? <a href="https://metrics.torproject.org/userstats-relay-country.png?start=2013-03-09&events=off&end=2014-06-07&country=all">D'un pic de connexions Tor</a>. Parler de pic d'utilisateurs est pas vraiment précis car les mesures consistent à compter le nombre de connexions et à diviser par le nombre moyen de connexions qu'un utilisateur de Tor génère. Cela permet de donner des chiffres mais il faut bien comprendre que c'est un indice, le nombre n'est pas précis (et c'est tant mieux).</p>
<h4>Bah et alors ? Y a bien un pic non ?</h4>
<p>Certes, mais de dire que ce sont des utilisateurs <em>humains</em> qui sont responsables est faux tout comme dire que ce sont les révélations de Snowden la cause. Pourquoi ? Regardez <a href="https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2013-07-09&end=2013-09-07&country=all&events=off#userstats-relay-country">le pic précisément</a>. Le pic a commencé à mi-aout (<a href="https://lists.torproject.org/pipermail/tor-talk/2013-August/029582.html">un des devs parle du 19 août</a>). Les révélations de Snowden le 5 (?) Juin. Donc deux mois après, sursaut des gens paf, ils se mettent à utiliser Tor. Tellement crédible. </p>
<p>Pour plus d'info, je vous invite à lire <a href="https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients">l'article du même dev Tor</a> et à regarder autour du <a href="http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx">botnet Sefnit</a>.</p>
<p>Pour info, <a href="https://nos-oignons.net/Donnez/index.fr.html">ça m'aurait vraiment fait plaisir</a> de voir que les gens se réveillent et se mettent à utiliser Tor, mais juste ce n'est pas ce qu'il s'est passé.</p>
<p>J'aborde longuement ce point, mais c'est aussi pour en parler une bonne fois pour toute.</p>
<h3>Les nouveaux outils qui ont vu le jour et qui sont des succès</h3>
<blockquote>
<p>De nombreux projets d’outils de protection de la vie privée ont vu le jour. Rien que dans le domaine de la messagerie, Mailpile, BitMessage, la Dark Mail Alliance… La plupart sont des succès, mais restent largement réservés à un public très restreint.</p>
</blockquote>
<p><img alt="lolwut" src="https://poolp.org/~vigdis/lolwut.jpg"></p>
<p>Alors on va les prendre dans l'ordre.</p>
<h4>Mailpile</h4>
<p>Ouais, ils ont sorti une alpha, que ... personne (ouais à 15 personnes près) n'a installé ... succès ?</p>
<h4>BitMessage</h4>
<p>Quand c'est sorti j'en ai entendu beaucoup parlé, depuis euh ... plus rien ... succès ?</p>
<p>Je sais pas, ptet que tout le monde l'utilise et que je suis à côté de la plaque, juste je n'en ai pas l'impression.</p>
<h4>Dark Mail Alliance</h4>
<p>Marrant, j'avais vu le truc à la sortie et j'avais complètement oublié ça (à tel point qu'en lisant l'article je ne savais même plus ce que c'était). Là en regardant un peu j'ai l'impression que c'est autant un succès que la FreedomBox (ouais je voulais publier l'article hier).</p>
<p>Bref pour reprendre la phrase de Laurent Chemla</p>
<blockquote>
<p>La plupart sont des succès, mais restent largement réservés à un public très restreint.</p>
</blockquote>
<p>je ne sais pas, j'ai compris son article comme un appel à faire en sorte que les gens, tous, utilisent des logiciels qui protègent leurs vies privées, par conséquent je ne vois pas comment ça peut-être un succès alors que seul un public restreint l'utilise ?</p>
<h3>Security ? Not my problem</h3>
<p>(Les geeks auront reconnus l'accronyme trollesque de <a href="https://en.wikipedia.org/wiki/Snmp">SNMP</a>.)</p>
<blockquote>
<p>Nous avons laissé faire. Trop longtemps. Nous avons négligé la sécurité, remis
« ça » à plus tard, oublié de nous en occuper.</p>
</blockquote>
<p>Ça me fait rire cette phrase. Pendant des années les gens se sont moqués <a href="http://www.openbsd.org">des paranos</a> mais là depuis Snowden les "bah ils avaient raison en fait" me procurent un mélange de joie et de tristesse, tout dépend à qui je pense.</p>
<h2>Le vrai problème</h2>
<p>J'arrive au point qui me gène vraiment dans l'article.</p>
<blockquote>
<p>Lettre aux barbus</p>
</blockquote>
<p>[...]</p>
<blockquote>
<p>Nous avons laissé faire. Trop longtemps. Nous avons négligé la sécurité, remis « ça » à plus tard, oublié de nous en occuper.</p>
</blockquote>
<p>[...]</p>
<blockquote>
<p>Nous ne sommes pas les seuls: chacun, à son niveau, partout dans nos sociétés, nous sommes responsables d’avoir laissé faire, d’avoir accepté la surveillance. Pour quelques euros de réduction mensuelle, pour une sécurité théorique, par paresse ou parce que « ça ne nous concerne pas », nous avons accepté les cartes de réduction nominatives, les moyens de paiement électroniques, les caméras et le reste.</p>
<p>Revenir à une société un peu moins folle ne se fera pas en un jour. Il y faudra du temps, de l’énergie, et de l’espoir. De la pédagogie, des scandales, et quelques autres héros de la trempe de Snowden. Ce sera long, difficile et c’est un combat presque perdu d’avance.</p>
</blockquote>
<p>:(</p>
<p>Le fait d'appeler son article "Lettre aux barbus" fait qu'à chaque fois les "nous", les "on" signifient "nous les barbus".</p>
<p>Or c'est tout le problème. Les barbus, les geeks (peu importe comment on les appelle) ne règleront pas la situation.</p>
<p>C'est d'ailleurs la conclusion de l'article (qui est <3) de Quinn Norton (<a href="https://medium.com/message/81e5f33a24e1">VO</a> et <a href="http://www.framablog.org/index.php/post/plus-rien-ne-marche-que-faire">VF</a>) :</p>
<blockquote>
<p>Mais le plus gros de tous les problèmes culturels repose toujours sur les épaules du seul groupe que je n’aie pas encore pris à partie – les gens normaux, qui vivent leurs vies dans cette situation démentielle. Le problème des gens normaux avec la technologie est le même qu’avec la politique, ou la société en général. Les gens pensent être isolés et sans pouvoir, mais la seule chose qui maintient les gens seuls et sans pouvoir est cette même croyance. Ceux qui travaillent ensemble ont un énorme et terrible pouvoir. Il existe certainement une limite à ce que peut faire un mouvement organisé de personnes qui partagent un rêve commun, mais nous ne l’avons pas encore trouvée.</p>
</blockquote>
<p>Pour commencer, le terme "barbus" donc les filles font quoi ? elles restent dans la cuisine ? C'est ça ? .........</p>
<p>Il faut vraiment que les gens arrêtent de se reposer sur d'autres personnes et se prennent en main. <a href="http://blog.spyou.org/wordpress-mu/2014/04/08/pffff-cest-complique/">Surtout pour la technologie</a> (lisez cet article, vraiment).</p>
<p>Il suffit d'être membre d'une asso pour se rendre compte en deux minutes que si tu veux que quelchose soit fait, tu as plus vite fait de le faire toi-même et ça se passera mieux ainsi pour tout le monde.</p>
<p>Juste un exemple, ma copine ne se doutait pas qu'utiliser des services gérés (ex: gmail) par des tiers pouvait poser des problèmes de confidentialité, qu'elle m'envoie des <em>photos</em> sur gmail ne lui posait aucun problème. Moi ça me posait problème.</p>
<p>Bah au lieu de me lamenter, je lui ai expliqué, j'ai pris son pc, j'ai installé les logiciels qu'il faut et je les ai configuré pour qu'on utilise <a href="./tag/auto-hebergement.html">les services fournis par mon serveur</a> et que ça les chiffre par défaut et le tout de manière transparente pour elle. Maintenant à la place d'ouvrir son chrome pourri puis d'aller sur gmail, elle ouvre Claws-mail qui est tout configuré bien comme il faut. Non je n'ai pas attendu que quelqu'un propose un super truc trop bien et qu'elle l'installe <em>(rêve toujours pour ça)</em>. Juste ma copine a d'autres passions que l'informatique et qu'elle n'aime pas ça alors je fais avec. (Non je ne suis pas un héros, je me prends juste en main.)</p>
<p><a href="https://fr.wiktionary.org/wiki/imberbe">Et tout ça, alors que je ne me considère même pas comme barbu</a>.</p>
<p>Bref, croire que les geeks sont superhéros et qu'ils vont vous sauver est la pire erreur que vous puissiez faire, sans vous, rien ne se passera.</p>Utiliser OpenBSD sur un laptop2014-04-06T10:20:00-04:002014-04-06T10:20:00-04:00Vigdistag:oldblog.chown.me,2014-04-06:/blog/utiliser-openbsd-sur-un-laptop.html<p>Les différentes étapes pour utiliser OpenBSD sur un laptop</p><h2>De la doc, encore de la doc \o/</h2>
<p>La raison de cet article est que j'ai installé OpenBSD sur un laptop
récemment et que ça m'aurait été pratique d'avoir cet article pour
être sûr de ne rien oublier. Au moins pour la prochaine fois, j'aurais
déjà ça.</p>
<p>Je fais certains choix car je pense que ce sont les meilleurs, libre à
vous d'en faire d'autres (et
<a href="./pages/Contact.html">je suis ouvert à la discussion</a>).</p>
<h2>Ce que je veux</h2>
<p>Le but est d'arriver à un laptop avec OpenBSD avec les logiciels
courants (web, mail, office etc), avec un système facile à maintenir
et avec du chiffrement de disque.</p>
<h2>Pré-installation d'OpenBSD</h2>
<h3>Le media d'installation</h3>
<p>Soit on grave un CD, soit on peut
<a href="http://undeadly.org/cgi?action=article&sid=20140228231258">utiliser une clé USB</a>.</p>
<p>Ensuite on boot sur le media, on arrive rapidement au choix, on
choisit de prendre un shell.</p>
<h3>Le chiffrement de disque</h3>
<p>Le swap sur OpenBSD est chiffré par défaut. J'ai pris le parti de le
rechiffrer. Principalement parce que le moins je touche à
disklabel(8), le mieux je me porte et de toute façon mon CPU a du
<em>AES-NI</em> d'Intel donc ça ne va ajouter que très peu de charge en
plus.</p>
<p>On commence par trouver le nom du disque, puis on crée la MBR.</p>
<div class="highlight"><pre><span></span>dmesg | grep wd
dmesg | grep sd
fdisk -i sd0
</pre></div>
<p>On partitionne le disque (je pars du principe que le disque est sd0)</p>
<div class="highlight"><pre><span></span>disklabel -E sd0
a # on crée un nouvelle partition
p # on prend la lettre p
# on laisse l'offset par défaut
# on prend tout le disque
RAID
w
q
</pre></div>
<p>On chiffre alors le disque dur avec</p>
<div class="highlight"><pre><span></span>bioctl -c C -l sd0p softraid0
</pre></div>
<p>Il va demander d'entrer une passphrase, on en choisit une de courte et
qu'on utilise partout afin d'être gentil avec
<a href="https://fr.wikipedia.org/wiki/DCRI">les gens qui ne veulent que <strong>notre</strong> bien et <strong>notre</strong> sécurité</a>. Ou
pas.</p>
<p>Le système va nous dire sur quoi il a attaché le nouveau volume. Je
vais supposer que c'est <em>sd1</em>.</p>
<p>Voilà, le disque est chiffré, on tape <code>exit</code> et on tape i pour
installer.</p>
<h2>Installation d'OpenBSD</h2>
<p>L'installation se fait comme d'habitude (facilement quoi), faut juste
choisir comme disque <em>sd1</em> (ou celui sur lequel softraid a attaché le
nouveau volume).</p>
<p>Puis on redémarre.</p>
<h2>Installation des paquets utiles.</h2>
<p>J'utilise <a href="//iota.chown.me/capture-ardoine.png">XFCE 4</a> sur toutes mes machines.</p>
<div class="highlight"><pre><span></span>pkg_add xfce xfce-extras
</pre></div>
<p>J'utilise un ensemble de logiciels qui sont plus ou moins nécessaires.</p>
<div class="highlight"><pre><span></span>pkg_add claws-mail emacs evince firefox keepassx libreoffice mplayer mumble nmap pidgin pidgin-otr vim vlc youtube-dl
</pre></div>
<p>Bien sûr cette liste n'est pas exhaustive mais c'est un bon début.</p>
<h2>Dotfiles</h2>
<p>J'utilise <a href="https://chown.me/iota/util/">plusieurs dotfiles</a> pour améliorer
l'ergonomie du système. Rien de bien magique, mais ça me permet de
bien me simplifier la vie.</p>
<p>Il y a certainement des choses qui peuvent être améliorables,
n'hésitez pas à
<a href="./pages/Contact.html">me faire part de vos remarques</a>.</p>
<p>Il y a vraiment plein de choses dedans, comme des fonctions qui me
permettent d'installer le snapshot suivant sans retenir l'enchainement
des commandes qu'il faudrait taper. vie_facilitee++</p>
<h2>Les petites modifs ici et là</h2>
<p>Il y a pas mal de choses à changer ici et là</p>
<h3>machdep.allowaperture</h3>
<p>Avant, si on voulait utiliser X sur OpenBSD, il fallait mettre
machdep.allowaperture à 2 (sauf quand 1 suffisait). Cette distinction
est expliquée par Theo dans
<a href="http://marc.info/?l=openbsd-misc&m=114233317926101">ce mail</a>.</p>
<p>Sauf que grâce au travail des devs
<a href="http://undeadly.org/cgi?action=article&sid=20140223112426">c'est plus nécessaire</a>
\o/</p>
<p>On peut donc repasser la valeur à 0 et ainsi on ne fait pas tourner X
en root.</p>
<h3>softdep, noatime</h3>
<p>Ce sont deux options à rajouter dans <code>/etc/fstab</code></p>
<p>La première sert à améliorer les perfs du stockages (HDD, SSD, CF etc).</p>
<p>La deuxième est importante quand on utilise un SSD (ou une carte CF)
afin de ne pas diminuer la durée de vie avec des écritures inutiles.</p>
<p>Pour plus d'info,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mount&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html">man mount(8)</a>.</p>
<h3>apmd</h3>
<p>On peut utiliser apmd pour réduire la chaleur, le bruit et la conso
électrique :</p>
<div class="highlight"><pre><span></span>echo "apmd_flags=\"-C\"" >> /etc/rc.conf.local
</pre></div>
<h3>verrouiller l'écran lors de la mise en veille</h3>
<p>Ce qu'il faut avoir :</p>
<div class="highlight"><pre><span></span>canouan@ardoine:/etc/apm$ ls -l
total 4
-rwxr--r-- 1 canouan canouan 86 Mar 26 07:44 suspend*
canouan@ardoine:/etc/apm$ cat suspend
#!/bin/sh
sudo -u canouan env DISPLAY=:0 XAUTHORITY=/home/canouan/.Xauthority xlock &
</pre></div>
<p>et il faut que <code>machdep.lidsuspend</code> soit à 1 pour qu'en fermant le
laptop, celui-ci se mette en veille.</p>
<h2>Le reste</h2>
<p>Il reste plein de choses à faire (créer une nouvelle clé ssh,
récupérer l'ancienne clé gpg, configurer les logiciels installés etc)
mais ce n'est pas spécifique à OpenBSD donc je ne vais pas en parler.</p>Avoir de l'IPv6 via un tunnel VPN2014-03-28T10:20:00-04:002014-03-28T10:20:00-04:00Vigdistag:oldblog.chown.me,2014-03-28:/blog/avoir-de-l-ipv6-via-un-tunnel-vpn.html<p>J'ai depuis quelques temps de l'IPv6 chez moi via un tunnel vpn, voici donc l'article récapitulatif.</p><h2>Note avant propos</h2>
<p>J'ai pour habitude d'écrire un article sur un setup une fois qu'il est propre. Ce n'est pas le cas de celui-ci (j'ai encore plusieurs choses que je voudrais résoudre). Mais <a href="https://twitter.com/tristanpilat">Tristan</a> m'a harcelé (:p) pour que je publie cet article donc le voilà.</p>
<p>Cela faisait un moment que je voulais avoir de l'IPv6, <a href="http://imil.net/wp/2013/01/05/ipv6-je-taime-mais-tout-le-monde-sen-fout/">certains s'en foutent</a>, <a href="https://www.bidon.ca/files/tmp/WorldIPv6Congress-IPv6_LH_v2.pdf">d'autres non</a>.</p>
<h2>Comment</h2>
<h3>Via un tunnel ?</h3>
<p>Oui je suis chez OVH, ils m'en fournissent, mais depuis que j'ai passé ma 'box' en mode bridge (puisque <a href="./alice-in-wonderlan.html">je route avec l'Alix</a>) je n'ai jamais réussi à faire marcher l'IPv6 d'OVH dessus. J'ai pas trop longtemps essayé certes.</p>
<h3>Ah donc tu as pris ton tunnel chez HE</h3>
<p>Non (ni chez sixxs), principalement parce que je n'ai pas réussi à le faire marcher non plus, sans doute une raison conne, mais idem pas motivé à chercher d'avantage.</p>
<h3>Chez qui alors ??</h3>
<p>Chez FDN. Depuis un petit moment (même s'ils n'en font pas la pub) <a href="http://www.fdn.fr/-VPN-.html">ils proposent un service de VPN</a>. Le service n'est pas là juste pour de l'IPv6, ils fournissent aussi une IPv4. L'avantage comme c'est de l'openvpn c'est que la connexion est chiffrée jusqu'à eux, donc par exemple si OVH écoutait mon trafic, ils ne pourraient voir ce que je fais. (c'est pas un gros avantage vu la quantité d'IPv6 qui circule chez moi).</p>
<h2>Comment on fait alors ?</h2>
<h3>Sur quelle machine ?</h3>
<p>Étant donné que je veux pouvoir faire profiter du tunnel à l'ensemble de mes machines, tout va se faire sur mon routeur, ma p'tite Alice.</p>
<h3>On monte le VPN</h3>
<p>FDN donne un fichier de configuration pour le client d'OpenVPN. On commence donc par installer le client avec un habituel <code>pkg_add openvpn</code>. Ensuite on lit les commentaires dans le fichier de configuration, on configure ce dont on a besoin, c'est vraiment pas compliqué et si jamais vous avez un doute vous pouvez demander sur leur chan (#fdn, geeknode), vous devriez avoir une réponse rapidement.</p>
<p>Une fois qu'il est installé et que le fichier de conf est réglé aux petits oignons, on lance openvpn avec la commande</p>
<div class="highlight"><pre><span></span>sudo openvpn /root/ovpn.fdn
</pre></div>
<h3>Côté réseau</h3>
<h4>On calcule son bloc</h4>
<p>La configuration n'est pas encore automatique pour l'IPv6, il va donc falloir le monter à la main. Il faut aussi calculer son bloc IPv6 (un /48) en prenant le dernier chiffre de son adresse IPv4 et en le passant en hexadécimal.</p>
<p>Par exemple, mon IPv4 est <em>80.67.179.34</em>, 34 = 0x22, sachant qu'on rajoute avant <em>2001:910:13</em>, mon range va être 2001:910:1322::/48.</p>
<h4>On découpe son bloc</h4>
<p>Comme on a plusieurs interfaces, à moins de bridger ça comme un goret, on va avoir plusieurs réseaux. J'ai par exemple 3 réseaux chez moi</p>
<ul>
<li>un tout petit, l'interface OpenVPN (parait qu'on peut faire sans, mais en tout cas avec, ça marche)</li>
<li>mon lan</li>
<li>mon wifi</li>
</ul>
<p>Je ne me suis pas pris la tête, 2001:910:1322::1 sera l'IPv6 de l'interface du VPN, 2001:910:1322:1::/64 pour mon lan et 2001:910:1322:2::/64 pour mon wifi.</p>
<h4>On s'occupe de l'IPv6 sur le routeur</h4>
<p>On ajoute l'adresse IPv6 sur l'interface puis on ajoute la route par défaut :</p>
<div class="highlight"><pre><span></span>ifconfig tun0 inet6 2001:910:1322::1/128
route add -inet6 -iface default 2001:910:1322::1
</pre></div>
<p>A partir de ce moment là, on doit pouvoir ping6 -I tun0 www.kame.net.</p>
<h4>Cool, mais moi je veux de l'IPv6 sur mon lan</h4>
<h5>Côté serveur</h5>
<p>Comme il n'y a pas de <a href="http://www.openbsdfoundation.org/gsoc2014.html#dhcp6-server">dhcp6d dans base</a> (<a href="http://www.openbsdfoundation.org/gsoc2014.html#dhcp6-client">ni de client t'façon</a>) et que l'autoconf me va bien, je me suis contenté de l'autoconf. Bref, j'accède à mon résolveur (qui est dans mon lan) en IPv4, le lan full-IPv6, c'est pas pour tout de suite mais tant pis.</p>
<p>(j'explique que pour le lan, pour le wifi, c'est pareil faut juste changer les variables)</p>
<p>On ajoute une IPv6 sur l'interface interne</p>
<div class="highlight"><pre><span></span>ifconfig vr2 inet6 2001:910:1322:1::1/64
</pre></div>
<p>Ensuite, on lance <em>rtadvd</em> qui va s'occuper de faire les <a href="https://en.wikipedia.org/wiki/ICMP_Router_Discovery_Protocol">router advertisements</a></p>
<div class="highlight"><pre><span></span>rtadvd vr2 # vr2 aka $int_if
</pre></div>
<p>On laisse passer avec pf, le trafic icmp6</p>
<div class="highlight"><pre><span></span>pass on $int_if proto icmp6
</pre></div>
<h5>Côté client</h5>
<h6>IP dynamique</h6>
<p>Il n'y a plus qu'à lancer <code>rtsol $if</code> sur les différents PCs dans le lan et l'ajouter dans le <code>/etc/hostname.$if</code>. Il faut des options sysctl particulières pour que ça marche :</p>
<div class="highlight"><pre><span></span> rtsold should be used on IPv6 hosts (non-router nodes) only. The
net.inet6.ip6.forwarding sysctl(8) should be set to zero and the
net.inet6.ip6.accept_rtadv and net.inet6.icmp6.rediraccept sysctl(8)
should be set to a non-zero value (see also the -F option below).
</pre></div>
<h6>IP fixe</h6>
<p>Pour les hôtes comme des serveurs, on préfèrera donner des adresses IPv6 fixes puis ajouter la route.</p>
<div class="highlight"><pre><span></span>ifconfig jme0 inet6 2001:910:1322:1:dead:beef:cafe:1
route add -inet6 default 2001:910:1322:1::1
</pre></div>
<p>Ensuite on ajoute ces infos à <code>/etc/hostname.$if</code> et à <code>/etc/mygate</code> pour que ce soit effectif lors du prochain reboot.</p>
<p>Enfin, sur OpenBSD, la priorité par défaut est donné à l'IPv4 (<a href="http://marc.info/?l=openbsd-misc&m=139275883700662&w=2">pour ceux qui se demandent pourquoi</a>)</p>
<div class="highlight"><pre><span></span> family Specify which type of Internet protocol family to prefer, if
a host is reachable using different address families. By
default IPv4 addresses are queried first, and then IPv6
addresses. The syntax is:
family family [family]
A maximum of two families can be specified, where family can
be any of:
inet4 IPv4 queries.
inet6 IPv6 queries.
</pre></div>
<p>On ajoute donc, soit directement dans /etc/resolv.conf pour les machines qui ne feront pas de requêtes dhcp, sinon dans /etc/resolv.conf.tail</p>
<div class="highlight"><pre><span></span>family inet6 inet4
</pre></div>
<h2>Les PTRs</h2>
<p>Autant faire les choses proprement, et mettons des reverses à nos IPv6, d'autant plus que certains (comme gmail) classent en spam ceux qui n'en ont pas. Deux possibilités, soit on demande à fdn de les gérer pour nous, soit on demande la main dessus. J'ai donc mailé adminsys@ et en même pas une demi heure, j'avais la gestion de ces derniers.</p>
<p>On ajoute dans <code>/var/named/etc/named.conf</code></p>
<div class="highlight"><pre><span></span>zone "2.2.3.1.0.1.9.0.1.0.0.2.ip6.arpa" {
type master;
file "master/db.rev.vpn6";
allow-transfer {adresse.ip.du.ns2;};
allow-query{any;};
notify yes;
};
</pre></div>
<p>puis dans le fichier <code>/var/named/master/db.rev.vpn6</code> on ajoute <a href="https://chown.me/iota/db.rev.vpn6.txt">la zone</a></p>
<h2>L'état actuel</h2>
<p>Mon tunnel IPv6 est un peu à l'arrache sur mon routeur, lorsque je vais rebooter (sans doute pour passer à OpenBSD 5.5) le tunnel ne se remontera plus, mais je préfère ça, qu'une conf à la con qui bloque le boot (coucou Francinet :D). J'aurais pu redémarrer mon alix pour voir, <a href="https://xkcd.com/705/">mais non</a>.</p>Pika, Pika PKI2014-03-23T10:20:00-04:002014-03-23T10:20:00-04:00Vigdistag:oldblog.chown.me,2014-03-23:/blog/pika-pika-pki.html<p>Court article à propos du des certificats de mon infra</p><p>(désolé pour ce titre stupide, ça me faisait rire et j'ai pas trouvé
mieux)</p>
<h2>Ma grande passion pour les ACs</h2>
<p>Je vous avais déjà expliqué
<a href="./https-sslh-et-bypass-de-proxy.html">ce que je pense</a> des
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=647959">Autorités de Certification</a>
mais j'en avais marre de gérer des problèmes de certs.</p>
<p>J'ai donc crée mon AC \o/</p>
<h2>Création d'une AC</h2>
<p>J'ai suivi grosso modo ce qui est écrit là :
<a href="http://pki-tutorial.readthedocs.org/en/latest/simple/index.html">http://pki-tutorial.readthedocs.org/en/latest/simple/index.html</a>. Je
ne vais pas en parler plus que ça comme ça se fait bien.</p>
<h2>Mon AC, mes fingerprints</h2>
<p>Vous pouvez installer mon AC afin de pouvoir utiliser mes services
avec
TLS. <a href="https://chown.me/iota/root-ca.crt">Elle est disponible en téléchargement</a>
(ayez le bon goût de vérifier les fingerprints).</p>
<p>J'ai donc crée deux certificats, un pour chown.me et un avec un
wildcard.</p>
<p><a href="https://chown.me/iota/fingerprint.asc.txt">J'ai signé avec ma clé OpenPGP les empreintes</a>
pour que (si vous faites confiance à ma clé) vous puissiez valider les
empreintes.</p>Mes débuts avec Unix et l'auto-hébergement2014-03-15T10:20:00-04:002014-03-15T10:20:00-04:00Vigdistag:oldblog.chown.me,2014-03-15:/blog/mes-debuts-avec-unix-et-l-auto-hebergement.html<p>Premier article de la rubrique mylife. Petite histoire sur comment je me suis mis à aimer Unix et l'adminsys</p><h2>Avant-propos</h2>
<p>Pour faire une petite introspection, je retrace par écrit ma
découverte d'Unix et de l'adminsys et ma progression, alors autant le
publier sur mon blog. Cela a aussi pour but de convaincre les gens qui
n'ont jamais touché à un Unix, mais qui souhaitent le faire, de se
lancer.</p>
<h2>Le commencement (avec Debian)</h2>
<h3>Pourquoi l'adminsys</h3>
<h4>C'est fun</h4>
<p>A ce moment là, je regardais pas mal ce que faisait Telecomix et
(entre autre) <a href="https://twitter.com/Okhin">Okhin</a> disait qu'il était
adminsys et que c'était marrant. Je me suis dit que ça devait être
cool donc fallait que je regarde.</p>
<h4>Avec du linux dedans</h4>
<p>J'avais pas trop envie de continuer sur windows car je me sentais vite
limité et j'entendais du bien de la part de personnes qui aimaient
l'info. J'accorde de l'importance aux gens passionnés, car je leur
fais confiance pour chercher ce qu'il se fait de mieux. Je me suis
donc dirigé vers Ubuntu.</p>
<h4>Pour des convictions</h4>
<p>J'ai aussi découvert à cette époque Benjamin Bayart. J'ai vu sa
conférence
<a href="http://www.fdn.fr/Internet-Libre-ou-Minitel-2,94.html">"Internet libre ou minitel 2.0</a>
et j'ai adopté sa vision des choses. Je me suis dit que ça serait cool
d'auto-héberger mes services (blog, mail, xmpp etc).</p>
<p>Bref, fallait que je me mette à Unix.</p>
<h3>Mes anciennes expériences sur des distribs basées sur Linux</h3>
<p>(le titre est un peu long, mais j'aime pas "GNU/Linux" et dire juste
Linux est faux).</p>
<h4>Mandriva</h4>
<p>Bien avant, (j'étais encore au collège) mon père avait acheté pour
environ 90€ une clé USB de 2Gio (ça montre à quel point c'est vieux
:p) avec Mandriva installé dessus. J'aimais bien l'interface, mais
j'étais vite perdu et au final personne ne l'a jamais trop utilisé.</p>
<h4>Kubuntu</h4>
<p>Quand j'étais au lycée ou en début de prépa j'avais essayé Kubuntu
(i.e. Ubuntu avec KDE) 10.04 (de mémoire). J'avais choisi KDE car
c'était ce qui me faisait le plus penser à Windows et comme je ne
voulais pas être perdu, je l'ai choisi. Malheureusement, à cause d'un
bug sur ma CG je ne l'ai jamais utilisé.</p>
<h3>C'est pas grave, reessayons</h3>
<h4>En machine virtuelle ...</h4>
<p>Donc en Février 2012, j'ai eu envie de réessayer, et de découvrir la
console. Je suis tombé sur un tuto sur le site du zero. J'ai suivi le
tuto, je testais en même temps les commandes sur une Ubuntu
virtualisée sur du Vista.</p>
<h4>... puis sur un laptop ...</h4>
<p>J'ai récupéré en juin de la même année, un eeepc (vieux pour l'époque,
c'est dire la puissance du laptop) et j'y ai mis Debian, ça a été mon
premier pc sans windows. Là j'ai vraiment commencé à utiliser
sérieusement un OS autre que windows. J'avais les bases de ce que
j'avais appris sur les machines virtuelles mais rien de plus.</p>
<h4>... puis le serveur auto-hébergé ...</h4>
<p>Un petit peu plus tard, j'ai récupéré une tour de mon frère et j'y ai
mis Debian aussi, pour l'utiliser comme serveur.</p>
<p>Petite anecdote : pour une (mauvaise) raison, j'ai installé un FTPD
(proftpd il me semble) et j'ai été bluffé qu'il suffisait de faire
<code>apt-get install proftpd</code> puis lancer le daemon pour que ce soit
fonctionnel. Sur du windows, je n'avais jamais eu la même expérience
...</p>
<h4>... et sur un Rasperry Pi ...</h4>
<p>Puis j'ai eu un raspberry pi. Ça faisait longtemps que j'attendais la
sortie. Je prévoyais de mettre un irssi dans un screen pour mes
connexions à des réseaux IRC. Puis j'ai fait une petite page web avec
juste du HTML servie par apache2. J'ai découvert aussi à ce moment là
<a href="https://en.wikipedia.org/wiki/Cjdns">CJDNS</a> sur lequel je me suis un
peu amusé avec des personnes trainant sur l'irc de Telecomix.</p>
<h4>... et enfin sur mon desktop</h4>
<p>Finalement, j'en ai eu marre de ce fichu Vista qui ramait, bootait une
fois sur deux etc, j'ai fini par le remplacer sur Debian en
Octobre 2012. Voilà, plus de windows chez moi. Bonheur.</p>
<p>FWIW, sur mon laptop et sur le desktop, j'étais en Wheezy (testing à
l'époque) avec du XFCE.</p>
<h2>Mais je croyais que tu n'utilisais qu'OpenBSD ????</h2>
<h3>Découverte d'OpenBSD</h3>
<p>Toujours en Octobre 2012 (simple c'était à quelques jours d'une
release (elles se font le 1er Mai et le 1er Novembre)) je parle sur
IRC, et je dis que je tenterais bien du FreeBSD et
<a href="https://twitter.com/bigou_de">Bigou</a> me répond que lui serait plutôt
tenté par OpenBSD puisqu'ils disent sur leur site qu'ils utilisent
beaucoup de crypto. Du coup j'ai regardé, j'ai commencé à lire la
FAQ. A l'époque <a href="http://www.22decembre.eu">_22decembre</a> essayait,
OpenBSD sur son serveur et donc je lisais ce qu'il racontait.</p>
<p>J'ai aussi découvert que l'asso
<a href="http://www.franciliens.net">franciliens.net</a> utilisait OpenBSD pour
ses serveurs du coup je me suis rapproché d'eux (j'ai adhéré à l'asso
le 12/12/12 \o/).</p>
<p>J'ai bien aimé l'état d'esprit des gens qui travaillent dessus donc je
me suis dit que j'allais essayer.</p>
<h3>Sur serveur</h3>
<h4>Test d'OpenBSD ...</h4>
<p>Mi-décembre, je me suis acheté
<a href="./pages/machines.html">la machine qui me sert de serveur</a> et j'y
ai mis OpenBSD. J'avais essayé un peu avant avec des machines
virtuelles mais rien de plus. J'ai bien cradossé l'install mais j'ai
appris pas mal de chose</p>
<h4>... puis la prod</h4>
<p>Puis en Mai, lors de la release suivante, j'ai réinstallé l'OS et
depuis je fais les choses proprement. Comme j'en ai déjà parlé sur ce
blog, j'héberge chez moi mon blog, mes mails, mon xmpp, de la voip (et
à un moment, même du gopher).</p>
<h3>Sur routeur</h3>
<p>Depuis avril 2013,
<a href="./alice-in-wonderlan.html">j'utilise OpenBSD sur mon routeur</a>. C'est
lui qui gère le firewall, le nat (et les redirections de ports) et
plein d'autres choses encore.</p>
<h3>Sur laptop</h3>
<p>En octobre 2013, ayant marre de mon vieux eeepc, j'en ai racheté un
autre plus récent pour mettre OpenBSD. J'utilise la branche current
(c'est du <em>rolling release</em>).</p>
<h2>Analyse</h2>
<p>C'est la raison d'être de cet article, ce qui précède n'est
qu'anecdote.</p>
<p>Dès le début, je me suis fixé des buts qui n'étaient pas atteignables
tout de suite. Je savais avant de commencer ce que je voulais faire et
je savais que ça allait prendre du temps.</p>
<p>Plusieurs fois j'ai envié des gens pour leurs compétences "wah, tout
ce qu'il sait faire" et ça m'a motivé à continuer et à apprendre
toujours plus.</p>
<p>Je sais que j'ai bien progressé quand j'arrive à aider des gens à
propos de PF (sur #gcu :p), à gérer les sudoers ou à voir du premier
coup d'oeil que quelqu'un confond un numéro de port et un numéro de
protocole.</p>
<p>J'ai encore plein de choses à apprendre (que je souhaite apprendre en
tout cas), et ça prendra encore du temps.</p>
<p>Bref, ne jamais avoir peur de se lancer dans un grand projet et ne
jamais arrêter d'apprendre.</p>Choisir PGP/MIME ou PGP/Inline2014-02-09T10:20:00-05:002014-02-09T10:20:00-05:00Vigdistag:oldblog.chown.me,2014-02-09:/blog/choisir-pgp-mime-ou-pgp-inline.html<p>Court article un peu coup de gueule</p><h2>Contexte</h2>
<p>Pour chiffrer ses mails, il existe deux standards de chiffrement, PGP/MIME ou PGP/Inline.</p>
<h2>Les différences</h2>
<p>PGP/MIME va mettre les données relatives à la signature (et au chiffrement ?) d'un mail dans une pièce jointe de type application/pgp-signature et va l'appeler signature.asc.</p>
<p>PGP/Inline va mettre les données relatives dans le corps de l'email. Par exemple :</p>
<div class="highlight"><pre><span></span>-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
This is a uselesss text.
- --
Vigdis
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJTD4LGAAoJEKqftJ/c7dF4IJEQAIkR7lTR/ppi/vlDG2N7s9Xu
DH0N40WvnFto8m+2W9JNECaE7V7N4emrbVSqFx90jyRYE0qbX9g6ssXRerwDyWDq
0+vt/lme+DTmqMhadwsLoXsi3tZKJ7RZNJAtYxa420zFCwQfoWf0BgUQ/QmzZHuR
Y2xIjw5guqEAyjn8mS7m3Kac4zO2+S1wGB28jHwiTOn8dJKk0pgOP8T7QLGTC/Y+
1b7ywbusZCSSDJIKvHAj4YfnWVd/U2VxHjBZhUtYP351tEAcf1zNGsnj8YU13C4v
TBP4EXYHV+60UZFy53oBRwLqLgKploGvI4F+cQxLFtpw+g09FKb41bLPhNSKf7IR
gft0KXoHG1OQ7/aNrVvbLR5qiNOCAHy9SC5OPQv08qccesbkMlXw45vQefGQhqT/
RW2rZsLAQfT8jHz/TivFf5y2x8KpnZ7kVTp4uc1fydeV8mpvMhs+QLqCADF16dWp
k+UKrz7ozrWbYcOXeaoZaF2fu0XcLkS6xhOCqPUYayRA/0cf6PNZlakSK8UDS/nZ
mYqYyxN6cmS7Ov+EOISP0j8mdChZXb2i+TW2Zc4WGIRuNY5Szz/7Pn5Jgjvh6eS7
psS3KIXJHNW5wEtlUKhsN4wRdG0FAwnMifz/KGpEP533p1PMUAxrhXPTQHbt1YPb
7rz404v+cwAuTArpSHq2
=yvt4
-----END PGP SIGNATURE-----
</pre></div>
<p>Vous pouvez tester, la signature doit être bonne :)</p>
<h2>So what ?</h2>
<h3>YUNOCHOOSEPGP/MIME</h3>
<p>Le choix par défaut sur enigmail est d'utiliser Inline. Et comme la majorité des utilisateurs d'enigmail utilisent thunderbird + enigmail pour découvrir les mails chiffrés (pour quelles autres raisons peut on utiliser ce <strong>gros</strong> logiciel :p), ils utilisent les options par défaut donc Inline.</p>
<h3>ETOOMUCHVERBOSITY</h3>
<p>Le problème c'est que ça pollue le mail. L'autre jour sur une ML, plusieurs participants ont envoyé une série de très courts mails lors d'une discussion (vu les échanges (tailles, rapidité de réponses) on aurait pu se croire sur un chat (xmpp ou irc)). La plupart utilisait PGP/Inline et au final je passais plus de temps dans chaque mail à chercher où était le contenu écrit par l'humain qu'à lire le message en lui même.</p>
<h3>Pauvre M{me,.} Michu</h3>
<p>De plus pour quelqu'un qui ne sait pas vérifier une signature, dans le cas de PGP/MIME, la personne ne saura pas ce qu'est cette pièce jointe et l'ignorera, dans l'autre cas, elle verra un mail dégueulassé par ces caractères aléatoires et ne va pas comprendre.</p>
<p>Qu'on ne me dise pas "ouais mais dans ce cas je lui parlerai du chiffrement des mails", si vous voulez convaincre, mettez en signature une rapide explication et invitant à vous demander plus d'explications.</p>
<h2>Pénibles mais en plus dangeureuses ?</h2>
<p>Et pour finir, un article qui considère que les signatures avec PGP/Inline sont dangeureuses : <a href="https://dkg.fifthhorseman.net/notes/inline-pgp-harmful/">https://dkg.fifthhorseman.net/notes/inline-pgp-harmful/</a> (en aglais)</p>Auto-héberger ses mails avec OpenSMTPD2014-01-31T10:20:00-05:002014-01-31T10:20:00-05:00Vigdistag:oldblog.chown.me,2014-01-31:/blog/auto-heberger-ses-mails-avec-opensmtpd.html<p>Article sur l'auto-hébergement de mails</p><h2>Background</h2>
<p>Quand j'ai commencé à m'intéresser à l'auto-hébergement, le service que je trouvais le plus important à auto-héberger, était les mails. C'est aussi le service qui m'a posé le plus problème. MTA, MUA, MDA (ces sigles existent vraiment, je déconne pas :p), antispam etc ... je savais que j'avais besoin de certaines de ces briques, mais aucune idée desquelles, ni quels soft prendre.</p>
<p><strong>Mise en garde</strong> : cet article comporte pas mal de prosélitisme, désolé, j'utilise des logiciels que j'apprécie. :p</p>
<h2>Technique</h2>
<h3>Infrastructure</h3>
<p>Alors l'infra, rien de bien compliqué, mon <a href="./pages/Machine.html">serveur</a>, <a href="https://twitter.com/Aurphee">deux</a> ou <a href="https://twitter.com/Vigdis_">trois</a> utilisateurs, accessible en imap ("un jour" j'aimerais avoir un webmail), bien sûr un antispam et c'est tout.</p>
<h3>Quelles implémentations ?</h3>
<p>Alors, j'ai fini par comprendre (après que des gens de <a href="http://franciliens.net">franciliens.net</a> me l'aient expliqué 3 ou 4 fois :p) qu'il me fallait :</p>
<ul>
<li>un MTA, le serveur mail à proprement dit, celui qui parle SMTP</li>
<li>un MDA, le serveur qui livre les mails, qui parle IMAP</li>
<li>un MUA, un client mail (qui <a href="http://www.mutt.org/">craint moins</a> <em>ou pas</em>)</li>
<li>un antispam</li>
</ul>
<h4>MTA</h4>
<p>Pour le MTA, ça faisait un moment que j'entendais du bien d'<a href="http://opensmtpd.org">OpenSMTPD</a>. La conf est comme le reste d'<a href="./pourquoi-j-adore-openbsd.html">OpenBSD : simple</a> et les dévs sont adorables (<a href="https://twitter.com/PoolpOrg">au moins un, en tout cas</a> je connais pas trop les autres) :p</p>
<h4>MDA</h4>
<p>J'ai entendu beaucoup de bien de dovecot, donc j'ai choisi lui mais sans avoir trop regardé à côté.</p>
<h4>MUA</h4>
<p>J'utilise Claws-mail, mais ce n'est pas (vraiment) le sujet de cet article.</p>
<h4>Un antispam</h4>
<p>J'avais lu dans le bouquin de <a href="http://www.nostarch.com/pf2.htm">pf</a> que le greylisting avait l'avantage d'être simple et efficace. Je me suis dit que dans un premier temps, ça suffirait. Au niveau de l'efficacité (après 7 mois, j'ai eu un seul spam, et c'était un mail de phishing edf (ivre, il croit que j'ai donné vigdis@ à edf ...)) rien à redire.</p>
<h3>La conf</h3>
<h4>MTA</h4>
<p>Alors, la conf d'OpenSMTPD est lisible (:p) si je me souviens bien, dans le <em>BSDnow</em> où les dévs ont été interviewés, ils ont dit qu'un de leurs buts était d'avoir une conf lisible comme pf, ceci explique cela.</p>
<p>Comme j'avais du mal au début, j'ai mailé Gilles avec des questions et il m'a bien expliqué.</p>
<p>Je vais tricher un peu, ma conf au départ était pour OpenSMTPD 5.3.3 (la version présente dans OpenBSD 5.4) mais je viens de passer à 5.4.1 (il faut télécharger les sources sur le site et compiler pour l'avoir) donc autant vous donner la conf la plus à jour. Elle n'est pas beaucoup différente de la 2e conf donnée dans la section <em>Example</em> de la man page.</p>
<div class="highlight"><pre><span></span>pki chown.me certificate "/etc/mail/certs/chown.me.crt"
pki chown.me key "/etc/mail/certs/chown.me.key"
listen on lo0
listen on egress tls pki chown.me
listen on egress port submission tls pki chown.me auth
table aliases db:/etc/mail/aliases.db
accept for local alias <aliases> deliver to maildir
accept from any for domain chown.me alias <aliases> deliver to maildir
accept for any relay
</pre></div>
<p>La conf me semble claire mais je vais quand même l'expliciter.</p>
<p>Les deux premières lignes servent à indiquer où est le certificat et où est la clé. </p>
<p>Les trois lignes suivants disent sur quoi on écoute et de quelle manière : on écoute en local, sur l'interface du serveur avec les cert et clé donné précedemment (sur le port 25) et enfin la même chose mais sur le port submission pour les clients mails. </p>
<p>La 6e ligne définit la table qui contient les alias. Les alias ce sont les adresses mails, je définis là si l'adresse envoiemoiduspam@chown.me existe ou non. Si on me mail à une adresse qui n'existe pas, la personne se prendre un code d'erreur (550 de mémoire). </p>
<p>Le 4e groupe de ligne sert à définir ce qu'on fait avec les mails qu'on reçoit.</p>
<h4>MDA</h4>
<p>Alors je ne vais pas parler de la configuration de dovecot, parce qu'en fait c'est très simple, dovecot est installé avec tous les fichiers de conf remplis (au moins sur OpenBSD), il ne reste plus qu'à les modifier (dire où est le cert SSL, dire si on veut IMAP et/ou POP etc ...).</p>
<p>La principale difficulté que j'ai eu a été de ne pas me compliquer la vie ... je ne pouvais pas croire que c'était si simple ...</p>
<h4>Greylisting</h4>
<p>D'abord une petite explication sur ce qu'est le greylisting (n'hésitez pas à passer au prochain paragraphe pour ceux qui savent). Ça part du principe que les devs de MTA spammeurs ont codé à l'arrache et donc qu'ils n'ont pas implémenté le respect des codes d'erreurs. Quand un serveur inconnu contacte mon MTA, celui-ci va lui dire qu'il ne se sent pas bien, et va lui demander de repasser plus tard. Un MTA bien élevé, va revenir plus tard comme demandé, alors que le spammeur va continuer de vouloir entrer. On autorise celui qui revient comme demandé et on bloque celui qui insiste.</p>
<p>J'utilise spamd parce que c'est dans OpenBSD par défaut. Pour le mettre dans la boucle, il suffit juste de dévier l'arrivée des mails par spamd avec pf avec la conf qui est dans <code>man spamd</code> (qui a parlé d'assisté ? :p), on rajoute dans /etc/rc.conf.local</p>
<div class="highlight"><pre><span></span>spamd_flags="-v -G 3:4:864"
</pre></div>
<p>pour définir passtime, greyexp et whiteexp.</p>
<ul>
<li>passtime c'est pour dire on accepte à partir de quand s'il reessaie (y a une explication plus claire dans la man, si vous n'avez pas compris :p) en minutes</li>
<li>greyexp c'est combien de temps une entrée reste greylistée en minutes</li>
<li>whiteext c'est combien de temps une entrée restera whitelistée en heures</li>
</ul>
<p>Il y a deux problèmes avec le greylisting, le premier c'est que lors du premier échange, ça bloque, donc on ne reçoit pas le mail tout de suite, c'est pas bien grave, mais ça peut être frustrant quand on attend un mail et qu'on le voit se faire bloquer.</p>
<p>Le deuxième est un peu plus chiant, cela vient du fait que les gens ne gèrent pas leurs mails. Vu que tout le monde utilise des services (gmail, hotmail, yahoo et autres), ils ne tiennent plus sur un serveur, mais plusieurs. Le problème vient du fait que le serveur qui réessaie est rarement celui qui a essayé la première fois et que spamd ne fait pas le lien entre les deux donc il faut whitelister à la main. </p>
<p>Il y a deux solutions. La première pas parfaite est de whitelister les IPs de ces grands groupes. Vu que je n'aime pas réinventer la roue, j'utilise <a href="http://www.bsdly.net/~peter/nospamd">le travail de Peter N.M. Hansteen</a>. L'autre solution est d'utiliser postgrey qui lui permet de whitelister un domaine directement.</p>
<h4>Users qui peuvent recevoir des mails</h4>
<p>Il faut créer des users pour pouvoir récupérer les mails en IMAP et envoyer les mails. Pour cela on crée un user unix tout simplement mais pour plus de sécurité on met comme shell <code>/sbin/nologin</code> comme ça même si quelqu'un arrive à avoir le mot de passe il ne pourra rien faire au serveur.</p>
<h3>Dernières choses</h3>
<p>Il y a cependant certaines choses à faire que je n'ai pas décrites dans cet article car c'est plutôt simple. Je pense à créer les certs ssl, faire un enregistrement MX pour son domaine etc.</p>
<h2>Feedback</h2>
<p>Cela fait 7 mois que j'auto-héberge mes mails. J'ai eu <strong>un seul et unique spam</strong>, et aucun problème. Au niveau des autres, chez gmail je n'arrive pas dans les spams chez hotmail/outlook si, mais est ce vraiment un mal ? :p</p>
<h2>Derniers mots</h2>
<p>Le fait de gérer ses mails est vraiment quelque chose d'important, ça empêchera (un peu) les grosses boites à attenter à votre vie privée.</p>
<p>Non je déconne, faites-le parce que les grosses boites merdent avec mon greylisting, merci :p</p>
<h2>Bonus</h2>
<p>J'ai relu pour ne pas trop dire de bêtise, les réponses que Gilles m'avait faites. Je vous les donne. C'est vraiment pour les débutants, pas la peine de les lire pour les autres.</p>
<h3>Explication sur l'architecture de ceux qui parlent SMTP</h3>
<p>En fait dans une archi mail, tu as la partie SMTP en charge de transmettre
le mail d'un point A a un point B. Chaque noeud du reseau SMTP est soit un
relay, soit une destination. En mode relay, le noeud accepte un mail et va
se transformer en client SMTP pour l'envoyer ailleurs. En destination, les
noeuds file le message a un MDA qui se charge de le mettre quelque part ou
l'utilisateur pourra le recuperer <em>d'une facon ou d'une autre</em>. Le serveur
SMTP a juste la charge de le stocker quelque part pour l'utilisateur, son
boulot s'arrete la.</p>
<p>Si tes utilisateurs accedent a leur boite mail en local, comme sur poolp,
tu peux te contenter de la couche SMTP, et leur client mail ira tapper le
repertoire directement, genre ~/Maildir ou /var/mail/${USER}.</p>
<p>Pour envoyer un message, le client parlera SMTP de la meme facon que s'il
etait lui meme un serveur qui relay vers un autre.</p>
<p>En general, les gens veulent pouvoir acceder a leur boite mail depuis une
autre machine, du coup on ajoute un serveur IMAP ou POP dont le seul but
est d'exposer le ~/Maildir ou le /var/mail/${USER} mais qui ne tiens pas
le moindre role dans les echanges de mail.</p>
<p>Quand tu lances ton client thunderbird par exemple, les envois de mails
se font par SMTP, mais la recuperatin se fait par IMAP ou POP.</p>
<h3>Différence entre smtps et tls</h3>
<p>smtps et tls c'est globalement la meme chose mais a un niveau
different. smtps tu te connectes en SSL, tls tu etablis une connexion en
clair et tu declenches un passage en SSL par la suite.</p>
<p>tls est le mode le plus courant et generalement supporte, smtps l'es moins.</p>
<h3>Je ne veux pas pouvoir m'authentifier en clair</h3>
<p>Ca tombe bien, smtpd supporte pas l'auth sur canal clair ;-)
Tant que tu n'as pas etabli de session ssl, il ne dira pas au client qu'il
supporte l'AUTH et refusera de debuter une authentification.</p>
<h2>Ajout du 22/04/14</h2>
<h3>Bonus bis</h3>
<p>Pour rajouter un peu de sécurité, on peut ajouter un autre utilisateur avec <code>vipw</code> :</p>
<div class="highlight"><pre><span></span>_smtpq:*:103:103::0:0:SMTP Daemon:/var/empty:/sbin/nologin
</pre></div>
<p>On ajoute à <code>/etc/group</code></p>
<div class="highlight"><pre><span></span>_smtpq:*:103:
</pre></div>
<p>Et enfin on chown (<3) les queue au nouvel utilisateur</p>
<div class="highlight"><pre><span></span>cd /var/spool/smtpd
chown -R _smtpq corrupt incoming purge queue temporary
</pre></div>
<p>Enfin, on redémarre le daemon pour être sûr que c'est pris en compte.</p>
<div class="highlight"><pre><span></span>/etc/rc.d/smtpd restart
</pre></div>
<h3>Bonus ter</h3>
<p>Je demande à gilles@ de vérifier que je n'ai pas dit de bêtise, il me demande si j'ai compris pourquoi on faisait ça. Du coup je copie && colle l'échange :</p>
<p>__gilles : tu as compris pourquoi on fait ca ?</p>
<p>Vigdis : je suppose que c'est parce qu'avant c'était géré par _smtpd (qui est déjà <em>unprivledged</em>) mais que c'est mieux que ce soit un autre user qui gère les queues pour compartimenter</p>
<p>Vigdis : j'ai bon ?</p>
<p>__gilles : exact</p>
<p>__gilles : en fait les process qui font face au reseau sont dans un chroot, donc ils sont pas un risque</p>
<p>__gilles : mais le process qui s'occupe de lire les ~/.forward</p>
<p>__gilles : et de resoudre les aliases, il peut pas etre chroot</p>
<p>Vigdis : ok</p>
<p>__gilles : et s'il tourne avec le meme user que la queue, si quelqu'un trouve un bug exploitable, il pourrait provoquer la suppression de la queue</p>
<p>__gilles : la il peut plus</p>
<p>__gilles : (enfin, pas aussi facilement)</p>
<p>(encore une raison pourquoi j'adore OpenBSD, les devs sont <3)</p>Pourquoi le safeplug est une mauvaise idée2013-11-25T10:20:00-05:002013-11-25T10:20:00-05:00Vigdistag:oldblog.chown.me,2013-11-25:/blog/pourquoi-le-safeplug-est-une-mauvaise-idee.html<p>Depuis quelques jours j'entends parler du safeplug, dont certaines personnes chantent les louanges, à tort (amha)</p><h2>Mmmhh c'est quoi ?</h2>
<p>Le <a href="http://pogoplug.com/safeplug">produit</a> est vendu comme "A revolutionary device to protect your family and your home.".</p>
<p>En gros, <em>Safeplug</em> utilise le réseau Tor pour "sécuriser" la connexion Internet de l'utilisateur. Donc dès que la personne va aller sur le site, la boite va rediriger le traffic web vers le réseau Tor. Il est surtout vendu comme une solution qui rend anonyme l'utilisateur.</p>
<h2>Pourquoi ce n'est pas une idée</h2>
<h3>Closed source</h3>
<p>Déjà a priori la machine est une boite noire (si vous trouvez le code source, ça m'intéresse). Vous ne savez absolument pas si les dévs qui ont fait ça, n'ont pas fait ça n'importe comment et que la moitié des paquets vont leaker.</p>
<p>Vous ne savez pas s'ils n'ont pas inclus une backdoor qui permettra au mieux de mettre à jour la machine, au pire de désactiver Tor sur demande d'une <em>Agence</em>.</p>
<h3>Les personnes derrières ça</h3>
<p>Les personnes derrière ce produit ne m'inspirent vraiment pas :</p>
<blockquote>
<p>The good news is that the more people use Tor the faster the service runs, so by using Safeplug you are helping the Internet community protect itself from tracking and surveillance.</p>
</blockquote>
<p>Suprise ! je t'ai mis un relais Tor sans te demander ton avis, heureux ? Y a juste à espérer qu'ils ne se plantent pas et qu'ils n'en fassent pas un exit node (pour l'acheteur, pour toutes les conséquences légales que ça peut avoir).</p>
<p>De plus, à la question "How can I ensure that my browsing is really anonymous?" ils répondent :</p>
<blockquote>
<p>To ensure that your online activity cannot be tracked, we recommend that you clear your cookies between anonymous browsing sessions. Cookies could allow a site or organization to trace your Internet activity back to you. Additionally, we recommend disabling browser plugins like Flash Player and QuickTime. Using browser plugins with Safeplug could present a security risk to you while browsing.</p>
</blockquote>
<p><a href="https://www.torproject.org/docs/faq.html.en#TBBFlash">Ce problème est clairement décrit dans la FAQ de Tor</a> mais ne concerne pas les utilisateurs du safeplug puisque <strong>tout</strong> le traffic est sensé passer par Tor ce qui ne serait pas forcément le cas avec le Tor Browser Bundle. J'ai pas l'impression qu'ils comprennent ce qu'ils ont fait.</p>
<h3>Les fuites applicatives</h3>
<p>Et enfin, le pire.</p>
<blockquote>
<p>Safeplug sets up in 60 seconds and allows you to use your existing web browser, and even your phone, to browse the Internet with complete anonymity and peace of mind.</p>
</blockquote>
<p>your existing browser" et "complete anonymity" dans une même phrase devrait vous faire fuir. L'anonymat via Tor ne marche pas magiquement pouf tu l'utilises ça détruit le user agent, les plugins du navigateur, la résolution etc. Non, Tor ne cachera pas que vous l'utilisez et ce n'est pas son but. L'anonymat de Tor consiste à cacher tout le monde derrière la même chose, i.e. je sais que la personne qui vient de lire mon blog utilise Tor, mais je ne sais pas qui elle est parmi les 500 000 utilisateurs.</p>
<p>Or là, si tu surfes avec ton navigateur habituel, on peut aisément t'identifier. Pour prendre un cas un peu extrême, vous croyez qu'il y a combien de personne derrière l'user agent :</p>
<div class="highlight"><pre><span></span>Mozilla/5.0 (X11; OpenBSD amd64; rv:25.0) Gecko/20100101 Firefox/25.0
</pre></div>
<p>Certes là je parle d'un user-agent, mais <a href="https://panopticlick.eff.org/">les navigateurs laissent filtrer</a> tout un tas d'informations qui permettent, dans le pire des cas, à le rendre unique.</p>
<h2>Arf, pourtant l'idée me plaisait bien</h2>
<p>Il y a projet qui a le même concept et qui lui est open source : <a href="https://github.com/grugq/portal">PORTAL</a>, à utiliser uniquement en connaissance de cause.</p>
<p>tl;dr, si vous voulez mettre toutes les chances de votre côté au niveau anonymat, utilisez le <a href="https://www.torproject.org/download/download-easy.html.en">Tor Browser Bundle</a> ou <a href="https://tails.boum.org">Tails</a></p>Umurmur, Mumble et OpenBSD2013-11-23T10:20:00-05:002013-11-23T10:20:00-05:00Vigdistag:oldblog.chown.me,2013-11-23:/blog/umurmur-mumble-et-openbsd.html<p>Je viens d'installer Umurmur, petite doc^Wrécit rapide sur son installation</p><h2>La raison du pourquoi</h2>
<p>Je suis en couple à distance donc on s'appelle sur nos téléphones
fixes et ainsi on peut se parler si besoin sinon chacun vaque à ses
occupations.</p>
<p>Et parce que Skype n'est pas libre/propre.</p>
<h2>La voix sur IP</h2>
<h3>Qu'est ce qu'on utilise ?</h3>
<p>Je demande si quelqu'un a un serveur mumble pour que je puisse parler
avec ma copine, <a href="https://twitter.com/trismegiste">Agarwaën</a> (ouais
maintenant je donne les noms des coupables :p) me dit "bah pourquoi
t'utilises pas xmpp ?".</p>
<p>J'utilise pidgin (client qui est pas top, mais le moins pire des
clients xmpp à mon gout :/) parce qu'il y a OTR dessus. Visiblement la
voix nécessite un plugin qui n'est pas porté sur OpenBSD, tant pis
j'ai une autre machine avec Ubuntu.</p>
<h3>Perdons du temps avec cette mer^W^W^W</h3>
<p>Après de <strong>plusieurs</strong> essais, impossible de le faire marcher. Je
m'énerve, tant pis ça ne sera pas xmpp.</p>
<h3>Mumble</h3>
<p>On me donne finalement les infos d'un serveur mumble que je peux
utiliser temporairement. De nouveau sur Ubuntu ça ne marche
pas. Visiblement le son c'est pas leur fort.</p>
<p>J'installe mumble sur OpenBSD, ça juste marche ...</p>
<h3>Autohébergeons nous</h3>
<p>Comme vous savez
<a href="../faisabilité-de-l'auto-hébergement.html">ma volonté de m'auto-héberger</a>,
j'ai regardé comment je pouvais faire. Sur OpenBSD, il y a umurmur qui
est un <em>Minimalistic Murmur (Mumble Server)</em> vu les conditions, ça me
va très bien.</p>
<p>On install via <code>pkg_add</code> ou via les ports, au choix (comme d'hab).</p>
<p>On va dans <code>/etc/umurmur</code> pour modifier <em>umurmur.conf</em>.</p>
<p>On a juste à modifier quelques champs (qui sont <strong>très</strong> simples, vraiment).</p>
<p>On va voir la
<a href="http://www.openbsd.org/faq/fr/faq10.html#HTTPS">FAQ qui explique comment configurer HTTP avec SSL</a>
vu que c'est expliqué comment créer un certificat (cette méthode a
<a href="http://www.byatoo.com/la-rache/">un nom</a>).</p>
<div class="highlight"><pre><span></span>openssl genrsa -out /etc/ssl/private/server.key 2048
</pre></div>
<p>Vu qu'il fait froid on peut passer à 4096, ça réchauffera un peu la pièce :).</p>
<div class="highlight"><pre><span></span>openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
</pre></div>
<p>Et comme <a href="../https-sslh-et-bypass-de-proxy.html">je n'ai pas de CA</a></p>
<div class="highlight"><pre><span></span>openssl x509 -sha256 -req -days 365 -in /etc/ssl/private/server.csr \
-signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
</pre></div>
<p>On n'oublie pas de mettre dans <em>umurmur.conf</em> les emplacements du
certificat et de la clé privée.</p>
<h2>Un article pour ... ça ?</h2>
<p>Je ne comptais pas écrire d'article à la base parce que c'était
vraiment très simple et très rapide (ce qui prend le plus de temps
c'est créer le certificat et installer umurmur, c'est dire) : faut
compter une dizaine de minutes pour avoir quelque chose de
fonctionnel, mais comme je me suis bien pris la tête à cause d'Ubuntu
alors qu'à côté OpenBSD "juste marche" et qu'en plus
<a href="https://twitter.com/iMilnb">iMil</a> venait de dire sur le chan de
<a href="http://www.gcu-squad.org/">GCU</a> que je faisais "du prosel
poissonpiquant de qualitay", je me suis dit que je pouvais en
<a href="../pourquoi-j-adore-openbsd.html">remettre une couche</a>.</p>
<h3>TL;DR</h3>
<p>L'auto-hébergement est faisable même pour mumble et OpenBSD ça "juste marche".</p>Pourquoi j'adore OpenBSD2013-10-11T10:20:00-04:002013-10-11T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-10-11:/blog/pourquoi-j-adore-openbsd.html<p>J'utilise OpenBSD depuis un peu moins d'un an et plus le temps passe, plus j'apprécie ce système.</p><p>Avant toute chose, je ne dis pas qu'OpenBSD est meilleur qu'un autre OS, je dis juste pourquoi <strong>je</strong> l'apprécie plus que les autres.</p>
<h2>La documentation</h2>
<h3>La FAQ</h3>
<p>La documentation de cet OS est géniale. Avant de l'avoir installé, j'avais lu la <a href="http://openbsd.org/faq/index.html">FAQ</a>, même si je n'avais pas tout compris (il y a des choses que j'ai compris seulement bien longtemps après), ça a déjà été une bonne base. Cette FAQ explique énormément de choses et comporte un certain nombre de <em>how-to</em> bien utiles. Plusieurs fois j'ai cherché des tutos sur Internet sur comment faire certaines choses, les tutos que j'ai trouvé comportaient des choses bizarres, et en recherchant, je suis tombé sur la FAQ qui expliquaient exactement ce que je voulais faire (notamment du pxeboot) ; le tuto trouvé précedemment était (en gros), ce qu'expliquait la FAQ, plus <em>les choses bizarres</em>.</p>
<h3>Les manpages</h3>
<p>Les pages <em>man</em> sont aussi très complètes et bien faites. Avant d'utiliser OpenBSD, j'utilisais beaucoup Debian. Jamais (ou très rarement) il ne me venait à l'esprit de lire une page man. Si j'avais un problème, je googlais pour trouver la solution. OpenBSD, du fait que personne ne l'utilise (mouarf) et que les pages <em>man</em> sont complètes, personne n'écrit de tuto pour faire ceci ou cela. Plusieurs fois, je me suis dit, tiens je devrais faire un article sur $chose, puis j'ai vu qu'il y avait une page <em>man</em> qui expliquait comment faire. Un exemple ? Pour ma connexion ADSL, je devais gérer la session PPP avec mon routeur. Si on choisit ppp(4) (à l'inverse de celui qui est en userland, ppp(8)) il suffit de lire la page man, il n'y a guère plus à faire que recopier et juste changer le login et le mot de passe.</p>
<h3>La communauté</h3>
<p>Enfin, vu que je fais face souvent à des problèmes de couche 8 (PEBKAC toussa), genre une page <em>man</em> que j'ai mal lue, ou une partie de la FAQ que je n'ai pas compris, il m'arrive souvent de demander de l'aide. Vu qu'à part les 3 utilisateurs <em>normaux</em> d'OpenBSD (:p) les autres sont les committers, ça permet d'avoir des gens à qui demander qui savent de quoi ils parlent vu que ce sont eux qui ont écrit le code. Bien sûr, si on demande sans avoir cherché un minimum avant, on risque de se prendre quelques remarques dans les dents, mais sinon, les personnes sont très serviables (si vous avez une meilleur traduction de <em>helpful</em> ..).</p>
<h2>Les petites attentions</h2>
<h3>Afterboot</h3>
<p>Suite à une installation, le système envoie (de mémoire) deux mails, avec l'un des deux qui conseille de lire afterboot(8). Cette page <em>man</em> décrit toutes les petites actions à faire quand on vient d'installer OpenBSD.</p>
<h3>Daily output (et /etc/weekly et /etc/monthly)</h3>
<p>Le système comporte de base des scripts de maintenance. Il y a trois scripts, un qui doit s'exécuter quotidiennement (daily), un autre de manière hebdomadaire (weekly) et le dernier mensuellement (monthly).</p>
<p>Ils font chacun des actions qui ont besoin d'avoir lieu à ces différentes fréquences. Par exemple daily va vérifier les permissions des fichiers du système, il envoie un mail qui comporte l'uptime, l'état du partitionnement (ça permet de s'apercevoir que par exemple il n'y a plus de place sur une partition :p) et donner des infos sur le réseau (nb de paquets entrants, sortant, les erreurs etc) et enfin, il fait une série <code>diff</code>. Si ces diff ne sont pas vide cela déclenche un autre mail "daily insecurity outpput" qui comporte ces diffs. C'est utile dans le cas d'admin à plusieurs, afin de pouvoir ce que l'autre admin a modifié. </p>
<p>Weekly fait des choses qui n'ont pas besoin d'être fait souvent, comme mettre à jour la base données de locate(1). </p>
<p>Pour rajouter des choses, c'est très simple, il suffit juste de créer un fichier {daily,weekly,monthly}.local qui comporte les actions à effectuer, le système les fera avant de faire le script à la base. </p>
<p>Bref, du bonheur.</p>
<h3>/var/backups/</h3>
<p>Une fois j'ai cassé le système (\o/), je ne sais plus comment j'ai fait, je me rappelle juste des grandes lignes. Mon système ne marche plus, seule possibilité c'est de booter en single user mode. Je connais le fichier que j'ai modifié, je sais ce que j'ai modifié, mais je ne sais plus ce qui était mis à la base ... c'est là qu'en demandant de l'aide, on me dit "bah récupère la version précédente dans /var/backups/" ... wut ? Quand tu as ton système qui ne veut plus booter parce que tu as fait une connerie, tu es sacrément heureux de voir que le système, de base, sauvegarde les fichiers importants (et garde les checksums pour d'autres). </p>
<h3>Les noms des interfaces réseaux</h3>
<p>Contrairement aux autres systèmes où les interfaces filaires s'appellent eth et les wifi wlan, sous OpenBSD, les interfaces sont issues du nom des drivers. Du coup il est aisé de savoir quel est le driver utilisé pour l'interface. À quoi ça sert ? Parfois on rencontre des problèmes et dans ce cas il suffit de faire man $driver et de lire la section bug pour savoir si le problème est connu ou si ça vaut la peine de faire un rapport de bug.</p>
<h2>La politique</h2>
<h3>Rien d'activé par défaut</h3>
<p>Avec OpenBSD vient avec quelques logiciels, tel que Apache 1, Nginx etc. La plupart sont par défaut désactivé. Les seuls activés sont ceux de confiance comme sshd (et encore à l'installation, on nous demande si on veut l'activer). Cela évite d'avoir des logiciels qui tournent sans raison.</p>
<h3>La sécurité</h3>
<p>OpenBSD est un système simple (note: comme on l'a fait remarqué sur un chan irc, simple != facile). La sécurité d'un système vient aussi de la bonne compréhension du système afin de permettre d'auditer les choses. Ce n'est certainement pas en rajoutant de la compléxité qu'un système sera plus sûr.</p>
<p>Typiquement avoir des syntaxes simples pour des logiciels aident grandement. Regardez les syntaxes des fichiers de configuration d'OpenSSH, OpenSMTPD, Open^W PF et montrez moi d'autres logiciels ayant une syntaxe aussi claire.</p>
<p>Petit détail qui fait tout, durant l'installation de l'OS, on nous demande si on veut activer sshd, si on crée un user, il nous propose directement de mettre un <code>PermitRootLogin no</code>. </p>
<p>Tout ça fait au final que même sans forcément rechercher un système sûr, les choses font qu'on finit par en avoir un.</p>
<h3>Les licences</h3>
<p>Étant un peu intégriste^W^W^W libriste, j'aime bien leur principe de ne pas intégrer à la base des logiciels dont la licence n'est pas correcte. Oui on a des vieux trucs comme UFS/FFS, alors que FreeBSD a ZFS, on a Apache 1 et pas 2 à cause de ce problème de licence (cependant la version 2 est disponible via les packages).</p>
<p>Je vous invite aussi à lire dans la FAQ la partie à propos de Flash, ça vaut son pesant de cacahuètes.</p>
<h2>Cool tout ça, mais ça tourne sur quoi ?</h2>
<h3>Firewall, routeur</h3>
<p>OpenBSD est plus qu'adapté pour tout ce qui est firewall (carp + pfsync = <3) et plus généralement à tout ce qui a trait au réseau. Vous en connaissez beaucoup des systèmes qui intégrent une implémentation <strong>libre</strong> de MPLS, de base ? Idem pour IPSEC (le premier qui me parle de la backdoor, je lui fais manger la page FUD de wikipédia).</p>
<h3>Workstation</h3>
<p>OpenBSD est très bien utilisable comme workstation, je vous laisse regarder les vidéos que ajacoutot@ fait pour Gnome, c'est beau (troll mis à part à propos de Gnome).</p>
<h3>Laptop</h3>
<p>Les commiters d'OpenBSD utilisent sur leur laptop ... OpenBSD (contrairement à certains développeurs d'autres OS qui se sont tournés vers Apple). Ce qui fait qu'OpenBSD est bien utilisable sur des pc portables.</p>
<h3>Et même de l'arm !</h3>
<p>OpenBSD tourne même sur de l'arm. Non pas sur le Raspberry Pi (dont je ne vais pas prendre la peine de dire du mal car j'ai l'impression que les fanboys de RPi sont encore pire que ceux d'Apple), mais sur d'autres plateformes c'est en cours de portage (même si ça marche déjà plutôt bien) et vu la dynamique des commits, j'ai bon espoir qu'il y ait quelque chose de complet rapidement.</p>
<h2>Pour finir</h2>
<p>Une citation de Theo de Raadt que j'aime bien : "Linux people do what they do because they hate Microsoft. We do what we do because we love Unix."</p>
<p><code></propaganda></code></p>Comment traverser du NAT avec Tor2013-08-15T10:20:00-04:002013-08-15T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-08-15:/blog/comment-traverser-du-nat-avec-Tor.html<p>Comment se connecter à une machine derrière du NAT sans redirection de port.</p><h2>Mais pourquoi tu es derrière du NAT ?</h2>
<ul>
<li>Parce qu'il y a trop peu d'IPv4 pour en donner des routables à tout le monde.</li>
<li><a href="http://imil.net/wp/2013/01/05/ipv6-je-taime-mais-tout-le-monde-sen-fout/">Parce que l'IPv6 c'est pas encore ça.</a></li>
</ul>
<h2>Bah tu rediriges ton port sur la machine</h2>
<p>Oui, sauf qu'on a pas toujours la main sur le routeur. D'autant plus que vu l'engouement des telcos pour l'IPv6, on va vraisemblablement bouffer du <a href="https://en.wikipedia.org/wiki/Carrier-grade_NAT">CGN</a>.</p>
<h2>Concrètement, on fait comment ? Exemple pour ssh</h2>
<p>Je vais vous expliquer comment faire pour ssh, pour les autres services, c'est encore plus court.</p>
<p>D'abord on commence par installer Tor (je te laisse voir ça avec la documentation de ton système).</p>
<h3>Création d'un hidden service</h3>
<p><em>Note, si tu penses que récemment il y a une faille sur les hidden services de Tor, je t'invite à fermer cette page puisque tu ne sais pas lire.</em></p>
<p>Une fois qu'on a installé Tor, il a du mettre dans <code>/etc/tor</code> son fichier de configuration, <code>torrc</code>. Dedans tu dois avoir </p>
<div class="highlight"><pre><span></span>#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 22 127.0.0.1:22
</pre></div>
<p>Il suffit de décommenter les lignes, changer le port si sshd n'écoute pas sur le port 22. On relance Tor et normalement on a </p>
<div class="highlight"><pre><span></span>/var/lib/tor/hidden_service# ls
hostname private_key
</pre></div>
<p>Dans hostname se situe l'adresse du hidden service (et dans private_key, ô surprise, la clé privée).</p>
<div class="highlight"><pre><span></span># cat hostname
l4dr3ss3duH5.onion
</pre></div>
<p>Une fois qu'on l'a récupéré, on installe socat si ce n'est déjà fait. Puis dans un terminal on entre la commande</p>
<div class="highlight"><pre><span></span>socat TCP4-LISTEN:4252,fork SOCKS4A:127.0.0.1:l4dr3ss3duH5.onion:22,socksport=9050
</pre></div>
<p>Pour se connecter en ssh on tape </p>
<div class="highlight"><pre><span></span><span class="n">ssh</span> <span class="n">user</span><span class="mf">@127.0.0.1</span> <span class="o">-</span><span class="n">p</span> <span class="mi">4252</span>
</pre></div>
<h3>Mais c'est inutilisable /o\ !</h3>
<p>ssh sur une mauvaise connexion, c'est chiant. Tu te dis "pfff, je vais installer mosh", montre moi comment tu fais passer tes paquets UDP de mosh sur Tor qui est tcp-only.</p>
<p>Quand je disais que pour les autres services, c'était plus simple, c'est parce que les autres services ne sont pas interactif comme ssh. Donc ça sera plus lent que sur vanilla net mais ça marche.</p>
<h3>Que faire ?</h3>
<p>C'est là qu'on reconnait qu'OpenSSH-server a été codé par quelqu'un d'OpenBSD : il est complet et a une syntaxe simple <code></prosélitisme></code>.</p>
<div class="highlight"><pre><span></span>$ man ssh
<span class="o">[</span>...<span class="o">]</span>
-R <span class="o">[</span>bind_address:<span class="o">]</span>port:host:hostport
Specifies that the given port on the remote <span class="o">(</span>server<span class="o">)</span> host is to be forwarded to the given host
and port on the <span class="nb">local</span> side. This works by allocating a socket to listen to port on the remote
side, and whenever a connection is made to this port, the connection is forwarded over the
secure channel, and a connection is made to host port hostport from the <span class="nb">local</span> machine.
<span class="o">[</span>...<span class="o">]</span>
</pre></div>
<p>On est connecté sur la machine derrière le NAT et on entre la commande :</p>
<div class="highlight"><pre><span></span>machinenatée$ ssh -R 19999:localhost:22 user@pclocal
</pre></div>
<h3>Boooootstrap \o/</h3>
<p>Dans un autre terminal, on tape </p>
<div class="highlight"><pre><span></span>pclocal$ ssh user@localhost -p 19999
</pre></div>
<p>Et hop on est connecté directement sans passer par Tor.</p>
<h2>Petite précaution</h2>
<p>Les hidden services sont récupérables plutôt facilement (on monte un relais, on attend 24 heures pour avoir le flag HSDIR et ... je ne sais pas la suite mais il me semble que c'est simple à faire :p).</p>
<p>Quand on se connecte sur le .onion, la machine voit comme hote distant localhost. Comme il y a toutes les chances que vous ne filtrez pas sur <code>lo0</code>, rien n'empêche le bruteforce.</p>
<p>On peut sans doute faire écouter l'<em>hidden service</em> sur une IP locale qu'on met en alias sur l'interface du serveur comme ça on peut filtrer sur cette IP. Mais là encore, si quelqu'un la brute force et il ne faut pas qu'elle soit bloquée éternellement sinon vous subirrez aussi le blocage.</p>Vive les gauffres2013-08-02T10:20:00-04:002013-08-02T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-08-02:/blog/vive-les-gauffres.html<p>Auto-héberger son serveur gopher chez soi c'est inut^W possible</p><h2>Installons un serveur gopher</h2>
<p>Il y a un petit moment <a href="http://wxcvbn.org/~jca/">jca</a> a pasté gopher://tetaneutral.net sur un des chans irc. Le temps de trouver un navigateur qui permet encore d'utiliser gopher et je trouvais ça marrant.</p>
<h2>Tu n'as vraiment que ça à faire ? <code>insert clueless smiley</code></h2>
<p>Ouais je trouvais ça marrant à faire.</p>
<p>J'y ai repensé hier en voyant <a href="https://image.guim.co.uk/sys-images/Guardian/Pix/audio/video/2013/7/31/1375269604628/KS8-001.jpg">cette slide</a> de xkeyscore. </p>
<div class="highlight"><pre><span></span>Why are we interested in HTTP ?
Because nearly everything a typical user does on the Internet uses HTTP
</pre></div>
<p>Je me suis dit que même si c'était techniquement super facile d'intercepter ce qu'il se passe sur gopher:// vu que personne (ou presque) ne l'utilise, en pratique personne ne doit écouter ce qu'il se passe.</p>
<p>Protip: On est vendredi.</p>
<h2>Installons le serveur gopher</h2>
<p>On regarde ce qu'il y a dans l'arbre des ports :</p>
<div class="highlight"><pre><span></span>/usr/ports$ make search key=gopher
Port: gophernicus-1.4p0
Path: net/gophernicus
Info: modern gopher server
</pre></div>
<p>Pour l'installer on utilise soit les ports</p>
<div class="highlight"><pre><span></span>cd net/gophernicus
make install
</pre></div>
<p>ou les packages</p>
<div class="highlight"><pre><span></span>pkg_add gophernicus
</pre></div>
<p>On lit la doc qui explique comment faire, c'est à dire copier une ligne de conf (quand je vous dis qu'OpenBSD c'est facile).</p>
<h2>Et tu lis comment ton gopher ?</h2>
<ul>
<li>Via <a href="https://en.wikipedia.org/wiki/Lynx_%28web_browser%29">lynx</a>.</li>
<li>Via <a href="https://addons.mozilla.org/fr/firefox/addon/overbiteff/">un plugin pour Firefox</a></li>
<li>Via <a href="http://gopherproxy.meulie.net/chown.me/">un proxy</a> </li>
</ul>
<p>Et oui, installer un serveur gopher m'a permis de <a href="https://twitter.com/meulie/status/363053305703833601">me faire un copaing sur twitter</a>.</p>
<h2>Todo</h2>
<p>Bah rajouter du contenu sur le serveur, j'ai pas encore très bien compris comment fonctionnait la <em>gophermap</em>. </p>
<h2>Note</h2>
<p>Le titre de l'article vient <a href="http://chiliproject.tetaneutral.net/projects/tetaneutral/wiki/Gopher">du nom du serveur gopher qu'a installé tetaneutral.net</a></p>Faire des graphes à partir des infos de pf2013-07-27T10:20:00-04:002013-07-27T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-07-27:/blog/faire-des-graphes-a-partir-des-infos-de-pf.html<p>Avoir des beaux (ou pas) graphes à partir des infos que donne pf.</p><h2>pfstat</h2>
<p>Comme je l'ai dit dans <a href="du-wifi-sur-l-alix.html">mon article sur le wifi et l'alix</a>, dans le bouquin sur <a href="https://en.wikipedia.org/wiki/PF_%28firewall%29">pf</a> que j'ai, un certain nombre d'outils est évoqué dont <a href="http://www.benzedrine.cx/pfstat.html">pfstat</a>. Ça avait l'air marrant à faire surtout avec mes contraintes donc je me suis lancé.</p>
<h3>Quelles contraintes ?</h3>
<p>Sur mon alix, le seul moyen de stockage que j'ai, c'est la carte CompactFlash. Or ces cartes CF sont connues pour ne pas supporter trop d'écriture. Il existe <a href="http://blog.spoofed.org/2007/12/openbsd-on-soekris-cheaters-guide.html">des possibilités pour utiliser la carte en read only</a> mais j'ai la flemme de m'en occuper et puis <a href="http://openbsd.org/faq/fr/faq14.html#flashmemBoot">ce problème n'en est qu'un parmi d'autres</a>. De plus pfstat génère des images dont le but est quand même d'y accéder depuis le web et sachant que j'ai déjà nginx sur mon serveur, autant s'en occuper sur mon serveur.</p>
<h2>pfstat et pfstatd, copains comme cochons</h2>
<p>(Je tire cette utilisation de <a href="http://www.unixgarden.com/index.php/gnu-linux-magazine-hs/ipsec-sous-openbsd-40#5-ipsecctl-et-isakmpd-copains-comme-cochons">cet article</a>. Je trouve ça marrant de mettre des expressions comme celle-ci dans un article technique.)</p>
<p>Le but est de récupérer les données de pf de l'alix <em>sur</em> le serveur. C'est là qu'intervient pfstatd. On lit la description dans la <a href="http://www.benzedrine.cx/pfstatd.txt">man page</a>.</p>
<div class="highlight"><pre><span></span> The pfstatd daemon queries statistics from the packet filter device pf(4)
and returns them in text form to network clients (like pfstat) connecting
through TCP.
</pre></div>
<p>On installe donc pfstatd sur l'alix. On ajoute dans <code>/etc/rc.conf.local</code></p>
<div class="highlight"><pre><span></span>pfstatd_flags="-a 10.19.18.1"
</pre></div>
<p>Ensuite on lance le daemon avec <code>/etc/rc.d/pfstatd start</code></p>
<p>On peut tester avec un telnet 10.19.18.1 9999, normalement ça donne <em>plein</em> de lignes. </p>
<p>Il faut bien dire à pf, quelle interface il faut logguer, donc dans <code>/etc/pf.conf</code> il faut quelque chose du genre</p>
<div class="highlight"><pre><span></span>set loginterface pppoe0
</pre></div>
<p>Ensuite, sur le serveur, on install pfstat.</p>
<p>Dans <code>/etc/pfstat.conf</code> on met ce qu'on souhaite comme courbes. <a href="http://www.benzedrine.cx/pfstat.conf">Un exemple est disponible sur le site de l'auteur</a> et je vous mets <a href="http://chown.me/pfstat.conf.txt">celui que j'utilise actuellement</a>.</p>
<p>Ensuite on utilise les commandes :</p>
<div class="highlight"><pre><span></span>pfstat -q -d /var/db/pfstat.db -r 10.19.18.1
pfstat -p -d /var/db/pfstat.db
</pre></div>
<p>La première sert à créer pfstat.db en prenant les infos de l'alix. La deuxième sert à créer les courbes à partir de la DB. Si tout se passe bien, on crontab tout ça.</p>
<div class="highlight"><pre><span></span>* * * * * /usr/local/bin/pfstat -q -d /var/db/pfstat.db -r 10.19.18.1
*/5 * * * * /usr/local/bin/pfstat -p -d /var/db/pfstat.db
25 3 * * * /usr/local/bin/pfstat -t 30 -d /var/db/pfstat.db
</pre></div>
<p>Vu que la DB grandit indéfiniment, ce n'est pas bon. On rajoute donc la dernière ligne pour qu'elle supprime les données de plus de 30 jours.</p>
<h2>Et pour le web</h2>
<p>On crée un sous domaine, par exemple, pfstat.tondomaine.tld. Ensuite on rajoute dans nginx.conf les vhosts et on reload. Enfin, on crée une page index.html qui affiche les images.</p>
<p>On obtient <a href="http://pfstat.chown.me/">ça</a>. Je vais peut-être changer les courbes que j'affiche.</p>
<p>Voilà, je vais pouvoir faire comme Octave interdire github et regarder les mails sortants^W^W^W^W^W^W^W et <a href="https://twitter.com/olesovhcom/status/358680999162433536/photo/1">tweeter des courbes de traffic</a>.</p>Du Wifi sur l'alix2013-07-14T10:20:00-04:002013-07-14T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-07-14:/blog/du-wifi-sur-l-alix.html<p>Un peu marre des noeuds avec mon RJ45, je me suis fait du wifi avec mon Alix.</p><h2>L'ethernet c'est bien mais ...</h2>
<p>Ayant marre des noeuds quand je vais dans mon lit avec mon laptop, je me suis fait du wifi. Bon bien sûr ce n'est qu'un prétexte, la vraie raison c'est que j'adore apprendre, donc je lis des bouquins comme <a href="http://nostarch.com/pf2.htm"><em>A No-Nonsense Guide to the OpenBSD Firewall</em></a>. Le problème avec ce genre de bouquins, c'est qu'ils décrivent un certain nombre de setups et ce, suffisamment bien pour me donner envie de <a href="alice-in-wonderlan.html">les reproduire même si j'en ai pas besoin</a>. Mais bon c'est fun, je m'amuse donc je le fais. </p>
<h2>Le setup</h2>
<p>Possédant une clé wifi D-Link DWA-110 (avant mon desktop étant loin de la box, j'utilisais du wifi) ne servant à rien je me suis dit que j'allais la réutiliser.</p>
<h3>Hahaha ... hum. OpenBSD a vraiment des drivers pour les clés wifi ?</h3>
<p><a href="http://openbsd.org/faq/fr/faq6.html#Wireless">Oui OpenBSD supporte des clés wifi</a>. En lisant les manpages des drivers on a la liste des models supportés. Dans <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rum&sektion=4">rum(4)</a> on voit <code>D-Link DWA-110</code>.</p>
<h3>Et ensuite ?</h3>
<p>Une fois branchée sur l'alix on devrait la voir dans ifconfig.</p>
<p>Pour créer l'AP wifi, on crée un fichier /etc/hostname.rum0</p>
<div class="highlight"><pre><span></span>up mediaopt hostap mode 11g chan 1 nwid ILovePuffy
inet 10.19.19.1/24
</pre></div>
<p>Ici on crée un AP sur le canal 1, en mode 11g et avec comme nom "ILovePuffy" (j'avais la flemme de réfléchir à nom, du coup j'ai pris celui du noeud Tor).</p>
<p>Ensuite on ajoute dans /etc/dhcpd.conf</p>
<div class="highlight"><pre><span></span><span class="nt">subnet</span> <span class="nt">10</span><span class="p">.</span><span class="nc">19</span><span class="p">.</span><span class="nc">19</span><span class="p">.</span><span class="nc">0</span> <span class="nt">netmask</span> <span class="nt">255</span><span class="p">.</span><span class="nc">255</span><span class="p">.</span><span class="nc">255</span><span class="p">.</span><span class="nc">0</span> <span class="p">{</span>
<span class="err">option</span> <span class="err">routers</span> <span class="err">10.19.19.1</span><span class="p">;</span>
<span class="err">range</span> <span class="err">10.19.19.101</span> <span class="err">10.19.19.221</span><span class="p">;</span>
<span class="err">host</span> <span class="err">laptopwifi</span> <span class="err">{</span>
<span class="err">hardware</span> <span class="err">ethernet</span> <span class="err">00:11:22:33:44:55</span><span class="p">;</span>
<span class="err">fixed-address</span> <span class="err">10.19.19.40</span><span class="p">;</span>
<span class="p">}</span>
<span class="err">}</span>
</pre></div>
<h3>Mais tu ne vas pas laisser tout le monde se connecter, si ?</h3>
<p>Je ne crois pas en la sécurité des wifi tels que <em>WEP</em> (:p). Par contre j'ai confiance en SSH. Oui SSH, je te vois hausser les sourcils, mais <a href="http://openbsd.org/faq/pf/fr/authpf.html">oui avec OpenBSD on peut</a>.</p>
<p>Du coup ça se fait avec /etc/pf.conf. J'ai pas mal galéré à vouloir faire quelque chose de compliqué. Je suis revenu à quelque chose de plus <a href="https://en.wikipedia.org/wiki/KISS_principle">KISS</a>.</p>
<p>Quand un user se connecte, son ip va automatiquement dans la table <code><authpf_users></code>.</p>
<div class="highlight"><pre><span></span>match out on $ext_if inet from <authpf_users> nat-to $ip_publique
pass in on $wifi_if proto tcp from !<authpf_users> to any rdr-to $server port 9050
pass in on $wifi_if proto tcp from !<authpf_users> to any port { 80, 443 } rdr-to (self) port 80
pass in on $wifi_if proto tcp to 10.19.19.1 port ssh
pass in on $wifi_if proto { tcp, udp } to $server port domain
pass on $wifi_if from <authpf_users>
</pre></div>
<p>Je pense que pf est assez clair pour ne pas expliquer les règles. Vous devez vous demander pourquoi je redirige tout le traffic qui n'est pas web vers mon serveur sur le port 9050 et le traffic web vers l'alix sur le port 80.</p>
<h3>Fournir (temporairement) un accès internet, oui, assumer les conneries des autres non.</h3>
<p>Du coup, le traffic web je le redirige vers une page web sur l'alix qui explique que l'user n'aura pas accès à Internet sans passer par Tor que pour se faire il doit configurer son navigateur pour utiliser un proxy socks 4a ou 5 sur l'ip de mon serveur et le port 9050. <a href="http://www.unixgarden.com/index.php/gnu-linux-magazine/mise-en-place-d-un-reseau-wifi-ouvert#r%C3%A9sultats-et-premiers-tests-monde-de-m">Étant confiant dans le fait que les gens n'y arriveront pas</a> j'ai aussi expliqué comment me contacter.</p>
<p>Du coup on edit /etc/tor/torrc pour que Tor sur mon serveur accepte de faire passer le traffic venant du wifi.</p>
<div class="highlight"><pre><span></span>SocksPort 9050
SocksPort 10.19.18.17:9050
SocksPolicy accept 10.19.18.0/23
</pre></div>
<h3>Pour finir, on crée les users</h3>
<p>Pour que l'authentification par SSH fonctionne, il faut que l'user soit dans une classe de login particulière <code>authpf</code></p>
<p>Quand on crée un user via adduser(8) on a </p>
<div class="highlight"><pre><span></span>Login class authpf bgpd daemon default staff [default]:
</pre></div>
<p>Il suffit de choisir authpf et c'est bon. On peut personnalisser la classe comme je vous en ai parlé rapidement <a href="utiliser-une-yubikey-sur-OpenBSD.html">là</a></p>
<p>On peut personnaliser le MOTD par exemple, je me suis crée un user wifi pour mon laptop :</p>
<div class="highlight"><pre><span></span>$ cat /etc/authpf/users/wifi/authpf.message
Attention au cresson !!
</pre></div>
<p><a href="http://blogs.univ-poitiers.fr/n-yeganefar/2013/06/02/wifi-et-cresson-ne-maltraitons-pas-la-science/">(C'est une petite private joke, à propos d'une pseudo-expérience sur la nocivité du wifi)</a>.</p>
<h3>Et finalement</h3>
<p>On se connecte au wifi qui n'a pas de mot de passe puis sur le laptop :</p>
<div class="highlight"><pre><span></span><span class="err">$</span> <span class="n">ssh</span> <span class="n">wifi</span><span class="mf">@10.19.19.1</span>
<span class="n">Last</span> <span class="nl">login</span><span class="p">:</span> <span class="n">Sun</span> <span class="n">Jul</span> <span class="mi">14</span> <span class="mi">18</span><span class="o">:</span><span class="mo">04</span><span class="o">:</span><span class="mo">07</span> <span class="mi">2013</span> <span class="n">from</span> <span class="mf">10.19.19.40</span>
<span class="n">Hello</span> <span class="n">wifi</span><span class="p">.</span> <span class="n">You</span> <span class="n">are</span> <span class="n">authenticated</span> <span class="n">from</span> <span class="n">host</span> <span class="s">"10.19.19.40"</span>
<span class="n">Attention</span> <span class="n">au</span> <span class="n">cresson</span> <span class="o">!!</span>
</pre></div>
<h2>Ce qu'il reste à faire</h2>
<p>Changer l'antenne, la portée de la clé est désastreuse. La vitesse est limitée à 100 ko/s je ne sais pas pourquoi et quand la limite est atteinte, c'est du First In First Out pas du tout efficace (et je ne me vois pas mettre de la QoS sur mon LAN).</p>
<p>Rajouter des warnings pour les éventuels users sur ce qu'est Tor et les problèmes qu'il peut causer. Mais bon vu la portée je ne crois pas qu'il y a vraiment des gens qui puissent se connecter à mon AP wifi, pour l'instant.</p>Comment puis-je aider le réseau Tor2013-07-10T10:20:00-04:002013-07-10T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-07-10:/blog/comment-puis-je-aider-le-reseau-tor.html<p>À force d'avoir toujours cette même question, je vais y répondre une fois pour toute.</p><p>Autour de <a href="https://nos-oignons.net/">nos-oignons</a> (sur des <a href="https://nos-oignons.net/Contact/index.fr.html">chans</a>, sur des <a href="https://nos-oignons.net/mailman/listinfo">mailing lists</a> ou même à PSES) j'entends souvent "comment puis-je aider ? en ayant un noeud de sorti Tor chez moi ?" Voici mes réponses.</p>
<h2>Avoir un noeud Tor sur ma ligne ADSL ou autre techno avec < 6mbps de upload</h2>
<p>Déjà, cela se fait à condition d'avoir un serveur <a href="faisabilit%C3%A9-de-l%27auto-h%C3%A9bergement.html">auto-hébergé</a> (mais ça peut très bien être un Raspberry Pi). Si vous pensez mettre le noeud sur un pc qui tournera uniquement s'il est allumé/connecté, perdez pas votre temps, votre relais ne sera pas utilisé :</p>
<p>Quand un noeud se connecte il s'annonce aux serveurs Tor qui font autorité tel que <a href="https://atlas.torproject.org/#details/7BE683E65D48141321C5ED92F075C55364AC7123">Dannenberg</a>. Ces serveurs établissent un consensus avec le poids des différents relais. Ensuite lorsqu'un client Tor se connecte, il construit ses circuits en fonction du poids de se relais. </p>
<p>Afin de résister aux attaques, le poids augmente avec le temps (jusqu'à une limite hein). Pour arriver à utiliser toute la capacité d'un petit noeud, c'est un ou deux jours, pour les gros noeuds (100Mbps ou +) c'est au moins de l'ordre de la semaine.</p>
<p>Sauf que si le noeud se coupe à chaque fois (je passe sur le fait que si vous ne laissez pas les 30 secondes au noeud pour s'arrêter, vous coupez des connexions) le noeud n'aura jamais beaucoup de poids donc les clients éviteront de créer des circuits avec. CQFD.</p>
<h3>Un noeud de sorti</h3>
<p>Je trouve ça totalement stupide de faire tourner un noeud de sorti Tor chez soit. Cela vous amuse peut-être de prendre le risque de vous faire saisir votre matériel informatique, pas moi.
Pour info c'est déconseillé dans la <a href="https://www.torproject.org/eff/tor-legal-faq.html.en">FAQ de Tor</a>.</p>
<h3>Un relais simple alors ?</h3>
<p>Non, je ne pense pas que ça vaille la peine d'en configurer un (à la limite faites le pour le fun). Ça apporte très peu de <a href="http://www.bortzmeyer.org/capacite.html">capacité</a> au réseau et avec de la latence (25 ms au mieux, beaucoup plus éventuellement). Cette latence multipliée par tous les <a href="https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment">handshakes</a> peut ralentir une connexion, pas de beaucoup mais quand même. </p>
<p>Malgré tout ça, j'ai un <a href="https://atlas.torproject.org/#details/9AFB2C97F17D85795DF4FFE87206BEE42126B957">relais chez moi</a> mais je ne pense pas que ce soit vraiment le meilleur moyen d'aider (le réseau) Tor.</p>
<h2>Et sur ma fibre ? (avec 50 Mbps de upload)</h2>
<p>Là c'est déjà mieux puisqu'on peut atteindre des débits beaucoup plus important et avec beaucoup moins de latence. Mais gardez en tête ce que j'ai expliqué avant, ne le faites pas sur un pc qui n'a pas vocation à avoir du réseau H24 ni en noeud de sorti si vous voulez éviter les problèmes.</p>
<h2>Qu'est ce que je peux faire alors ?</h2>
<h3>Monter de gros relais</h3>
<p>Je ne vais pas vous en parler parce que <a href="http://koolfy.be">koolfy</a> a déjà fait <a href="http://koolfy.be/2013/01/27/well-need-a-bigger-onion/">un très bon article dessus</a></p>
<h3>Mais j'ai pas les connaissances techniques /o\ !</h3>
<p>Dans ce cas tu peux <a href="https://nos-oignons.net/Donnez/index.fr.html">donner à Nos oignons</a> ou à <a href="http://www.indiegogo.com/projects/tor-anti-censorship-and-anonymity-infrastructure">l'ensemble des <em>Not for profit</em> dans son genre et recevoir des goodies</a> ou en <a href="http://www.printfection.com/torprojectstore">achetant les goodies du Tor project</a></p>
<h3>Mais je suis pôôôvre /o\^2</h3>
<p>Tu peux parler autour de toi du réseau Tor, le plus de personnes l'utilisent, meilleur est l'anonymat. </p>
<p>Tu peux aussi <a href="https://nos-oignons.net/Participez/">t'investir dans les assos qui supportent Tor</a>.</p>
<h3>C'est tout ?</h3>
<p>Non bien sûr que non. </p>
<p>Tu peux (source <a href="https://www.torproject.org/getinvolved/volunteer.html.en">cette page</a>) :</p>
<ul>
<li>Traduire les pages et compléter la documentation déjà existante (par exemple, comment utilisez tel logiciel avec Tor, quel logiciel est utile dans quelle situation etc).</li>
<li>Créer une vidéo sur les utilisations positives de Tor</li>
<li>Créer des posters ayant pour thème "Tor for Freedom"</li>
<li>etc ...</li>
</ul>
<p>Pour finir, depuis le 03 juillet, il y a le <a href="https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews">Tor weekly news</a>. La petite équipe qui a fait les deux premier épisodes (<a href="https://lists.torproject.org/pipermail/tor-talk/2013-July/028770.html">premier</a> et <a href="https://lists.torproject.org/pipermail/tor-talk/2013-July/028898.html">deuxième</a>) a vraiment fait un travail <strong>génial</strong>. C'est vraiment beaucoup de boulot donc n'hésitez pas à participer à la conception.</p>HTTPS, sslh et bypass de proxy2013-07-06T10:20:00-04:002013-07-06T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-07-06:/blog/https-sslh-et-bypass-de-proxy.html<p>Mise en place du ssl pour mon blog, tout en gardant la possibilité de faire du ssh sur le port 443 pour outrepasser les proxys</p><h2>Petites explications</h2>
<p>Je passe une partie de ma vie derrière un proxy qui bloque le
port 22. Ce n'est pas une raison pour ne pas me connecter en ssh à mon
serveur. Jusqu'à maintenant, j'avais une redirection sur mon routeur
443 -> 22. Sauf que depuis que j'ai mon blog, je me suis dit que ça
serait cool d'avoir du ssl (parce que c'est bien, et parce que le
mettre en place, me ferait apprendre des choses) d'autant plus que je
compte un jour avoir un webmail (mais c'est pas pour tout de suite).</p>
<p>Un jour <a href="https://twitter.com/vivienmoreau">vpm</a> m'a parlé de sslh qui
permet d'avoir du ssh et du ssl sur le port 443. N'ayant pas l'utilité
à l'époque, j'ai gardé le nom en me disant que ça pouvait être
pratique.</p>
<h2>Mise en place du https sur OpenBSD</h2>
<p>As usual c'est dans la
<a href="http://openbsd.org/faq/fr/faq10.html#HTTPS">FAQ</a>. Juste pour les
commandes d'openssl car j'utilise nginx.</p>
<p>Pour nginx il suffit juste de rajouter dans /etc/nginx/nginx.conf</p>
<div class="highlight"><pre><span></span><span class="nt">server</span> <span class="p">{</span>
<span class="err">listen</span> <span class="err">8443</span><span class="p">;</span>
<span class="err">server_name</span> <span class="err">blog.chown.me</span><span class="p">;</span>
<span class="err">root</span> <span class="err">/var/www/pelican</span><span class="p">;</span>
<span class="err">ssl</span> <span class="err">on</span><span class="p">;</span>
<span class="err">ssl_certificate</span> <span class="err">/etc/ssl/server.crt</span><span class="p">;</span>
<span class="err">ssl_certificate_key</span> <span class="err">/etc/ssl/private/server.key</span><span class="p">;</span>
<span class="err">ssl_session_timeout</span> <span class="err">5m</span><span class="p">;</span>
<span class="err">ssl_protocols</span> <span class="err">SSLv2</span> <span class="err">SSLv3</span> <span class="err">TLSv1</span> <span class="err">TLSv1.1</span> <span class="err">TLSv1.2</span><span class="p">;</span>
<span class="err">ssl_ciphers</span> <span class="n">HIGH</span><span class="p">:</span><span class="o">!</span><span class="n">aNULL</span><span class="o">:!</span><span class="n">MD5</span><span class="p">;</span>
<span class="err">ssl_prefer_server_ciphers</span> <span class="err">on</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
<p>Ensuite on peut vérifier avec
https://www.ssllabs.com/ssltest/analyze.html?d=blog.chown.me (je
remercie <a href="https://twitter.com/PoolpOrg">Gilles</a> pour le lien) que les
options marchent bien. Ça ne sert à rien de cliquer, j'ai des règles
anti-ddos (me demandez pas pourquoi) et donc ssllabs se fait bloquer
rapidement.</p>
<p>Dans mon cas j'ai un F parce que mon cert n'est pas signé et un A si
on ne prend pas en compte ce problème.</p>
<h2>Bah pourquoi tu n'as pas de certificat signé ?</h2>
<p>Parce que :</p>
<ul>
<li>c'est payant</li>
<li>j'ai la flemme de m'en faire un via CACERT</li>
</ul>
<p>Et surtout parce que c'est une histoire de confiance. Je n'ai aucune
raison d'avoir confiance en une boite pour un certificat. Qui me dit
qu'elle ne va pas vendre (ou donner) un faux certificat à un état pour
faire du
<a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">MITM</a> sans
problème ? Oui à l'échelle d'un blog comme le mien la proba est de 0
pour un site comme gmail, la question c'est juste combien ils en font
par an.</p>
<p>Ensuite on peut prendre en compte le fait qu'elles se font de temps en
temps trouer. Bref, je n'ai aucune raison de leur donner de l'argent.</p>
<p>Je fais beaucoup plus confiance aux chiffres (je suis plutôt
cartésien). Du coup je donne les fingerprints signés par ma clé gpg :
<a href="https://chown.me/iota/fingerprint.asc.txt">iota.chown.me/fingerprint.asc.txt</a></p>
<p>On en revient à une question de confiance, comment savez vous que
c'est bien ma clé ? Bah simple y a des gens qui l'ont signé (pas
beaucoup mais ça progresse).</p>
<h2>«Talk is cheap show me the code»</h2>
<p>Maintenant qu'on a un serveur qui acceptent du HTTPS sur le port 8443
(c'est bloqué par pf, donc n'essayez pas) installons sslh qui est dans
les ports en version 1.11 (la dernière version est la 1.14 :/)</p>
<div class="highlight"><pre><span></span>cd /usr/port/net/sslh
make install
</pre></div>
<p>À la fin de l'install on est notifié de l'installation de deux scripts
dans /etc/rc.d/ : sslh_fork et sslh_select</p>
<p>En lisant la man page de sslh</p>
<div class="highlight"><pre><span></span> sslh comes in two versions: sslh-fork forks a new process for each
incoming connection. It is well-tested and very reliable, but incurs
the overhead of many processes. sslh-select uses only one thread, which
monitors all connections at once. It is more recent and less tested,
but only incurs a 16 byte overhead per connection. Also, if it stops,
you'll lose all connections, which means you can't upgrade it remotely.
</pre></div>
<p>N'étant pas d'humeur joueuse, j'ai choisi de prendre sslh_fork.</p>
<p>On édite /etc/rc.conf.local par rapport à la conf de nginx</p>
<div class="highlight"><pre><span></span>sslh_fork_flags="--user=_sslh --listen :::443 --listen 0.0.0.0:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:8443"
</pre></div>
<p>C'est peut-être possible de laisser en 443 pour ssl, mais pas envie
d'avoir à débugger donc je ne me prends pas la tête.</p>
<h3>Conclusion</h3>
<p>J'ai donc du ssl (avec du
<a href="https://en.wikipedia.org/wiki/Perfect_forward_secrecy">Perfect Forward Secrecy</a>
\o/) et en même temps je garde la capacité à outrepasser le blocage du
port 22.</p>
<p><a href="https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/tumblr_m1opajuXEU1qixcq1.jpg">Great success!</a></p>
<h2>Oups j'ai pas tout vérifié</h2>
<p>Quand je publie un article, je regarde son <em>succès</em> avec tail -f
/var/www/logs/access.log. Là en même temps je vérifiais que https
marchait bien (toujours publier avant de vérifier, sinon c'est pas
marrant (oui je sais, je suis d'humeur joueuse, mais c'est <em>après
coup</em>)). En regardant les logs que vois-je ? Des accès de
127.0.0.1. Ce qui est logique puisque les requêtes viennent de sslh,
qui est sur la machine.</p>
<p>Du coup ça rend caducs mes logs puisque je ne peux pas dire qui a
accédé au serveur.</p>
<h3>Logons sur sslh</h3>
<p>On ajoute dans /etc/syslog.conf</p>
<div class="highlight"><pre><span></span><span class="sx">!sslh-fork</span>
<span class="o">*.*</span> <span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="nb">log</span><span class="o">/</span><span class="n">sslh</span>
</pre></div>
<p>Comme ça on obtient les ips dans ce fichier. (Faudra ptet que je tweak
un peu le logging parce que là je vais avoir <strong>beaucoup</strong> de choses).</p>
<h3>Hum, et ta règle anti ddos ?</h3>
<p>Je vous parlais de ma règle anti-ddos du coup elle est inefficace
puisque j'ai un <code>set skip on lo0</code>. Donc si on me bruteforce mon ssh
via le port 443, je ne peux rien faire (même si au final il n'y a que
peu de risque, puisqu'il faudrait trouver un
<a href="utiliser-une-yubikey-sur-OpenBSD.htm">OTP valide</a> mais bon.</p>
<p>La solution m'est venue de vpm (toujours le même)</p>
<div class="highlight"><pre><span></span><span class="mi">14</span><span class="o">:</span><span class="mi">18</span><span class="o">:</span><span class="mi">05</span> <span class="o"><</span><span class="n">vpm</span><span class="o">></span> <span class="n">Par</span> <span class="n">contre</span><span class="o">,</span> <span class="n">pourquoi</span> <span class="n">est</span><span class="o">-</span><span class="n">ce</span> <span class="n">que</span> <span class="err">ç</span><span class="n">a</span> <span class="n">rend</span> <span class="n">caduque</span> <span class="n">l</span><span class="s1">'anti ddos ? Tu ne filtres pas sur l'</span><span class="k">if</span> <span class="n">externe</span> <span class="o">?</span>
</pre></div>
<p>Donc non sur mon serveur j'ai qu'une interface, mais ... mais je peux
filtrer sur l'<a href="alice-in-wonderlan.html">alix</a>. \o/</p>
<p>Je rajoute juste</p>
<div class="highlight"><pre><span></span>pass in on $ext_if proto tcp to $ext_if port { www, https } rdr-to $server \
keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <brutewww> flush global)
</pre></div>
<p>Et voilà <em>problem solved</em>.</p>
<h2>Et sous Debian ?</h2>
<p>Pour les gens sous Debian
<a href="https://twitter.com/iMilnb/status/353986782288814080">iMil</a> m'a fait
remarquer
<a href="http://bernaerts.dyndns.org/linux/210-debian-sslh">ce lien</a>.</p>Pelican tl;dr2013-07-06T10:20:00-04:002013-07-06T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-07-06:/blog/pelican-tldr.html<p>Comment lancer son blog avec Pelican rapidement</p><h2>Disclaimer</h2>
<p>Cet article a pour but de me rappeler (au cas où) comment mettre en
place rapidement un blog sous Pelican. En aucun cas, cela vous donne
le droit de ne pas lire
<a href="https://pelican.readthedocs.org/en/latest/">la doc</a>.</p>
<h2>Installation</h2>
<p>Pour installer ce soft en python, on utilise la commande</p>
<div class="highlight"><pre><span></span>pip install pelican
</pre></div>
<p>Si on souhaite écrire nos articles en utilisant la syntaxe Markdown</p>
<div class="highlight"><pre><span></span>pip install Markdown
</pre></div>
<p>Si jamais vous voulez changer le thème</p>
<div class="highlight"><pre><span></span>git clone https://github.com/getpelican/pelican-themes
</pre></div>
<h2>Mise en place du blog</h2>
<div class="highlight"><pre><span></span>mkdir blog ; cd blog
</pre></div>
<p>On crée le squelette du site</p>
<div class="highlight"><pre><span></span>pelican-quickstart
</pre></div>
<p>en répondant aux questions.</p>
<h2>Configuration</h2>
<p>Pour changer le thème, on ajoute la ligne dans pelicanconf.</p>
<div class="highlight"><pre><span></span>THEME = "/répertoire-où-vous-avez-passé-la-commande-git-clone/pelican-themes/dev-random"
</pre></div>
<p>(en remplaçant par le nom du thème que vous voulez prendre).</p>
<h2>Commencer le blog</h2>
<p>On écrit éventuellement un à propos qu'on met dans</p>
<div class="highlight"><pre><span></span>blog/content/pages/apropos.md
</pre></div>
<p>avec l'extension .md si vous utilisez le markdown.</p>
<p>On écrit le premier article qu'on met dans</p>
<div class="highlight"><pre><span></span>blog/content/premierarticle.md
</pre></div>
<p>Ensuite, pour créer les articles/pages on lance la commande</p>
<div class="highlight"><pre><span></span>make html
</pre></div>
<p>Il suffit d'indiquer à votre serveur http (Apache, nginx etc)
d'utiliser le répertoire</p>
<div class="highlight"><pre><span></span>blog/output/
</pre></div>
<p>Et normalement, c'est bon le blog doit être disponible à l'adresse que
vous avez avec votre serveur http.</p>Alice in wonderlan2013-07-05T10:20:00-04:002013-07-05T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-07-05:/blog/alice-in-wonderlan.html<p>Avant d'ouvrir ce blog, j'ai fait un certain nombre de choses sur mon LAN, en voici une petite description.</p><h2>Avant propos - pourquoi faire tout ça ?</h2>
<p>Ce que j'ai fait sur mon réseau n'a aucune nécessité pour mon
<a href="faisabilité-de-l'auto-hébergement.html">auto-hébergement</a>. Si je l'ai
fait c'est plus par amusement, pour apprendre des choses et pour des
projets futurs. C'est aussi pour reprendre la main sur mon
réseau. J'ai ma ligne ADSL chez OVH (qui passent par SFR), et j'ai
donc une de leurs boxs. À l'époque je n'avais pas envie de faire tout
ce que j'ai finalement fait quelques mois plus tard sinon j'aurais
pris leur forfait sans box.</p>
<p>La box n'étant pas super pratique (telnet buggé, mais apparemment que
chez moi, <a href="https://en.wikipedia.org/wiki/User_error">pebkac</a> et
interface web pas super conviviale) comme : jamais trouvé comment
choisir moi même l'ip que le dhcp distribue pour une mac-address,
juste pouvoir passer le lease en statique. Rien de grave, mais un peu
chiant à force. J'ai cherché à remplacer ma box.</p>
<p>Mon but étant de trouver un routeur qui gère la session PPP (puisque
la box d'OVH en mode bridge ne le fait pas), qui firewall et NAT mon lan.</p>
<h2>Quel remplacement pour la box</h2>
<p>À l'époque étant déjà depuis un petit moment sur OpenBSD et
connaissant déjà les facultés de cet OS pour le réseau (en gros, c'est
juste génial) le choix de l'OS était fait.</p>
<p>J'ai, par contre, longuement hésité sur le matériel :</p>
<ul>
<li>Soekris</li>
<li>Alix</li>
<li>Rajouter une carte réseau USB-RJ45 sur mon serveur</li>
</ul>
<p>La soekris ça coûtait cher, et à l'époque un peu trop évoluée pour ce que je voulais faire (à l'époque je ne comprenais pas l'utilité d'avoir 4 cartes réseaux :p).</p>
<p>L'alix, plus simple et moins cher que la soekris, par contre le
stockage uniquement sur carte CompactFlash (sur un chan on m'a dit que
c'était «un peu vieux quand même», ce qui m'a bien fait hésité
:D). Par contre une faible consommation donc intéressante de ce point
de vue là. Mais le seul moyen d'installer l'OS c'est via pxeboot (ou
via lecteur de carte, mais j'en ai pas pour les CF) donc un peu
repoussant, ayant suffisamment de choses à apprendre.</p>
<p>Rajouter une carte réseau, j'ai failli le faire, puis ça ne s'est pas
fait, j'avais pas envie de mettre les services sur le routeur et puis
c'est moins classe :p.</p>
<p>J'ai finalement opté pour l'alix, la voyant dans
<a href="https://www.youtube.com/watch?v=qYpLeqnp3ME">cette jolie rob^W boite rouge</a>
j'ai pas pu résister. Je l'ai donc commandée chez
<a href="http://www.gooze.eu/">gooze.eu</a> étant les moins chers et vu qu'ils
sont pro-libres. J'ai été satisfait, en tout cas. Le pxeboot n'avait
pas l'air si difficile (pour cause, c'est même très simple) et ça me
ferait découvrir la préhist^W^W des choses.</p>
<h2>Installation de l'OS sur l'Alix</h2>
<p>Alors j'ai suivi un tuto où la personne a utilisé une Ubuntu pour
faire le pxe (i.e. tftp, dhcp etc), je me suis donc dit que j'allais
le faire avec ma Debian ... grave erreur. J'ai galéré, j'ai essayé
diverses méthodes toutes aussi infructueuses les unes que les
autres. Je me suis résigné à utiliser mon serveur sous OpenBSD, ça a
marché du premier coup ... (aucun lien avec le fait que ce soit pour
installer OpenBSD, là c'est juste donner un bail dhcp et ensuite
fournir les fichiers en tftp).</p>
<p>Comment faire ? Tout est décrit dans la
<a href="http://openbsd.org/faq/fr/faq6.html#PXE">FAQ d'OpenBSD</a>, je ne vais
donc pas en parler plus que ça.</p>
<h2>Mise en place du réseau</h2>
<p>On a donc maintenant l'alix qui est sous OpenBSD. On prépare la conf
réseau pour préparer l'alix à s'occuper du PPP.</p>
<p>Dans /etc/hostname.pppoe0</p>
<div class="highlight"><pre><span></span>inet 0.0.0.0 255.255.255.255 NONE \
pppoedev vr0 authproto pap \
authname 'login' authkey 'password' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
</pre></div>
<p>(notez, que c'est donné dans le man de pppoe(4))</p>
<p>Dans /etc/hostname.vr0 on met juste <em>up</em>. Dans /etc/hostname.vr2,
l'interface vers mon lan</p>
<div class="highlight"><pre><span></span>inet 10.19.18.1 255.255.255.0
up
</pre></div>
<p>J'ai choisi de prendre des IPs dans les 10 (for the lulz, pas de
raisons particulières) et en
<a href="https://tools.ietf.org/html/rfc1918">19.18 pour faire un clin d'oeil</a>
à la <a href="https://en.wikipedia.org/wiki/Request_for_Comments">RFC</a> qui
définit
l'<a href="https://en.wikipedia.org/wiki/Private_network">adressage privé</a>.</p>
<p>Une fois que tout ceci est fait, on configure la box en bridge (je ne
sais plus où c'est mais y a "Setup my technicolor" et ça marche assez
bien). On branche vr0 sur le port 1 de la box et</p>
<div class="highlight"><pre><span></span>sh /etc/netstart
</pre></div>
<p>Perso la session PPP a marché du premier coup. Je m'y attendais
tellement pas que quand ça pingait pas dehors, j'ai cru que c'était le
problème alors que c'était mon firewall/NAT (oui, c'est pf (<3) qui
gère le NAT) qui posait problème ...</p>
<h2>Distribuons des IPs</h2>
<p>On modifie /etc/dhcpd.conf</p>
<div class="highlight"><pre><span></span><span class="nt">option</span> <span class="nt">domain-name</span> <span class="s2">"chown.me"</span><span class="o">;</span>
<span class="nt">option</span> <span class="nt">domain-name-servers</span> <span class="nt">10</span><span class="p">.</span><span class="nc">19</span><span class="p">.</span><span class="nc">18</span><span class="p">.</span><span class="nc">17</span><span class="o">,</span> <span class="nt">8</span><span class="p">.</span><span class="nc">8</span><span class="p">.</span><span class="nc">8</span><span class="p">.</span><span class="nc">8</span><span class="o">;</span>
<span class="nt">subnet</span> <span class="nt">10</span><span class="p">.</span><span class="nc">19</span><span class="p">.</span><span class="nc">18</span><span class="p">.</span><span class="nc">0</span> <span class="nt">netmask</span> <span class="nt">255</span><span class="p">.</span><span class="nc">255</span><span class="p">.</span><span class="nc">255</span><span class="p">.</span><span class="nc">0</span> <span class="p">{</span>
<span class="err">option</span> <span class="err">routers</span> <span class="err">10.19.18.1</span><span class="p">;</span>
<span class="err">range</span> <span class="err">10.19.18.201</span> <span class="err">10.19.18.221</span><span class="p">;</span>
<span class="err">host</span> <span class="err">pcfixe</span> <span class="err">{</span>
<span class="err">hardware</span> <span class="err">ethernet</span> <span class="err">00:</span><span class="n">aa</span><span class="p">:</span><span class="n">bb</span><span class="o">:</span><span class="n">cc</span><span class="o">:</span><span class="n">dd</span><span class="o">:</span><span class="n">ee</span><span class="p">;</span>
<span class="err">fixed-address</span> <span class="err">10.19.18.30</span><span class="p">;</span>
<span class="p">}</span>
<span class="err">}</span>
</pre></div>
<p>et dans /etc/rc.conf.local</p>
<div class="highlight"><pre><span></span>dhcpd_flags=""
</pre></div>
<p>On démarre le serveur</p>
<div class="highlight"><pre><span></span>/etc/rc.d/dhcpd start
</pre></div>
<h2>Mise en place du NAT et du firewall</h2>
<p>J'ai fait ce setup depuis 2 mois et demi maintenant ce qui fait que j'ai rajouté pas mal de choses dans mon pf.conf (de la QoS par exemple) et donc c'est éloigné du simple firewall avec NAT.</p>
<p>Cependant je vais juste vous donner les lignes pertinentes (par
rapport au sujet). C'est pas forcément utile pour quelqu'un qui veut
faire le même setup (mais dans ce cas, envoyez moi un mail, je vous
enverrais le tout) sachant que tout est expliqué dans la FAQ d'OpenBSD
(on dit que c'est la meilleure documentation d'OS qui existe :)) mais
c'est utile pour faire de la pub pour OpenBSD/pf :p.</p>
<p>La ligne pour le NAT</p>
<div class="highlight"><pre><span></span>match out on $ext_if inet from $lan_net nat-to $ip_publique
</pre></div>
<p>Ensuite pour le firewall</p>
<div class="highlight"><pre><span></span>block all
pass in on $int_if from $lan_net
pass out on $int_if to $lan_net
pass out on $ext_if
</pre></div>
<p>Pour les redirections de port</p>
<div class="highlight"><pre><span></span>pass in on $ext_if proto tcp to $ext_if port $redirection_port rdr-to $server
pass in on $ext_if proto udp to $ext_if port domain rdr-to $server
</pre></div>
<p>Voilà en gros.</p>
<p>Notez que c'est une version très épurée, mon pf.conf contient beaucoup
plus de lignes, ici c'est juste un aperçu.</p>
<h2>Pour finir</h2>
<p>On n'oublie pas de passer</p>
<div class="highlight"><pre><span></span>net.inet.ip.redirect=0
</pre></div>
<p>à 1 (dans /etc/sysctl.conf pour que ça reste au reboot et via la
commande <code>sysctl net.inet.ip.redirect=1</code>)</p>
<h2>Bilan</h2>
<p>Je suis satisfait de mon setup même si j'ai quelques problèmes :</p>
<ul>
<li>la QoS : le téléphone quand transmission et mon client bitcoin
tourne, ça micro-coupe :/</li>
<li>ipv6 : OVH fournit de l'ipv6, là j'ai pas encore pris le temps pour
le faire tomber en marche</li>
</ul>
<p>Mis à part ça, c'est sympa d'avoir juste à se connecter en ssh et à
éditer un fichier texte pour modifier le firewall, faire des
translations de ports etc.</p>
<div class="highlight"><pre><span></span>alice:~$ uptime
10:23PM up 32 days, 3:55, 2 users, load averages: 0.19, 0.16, 0.16
</pre></div>
<h3>Et le titre de cet article alors ?</h3>
<p>C'est un jeu de mot qui fait évidemment référence à <em>Alice in Wonderland</em>, vu que ma machine s'appelle <em>alice</em> et qu'elle est dans mon <a href="https://en.wikipedia.org/wiki/Local_area_network">LAN</a>.</p>How to use a yubikey on OpenBSD2013-06-29T10:20:00-04:002013-06-29T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-06-29:/blog/yubikey.html<p>How to use a yubikey on OpenBSD</p><h2>What is a yubikey</h2>
<p>A yubikey is a cryptography token. It works by emitting a one time password (OTP). For more informations, you can look on <a href="http://www.yubico.com/about/intro/yubikey/">their site</a>.</p>
<p>My goal is to connect with ssh to my server without trusting the computer I'm on. So it's not possible to have a keypair neither to be sure there isn't any keylogger. This can be accomplished with the OTP as it's valid only once. If one try to use an OTP already use, the authentication system won't accept it making keyloggers useless.</p>
<h2>Setting it up on OpenBSD</h2>
<p>Sometimes, before I get into system administration, I think "oww I will have a hard time to make it working on OpenBSD" et most of the time, I'm wrong and it's really simple (that's one of the reason I love this OS). </p>
<p>For each step, I write what I remember (I may forget things) but <strong>read the man pages</strong> of the different software/config file which are needed in this how to, you'll certainly learn things which are usefull.</p>
<h2>Installation</h2>
<p>In fact, everything is already present in the system.</p>
<h3>Be carefull</h3>
<p>The software present on OpenBSD only enable to verify that the OTP comes from the right yubikey and that's valid (i.e. that it wasn't already used) but it won't communicate with any server. If you apply the setup the same thing on anoter server, ince they don't communicate with each other (this might possible, but as I didn't need it, I didn't look for it) you can use an OTP that was already used on another server, it won't be able to know it.</p>
<h3>Tell the system which key you use</h3>
<p>You need to indicate the informations about your key : in the <em>Yubikey Personalization Tool</em>, you need to look for <em>Private identity</em> and <em>Secret key</em> fields that you put in <code>/var/db/yubikey/user.uid</code> and <code>/var/db/yubikey/user.key</code> (with the name of <strong>your</strong> user, of course). Next we verify that the file is owned by root:auth.</p>
<h3>Choosing for the login you want</h3>
<p>Everything related to the configuration of the login is in <code>/etc/login.conf</code>. I've modified/added the following lines.</p>
<div class="highlight"><pre><span></span>auth-defaults:auth=passwd,yubikey:
auth-ssh-defaults:auth-ssh=yubikey:
auth-su-defaults:auth-su=yubikey,passwd:
auth-sudo-defaults:auth-sudo=passwd,yubikey:
</pre></div>
<p>The first line is the different way to be authenticated by default. By default it's by password, but we can use the yubikey. For SSH it's only via yubikey. For <em>su</em> and <em>sudo</em>, it's with either the password or the yubikey (the default here is the yubikey for <code>su</code> and the password for <code>sudo</code>, you use the second way with the <code>-a passwd</code> or <code>-a yubikey</code>.</p>
<p>Then you just need to add theses to auth classes. For instance in the default classe I added the following:</p>
<div class="highlight"><pre><span></span>:tc=auth-defaults:\
:tc=auth-ftp-defaults:\
:tc=auth-su-defaults:\
:tc=auth-ssh-defaults:\
:tc=auth-sudo-defaults:
</pre></div>
<h2>Conclusion</h2>
<p>Now you should be able to log in your OpenBSD system with your yubikey.</p>
<p>In <em>/var/log/authlog</em> you should see:</p>
<div class="highlight"><pre><span></span>Jun 28 12:38:41 manoir yubikey: user monuser: counter 300.0 > 299.0
Jun 28 12:38:41 manoir yubikey: user monuser: authorize
Jun 28 12:38:41 manoir sshd[1405]: Accepted password for monuser from ip.src.v.4 port 34567 ssh2
</pre></div>
<p>We can see the counter being incremented so the OTV is valid only once. If you try to use a OTP already used, you will see:</p>
<div class="highlight"><pre><span></span>Jun 29 20:28:21 manoir yubikey: user monuser: counter 306.0 <= 306.0 (REPLAY ATTACK!)
Jun 29 20:28:21 manoir yubikey: user monuser: reject
Jun 29 20:28:21 manoir sshd[640]: Failed password for monuser from 10.19.18.1 port 55526 ssh2
</pre></div>
<p>So you can connect from any computer without giving it your password \o/</p>Faisabilité de l'auto-hébergement2013-06-28T10:20:00-04:002013-06-28T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-06-28:/blog/auto-herbergement.html<p>J'entends souvent des gens qui disent que l'autohébergement est compliqué, voire impossible, voici ma réponse.</p><p>J'ai lu plusieurs fois "ouais l'auto-hébergement ça ne marche pas" suivi de tout un tas d'arguments fallacieux. C'est (entre autre) l'envie de pouvoir répondre à ces arguments qui m'a motivé à monter mon blog. Manque de bol, entre temps j'ai perdu les dits-arguments, donc je vais tenter d'y répondre, je compléterai plus tard si besoin.</p>
<h2>Les compétences techniques</h2>
<p>Oui, pour s'auto-héberger il faut des compétences techniques en adminsys et autre. Je trouve ça marrant mais je sais que ce n'est pas le cas de tout le monde. Cet article s'adressant plus aux gens qui conseillent de s'héberger sur un serveur dédié, je ne vais pas passer plus de temps à convaincre les gens que l'informatique <em>c'esttropgénial</em>. </p>
<p>Pour ceux qui veulent apprendre, c'est possible, j'en suis la preuve (rien que ça :p). Il y a multitude de ressources, aussi bien des sites qui proposent des tutoriels que des gens prêts à vous aider. Les assos de la <a href="http://www.ffdn.org/">FFDN</a> sont aussi là pour vous aider à vous auto-héberger. </p>
<p>En pratique, les gens de <a href="http://www.franciliens.net">franciliens.net</a> ont toujours répondu à mes questions. J'ai aussi envoyé des mails pour la configuration de mon <a href="https://en.wikipedia.org/wiki/Message_transfer_agent">MTA</a> à quelqu'un (je ne dirais pas qui pour que vous ne puissiez pas le submerger de demande (:p), ce n'est pas un manque de reconnaissance, au contraire) et à chaque fois j'avais ma réponse en moins de deux heures.
Bref il y a tout un tas de ressources pour apprendre, alors ne dites pas qu'il n'y a rien, mais plutôt que vous ne voulez pas apprendre.</p>
<h2>La bande passante</h2>
<p>Ça c'est un argument qui revient souvent. Certes, je connais la signification du "A" de <a href="https://en.wikipedia.org/wiki/Asymmetric_digital_subscriber_line">ADSL</a> mais je ne pense pas que ce soit une limite même si c'est déplorable. Les services que je pense être les services les plus importants à auto-héberger sont les mails et si besoin jabber. Ce sont deux services qui ne consomment que très peu de bande passante (je parle d'auto-hébergement pour une personne ou une famille hein, après c'est de nouveau de la centralisation de services). </p>
<p>Dans le cas d'un blog, c'est quand même possible de l'auto-héberger. C'est sûr que si vous commencez à avoir autant de visiteurs que <a href="http://seteici.ondule.fr/">Jujusete</a> (:p) ça peut devenir compliqué. Cependant ça reste une exception et je ne pense pas que le <em>netizen</em> (terme issu du mélange de Citizen, citoyen, et Internet fait par RSF, si je ne dis pas de bêtises) moyen soit concerné par cette problématique. Quand bien même, il le serait, il peut quand même auto-héberger ses mails et son jabber.</p>
<h2>Disponibilité</h2>
<p>Je sais que l'adsl n'est pas super fiable, pas de SLA toussa, cependant ce n'est pas un argument. Si vous êtes dans un FAI de la FFDN, il y a de forte chance qu'il vous propose de vous servir de NS et de MX secondaire. Si jamais ce n'est pas le cas, je suis sûr que vous pouvez facilement trouver quelqu'un qui accepte de vous servir de NS et MX secondaire et inversement (je veux dire que vous deveniez à votre tour son NS et MX secondaire) (ce à quoi les trolls répondront "tu lis mon courrier et je lis le tien" :p).
Même sans MX secondaire les MTA retentent d'envoyer les mails pendant une assez grande durée (i.e. plusieurs jours de mémoire).</p>
<p>Pour le blog, est ce que vous pensez vraiment que c'est grave si votre blog n'est pas accessible pendant quelques heures ? Je ne pense pas.</p>
<h2>Impossibilité(s) technique(s) dûe(s) au FAI, genre blocage du port 25</h2>
<p>Mauvais FAI, changer FAI.
Pour ceux qui ne peuvent pas, VPN. Next.</p>
<h2>C'est cher</h2>
<h3>Petite estimation des coûts</h3>
<p>Alors pour s'auto-héberger, il faut un serveur. Un <a href="http://www.raspberrypi.org/faqs">raspberry pi</a> peut suffire, ça coute (FdP inclus) entre 40 et 50 euros mais ça ne sera pas forcément assez puissant pour tout le monde. Personnellement j'ai payé 250 euros <a href="pages/Machines.html">mon serveur</a> chez moi (tout inclus, ram, HDD, carte mère, cpu etc...).</p>
<p>Il faut de l'électricité, via <a href="http://wiki.tetaneutral.net/index.php/Mod%C3%A8le_%C3%A9conomique#Electricit.C3.A9">un savant calcul</a> 1 watt en continu sur une année, ça coute 1 euros. Mon serveur consomme une vingtaine de watt, un raspberry pi en consomme 5.</p>
<p>Il faut de la bande passante, mais je <strong>ne pense pas</strong> que vous preniez votre ligne adsl juste pour l'auto-hébergement, donc je ne le compte pas dedans.</p>
<p>De l'autre côté soit vous utilisez gmail ou autre et dans ce cas vous ne payez rien en euros mais vous n'avez plus de vie privée, soit vous avez un serveur dédié/vps ou autre et dans ce cas, sur le long terme je pense que l'auto-hébergement est moins cher.</p>
<h2>Conclusion</h2>
<p>D'autre part je mets ça en conclusion même si ça n'a pas vraiment sa place, à écouter les gens c'est soit j'utilise gmail, soit je m'auto-héberge. Et bien non. On peut très bien utiliser des services <strong>fiables</strong> fournis par des gens sérieux, pour héberger ses mails. Par exemple, riseup, toile-libre, etc ... il y en a plein.</p>
<p>Je vous ai présenté ma réponse aux arguments, si vous n'êtes pas d'accord, <a href="pages/Contact.html">envoyez moi un mail, parlez moi sur irc ou n'importe</a>, je vous répondrais. ;)</p>Ouverture du blog2013-06-15T10:20:00-04:002013-06-15T10:20:00-04:00Vigdistag:oldblog.chown.me,2013-06-15:/blog/blog.html<p>Voilà, dans la suite de mon travail sur l'autohébergement, je me fais un blog.</p><p>Voilà, dans la suite de mon travail sur l'autohébergement, je me fais un blog. Après l'hébergment de mon serveur xmpp, de mes mails (bien qu'une partie soit encore sous gmail et sous riseup :( ), c'est au tour du blog. Le blog est statique (généré par Pelican, comme le dit le footer) avec le thème "dev-random" que j'ai découvert (même s'il l'a modifié) sur <a href="http://dustri.org/b/">le blog de jvoisin</a> (l'auteur de <a href="https://mat.boum.org">MAT</a> que je vous invite à découvrir si vous ne le connaissez pas (mat, pas jvoisin :p)). Les pages statiques sont servies par nginx et mon serveur sous OpenBSD.</p>