Contributed by jolan on from the merci-beaucoup dept.
CRANS provides and manages broadband connections to their network and the Internet to residents of the campus. They also promote free software by running Install Parties and hosting official mirrors for software such as VideoLAN.
CRANS has previously funded open source projects such as FSF, Debian, and OpenWRT. They chose to give their annual donation to OpenBSD/OpenSSH because they saw the call for funding and have been using OpenBSD daily for 3 years as it is the only OS that they can use for their secure WiFi deployment which is based on IPsec. Of course, they are also large users of OpenSSH.
I think that it's incredible to see such a large donation from a non-commercial entity and I'd like to personally say thank you to CRANS! This money will definitely help further OpenBSD and OpenSSH development and I'm sure CRANS will reap the rewards of their own donation.
By Anonymous Coward (68.104.1.58) on
Comments
By Anonymous Coward (202.45.98.115) on
Thank you CRANS
hmm well i've always wanted to go to Paris, so one day when I have enough money for a holiday there, I will spend some extra tourist dollars thanks to what CRANS did
Comments
By Anonymous Coward (213.175.169.4) on
>
> Thank you CRANS
I have undeadly as my homepage and yeah I was surprised where did the stream server story go? I think it was booted out due to lack of interest?
Anyways CR@NS donated almost as much as Adobe!! And they don't make money nearly as much as them as they are a University!!!
So the rest who have not donated yet shame shame on you :D
When will it be CNAM's turn?
Comments
By Anonymous Coward (138.231.136.10) on
> >
> > Thank you CRANS
> I have undeadly as my homepage and yeah I was surprised where did the stream server story go? I think it was booted out due to lack of interest?
> Anyways CR@NS donated almost as much as Adobe!! And they don't make money nearly as much as them as they are a University!!!
They're not.
They're a non-profit student association whose purpose is providing a (now) professional-level quality network to students living on Cachan campus :)
They are what we call in France an 'association de loi 1901'.
So they make even less money than a University.
And the annual budget is only between 50000€ and 100000€ :)
> So the rest who have not donated yet shame shame on you :D
> When will it be CNAM's turn?
Sooner than later, hopefully.
By Marco Peereboom (67.64.89.177) marco@peereboom.us on http://www.peereboom.us
Comments
By Anonymous Coward (128.171.90.200) on
?
Comments
By Anonymous Coward (66.11.66.41) on
>
> ?
>
??
Comments
By Anonymous Coward (128.171.90.200) on
> > ?
> ??
What was wrong with it ?
By Anonymous Coward (70.27.15.123) on
> >
> > ?
> >
>
> ??
???
Comments
By Anonymous Coward (202.45.98.115) on
> > >
> > > ?
> > >
> >
> > ??
>
> ???
????
Comments
By Anonymous Coward (84.57.12.207) on
> > > >
> > > > ?
> > > >
> > >
> > > ??
> >
> > ???
>
> ????
?????
Comments
By Anonymous Coward (65.94.99.88) on
> > > > >
> > > > > ?
> > > > >
> > > >
> > > > ??
> > >
> > > ???
> >
> > ????
>
> ?????
??????
Comments
By Anonymous Coward (84.9.163.205) on
> > > > > >
> > > > > > ?
> > > > > >
> > > > >
> > > > > ??
> > > >
> > > > ???
> > >
> > > ????
> >
> > ?????
>
> ??????
???????
By Anonymous Coward (24.84.108.32) on
Can you re-post it on purpose?
Comments
By Anonymous Coward (67.64.89.177) on
>
> Can you re-post it on purpose?
No, it's not undeadly type news.
By cnst (217.12.147.5) on
Comments
By Charles C. Hocker (216.66.109.58) on
Well after their lackluster IPO I expect not much.
By Anonymous Coward (81.57.42.108) on
there: http://www.crans.ens-cachan.fr/WifiTechnique/OpenBsd
Thanks CR@N, and thanks the sysadmin staff !
Comments
By Clay Dowling (12.37.120.99) clay@lazarusid.com on http://www.ceamus.com
> there:
> http://www.crans.ens-cachan.fr/WifiTechnique/OpenBsd
This is definitely one of those points where I'm regretting that I studied Spanish instead of French. Anybody got an English translation of the article for the French-impaired?
Comments
By mosburn (216.145.227.194) michael@mosburn.com on
The waiter nectaris
This waiter is lodged in our buildings and acts like a router. It is equipped with the operating system OpenBSD in its version 3.8. The whole of the services dedicated to WiFi turn on this machine. The services included in the basic system profit from one audit of safety on behalf of the team of the developers. Safety is the creed of the OpenBSD project which implements a certain number of mechanisms to avoid the most current attacks, such as for example the systematic separation of the privileges or the installation of a sand vat (chroot) for each application as soon as it is possible. Their policy proves to be paying with the passing of years bus few faults are finally discovered and very little of them are exploitable. One will be able to consult the http://www.openbsd.org/errata.html page to consult the faults relating to OpenBSD.
At the material level, this waiter had an accelerator card crypto, making it possible to discharge the main frame from the cryptographic operations, and a chart gigabit. The chart crypto was decontaminated because it was less powerful than the main frame.
The demon ISAKMP and the IPsec pile
The principal element of ragnarok is the demon ISAKMP, ISAKMPd, and IPsec crushes it. These two elements constitute the iron of war of the WiFi solution. Demon ISAKMP (RFC 2408) is in charge of the distribution with the keys using protocol IKE and management with associations with safety. It is provided and installed out of standard in OpenBSD. Its configuration is generated starting from base LDAP, with each change of this one. The elements of authentification are the IP addresses and the secrecies shared: each customer has of his own address IP and his own password. This one is generated in a way random (and nonselected) for reasons of safety.
Demon ISAKMP negotiates the various parameters of safety with the customer. This one can choose between 3DES and AES for coding. This last is preferred because it is at the same time faster and surer. However, the Windows customers have only 3DES. The mechanism of integrity is with choice HMAC-MD5 and HMAC-SHA1; this last being preferred. If the customer wishes it, it can also activate Perfect Forward Secrecy (PFS) which makes it possible to avoid the compromising of the temporary keys of session following the compromising of the one of them.
The files of configuration for ISAKMPd are:
/etc/isakmp/isakmpd.conf
/etc/isakmp/isakmpd.policy
Once the negotiated parameters of safety, demon IKE provides to the IPsec pile the parameters necessary to build the association of safety and thus to quantify the communications between the customer and the waiter. OpenBSD also contains out of standard a IPsec pile based on the establishment of Kame. This establishment can draw part of the material acceleration provided by the charts cryptos. ragnarok has one of these charts, which enables him to quantify 200 MBps of flow.
Waiter DHCP
Ragnarok also contains a waiter DHCP in charge of the automatic configuration of the customers. Its configuration is regénérée automatically starting from the contents of base LDAP. This waiter also forms part of the basic system and is used as relai at the WiFi boundaries.
The Web server
A modified version of Apache 1.3 is also available. It is useful only of the static pages extracted from our wiki. The extraction is made manually to prevent that a badly disposed person does not modify the pages with erroneous instructions. Nonprotected connections are redirected towards the protected waiter. This one is able to detect if the customer were redirected of force or full liking to post the page of adequate explanation to him.
The Web server forms also part of the basic installation.
Update of the terminals with Apache
Apache is also useful of the packages tar.gz which allow to update terminals. There is a virtual host wifi-update.crans.org . In this one, the URL / is rewritten according to the name of the applicant:
# Is it really a terminal?
RewriteCond %{REMOTE_ADDR} !^138\.231\.148\.[0-9]*$ [OR]
RewriteCond %{HTTP_USER_AGENT} !^Wifi-Update [OR]
RewriteCond %{REQUEST_METHOD} !^GET
RewriteRule ^(.*)$ https://wifi.crans.org$1 [L,R]
# Does its config file exist?
RewriteCond /wifi-update/%{REMOTE_HOST}.tar.gz -F
RewriteRule ^/$ /%{REMOTE_HOST}.tar.gz [L]
# If it does not exist, a default file is used.
RewriteRule ^/$ /default.tar.gz [L]
Currently, the file corresponding in the name of the terminal exists obligatorily (and default.tar.gz point on non-configure.wifi.crans.org).
The package is built by mixing the contents of two repertories:
/etc/wifi/wifi-update-ng/common
/etc/wifi/wifi-update-ng/nom-of-the-limit
If the second repertory does not exist, it is the repertory /etc/wifi/wifi-update-ng/default which is used. In /etc/wifi/wifi-update-ng/common, one finds in particular /etc/macip which contains the file of correspondence MAC/IP used on many occasions. In more of the contents of these two repertories, one adds (or supplements) the file /etc/nvram.updates which contains the values of the variables to be updated. There is for example:
variables="lan_ipaddr wan_hostname"
NVRAM_lan_ipaddr=138.231.148.54
NVRAM_wan_hostname=machin
That means that one will update (if need be) the variables lan_ipaddr and wan_hostname. Cf ../VariablesNvram for a description of all variables qu one uses. One also adds to this file of the assignments directly resulting from the description of the terminals. Thus if one of the lines of information of the terminal (in base LDAP) is of this form:
<nvram>clef=valeur
the following line will be added:
variables="${variables} clef"
NVRAM_clef=valeur
The contents of the file will be recovered by the terminal and will be decompressed with the root. An important file is /tmp/update.sh : it will be carried out after decompression. It will make it possible to start again the services which need some.
The firewall
Nectaris also has a firewall which is occupied of making respect to it quasi totality of the policy of safety. The firewall is PF which is the standard firewall under OpenBSD. Its file of configuration is in /etc/pf.conf. In addition to its own safety, the firewall checks a certain number of things such as for example, for the recognized customers, only IPsec, ISAKMPd and the captive gate is authorized.
Others
Nectaris also uses SysTrace. Cf the wiki page which is associated to him for more information.
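Added example, not part of the comment above and not CRANS's own tooling: one way to generate the /etc/nvram.updates file described in the translated article from a terminal's LDAP info lines. It assumes the terminal reads the file as shell variable assignments, so names are validated and values quoted; `build_nvram_updates` and the `site_note` variable are hypothetical, and the sample data is constructed.

```python
import re
import shlex

# Assumption: NVRAM variable names are plain shell identifiers.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Info lines of the form <nvram>key=value, as described in the article.
INFO_RE = re.compile(r"<nvram>([^=]*)=(.*)", re.S)


def build_nvram_updates(base, info_lines):
    """Return the text of /etc/nvram.updates for one terminal.

    base: dict of variables always set for this terminal.
    info_lines: free-text info lines from the terminal's LDAP entry;
    only <nvram>key=value lines add (or override) assignments.
    """
    merged = dict(base)
    for line in info_lines:
        m = INFO_RE.fullmatch(line.strip())
        if m is None:
            continue  # ordinary note, not an NVRAM assignment
        merged[m.group(1).strip()] = m.group(2).strip()

    for name, value in merged.items():
        # The file is unpacked and used as root on the terminal, so
        # refuse anything that could break out of a simple assignment.
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"invalid NVRAM variable name: {name!r}")
        if "\n" in value or "\0" in value:
            raise ValueError(f"control character in value of {name}")

    out = ['variables="%s"' % " ".join(merged)]
    out += [f"NVRAM_{n}={shlex.quote(v)}" for n, v in merged.items()]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample: the article's two variables plus one LDAP line.
    print(build_nvram_updates(
        {"lan_ipaddr": "138.231.148.54", "wan_hostname": "machin"},
        ["installed in the stairwell", "<nvram>site_note=bat. B; rdc"],
    ), end="")
```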
Comments
By Anonymous Coward (200.168.74.54) on
By maxime danis (138.231.136.10) danis@crans.org on
>
Thank you for your translation. If you don't mind, I will update our Wiki.
http://wiki.crans.org/WifiTechnique/OpenBsdEn
Comments
By Clay Dowling (12.37.120.99) clay@lazarusid.com on http://www.ceamus.com
> >
>
> Thank you for your translation. If you don't mind, I will update our Wiki.
>
> http://wiki.crans.org/WifiTechnique/OpenBsdEn
Maxime: Don't Do It. The translation is beautiful only in that it has a very real touch of whimsey. It's definitely more clear than translations from German, but it is still very bad. It is nearly indecipherable. I'm sure you know many English speakers who can do a more masterful job of translation.
By Lars Hansson (203.65.245.7) lars@unet.net.ph on
Please don't. This "translation" is more bizarre than useful.
By Anonymous Coward (71.126.122.228) on
Comments
By Anonymous Coward (128.171.90.200) on
> (or maybe "butlers" or "valets") from now on; it's much classier.
but less politically correct
By Anonymous Coward (62.252.32.11) on
By double-p (89.49.193.58) pb@ on
annual?
So, OpenBSD might expect to get hit by this 5k more often than
a one-time donation?
That would be esp. notable, since for now the bigger (>1000$) donations
have been one-time for now.
Big thumbs up for this one anyway!
Comments
By cnst (217.12.147.5) on
>
> annual?
> So, OpenBSD might expect to get hit by this 5k more often than
> a one-time donation?
>
> That would be esp. notable, since for now the bigger (>1000$) donations
> have been one-time for now.
>
> Big thumbs up for this one anyway!
I think 'annual donation' here means 'this year's donation', but this is only a guess...
By Anonymous Coward (84.9.161.71) on
>
> annual?
> So, OpenBSD might expect to get hit by this 5k more often than
> a one-time donation?
>
> That would be esp. notable, since for now the bigger (>1000$) donations
> have been one-time for now.
>
> Big thumbs up for this one anyway!
If money wasn't being wasted on pointless hack-a-thons and the FTP server was made accessible to devs and mirror sites only (openbsd.somedomain.net could be used instead as a mirror site) then the OpenBSD project wouldn't have such a big financial strain put on it.
Comments
By Anonymous Coward (87.78.88.5) on
Comments
By DH (84.9.161.71) DavidHayter@Hotmail.Com on
What I should have also added is that perhaps it would be a smart idea to incorporate a bittorrent client into the default install to help minimise the costs on the main FTP servers.
Comments
By Janne Johansson (82.182.176.20) jj@inet6.se on http://slackathon2006.unix.se
>
> What I should have also added is that perhaps it would be a smart idea to incorporate a bittorrent client into the default install to help minimise the costs on the main FTP servers.
Been there done that. Wouldn't fit on the install media.
We could try yours though.
Comments
By Anonymous Coward (202.45.98.115) on
> >
> > What I should have also added is that perhaps it would be a smart idea to incorporate a bittorrent client into the default install to help minimise the costs on the main FTP servers.
>
> Been there done that. Wouldn't fit on the install media.
> We could try yours though.
>
Why not? utorrent.exe is 107KB, and are you telling me that there's no bittorrent client that would fit on a boot CD?
Comments
By Anonymous Coward (82.182.176.20) on
> > Been there done that. Wouldn't fit on the install media.
> > We could try yours though.
> >
>
> Why not? utorrent.exe is 107KB, and are you telling me that there's no bittorrent client that would fit on a boot CD?
boot-cds aren't the only install option.
By Anonymous Coward (68.148.236.57) on
You're new here aren't you?
By Anonymous Coward (202.45.98.115) on
> >
> > annual?
> > So, OpenBSD might expect to get hit by this 5k more often than
> > a one-time donation?
> >
> > That would be esp. notable, since for now the bigger (>1000$) donations
> > have been one-time for now.
> >
> > Big thumbs up for this one anyway!
>
> If money wasn't being wasted on pointless hack-a-thons and the FTP server was made accessible to devs and mirror sites only (openbsd.somedomain.net could be used instead as a mirror site) then the OpenBSD project wouldn't have such a big financial strain put on it.
your a dickhead
By Anonymous Coward (67.64.89.177) on
Comments
By Anonymous Coward (84.9.160.251) on
I fully intend to purchase a CD set once my credit card arrives AND I also intend to DONATE.
I realise that it does not cost OpenBSD anything however I thought that the people that run the FTP servers might appreciate the decrease in the load on their servers and the lower bandwidth costs that arise from the lower usage of their servers.
> Been there done that. Wouldn't fit on the install media.
> We could try yours though.
ctorrent.sf.net or a BSD/appropriately licensed equivalent would surely fit on the install media.
> You're new here aren't you?
Sort of, I've been using OpenBSD since version 3.6, Haven't looked at undeadly very often though, Guess it shows huh?
> your a dickhead
Yes, I am.