Tue, 29 Sep 2020

11:01 AM - ESET file server antivirus scanner on MidnightBSD

I recently set up a new system with the FreeBSD 9 32-bit scanner.  I was able to get it to work on a modern 64-bit system with a few caveats.

As it's an old school FreeBSD package and not using the modern pkg, I extracted it at / and then removed the "+INSTALL, +DESC" and other + files from /. 

First, the binary requires libintl.so and libiconv.so, which are external dependencies not included with the compat32 system in FreeBSD. Normally one would install some packages to get those: gettext-runtime and libiconv, I think.  It would be nice if the binary was either statically linked or at least mentioned that these need to be installed.  You can get packages from a 32-bit version of FreeBSD 10.x or MidnightBSD 1.2.x for these and install them and it will just work.

Second, since I was trying to run on a 64-bit system, I had to install compat9x and compat8x, manually copy the above-mentioned libraries into /usr/local/lib32/compat/, and then update the runtime path.  I set the following in /etc/rc.conf to get it to run more easily:

ldconfig32_paths="$ldconfig32_paths /usr/local/lib32/compat /usr/local/lib"

ldconfig_local32_dirs="$ldconfig_local32_dirs /usr/local/libdata/ldconfig"

Then I ran /etc/rc.d/ldconfig restart 

I found that I had to make two directories that are included in the +INSTALL script including one for license files and one for logging.  You'll see errors when running the tools that tell you what to make if you forget.  

I was then able to import the license file and startup the daemon using the rc.d script and then perform a manual scan.  

It would be really nice if the binary was statically linked and also if a 64-bit version could be created.

I technically did this on a MidnightBSD 1.2 amd64 system, but it would also work on FreeBSD 10.x or 11.x.


Sun, 13 Sep 2020

4:44 PM - webcam on MidnightBSD

Folks have been asking me about webcams lately.  I've previously gotten an integrated cam on my ThinkPad working, but decided to try to get my Logitech 920 USB camera working on my desktop.

I've installed the following packages:

webcamd, cuse4bsd, pwcview (new port), v4l-utils (new port), v4l_compat

I then did 

kldload cuse4bsd 

also added it to /boot/loader.conf

Then I did 

webcamd scan

I found the camera line and copied the -N  line for it into /etc/rc.conf as 
webcamd_o_flags="-N ... " 
webcamd_enable="YES"

I added my user to webcamd group. 

I then started webcamd.  I was able to load pwcview (as root) and see the picture from the camera at this point. Cheese is not seeing the camera though, and neither is Firefox with YouTube.


Thu, 10 Sep 2020

11:03 AM - 2.0-CURRENT update

It's now possible to install 2.0-CURRENT from a 1.2.7 machine with some caveats. 

This is only tested on amd64 so far. 

Before installworld, run setenv MK_TESTS no (or put this in /etc/src.conf).
lib/libcasper won't install without this.

mergemaster is broken AFTER installworld.  Do mergemaster -p before, at least.

makewhatis is broken (it segfaults).  To work around this, comment out the lines using it in src/share/man/Makefile when running installworld, then build makewhatis with the new compiler, then uncomment them and run make install from the src/share/man directory.

sendmail is not binding after updating.  Unclear what is going on so far.


Tue, 8 Sep 2020

10:15 AM - Current

Current was recently renamed 2.0 (rather than 1.3) in case we need to do a security update past 1.2.9.  It also made sense as 2.0 is a major update.

There aren't any snaps yet for current.  In fact, it's not building at the moment. We're actively working on it.  Buildworld on an amd64 box gets into lib32 compat libraries at this point.


10:14 AM - Golang

The go port has been updated in mports to 1.14.3.  (lang/go)  This should allow newer go apps to be built.


10:13 AM - Rust

We've finally got a native Rust port (lang/rust) with 1.2.6.x version of Rust.  The blocker to updating further is a newer system compiler. We will attempt to update to 1.3.0 or so.


10:11 AM - MidnightBSD 1.2.8

There was a security issue in dhclient. We've created new ISOs for 1.2.8 for those installing from scratch.  

If you are on 1.2.7, you can simply update the source from git for stable/1.2 branch and rebuild dhclient.


Tue, 25 Aug 2020

1:23 PM - MidnightBSD 1.2.7

MidnightBSD 1.2.7 is available via the FTP/HTTP and mirrors as well as github.  

It includes several bug fixes and security updates over the last ISO release and is recommended for new installations.  

Users who don't want to update the whole OS should consider at least updating libmport, as there are many package management fixes.


Mon, 3 Aug 2020

Thu, 9 Jul 2020

12:39 AM - MidnightBSD 1.2.3

MidnightBSD 1.2.3 tag created in git. It only includes updates for 2 third party apps/libs:

unbound

sqlite3

Both include security updates.

NOTE: packages built against sqlite3 may be affected. Report issues. It's possibly a breaking change in 1.2.x.

You do not need to rebuild everything to update to this release.

Run make clean; make; make install in these directories:

src/lib/libsqlite3

src/usr.bin/sqlite3

src/lib/libunbound

src/usr.sbin/unbound

If you don't use the local unbound caching resolver then sqlite3 is the only immediate need.


Fri, 3 Jul 2020

4:26 PM - mport bug

We just discovered a bug with the ca_root_nss port and mport package manager. It seems that the symlink isn't generated correctly in /usr/local/openssl. Manual fix for now is:

cd /usr/local/openssl && ln -s /usr/local/share/certs/ca-root-nss.crt cert.pem

This fixes lynx.


4:25 PM - Migrating from bugzilla to jira

Bug reporting change: We've migrated from bugzilla to Atlassian Jira. URL hasn't changed. Note: we decided not to migrate old bugs. Most were closed or for very old releases. https://bugreport.midnightbsd.org

Please report issues to us using the new Jira. File OS bugs in the MidnightBSD project (MNBSD), website bugs in the WWW project and mports issues in the mports project.


4:24 PM - Setup multicast dns on midnightbsd using mDNSresponder

MidnightBSD includes mDNSresponder in base. You can configure your local machine to access resources on your local network.  This can be useful to ssh into Apple Mac systems, etc.  This is sometimes called Bonjour.

To see other systems with mdns enabled on your network

Edit /etc/nsswitch.conf and add 
mdns
to hosts line.  It should read
hosts: files mdns dns

Add mdnsd_enable="YES" to /etc/rc.conf

Start mdnsd with service mdnsd start

To advertise services on your local machine

Add mdnsresponder_enable="YES" to /etc/rc.conf

Create a new file called /etc/mdnsresponder.conf

File contents:

#
# Example services file parsed by mDNSResponderPosix.
#
# Lines beginning with '#' are comments/ignored.
# Blank lines indicate the end of a service record specification.
# The first character of the service name can be a '#' if you escape it with
# backslash to distinguish if from a comment line.
# ie, "\#serviceName" will be registered as "#serviceName".
# Note that any line beginning with white space is considered a blank line.
#
# The record format is:
#
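# <service name>
# <type>.<protocol> <optional domain>
# <port number>
# <zero or more strings for the text record, one string per line>
#
# <One or more blank lines between records>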
#
# Examples shown below.
#

#serviceName1
#_afpovertcp._tcp.
#548
#name=val1

SSH
_ssh._tcp.
22

#FTP
#_ftp._tcp.
#21

#HTTP
#_http._tcp.
#80

samba
_smb._tcp
445

adisk
_adisk._tcp
0
dk1=adVN=TimeMachine
adVF=0x82

deviceinfo
_device-info._tcp
0
model=Xserve
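
A small linter for a services file in this format, added here as an example (it is not part of the original post or of mDNSResponder). It applies the rules stated in the file's header comments and flags, for instance, a text-record string cut off from its record by a stray blank line; the function name check_mdns_services is made up for this example.

```sh
#!/bin/sh
# Added example: lint a services file written in the record format
# described in the header comments of /etc/mdnsresponder.conf.
# check_mdns_services FILE prints one line per record or problem and
# returns non-zero if any record is malformed.
check_mdns_services() {
    awk '
    function finish() {            # close the record being collected, if any
        if (n > 0 && n < 3) {
            printf "ERROR line %d: record \"%s\" is incomplete\n", start, name
            bad = 1
        } else if (n >= 3 && ok) {
            printf "OK %s %s port %s txt=%d\n", name, type, port, n - 3
        }
        n = 0
    }
    /^#/ { next }                          # comment line
    /^[ \t]/ || /^$/ { finish(); next }    # blank line ends a record
    {
        sub(/[ \t\r]+$/, "")               # drop trailing whitespace
        n++
        if (n == 1) {              # line 1: service name ("\#x" means "#x")
            name = $0; sub(/^\\#/, "#", name); start = NR; ok = 1
        } else if (n == 2) {       # line 2: _service._tcp or _service._udp
            type = $1
            if (type !~ /^_[A-Za-z0-9-]+\._(tcp|udp)\.?$/) {
                printf "ERROR line %d: bad service type \"%s\"\n", NR, type
                ok = 0; bad = 1
            }
        } else if (n == 3) {       # line 3: port number, 0-65535
            port = $0
            if (port !~ /^[0-9]+$/ || port + 0 > 65535) {
                printf "ERROR line %d: bad port \"%s\"\n", NR, port
                ok = 0; bad = 1
            }
        }                          # lines 4 and up: TXT record strings
    }
    END { finish(); exit bad }
    ' "$1"
}
```

Run it as check_mdns_services /etc/mdnsresponder.conf before restarting the responder; the OK lines double as a list of what the machine will advertise on the local network.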


4:23 PM - Enable Duo 2FA for SSH on MidnightBSD

Enabling two factor authentication on MidnightBSD for SSH. 

Recently, we added a security/duo port in mports. 

When setting up two factor authentication, we recommend using the login duo setup. It's much easier to get going and we noticed some segfaults with the duo pam module. 

Steps:

Set up a Duo account

Install the security/duo port.  If you only want to use SSHD, you can avoid the SUID port option.  However, for testing it can be helpful.

Obtain the appropriate API host, skey and ikey and add them to the /usr/local/etc/login_duo.conf file.

Fix the permissions on the login_duo.conf file so that they are 600 and owned by sshd if you are only using it with SSHD. If you did choose the SUID option in the mport, then make it owned by root.

In the /etc/ssh/sshd_config, you will need to add a line with ForceCommand /usr/local/sbin/login_duo

If you wish to protect all logins, you can leave the ForceCommand line global. However, you can also choose to only protect certain users or groups. For instance, if you want to protect the wheel group for admins:

Match group wheel 
        ForceCommand  /usr/local/sbin/login_duo

Duo also has instructions on setting up on FreeBSD and this works with MidnightBSD as well. 

Login Duo https://duo.com/docs/loginduo

PAM https://duo.com/docs/duounix

Using it

When logging into ssh the first time, you'll get an activation link that you'll want to load in a browser. It will walk you through configuring your phone.  You'll probably want the duo app installed so you can do push notifications. 

After that, you'll see a menu asking if you want a push as you attempt to ssh into a box.
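
The setup steps above as an audit script, added as an example (not from the original post or from Duo). The function name audit_login_duo and its arguments are assumptions of this example, and the forwarding warning follows the login_duo documentation linked above rather than the post.

```sh
#!/bin/sh
# Added example: audit_login_duo CONF SSHD_CONFIG OWNER
# Returns non-zero if a required step is missing. OWNER is sshd for an
# SSHD-only install, or root if the SUID port option was chosen.
audit_login_duo() {
    conf=$1; sshd=$2; owner=$3; rc=0
    # The file holds the integration secret (skey): exactly mode 600.
    if [ -z "$(find "$conf" -prune -perm 600 2>/dev/null)" ]; then
        echo "FAIL: $conf is not mode 600"; rc=1
    fi
    if [ -z "$(find "$conf" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "FAIL: $conf is not owned by $owner"; rc=1
    fi
    # The API host, skey and ikey must all be filled in.
    for key in ikey skey host; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" \
            "$conf" 2>/dev/null ||
            { echo "FAIL: ${key} is not set in $conf"; rc=1; }
    done
    # Report where ForceCommand applies: globally or inside a Match block.
    awk 'BEGIN { scope = "all logins (global)" }
         tolower($1) == "match" { $1 = ""; scope = "Match" $0 }
         tolower($1) == "forcecommand" && $2 == "/usr/local/sbin/login_duo" {
             print "OK: login_duo enforced for " scope; found = 1 }
         END { exit !found }' "$sshd" ||
        { echo "FAIL: no ForceCommand /usr/local/sbin/login_duo in $sshd"; rc=1; }
    # ForceCommand only wraps sessions; warn if forwarding is left enabled.
    for opt in AllowTcpForwarding PermitTunnel; do
        grep -Eiq "^[[:space:]]*${opt}[[:space:]]+no([[:space:]]|\$)" "$sshd" ||
            echo "WARN: ${opt} is not set to no in $sshd"
    done
    return $rc
}
```

On the system from the post the call would be audit_login_duo /usr/local/etc/login_duo.conf /etc/ssh/sshd_config sshd, run as root so the configuration file is readable.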


4:22 PM - Overriding DNS server changes when dhcp is enabled.

By default, /etc/resolv.conf is updated when DHCP is enabled for an interface.  This is useful for WiFi or laptops where you frequently change networks. However, it can be problematic sometimes when different DNS servers are required. 

For static IP addresses, this is not modified automatically. 

Preventing Automatic Config Changes

Methods to try:

Use a static IP address

Make /etc/resolv.conf immutable

Override the dhclient configuration

Turn off resolvconf

Static IP

Simply edit your /etc/rc.conf and replace DHCP in your ifconfig line with a static IP configuration

Immutable resolv.conf

chflags schg /etc/resolv.conf

Override the dhclient config

Place the following in /etc/dhclient.conf, but change the name of the interface as appropriate.  This example uses OpenDNS with an Intel Gigabit NIC.

interface "em0" {

    supersede domain-name-servers 208.67.222.222,208.67.220.220;

}

You will need to restart the dhclient for changes to take effect. 

service dhclient restart em0

Disable resolvconf(8)

Create a file 

/etc/resolvconf.conf

Place this in the file

resolv_conf="/dev/null"

resolvconf="NO"
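
To confirm that the dhclient override is actually in effect after a lease renewal, this added example (not from the original post) compares the nameserver lines in resolv.conf against the supersede list in dhclient.conf. The function name check_resolver_pin is made up here, and both file paths are passed as arguments.

```sh
#!/bin/sh
# Added example: check_resolver_pin DHCLIENT_CONF RESOLV_CONF
# Returns 0 if every nameserver in RESOLV_CONF is on the superseded list,
# 1 if a DHCP-supplied or otherwise unexpected resolver is present,
# 2 if DHCLIENT_CONF has no supersede statement at all.
check_resolver_pin() {
    # Collect the superseded servers, one address per line.
    pinned=$(awk '
        $1 == "supersede" && $2 == "domain-name-servers" {
            $1 = $2 = ""; gsub(/[; \t]/, ""); gsub(/,/, "\n"); print
        }' "$1")
    if [ -z "$pinned" ]; then
        echo "FAIL: no supersede domain-name-servers in $1"
        return 2
    fi
    rc=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$2"); do
        if printf '%s\n' "$pinned" | grep -qxF "$ns"; then
            echo "OK: $ns"
        else
            echo "DRIFT: $ns in $2 is not in the superseded list"
            rc=1
        fi
    done
    return $rc
}
```

With the files from this post the call is check_resolver_pin /etc/dhclient.conf /etc/resolv.conf; a DRIFT line after joining a new network means the lease's DNS servers were written despite the override.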


Sun, 29 Mar 2020

5:22 PM - MidnightBSD 1.3-CURRENT

New development is progressing on 1.3-CURRENT. It's recommended that users avoid it and stick with stable branches for now.
