FreeBSD: disable IPv6 on PKG

pkg on FreeBSD uses libfetch under the hood to fetch packages and metadata. Unlike modern HTTP clients, libfetch does not implement Happy Eyeballs which lets a client race IPv4 and IPv6 connections and use whichever responds first.

Without this protocol, with a broken IPv6 path, the client just sits there waiting for the IPv6 connection to time out before falling back to IPv4. That is exactly what pkg does when IPv6 is broken on your network — it hangs.

The fix is straightforward: tell pkg to use IPv4 only.

Edit /usr/local/etc/pkg.conf and find the commented-out line:

#IP_VERSION=0

Uncomment it and change the value to 4:

IP_VERSION=4

pkg will now skip IPv6, and installs and updates will no longer stall on networks where IPv6 connectivity is broken. That may be a better temporary solution than disabling IPv6 entirely.

Wrong OS version in pkg

If FreeBSD’s pkg refuses to update because of a wrong OS version, for example because you are in a FreeNAS jail and version mismatch are bound to happen, then you can always try to force the OS version in pkg (which you can find with uname -UK. Either put OSVERSION={{version}} in /usr/local/etc/pkg.conf or start it with pkg -o OSVERSION={{version}} where {{version}} is the target version, for example 1101001.

Fingerprint and XScreenSaver

Today I configured the fingerprint reader on my Thinkpad X201. I will not describe the process of configuring the fingerprint reader on FreeBSD as it has been documented many times on the Internet. Though if you want I may describe the process in a separate article, just tell me.

After the configuration, everybody from the display manager to su asked to authenticate with the reader. So it was fine. Except for xscreensaver which still confined itself password authentification. There were no configuration for xscreensaver in /etc/pam.d so I initially thought that it fell back on the “other” configuration. Therefore I added one for xscreensaver but it didn’t change anything.

However I installed xscreensaver as a package, and not from the ports. It turns out that the xscreensaver package does not enable the PAM option. You can check that via pkg info xscreensaver or use ldd /usr/local/bin/xscreensaver to check if xscreensaver is effectively linked with libpam.so.

So you can reinstall xscreensaver from the ports and configure it with the PAM option enabled. However I still wonder why they disabled this by default. I still have a problem with PAM which sometime does not detect the reader and cannot even authenticate with pam_unix. I don’t know what is the cause of this, but I’ll find out.