Tag Archives: FreeBSD

FreeBSD related

icinga logo

Icinga2 email via ssmtp

I have been playing around with Icinga2 for some monitoring at home. I wanted to monitor a few of my external services. Since my email is one (or the primary) of them I needed alert notifications to be sent via something else. So I setup ssmtp and have email sent through a gmail account.

Make sure to enable the account to be accessible by less secure methods for this to work. If anyone comes across a way to not have to enable that, please let me know. Continue reading


Reinstalling another hosts packages on a new host with pkg

A while back I had to reinstall my Raspberry Pi 2 due to a faulty SD card. I decided to try something with pkg and it worked well so I wanted to share it here.

I copied my pkg database from the old SD card and then ran pkg upgrade -f which worked exactly how I hoped, and installed all the packages that I had previously had installed.

I did have to change the url in my /usr/local/etc/pkg/repos/FreeBSD.conf to url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", from quarterly as FreeBSD:11:armv6/quarterly/ was not populated at the time. (it is now, just making a note of it)

This was all done on FreeBSD 11.0-RC1 #0 r303979: Fri Aug 12 17:12:13 UTC 2016 root@releng2.nyi.freebsd.org:/usr/obj/arm.armv6/usr/src/sys/RPI2 arm.


Thinkpad X220

I got myself a new (used) laptop the other day.
As there was some conflicting information regarding the compatibility with FreeBSD I just wanted to get this out there into the search engines.

I haven’t had time to play around with it too much but installing FreeBSD 10.2-RELEASE (actually PCBSD 10.2) most things seem to work out of the box. Wifi, graphics, sound, touchpad, webcam and sleep.

There are a still couple of things that I will have to look into, such as suspend to disk and two finger scroll.

Edit-20160229: Updated title to reflect the correct model (X220)

Dmesg below. Continue reading


Log remote hosts to a separate log with syslog in FreeBSD

In FreeBSD you can easily let remote hosts log to your system without installing any third party applications. When doing so you might want to separate your remote hosts logs from the local hosts logs which is also easy to do.

Add this to the bottom of your /etc/syslog.conf on the host accepting the logs:
*.* /path/to/remote-host.log

The trick is @ which is a handy short for the local hostname, so by negating it like above you get the separation you want.

Works on FreeBSD11.0-Current, check man syslog.conf(5) if this doesn’t work for you.


SHA512 hashes in OS X

While messing about with my new Raspberry Pi the other day, I realized I didn’t know how to generate SHA512 hashes on my Mac to validate the integrity of my FreeBSD images.

As suspected it’s not that much more work than what I’m used to on FreeBSD (just “sha512 file“).

In OS X just run
shasum -a 512 file
and it gives you the hash of the file.

I’ll just leave this here as a note for the next time when I forget this in the future.

I validated that the shasum perl wrapper exists on both OS X El Capitan (10.11.1) and OS X Yosemite (10.10.5), still YMMV.


Script to check for eol on the command line

I have often wanted a way to check if end of life is getting close for my systems on the command line.
The message in freebsd-update is really nice, but it feels a bit overkill to run that just to check if I should consider updating to a new release of FreeBSD -and it also only checks for the system it is run on..

So I hacked up this little script which checks if EoL is close for either the currently running release of FreeBSD or for the one given as an argument. Now I can have a cron job running every now and then to check for all releases I’m using.

Get it here if you want to give it a try.
Continue reading


fsck and filesystem type

I just learned something that I thought worked through filesystem magic when I connected an old usb harddrive to one of my systems.

If you move a drive from one system to another and want to run fsck on it as usual, it will fail.
character# fsck /dev/da1s1
fsck: Could not determine filesystem type

This is since fsck needs an entry in /etc/fstab or to be given it as an argument to know what filesystem is on the disk or partition in question..
character# fsck -t UFS /dev/da1s1
** /dev/da1s1
** Last Mounted on ...

Checking the manual actually says it uses fstab, but I guess I have just never noticed it before by pure luck of either having it in there or using the proper flags wihtout thinking of it..

The behaviour seems to be roughly the same in linux except that if no argument is given and no entry found in fstab fsck attempts to use the systems default fs type.

And now I know!


Google authenticator on FreeBSD

I wanted to give this a quick try and this is how I did:
(not much deviate from any other howto on the subject..)

Compile the port
test3# uname -a
FreeBSD test3.xxxxx.se 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
test3# cd /usr/ports/security/pam_google_authenticator/
test3# make all install distclean && rehash
I just used the default settings while compiling.

Add the pam module
auth required /usr/local/lib/pam_google_authenticator.so

To /etc/pam.d/sshd

I then went to /etc/ssh/sshd_config and removed the comment on
ChallengeResponseAuthentication yes

Restart sshd
test3# /etc/rc.d/sshd restart
Stopping sshd.
Starting sshd.

Set up the user
> google-authenticator
google-authenticator: Command not found.
> rehash
> google-authenticator
Your new secret key is: PKZ2JNIV6JXXX3SEC
Your verification code is 1266323
Your emergency scratch codes are:

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Setup the phone
Scan the QR code in the url above or add it manually to google authenticator on your phone and you are good to go.

And finally, login and get prompted for the otp code
[mbp:~] henrik% ssh
Verification code:

Easy peasy!


Booting PfSense from USB

Today I helped a friend with his PfSense firewall that had died due to hardware issues.
We put in my Intel USB SSD (it had gotten left over from my FreeNAS server) and was identic to the one he used previously.

Since we reinstalled we used the chance to try out AMD64 2.0-BETA5.
All was well through the installation but after reboot the system could not mount the disk.
We rebooted and opted for “Boot from USB” in the menu wich worked just fine.

excerpt from /boot/beastie.4th in PfSense 2.0BETA5
This led us to some digging, me in the loader and him on google.
We both came up with the solution at the exact same time..

Just set the sysctl option
in /etc/loader.conf to make the system wait a little longer when mounting from USB.

This solution probably works across all the FreeBSD derivatives.


conftest and signal 11

I have from time to time seen messages like the following when updating things on my FreeBSD systems

pid 85886 (conftest), uid 0: exited on signal 11 (core dumped)

Since they were pretty sporadic and nothing else was acting up it generally went uninvestigated.

Then a little time ago I updated a load of ports on my web host and the messages just became eerily frequent so I decided to dig into it a bit.
Looking through logs and compile output revealed nothing wrong.

Google to the rescue! I found out that this is actually GNU autoconf forcing this behaviour to make sure the system deals with a segfault correctly.

FreeBSD-questions@ cleared this up years ago, so I guess I should have checked at once and saved myself some worry..


redmine and svn repos

I recently set up browsing of a subversion repository in redmine but kept getting this annoying error:

The entry or revision was not found in the repository.

After a bit of googling and trying various things without success the thing that finally solved it was changing
SVN_BIN = "svn"
SVN_BIN = "/usr/local/bin/svn"
in lib/redmine/scm/adapters/subversion_adapter.rb

Redmine 0.9.6-Stable

This is in FreeBSD, the location of the svn binary you want might of course differ.


hassle-free reinstall of meta ports

When only changing a config option on an installed port -for example adding a feature you missed initially- it is sometimes a hassle with all the ports installed as parts of the one to be reinstalled, especially if it is a metaport like php5-extensions or the like.

To not have to also update all the ports this reinstall will crash on I like to do the following:

make deinstall && make -E FORCE_PKG_REGISTER=1 reinstall distclean

This will simply ignore all those pesky “already installed” errors.
And since I am not actually upgrading anything but rather reinstalling the same thing again this will not brake anyting.