Category Archives: freebsd

nsupdate woes

Over the past three days, I’ve been trying unsuccessfully to set up a fresh name server (using Ansible and Vagrant) to play around with nsupdate and some potential middleware to automate updating DNS zones. Unfortunately, I couldn’t find any good documentation on all the specifics, just a lot of how-tos that somehow all did’t really work for me. I kept getting this error:

client request has invalid signature: TSIG tsig verify failure (BADKEY)

I will upload my Ansible role for this to Github shortly, but I felt it necessary to spare the next person the pain of getting it all to work.

To use nsupdate, you need to give bind a key, associate that with a zone, and then use that key with nsupdate. Sounds easy enough, right? What all the tutorials fail to mention is that the key files and the name of the key entries in named.conf are all significant.

First, you need to decide what to call your key. It doesn’t matter for which zones you will use it, or from which hosts you will run nsupdate, but you will need to pick a name and stick to it. You can’t change it later, you will need to create a new key if you don’t like the name.

$ dnssec-keygen -a HMAC-MD5 -n HOST -b 512 mysamplekey

This will create two files. You need both of them, and you can’t change the files’ names.

Next up, you need to add the key to named.conf, and allow requests signed by that key to update a zone (or more):

key "mysamplekey" {
    algorithm hmac-md5;
    secret "base 64 encoded key";

zone "" {
    allow-update { key "mysamplekey"; };
    type master;
    file "dynamic/";

It is important to remember that “mysamplekey” needs to be the exact same string as from the key generation!

Armed with this configuration, you should be able to update

$ nsupdate -k Kmysamplekey+123+45678
debug yes
update add foobar 10 A

Ab Herbst muss man auch seinen PC rooten

Wer noch nichts davon gehört hat: Mit Windows 8 hat Microsoft die BIOS- und Systemhersteller „überzeugt“, dass PC nur dann mit Windows 8 geliefert werden dürfen, wenn diese SecureBoot unterstützen und per Default aktiviert haben. Gnädigerweise erlaubt Microsoft den Herstellern, SecureBoot abschaltbar zu machen. Wie einfach das geht, und ob es überhaupt implementiert wird, bleibt aber den Herstellern überlassen. Soweit so schlecht.

Fedora hat sich jetzt entschieden, über das Microsoft-Programm ihren Bootloader zu signieren, damit man in Zukunft Fedora booten (und installieren) kann, ohne SecureBoot auszuschalten.

Booting from an USB disk – even when your system doesn’t support it

I like using VMware Fusion on my Mac, but it has one shortcoming: it cannot boot from USB devices. You can use disk images (floppy, CD/DVD and harddisk) as well as a physical optical drive, but USB devices are not available. That’s unfortunate if you want to use VMware to prepare a hard disk for a machine, and want to test booting off that system before installing it in the machine.

When I install a new FreeBSD machine, I often start out from an existing FreeBSD machine and install directly from that running system, instead of booting off an install DVD. Obviously, using a virtual machine for this bootstrapping system, together with a USB hard disk adapter, is very convenient. But without being able to boot the VM off that USB disk, testing can be cumbersome.

I was very happy to come across Plop, a boot manager with many features. The most interesting one for me is it’s support for booting off USB devices without BIOS support. Plop includes its own U/O/EHCI driver, supporting standard USB 1.1 and USB 2.0 devices and ports.

Also very important: Plop can be run off a CD or floppy image, so you don’t need to (re-)configure your main hard disk. If I feel adventurous, I might look into patching the Plop BIOS extension into VMware, making booting even easier. For the time being, I’m using the floppy image, since none of my virtual (nor physical) machines have floppy drives any more.

Also, when you have an older machine which BIOS does not support booting off USB devices, Plop might be very helpful!

Getting sshd to start as early as possible

In FreeBSD, sshd by default gets started quite late in the boot process, about the same time a console will show the login prompt. There’s quite a few services that can make trouble and hang before that. Annoyingly, you can’t fix a stuck system via ssh, since it’s not started yet. But as it turns out, sshd can be started quite a bit earlier than FreeBSD does by default.

The rcorder keywords in /etc/rc.d/sshd normally look like this:

# PROVIDE: sshd
# REQUIRE: LOGIN cleanvar
# KEYWORD: shutdown

Change the rcorder keywords like so:

# PROVIDE: sshd
# BEFORE: mountcritremote
# KEYWORD: shutdown


Now sshd will be started right after the network has been configured.

Note that starting sshd before certain parts of the system are ready might give you temporary or permanent errors. For example, starting sshd before the user home directories are mounted might cause problems with logins. However, if your machine has all critical filesystems on local disks, making these changes should not pose any problems, and will allow you to log in while the rc scripts are still running, giving you the opportunity to fix any misbehaving services.

Running bash as root’s shell only when it’s not broken

I like bash, mostly for its interactive features over FreeBSD’s standard Bourne-compatible shell, ash.

Setting bash as the default shell for the root user however has a big downside: if you ever break bash or any of the libraries it depends on, you can’t log in as root anymore to fix it. I’ve tried quite a few ways to work around this, and I think I’ve finally figured out a good solution: leave the root shell as /bin/sh, and add this snippet at the end of /root/.profile:

[ -z "$BASH" ] && /usr/local/bin/bash -c 'true' && exec /usr/local/bin/bash

This will start bash, but only if the shell sourcing .profile isn’t bash, and bash can actually successfully be executed.

In FreeBSD 9, ash has apparently grown command name completion. Together with the editing functions (already available in FreeBSD 7), this might allow me to switch to ash as the default shell.


FreeBSD, CUPS and iPad printing

For the longest time, I couldn’t get CUPS configured on my FreeBSD server successfully. Between CUPS access rules, foomatic drivers and avahi announcements, I had terrible trouble making heads or tails of the nondescript error messages I was getting.

Spurned on by the arrival of an iPad, I finally sat down and worked through configuring CUPS and avahi. So I don’t have to go through all the fiddling again, here’s a recipe of what I did.

TEMPer USB Thermometer

Measuring temperature in a PC should be easy: after all, most mainboards have extensive monitoring capabilities for temperature and voltage levels built-in. Unfortunately, very few of these facilities are documented properly, and software support is lacking. Instead of trying to navigate the maze that is lm-sensors (which isn’t even available for FreeBSD), I decided to look for some USB-based solution.

There’s a reasonably cheap chinese USB thermometer called TEMPer. I got mine from Brando for 12 Euros. It’s a USB-to-serial chip from WinChipHead. It’s DTR, RTS, and CTS lines are used to connect a LM75 I²C temperature sensor. To talk to the LM75, you need some bit-banging driver.

I’ve put together a command line utility for the TEMPer that can program the built-in thermostat (TEMPer has a LED connected to that output) and print out temperature measurement data. It does it’s job, and might serve as an example on how to do I²C over a simple interface.

Patch to vmmouse to make it work in FreeBSD

Here’s a patch to the vmmouse port that activates the driver unconditionally. This makes the VMware mouse driver work in the default configuration in FreeBSD (7 and 8).

When xorg moved to use hal by default, the vmmouse driver needed to be registered with hal. This would work fine, except for the the current port version of hal (hal-0.5.11_25) not supporting a command line option that the probe script for vmmouse needs, and the matching code that determines whether to probe for VMware never matching on FreeBSD.

The patch unconditionally activates the vmmouse driver. This should be fine even when not running in VMware, as vmmouse should be compatible with the default xorg mouse driver.

FreeBSD ppp(8): work around invalid remote address

When connecting via a Huawai E169 UTMS USB stick through O2 Germany’s network, the data stick or the network suggests a PPP IPCP remote address of FreeBSD refuses to ifconfig the tun interface with this endpoint address.

Fortunately, ppp(8) offers a configuration parameter to influence the IP addresses negotiated with the peer (ifaddr), and suggesting a different address will make the configuration work.

If you get this log output from ppp, you need to configure address selection:

IPCP: deflink: RecvConfigAck(4) state = Req-Sent
IPCP: deflink: State change Req-Sent --> Ack-Rcvd
IPCP: deflink: RecvConfigReq(47) state = Ack-Rcvd
IPCP: deflink: SendConfigAck(47) state = Ack-Rcvd
IPCP: deflink: State change Ack-Rcvd --> Opened
IPCP: deflink: LayerUp.
IPCP: myaddr hisaddr =
Warning: iface add: ioctl(SIOCAIFADDR, -> Destination address required
Error: ipcp_InterfaceUp: unable to set ip address

Here’s my complete ppp.conf, with the ifaddr line included:

	set device /dev/cuaU0.0
	set speed 115200
	set ifaddr
	set authname internet
	set authkey  internet
	set log local phase ipcp
	set dial "ABORT BUSY TIMEOUT 2 \
		\"\" \
		AT+CGDCONT=1,\\\"IP\\\",\\\"internet\\\" OK \
		ATD*99***1# CONNECT"
	set crtscts on
	nat enable yes
	add default HISADDR
	disable dns

This applies to both 7-stable and 8-stable (with both the old and the new USB stacks). I’ve used u3g(4) on both occasions. The original ppp.conf for 3G modems is based off this one from Nick Hibma.

This is how it looks like when using ifaddr:

IPCP: MS NBNS req 130 - NAK??
IPCP: MS NBNS req 132 - NAK??
IPCP: deflink: SendConfigReq(2) state = Req-Sent
IPCP:  COMPPROTO[6] 16 VJ slots with slot compression
IPCP: deflink: RecvConfigReq(50) state = Req-Sent
IPCP: deflink: SendConfigNak(50) state = Req-Sent
IPCP: deflink: RecvConfigRej(2) state = Req-Sent
IPCP:  COMPPROTO[6] 16 VJ slots with slot compression
IPCP: deflink: SendConfigReq(3) state = Req-Sent
IPCP: deflink: RecvConfigNak(3) state = Req-Sent
IPCP:  IPADDR[6] changing address:  -->
IPCP: deflink: SendConfigReq(4) state = Req-Sent
IPCP: deflink: RecvConfigAck(4) state = Req-Sent
IPCP: deflink: State change Req-Sent --> Ack-Rcvd
IPCP: deflink: RecvConfigReq(51) state = Ack-Rcvd
IPCP: deflink: SendConfigAck(51) state = Ack-Rcvd
IPCP: deflink: State change Ack-Rcvd --> Opened
IPCP: deflink: LayerUp.
IPCP: myaddr hisaddr =
PPP ON freebsd-current>