MidnightBSD Developer Journal

We just added the F-PROT antivirus comamnd line scanner for BSD systems to mports under security/f-prot.

I recently setup a new system with the FreeBSD 9 32bit scanner. I was able to get it to work on a modern 64bitsystem with a few caveats.

As it's an old school FreeBSD package and not using the modern pkg, I extracted it at / and then removed the "+INSTALL, +DESC" and other + files from /.

First, the binary requires libintl.so and libiconv.so which are external dependencies not included with the compat32 system in FreeBSD. Normally one would install some packages to get those. gettext-runtime and libiconv i think. It would be nice if the binary was either static linked or at least mentioned these need to be installed. You can get packages from a 32bit version of freebsd 10.x or MidnightBSD 1.2.x for these and install them and it will just work.

Second, since I was trying to run on a 64bit system, I had to install compat9x, compat8x and manually copy the above mentioned libraries into /usr/local/lib32/compat/ and then update the runtime path. I set the following in /etc/rc.conf to get it to run easier

ldconfig32_paths="$ldconfig32_paths /usr/local/lib32/compat /usr/local/lib"

ldconfig_local32_dirs="$ldconfig_local32_dirs /usr/local/libdata/ldconfig"

Then I ran /etc/rc.d/ldconfig restart

I found that I had to make two directories that are included in the +INSTALL script including one for license files and one for logging. You'll see errors when running the tools that tell you what to make if you forget.

I was then able to import the license file and startup the daemon using the rc.d script and then perform a manual scan.

It would be really nice of the binary was static linked and also if a 64bit version could be created.

I technically did this on a MidnightBSD 1.2 amd64 system, but it would also work on FreeBSD 10.x or 11.x.

Folks have been asking me about webcams lately. I've previously gotten an integrated cam on my thinkpad working, but decided to try to get my logitech 920 usb camera working on my desktop.

I've installed the following packages:

webcamd, cuse4bsd, pwcview (new port), v4l-utils (new port), v4l_compat

I then did

kldload cuse4bsd

also added it to /boot/loader.conf

Then I did

webcamd scan

I found the camera line and copied the -N line for it into /etc/rc.conf as
webcamd_o_flags="-N ... "
webcamd_enable="YES"

I added my user to webcamd group.

I then started webcamd. I was able to load pwcview (as root) and see the picture from the camera at this point. Cheese is not seeing the camera though and neither is firefox with youtube.

It's now possible to install 2.0-CURRENT from a 1.2.7 machine with some caveats.

This is only tested on amd64 so far.

before installworld, setenv MK_TESTS no (or put this in /etc/src.conf)
lib/libcasper won't install without this.

mergemaster is broken AFTER installworld. Do mergemaster -p before at least

makewhatis is broken. Comment out lines using it in src/share/man/Makefile when running installworld, then build makewhatis with new compiler, then uncomment and run make install from src/share/man directory to workaround this. (it segfaults)

sendmail is not binding after updating. Unclear what is going on so far.

Current was recently renamed 2.0 (rather than 1.3) in case we need to do a security upate past 1.2.9. It also made sense as 2.0 is a major update.

There aren't any snaps yet for current. In fact, it's not building at the moment. We're actively working on it. Buildworld on an amd64 box gets into lib32 compat libraries at this point.

The go port has been updated in mports to 1.14.3. (lang/go) This should allow newer go apps to be built.

We've finally got a native rust port (lang/rust) with 1.2.6.x version of rust. The blocker to updating further is a newer system compiler. We will attempt to updatee to 1.3.0 or so.

There was a security issue in dhclient. We've created new ISOs for 1.2.8 for those installing from scratch.

If you are on 1.2.7, you can simply update the source from git for stable/1.2 branch and rebuild dhclient.

MidnightBSD 1.2.7 is available via the FTP/HTTP and mirrors as well as github.

It includes several bug fixes and security updates over the last ISO release and is recommended for new installations.

Users who don't want to updatee the whole OS, should consider at least updating libmport as there are many package management fixes

ntp 4.2.8p15 is now in mports and addresses a security issue. https://t.co/3n4tIOxbUK note: this doesn't affect the base system as we use OpenNTPD

MidnightBSD 1.2.3 tag created in git. It only includes updates for 2 third party apps/libs:

unbound

sqlite3

Both include security updates.

NOTE: packages built against sqlite3 may be affected. Report issues. it's possibly a breaking change in 1.2.x

You do not need to rebuild everything to update to this release.

Run make clean; make; make install in these directories:

src/lib/libsqlite3

src/usr.bin/sqlite3

src/lib/libunbound

src/usr.sbin/unbound

If you don't use the local unbound caching resolver then sqlite3 is the only immediate need.

If you're interested in helping the project, here's a list of ideas http://wiki.midnightbsd.org/display/MD/Ways+to+Contribute We need translators, website design, documentation, porting apps, etc.

We just discovered a bug with the ca_root_nss port and mport package manager. It seems that the symlink isn't generated correctly in /usr/local/openssl Manual fix for now is cd /usr/local/openssl && ln -s /usr/local/share/certs/ca-root-nss.crt cert.pem This fixes lynx

Bug reporting change: We've migrated from bugzilla to Atlassian Jira. URL hasn't changed. Note: we decided not to migrate old bugs. Most were closed or for very old releases. https://bugreport.midnightbsd.org

Please report issues using the new jira to us. File OS bugs in MidnightBSD project (MNBSD), website bugs in WWW project and mports issues in the mports project.

MidnightBSD includes mDNSresponder in base. You can configure your local machine to access resources on your local network. This can be useful to ssh into Apple Mac systems, etc. This is sometimes called Bonjour.

To see other systems with mdns enabled on your network

Edit /etc/nsswitch.conf and add
mdns
to hosts line. It should read
hosts: files mdns dns

add mdnsd_enable="YES" to /etc/rc.conf

start mdnsd with service mdnsd start

To advertise services on your local machine

Add mdnsresponder_enable="YES" to /etc/rc.conf

create a new file called /etc/mdnsresponder.conf in /etc/

file contents:

#
# Example services file parsed by mDNSResponderPosix.
#
# Lines beginning with '#' are comments/ignored.
# Blank lines indicate the end of a service record specification.
# The first character of the service name can be a '#' if you escape it with
# backslash to distinguish if from a comment line.
# ie, "\#serviceName" will be registered as "#serviceName".
# Note that any line beginning with white space is considered a blank line.
#
# The record format is:
#
# 
# . 
# 
# 
#
# 
#
# Examples shown below.
#

#serviceName1
#_afpovertcp._tcp.
#548
#name=val1

SSH
_ssh._tcp.
22

#FTP
#_ftp._tcp.
#21

#HTTP
#_http._tcp.
#80

samba
_smb._tcp
445

adisk
_adisk._tcp
0
dk1=adVN=TimeMachine
adVF=0x82

deviceinfo
_device-info._tcp
0

model=Xserve

Enabling two factor authentication on MidnightBSD for SSH.

Recently, we added a security/duo port in mports.

When setting up two factor authentication, we recommend using the login duo setup. It's much easier to get going and we noticed some segfaults with the duo pam module.

Steps:

Setup a Duo account

Install the security/duo port. If you only want to use SSHD, you can avoid the SUID port option. However, for testing it can be helpful

Obtain the appropriate API host, skey and ikey and add them to the /usr/local/etc/login_duo.conf file.

Fix the permissions on the login_duo.conf file so that they are 600 and owned by sshd if you are only using with SSHD. if you did choose SUID option in the mport, then own by root.

In the /etc/ssh/sshd_config, you will need to add a line with ForceCommand /usr/local/sbin/login_duo

If you wish to protect all logins, you can leave ForceCommand line global. However, you can also choose to only protect certain users or groups. For instance, if you want to protect the wheel group for admins

Match group wheel 
    ForceCommand /usr/local/sbin/login_duo

Duo also has instructions on setting up on FreeBSD and this works with MidnightBSD as well.

Login Duohttps://duo.com/docs/loginduo

PAMhttps://duo.com/docs/duounix

Using it

When logging into ssh the first time, you'll get an activation link that you'll want to load in a browser. It will walk you through configuring your phone. You'll probably want the duo app installed so you can do push notifications.

After that, you'll see a menu asking if you want a push as you attempt to ssh into a box.

By default, /etc/resolv.conf is updated when DHCP is enabled for an interface. This is useful for WiFi or laptops where you frequently change networks. However, it can be problematic sometimes when different DNS servers are required.

For static IP addresses, this is not modified automatically.

Preventing Automatic Config Changes

Methods to try:

Use a static IP address

Make /etc/resolv.conf immutable

Override the dhclient configuration

Turn off resolvconf

Static IP

Simply edit your /etc/rc.conf and replace DHCP in your ifconfig line with a static IP configuration

Immutable resolv.conf

chflags schg /etc/resolv.conf

Override the dhclient config

place the following in /etc/dhclient.conf, but change the name of the interface as appropriate. This example uses OpenDNS with an Intel Gigabit NIC.

interface "em0" {

supersede domain-name-servers 208.67.222.222,208.67.220.220;

}

You will need to restart the dhclient for changes to take effect.

service dhclient restart em0

Disable resolvconf(8)

Create a file

/etc/resolvconf.conf

Place this in the file

resolv_conf="/dev/null"

resolvconf="NO"

We now have a new wiki for MidnightBSD athttp://wiki.midnightbsd.org/

We finally fixed a number of issues with the package build and i386 packages were refreshed.

New development is progressing on 1.3-CURRENT. it's recommended that users avoid it and stick with stable branches for now.