OpenBSD Journal

5,000 Euro Donation From CR@NS

Contributed by jolan on from the merci-beaucoup dept.

CRANS, which stands for Cachan Reseau @ Normale Sup, is an association of students living on the campus of the Ecole Normale Supérieure de Cachan in Cachan, France, which is near Paris.

CRANS provides and manages broadband connections to their network and the Internet to residents of the campus. They also promote free software by running Install Parties and hosting official mirrors for software such as VideoLAN.

CRANS has previously funded open source projects such as FSF, Debian, and OpenWRT. They chose to give their annual donation to OpenBSD/OpenSSH because they saw the call for funding and have been using OpenBSD daily for 3 years: it is the only OS that they can use for their secure WiFi deployment, which is based on IPsec. Of course, they are also large users of OpenSSH.

I think that it's incredible to see such a large donation from a non-commercial entity and I'd like to personally say thank you to CRANS! This money will definitely help further OpenBSD and OpenSSH development and I'm sure CRANS will reap the rewards of their own donation.



Comments
  1. By Anonymous Coward (68.104.1.58) on

    and the darwin streaming server article that was here?

    Comments
    1. By Anonymous Coward (202.45.98.115) on

      > and the darwin streaming server article that was here?

      Thank you CRANS

      hmm well i've always wanted to go to Paris, so one day when I have enough money for a holiday there, I will spend some extra tourist dollars thanks to what CRANS did

      Comments
      1. By Anonymous Coward (213.175.169.4) on

        > > and the darwin streaming server article that was here?
        >
        > Thank you CRANS
        I have undeadly as my homepage and yeah I was surprised where did the stream server story go? I think it was booted out due to lack of interest?
        Anyways CR@NS donated almost as much as Adobe!! And they don't make money nearly as much as them as they are a University!!!
        So the rest who have not donated yet shame shame on you :D
        A quand le CNAM ?

        Comments
        1. By Anonymous Coward (138.231.136.10) on

          > > > and the darwin streaming server article that was here?
          > >
          > > Thank you CRANS
          > I have undeadly as my homepage and yeah I was surprised where did the stream server story go? I think it was booted out due to lack of interest?
          > Anyways CR@NS donated almost as much as Adobe!! And they don't make money nearly as much as them as they are a University!!!

          They're not.
          They're a non-profit student association whose purpose is providing a (now) professional-level quality network to students living on Cachan campus :)
          They are what we call in France an "association de loi 1901".
          So they make even less money than a University.
          And the annual budget is only between 50000€ and 100000€ :)


          > So the rest who have not donated yet shame shame on you :D
          > A quand le CNAM ?

          Sooner than later, hopefully.

    2. By Marco Peereboom (67.64.89.177) marco@peereboom.us on http://www.peereboom.us

      It was my fault, I posted it by accident.

      Comments
      1. By Anonymous Coward (128.171.90.200) on

        > It was my fault, I posted it by accident.

        ?

        Comments
        1. By Anonymous Coward (66.11.66.41) on

          > > It was my fault, I posted it by accident.
          >
          > ?
          >

          ??

          Comments
          1. By Anonymous Coward (128.171.90.200) on

            > > > It was my fault, I posted it by accident.
            > > ?
            > ??

            What was wrong with it ?

          2. By Anonymous Coward (70.27.15.123) on

            > > > It was my fault, I posted it by accident.
            > >
            > > ?
            > >
            >
            > ??

            ???

            Comments
            1. By Anonymous Coward (202.45.98.115) on

              > > > > It was my fault, I posted it by accident.
              > > >
              > > > ?
              > > >
              > >
              > > ??
              >
              > ???

              ????

              Comments
              1. By Anonymous Coward (84.57.12.207) on

                > > > > > It was my fault, I posted it by accident.
                > > > >
                > > > > ?
                > > > >
                > > >
                > > > ??
                > >
                > > ???
                >
                > ????

                ?????

                Comments
                1. By Anonymous Coward (65.94.99.88) on

                  > > > > > > It was my fault, I posted it by accident.
                  > > > > >
                  > > > > > ?
                  > > > > >
                  > > > >
                  > > > > ??
                  > > >
                  > > > ???
                  > >
                  > > ????
                  >
                  > ?????

                  ??????

                  Comments
                  1. By Anonymous Coward (84.9.163.205) on

                    > > > > > > > It was my fault, I posted it by accident.
                    > > > > > >
                    > > > > > > ?
                    > > > > > >
                    > > > > >
                    > > > > > ??
                    > > > >
                    > > > > ???
                    > > >
                    > > > ????
                    > >
                    > > ?????
                    >
                    > ??????
                    ???????

      2. By Anonymous Coward (24.84.108.32) on

        > It was my fault, I posted it by accident.

        Can you re-post it on purpose?

        Comments
        1. By Anonymous Coward (67.64.89.177) on

          > > It was my fault, I posted it by accident.
          >
          > Can you re-post it on purpose?

          No, it's not undeadly type news.

  2. By cnst (217.12.147.5) on

    BTW, how much did Vonage donate?

    Comments
    1. By Charles C. Hocker (216.66.109.58) on

      > BTW, how much did Vonage donate?


      Well after their lackluster IPO I expect not much.

  3. By Anonymous Coward (81.57.42.108) on

    It should be noted that ENS Cachan has a transparent network policy and gives back all the documentation of its network setup, involving OpenWRT on Linksys WRT54G for Access Point and OpenBSD as authentication and IPsec gateway (including clients and servers configuration etc.). They also give their scripts and home made programs under either GPL or BSD licences.

    there: http://www.crans.ens-cachan.fr/WifiTechnique/OpenBsd

    Thanks CR@N, and thanks the sysadmin staff !

    Comments
    1. By Clay Dowling (12.37.120.99) clay@lazarusid.com on http://www.ceamus.com

      >
      > there:
      > http://www.crans.ens-cachan.fr/WifiTechnique/OpenBsd

      This is definitely one of those points where I'm regretting that I studied Spanish instead of French. Anybody got an English translation of the article for the French-impaired?

      Comments
      1. By mosburn (216.145.227.194) michael@mosburn.com on

        This chapter is a technical description of the solution implemented at Cr@ns. We have two types of elements. The first is the waiter ragnarok which is used as footbridge. Second is consisted of the sets of the WiFi terminals which we can disseminate everywhere. We speak here about the first element. See ../FirmWare concerning the terminals wifi.

        The waiter nectaris
        This waiter is lodged in our buildings and acts like a router. It is equipped with the operating system OpenBSD in its version 3.8. The whole of the services dedicated to WiFi turn on this machine. The services included in the basic system profit from one audit of safety on behalf of the team of the developers. Safety is the creed of the OpenBSD project which implements a certain number of mechanisms to avoid the most current attacks, such as for example the systematic separation of the privileges or the installation of a sand vat (chroot) for each application as soon as it is possible. Their policy proves to be paying with the passing of years bus few faults are finally discovered and very little of them are exploitable. One will be able to consult the http://www.openbsd.org/errata.html page to consult the faults relating to OpenBSD.

        At the material level, this waiter had an accelerator card crypto, making it possible to discharge the main frame from the cryptographic operations, and a chart gigabit. The chart crypto was decontaminated because it was less powerful than the main frame.

        The demon ISAKMP and the IPsec pile
        The principal element of ragnarok is the demon ISAKMP, ISAKMPd, and IPsec crushes it. These two elements constitute the iron of war of the WiFi solution. Demon ISAKMP (RFC 2408) is in charge of the distribution with the keys using protocol IKE and management with associations with safety. It is provided and installed out of standard in OpenBSD. Its configuration is generated starting from base LDAP, with each change of this one. The elements of authentification are the IP addresses and the secrecies shared: each customer has of his own address IP and his own password. This one is generated in a way random (and nonselected) for reasons of safety.

        Demon ISAKMP negotiates the various parameters of safety with the customer. This one can choose between 3DES and AES for coding. This last is preferred because it is at the same time faster and surer. However, the Windows customers have only 3DES. The mechanism of integrity is with choice HMAC-MD5 and HMAC-SHA1; this last being preferred. If the customer wishes it, it can also activate Perfect Forward Secrecy (PFS) which makes it possible to avoid the compromising of the temporary keys of session following the compromising of the one of them.

        The files of configuration for ISAKMPd are:

        /etc/isakmp/isakmpd.conf
        /etc/isakmp/isakmpd.policy

        Once the negotiated parameters of safety, demon IKE provides to the IPsec pile the parameters necessary to build the association of safety and thus to quantify the communications between the customer and the waiter. OpenBSD also contains out of standard a IPsec pile based on the establishment of Kame. This establishment can draw part of the material acceleration provided by the charts cryptos. ragnarok has one of these charts, which enables him to quantify 200 MBps of flow.

        Waiter DHCP
        Ragnarok also contains a waiter DHCP in charge of the automatic configuration of the customers. Its configuration is regenerated automatically starting from the contents of base LDAP. This waiter also forms part of the basic system and is used as relai at the WiFi boundaries.

        The Web server
        A modified version of Apache 1.3 is also available. It is useful only of the static pages extracted from our wiki. The extraction is made manually to prevent that a badly disposed person does not modify the pages with erroneous instructions. Nonprotected connections are redirected towards the protected waiter. This one is able to detect if the customer were redirected of force or full liking to post the page of adequate explanation to him.

        The Web server forms also part of the basic installation.

        Update of the terminals with Apache
        Apache is also useful of the packages tar.gz which allow to update terminals. There is a virtual host wifi-update.crans.org . In this one, the URL / is rewritten according to the name of the applicant:

        # Is it really a terminal?
        RewriteCond %{REMOTE_ADDR} !^138\.231\.148\.[0-9]*$ [OR]
        RewriteCond %{HTTP_USER_AGENT} !^Wifi-Update [OR]
        RewriteCond %{REQUEST_METHOD} !^GET
        RewriteRule ^(.*)$ https://wifi.crans.org$1 [L,R]
        # Does its config file exist?
        RewriteCond /wifi-update/%{REMOTE_HOST}.tar.gz -F
        RewriteRule ^/$ /%{REMOTE_HOST}.tar.gz [L]
        # If it does not exist, a default file is used.
        RewriteRule ^/$ /default.tar.gz [L]

        Currently, the file corresponding in the name of the terminal exists obligatorily (and default.tar.gz point on non-configure.wifi.crans.org).

        The package is built by mixing the contents of two repertories:

        /etc/wifi/wifi-update-ng/common
        /etc/wifi/wifi-update-ng/nom-of-the-limit

        If the second repertory does not exist, it is the repertory /etc/wifi/wifi-update-ng/default which is used. In /etc/wifi/wifi-update-ng/common, one finds in particular /etc/macip which contains the file of correspondence MAC/IP used on many occasions. In more of the contents of these two repertories, one adds (or supplements) the file /etc/nvram.updates which contains the values of the variables to be updated. There is for example:

        variables="lan_ipaddr wan_hostname"
        NVRAM_lan_ipaddr=138.231.148.54 NVRAM_wan_hostname=machin

        That means that one will update (if need be) the variables lan_ipaddr and wan_hostname. Cf ../VariablesNvram for a description of all variables that one uses. One also adds to this file of the assignments directly resulting from the description of the terminals. Thus if one of the lines of information of the terminal (in base LDAP) is of this form:

        <nvram>clef=valeur

        the following line will be added:

        variables="${variables} clef" NVRAM_clef=valeur

        The contents of the file will be recovered by the terminal and will be decompressed with the root. An important file is /tmp/update.sh : it will be carried out after decompression. It will make it possible to start again the services which need some.

        The firewall
        Nectaris also has a firewall which is occupied of making respect to it quasi totality of the policy of safety. The firewall is PF which is the standard firewall under OpenBSD. Its file of configuration is in /etc/pf.conf. In addition to its own safety, the firewall checks a certain number of things such as for example, for the recognized customers, only IPsec, ISAKMPd and the captive gate is authorized.

        Others
        Nectaris also uses SysTrace. Cf the wiki page which is associated to him for more information.
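
Added example, not part of the comment above and not CRANS's own script: one way to generate the /etc/nvram.updates text described in the update section from a terminal's LDAP description lines. The function name, the name allow-list and the quoting step are assumptions; the quoting assumes the terminal reads this file with a shell, as root, so a value taken from LDAP must never be able to run as a command.

```python
import re
import shlex

NVRAM_TAG = "<nvram>"
# Conservative allow-list for variable names (assumption, not from the wiki).
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _assignment(name, value):
    """Return 'NVRAM_<name>=<value>' with the value quoted for a POSIX shell."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("unsafe NVRAM variable name: %r" % name)
    # shlex.quote leaves plain values (IP addresses, host names) untouched
    # and single-quotes anything containing shell metacharacters.
    return "NVRAM_%s=%s" % (name, shlex.quote(value))


def build_nvram_updates(base, info_lines):
    """Build the nvram.updates text for one terminal.

    base       -- dict of variables set for every terminal, in order
    info_lines -- description lines of the terminal as stored in LDAP;
                  only lines of the form '<nvram>key=value' are used
    """
    assigns = [_assignment(name, value) for name, value in base.items()]
    lines = ['variables="%s"' % " ".join(base)]
    if assigns:
        lines.append(" ".join(assigns))
    for raw in info_lines:
        entry = raw.strip()
        if not entry.startswith(NVRAM_TAG):
            continue  # ordinary description line, not an NVRAM override
        name, sep, value = entry[len(NVRAM_TAG):].partition("=")
        if not sep:
            raise ValueError("missing '=' in NVRAM line: %r" % raw)
        # Same layout as on the page: extend the list, then assign.
        lines.append('variables="${variables} %s" %s'
                     % (name, _assignment(name, value)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input; the last line shows a hostile value.
    sample = ["room=B12", "<nvram>clef=valeur", "<nvram>note=x; reboot"]
    print(build_nvram_updates(
        {"lan_ipaddr": "138.231.148.54", "wan_hostname": "machin"}, sample),
        end="")
```
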

        Comments
        1. By Anonymous Coward (200.168.74.54) on

          Nice translation. You should consider sending it to the upstream site, that'll be very helpful.

        2. By maxime danis (138.231.136.10) danis@crans.org on

          > [a beautiful translation].
          >

          Thank you for your translation. If you don't mind, I will update our Wiki.

          http://wiki.crans.org/WifiTechnique/OpenBsdEn

          Comments
          1. By Clay Dowling (12.37.120.99) clay@lazarusid.com on http://www.ceamus.com

            > > [a beautiful translation].
            > >
            >
            > Thank you for your translation. If you don't mind, I will update our Wiki.
            >
            > http://wiki.crans.org/WifiTechnique/OpenBsdEn

            Maxime: Don't Do It. The translation is beautiful only in that it has a very real touch of whimsy. It's definitely more clear than translations from German, but it is still very bad. It is nearly indecipherable. I'm sure you know many English speakers who can do a more masterful job of translation.

          2. By Lars Hansson (203.65.245.7) lars@unet.net.ph on

            > Thank you for your translation. If you don't mind, I will update our Wiki.

            Please don't. This "translation" is more bizarre than useful.

        3. By Anonymous Coward (71.126.122.228) on

          Cool. I think I'm going to start referring to "servers" as "waiters" (or maybe "butlers" or "valets") from now on; it's much classier.

          Comments
          1. By Anonymous Coward (128.171.90.200) on

            > Cool. I think I'm going to start referring to "servers" as "waiters"
            > (or maybe "butlers" or "valets") from now on; it's much classier.

            but less politically correct

  4. By Anonymous Coward (62.252.32.11) on

    Thanks :)

  5. By double-p (89.49.193.58) pb@ on

    "they chose to give their annual donation to OpenBSD/OpenSSH"

    annual?
    So, OpenBSD might expect to get hit by this 5k more often than
    an one-time donation?

    That would be esp. notable, since for now the bigger (>1000$) donations
    have been one-time for now.

    Big thumbs up for this one anyway!

    Comments
    1. By cnst (217.12.147.5) on

      > "they chose to give their annual donation to OpenBSD/OpenSSH"
      >
      > annual?
      > So, OpenBSD might expect to get hit by this 5k more often than
      > an one-time donation?
      >
      > That would be esp. notable, since for now the bigger (>1000$) donations
      > have been one-time for now.
      >
      > Big thumbs up for this one anyway!

      I think 'annual donation' here means 'this year's donation', but this is only a guess...

    2. By Anonymous Coward (84.9.161.71) on

      > "they chose to give their annual donation to OpenBSD/OpenSSH"
      >
      > annual?
      > So, OpenBSD might expect to get hit by this 5k more often than
      > an one-time donation?
      >
      > That would be esp. notable, since for now the bigger (>1000$) donations
      > have been one-time for now.
      >
      > Big thumbs up for this one anyway!

      If money wasn't being wasted on pointless hack-a-thons and the FTP server was made accessible to devs and mirror sites only (openbsd.somedomain.net could be used instead as a mirror site) then the OpenBSD project wouldn't have such a big financial strain put on it.

      Comments
      1. By Anonymous Coward (87.78.88.5) on

        care to elaborate?!?

        Comments
        1. By DH (84.9.161.71) DavidHayter@Hotmail.Com on

          > care to elaborate?!?

          What I should have also added is that perhaps it would be a smart idea to incorporate a bittorrent client into the default install to help minimise the costs on the main FTP servers.

          Comments
          1. By Janne Johansson (82.182.176.20) jj@inet6.se on http://slackathon2006.unix.se

            > > care to elaborate?!?
            >
            > What I should have also added is that perhaps it would be a smart idea to incorporate a bittorrent client into the default install to help minimise the costs on the main FTP servers.

            Been there done that. Wouldn't fit on the install media.
            We could try yours though.

            Comments
            1. By Anonymous Coward (202.45.98.115) on

              > > > care to elaborate?!?
              > >
              > > What I should have also added is that perhaps it would be a smart idea to incorporate a bittorrent client into the default install to help minimise the costs on the main FTP servers.
              >
              > Been there done that. Wouldn't fit on the install media.
              > We could try yours though.
              >

              Why not? utorrent.exe is 107KB, and are you telling me that there's no bittorrent client that would fit on a boot CD?

              Comments
              1. By Anonymous Coward (82.182.176.20) on


                > > Been there done that. Wouldn't fit on the install media.
                > > We could try yours though.
                > >
                >
                > Why not? utorrent.exe is 107KB, and are you telling me that there's no bittorrent client that would fit on a boot CD?

                boot-cds aren't the only install option.

      2. By Anonymous Coward (68.148.236.57) on

        > If money wasn't being wasted on pointless hack-a-thons and the FTP server...

        You're new here aren't you?

      3. By Anonymous Coward (202.45.98.115) on

        > > "they chose to give their annual donation to OpenBSD/OpenSSH"
        > >
        > > annual?
        > > So, OpenBSD might expect to get hit by this 5k more often than
        > > an one-time donation?
        > >
        > > That would be esp. notable, since for now the bigger (>1000$) donations
        > > have been one-time for now.
        > >
        > > Big thumbs up for this one anyway!
        >
        > If money wasn't being wasted on pointless hack-a-thons and the FTP server was made accessible to devs and mirror sites only (openbsd.somedomain.net could be used instead as a mirror site) then the OpenBSD project wouldn't have such a big financial strain put on it.

        you're a dickhead

      4. By Anonymous Coward (67.64.89.177) on

        Yeah this would really help because ftp is a $0 cost for OpenBSD! Let's give whiners that won't spend $45 on a CD their way! Or the other whiners that don't understand that you don't need a CD to install OpenBSD.

        Comments
        1. By Anonymous Coward (84.9.160.251) on

          > Yeah this would really help because ftp is a $0 cost for OpenBSD! Let's give whiners that won't spend $45 on a CD their way! Or the other whiners that don't understand that you don't need a CD to install OpenBSD.

          I fully intend to purchase a CD set once my credit card arrives AND I also intend to DONATE.

          I realise that it does not cost OpenBSD anything however I thought that the people that run the FTP servers might appreciate the decrease in the load on their servers and the lower bandwidth costs that arise from the lower usage of their servers.

          > Been there done that. Wouldn't fit on the install media.
          > We could try yours though.

          ctorrent.sf.net or a BSD/appropriately licensed equivalent would surely fit on the install media.

          > You're new here aren't you?

          Sort of, I've been using OpenBSD since version 3.6, Haven't looked at undeadly very often though, Guess it shows huh?

          > you're a dickhead

          Yes, I am.
