Re: sha256 cksums for amd64 snapshot
On 01/05/14 00:42, Andrew Ngo wrote:
> I was trying to retrieve the 03-Jan-2014 09:31 amd64 snapshot: bsd.rd has the correct checksum, but other files do not. (At the very least, bsd and bsd.mp don't.)
>
> SHA256 (bsd.rd) = d7ace3a649d18d660ca64da9f7563e976a5480c3c463a99c796d40c17b209322
> SHA256 (bsd) = 842e90b2a5716946f79e6a61cc94d9a6119f031584f82583d87de961032985de
> SHA256 (bsd.mp) = 007f7c5419f0256fbc27b62d3431b927d8a4c0d62dc15a75f0b46f75b1c57a15
>
> The values in SHA256 on the server were, at the time:
>
> SHA256 (bsd.rd) = d7ace3a649d18d660ca64da9f7563e976a5480c3c463a99c796d40c17b209322
> SHA256 (bsd) = fdc62d9b6a711a07cac1e394181d03d53e36bd39921ec0cba6f7cb3f8c9fb84b
> SHA256 (bsd.mp) = e10b86f249d1d38b8162edc60b1c5003ce69bb76caebedc332aaf7af80515ac4
>
> Anyway, I checked another server or two and also ran the less friendly sha256 utility in bsd.rd -- the results are consistent. Is it just me?

Not just you. I found the same thing, but also with the i386 sets. All the x* files are fine. These things happen from time to time (check the archives). I haven't installed either of them yet, but I will shortly. Be aware the installer will complain.

-- 
Scott McEachern
https://www.blackstaff.ca

Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four. -- Bruce Schneier
patch to test: simplify pkg addition
The following patch removes pure package additions in pkg_add: instead of having separate code paths for normal installs and for updates (with extract then install), everything follows the extract then install road.

There are several reasons behind this patch: first, it simplifies the code, and makes it simpler to fix some details later on (in particular, I think there are now conditions where you may end up with a slightly suboptimal /var/db/pkg if you interrupt at the wrong time). Second, it should allow me to do some interesting things with extraction, namely reorder archives wrt packing-lists, which is a desirable property to speed up incremental updates.

Index: OpenBSD/Add.pm === RCS file: /build/data/openbsd/cvs/src/usr.sbin/pkg_add/OpenBSD/Add.pm,v retrieving revision 1.135 diff -u -p -r1.135 Add.pm --- OpenBSD/Add.pm 5 Jan 2014 10:24:30 - 1.135 +++ OpenBSD/Add.pm 5 Jan 2014 10:25:11 - @@ -102,14 +102,21 @@ sub perform_installation { my ($handle, $state) = @_; - $state-{archive} = $handle-{location}; $state-{end_faked} = 0; - $handle-{partial} //= {}; - $state-{partial} = $handle-{partial}; $state-progress-visit_with_size($handle-{plist}, 'install', $state); $handle-{location}-finish_and_close; } +sub perform_extraction +{ + my ($handle, $state) = @_; + + $handle-{partial} = {}; + $state-{partial} = $handle-{partial}; + $state-{archive} = $handle-{location}; + $state-progress-visit_with_size($handle-{plist}, 'extract', $state); +} + my $user_tagged = {}; sub extract_pkgname @@ -174,13 +181,21 @@ sub prepare_for_addition { } +sub extract +{ + my ($self, $state) = @_; + $state-{partial}-{$self} = 1; + if ($state-{interrupted}) { + die Interrupted; + } +} + sub install { my ($self, $state) = @_; if ($state-{interrupted}) { die Interrupted; } - $state-{partial}-{$self} = 1; } sub copy_info @@ -352,6 +367,7 @@ package OpenBSD::PackingElement::FileBas use OpenBSD::Error; use File::Basename; use File::Path; +use OpenBSD::Temp; sub prepare_for_addition { 
@@ -375,53 +391,6 @@ sub prepare_for_addition } } -sub install -{ - my ($self, $state) = @_; - $self-SUPER::install($state); - my $fullname = $self-fullname; - my $destdir = $state-{destdir}; - if ($fullname =~ m,^$state-{localbase}/share/doc/pkg-readmes/,) { - $state-{readmes}++; - } - - if ($state-{extracted_first}) { - if ($state-{not}) { - $state-say(moving tempfile - #1, - $destdir.$fullname) if $state-verbose = 5; - return; - } - File::Path::mkpath(dirname($destdir.$fullname)); - if (defined $self-{link}) { - link($destdir.$self-{link}, $destdir.$fullname); - } elsif (defined $self-{symlink}) { - symlink($self-{symlink}, $destdir.$fullname); - } else { - rename($self-{tempname}, $destdir.$fullname) or - $state-fatal(can't move #1 to #2: #3, - $self-{tempname}, $fullname, $!); - $state-say(moving #1 - #2, - $self-{tempname}, $destdir.$fullname) - if $state-verbose = 5; - undef $self-{tempname}; - } - } else { - my $file = $self-prepare_to_extract($state); - - $state-say(extracting #1, $destdir.$fullname) - if $state-verbose = 5; - if ($state-{not}) { - $state-{archive}-skip; - return; - } else { - $file-create; - $self-may_check_digest($file, $state); - - } - } - $self-set_modes($state, $destdir.$fullname); -} - sub prepare_to_extract { my ($self, $state) = @_; @@ -467,6 +436,96 @@ sub prepare_to_extract return $file; } +sub extract +{ + my ($self, $state) = @_; + + my $file = $self-prepare_to_extract($state); + + if (defined $self-{link} || defined $self-{symlink}) { + $state-{archive}-skip; + return; + } + + $self-SUPER::extract($state); + + # figure out a safe directory where to put the temp file + my $d = dirname($file-{destdir}.$file-name); + # we go back up until we find an existing directory. + # hopefully this will be on the same file system. + while (!-d $d -e _ || defined $state-{noshadow}-{$d}) { + $d = dirname($d); + } + if ($state-{not}) { + $state-say(extracting tempfile
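Review bot: in the perform_installation/perform_extraction hunk, install no longer sets `$state-{archive}`, yet the FileBase::install body being removed below still called `$state-{archive}-skip` in its `$state-{not}` branch; please check that no remaining install-phase method (other PackingElement subclasses, the `-n` path) still dereferences `$state-{archive}`, or it will now be whatever the last extraction left there. Also `$handle-{partial} //= {}` became an unconditional `$handle-{partial} = {}` in perform_extraction, so any partial map already on the handle is discarded; fine if extraction is now the only writer, but worth a one-line comment since the old `//=` suggests something relied on it.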
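Review bot: in the base PackingElement extract/install hunk, `$state-{partial}-{$self} = 1` now runs before the `$state-{interrupted}` check, so an element is marked partial and then dies with Interrupted before anything is extracted for it; the cleanup that walks `partial` must tolerate entries with no temp file on disk, otherwise swap the two statements so the mark only happens once extraction is actually going to proceed.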
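Review bot: in the new FileBase::extract, hard links and symlinks `return` before `$self-SUPER::extract($state)`, so they are never recorded in `$state-{partial}` and skip the Interrupted check that every other element gets; if that is intentional (nothing is written for them until install), say so in a comment, otherwise move the SUPER call above the skip. Separately, the temp-directory walk `while (!-d $d -e _ || defined $state-{noshadow}-{$d})` has lost its operator in this copy of the diff and should be re-checked against the tree, and the comment "hopefully this will be on the same file system" is a real risk: the removed install code did `rename($self-{tempname}, $destdir.$fullname) or $state-fatal(...)`, and rename(2) fails with EXDEV across file systems, so either compare the device number of `$d` with the destination's or provide a copy fallback rather than hoping.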
Re: new login style: yubikey-and-pwd
On 2014/01/05 13:10, Remi Locherer wrote:
> + /* only test the password if yubikey auth was successful */

This should be done even if Yubikey auth fails, to avoid disclosing information due to timing.
Re: new login style: yubikey-and-pwd
On Sun, Jan 05, 2014 at 09:15:21PM +0900, Ryan McBride wrote:
> My wish is for something with this user functionality, but use the password to encrypt/decrypt the user.key file, via pbkdf2-ish function (like bioctl/softraid_crypto), to avoid having the key in plaintext on the disk. It's a bit trickier, as you'd need to handle password changes, but with the right metadata in the user.key file you could avoid having a separate binary for this (all handled cleanly by login_yubikey).

Yes, that would be nice. But I don't understand how it could work without an extra tool to handle password changes. Even without the encrypt/decrypt functionality a tool like ssh-keygen for yubikey in base would be nice. It could be used to generate the key and id file and write it to the yubikey.

> On Sat, Jan 04, 2014 at 10:55:39AM +0100, Remi Locherer wrote:
> > This patch provides a new login style: yubikey-and-pwd. The idea is from login_totp-and-pwd from the login_oath port. I tried to keep the patch small and not touch too many things. But probably it would be better to change more stuff (eg: there are now two backchannels: *back from login_passwd.c and *f from login_yubikey.c). It's likely that I got something wrong - I'm a novice in programming C ;)
Re: new login style: yubikey-and-pwd
On Sun, Jan 05, 2014 at 12:26:05PM +, Stuart Henderson wrote:
> On 2014/01/05 13:10, Remi Locherer wrote:
> > + /* only test the password if yubikey auth was successful */
> This should be done even if Yubikey auth fails, to avoid disclosing information due to timing.

Good point! I changed it to this:

ret = pwd_login(username, password_pwd, wheel, lastchance, class);
ret_yubi = yubikey_login(username, password_yubikey);
if (ret_yubi != AUTH_OK)
	ret = AUTH_FAILED;

This does not work because pwd_login writes directly to the back channel. To make it work correctly I would need to change login_passwd.c (maybe with #ifdef YUBIKEY). But I try to implement Ryan's idea instead with a passphrase that encrypts the user.key file.
Re: new login style: yubikey-and-pwd
Still haven't tested, but I also saw:

> +password_pwd = malloc(password_pwd_len + 1); /* +1 for \0 */
> +
> +/* extract the password */
> +for ( cnt = 0 ; cnt password_pwd_len ; cnt++ )
> +password_pwd[cnt] = password[cnt];
> +password_pwd[password_pwd_len] = '\0';

Use strlcpy, don't roll your own.

> +/* copy last 44 bytes (yubikey one-time password) */
> +for ( cnt = 0 ; cnt + password_pwd_len strlen(password) ; cnt++ )
> +password_yubikey[cnt] = password[cnt+password_pwd_len];

If you made password_yubikey char[45] instead of char[44] then you could do:

char *temp = password + password_pwd_len;
strlcpy(password_yubikey, temp, 45);
Re: new login style: yubikey-and-pwd
> +/* the string generated by yubikey is 44 bytes long */
> +password_pwd_len = strlen(password) - 44, cnt;

Haven't tested your latest diff, but I think you have a copy-pasto here (, cnt).
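The three points raised in this thread (split the "password + 44-char OTP" string without hand-rolled copy loops, keep the OTP as a pointer into the original buffer, and evaluate the password even when the Yubikey check fails so timing does not reveal which factor was wrong) fit in one small piece of C. The block below is an added example written for this page, not code from Remi's diff or from OpenBSD's login_yubikey; `check_pwd()` and `check_otp()` are hypothetical stand-ins for pwd_login() and yubikey_login(), and the password and OTP they accept are constructed test values. It also adds the length check that the posted `strlen(password) - 44` lacks.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AUTH_OK      0
#define AUTH_FAILED -1
#define OTP_LEN      44          /* a Yubikey OTP is 44 modhex characters */

/* Constant-time equality: always touches all n bytes, whatever mismatches. */
static int ct_equal(const char *a, const char *b, size_t n)
{
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= (unsigned char)a[i] ^ (unsigned char)b[i];
	return acc == 0;
}

/* Wipe through a volatile pointer so the compiler cannot drop the stores
 * (OpenBSD would use explicit_bzero(3) here). */
static void wipe(char *p, size_t n)
{
	volatile char *v = p;

	while (n--)
		*v++ = 0;
}

/*
 * Split "<password><44-char OTP>".  Returns -1 if the input is shorter than
 * one OTP (so strlen(...) - 44 can never wrap around) or if the password
 * part does not fit in pwd[].  The OTP is not copied: *otp points into the
 * caller's buffer, as in the second version of the diff.
 */
int split_password(const char *combined, char *pwd, size_t pwdsz, const char **otp)
{
	size_t len = strlen(combined), pwdlen;

	if (len < OTP_LEN)
		return -1;
	pwdlen = len - OTP_LEN;
	if (pwdlen + 1 > pwdsz)
		return -1;
	memcpy(pwd, combined, pwdlen);
	pwd[pwdlen] = '\0';
	*otp = combined + pwdlen;
	return 0;
}

/* Hypothetical stand-ins for pwd_login()/yubikey_login(); constructed secrets. */
static const char demo_pwd[] = "correct horse";
static const char demo_otp[] = "cccccccbchvkbhbhjlcurgvbrrevdkdcfkttbtugtkln";

static int check_pwd(const char *pwd)
{
	/* Real code compares crypt(3) output; a plain comparison is enough here. */
	size_t n = strlen(pwd);

	return (n == sizeof(demo_pwd) - 1 && ct_equal(pwd, demo_pwd, n))
	    ? AUTH_OK : AUTH_FAILED;
}

static int check_otp(const char *otp)
{
	size_t i;

	if (strlen(otp) != OTP_LEN)
		return AUTH_FAILED;
	for (i = 0; i < OTP_LEN; i++)
		if (strchr("cbdefghijklnrtuv", otp[i]) == NULL)  /* modhex only */
			return AUTH_FAILED;
	return ct_equal(otp, demo_otp, OTP_LEN) ? AUTH_OK : AUTH_FAILED;
}

/*
 * Both factors are always evaluated and the verdicts are combined with a
 * non-short-circuiting AND, so response time does not tell the caller
 * which of the two parts was wrong.
 */
int auth_both(const char *combined)
{
	char pwd[256];
	const char *otp;
	int r_pwd, r_otp, ok;

	if (split_password(combined, pwd, sizeof pwd, &otp) != 0)
		return AUTH_FAILED;
	r_pwd = check_pwd(pwd);
	r_otp = check_otp(otp);
	wipe(pwd, sizeof pwd);
	ok = (r_pwd == AUTH_OK) & (r_otp == AUTH_OK);
	return ok ? AUTH_OK : AUTH_FAILED;
}

int main(void)
{
	printf("%d\n", auth_both("correct horse" "cccccccbchvkbhbhjlcurgvbrrevdkdcfkttbtugtkln"));
	printf("%d\n", auth_both("wrong horse" "cccccccbchvkbhbhjlcurgvbrrevdkdcfkttbtugtkln"));
	return 0;
}
```

The early returns inside `check_otp()` only say something about the OTP's shape, which the client already knows; the property that matters is that `check_pwd()` runs on every request, and that `auth_both()` never returns before both checks have completed. In the real login program the remaining problem noted in the thread still applies: pwd_login() writing its own success to the back channel has to be suppressed, or the combined verdict computed here is irrelevant.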
provide etext symbol on sparc64
Profiling on sparc64 is broken because e(nd of)text is missing. Once fixed, profiling works just fine on a Blade 1500. Am I missing something? OK? Index: arch/sparc64/conf/ld.script === RCS file: /home/vcs/cvs/openbsd/src/sys/arch/sparc64/conf/ld.script,v retrieving revision 1.5 diff -u -p -r1.5 ld.script --- arch/sparc64/conf/ld.script 28 Dec 2013 19:27:35 - 1.5 +++ arch/sparc64/conf/ld.script 6 Jan 2014 03:00:38 - @@ -33,6 +33,7 @@ SECTIONS .text : { *(.text) + PROVIDE(etext = .); } :text .rodata : {
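Review bot: `PROVIDE(etext = .);` sits directly after `*(.text)`, so it marks the end of that one input section rather than the end of the output `.text` section; if the kernel link ever pulls in other text input sections (a `.text.*` pattern, for instance), code placed after the symbol would fall outside the range profiling covers. Making the PROVIDE the last statement inside the `.text : { ... }` block, and checking how the other sys/arch ld.scripts define etext so sparc64 matches them, would avoid that. PROVIDE only defines the symbol when nothing else does, so a note in the commit message that this changes no layout would be useful.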
Re: new login style: yubikey-and-pwd
On Sun, Jan 05, 2014 at 06:44:22PM -0600, Kent R. Spillner wrote: Still haven't tested, but I also saw: +password_pwd = malloc(password_pwd_len + 1); /* +1 for \0 */ + +/* extract the password */ +for ( cnt = 0 ; cnt password_pwd_len ; cnt++ ) +password_pwd[cnt] = password[cnt]; +password_pwd[password_pwd_len] = '\0'; Use strlcpy, don't roll your own. Yes, that's better. +/* copy last 44 bytes (yubikey one-time password) */ +for ( cnt = 0 ; cnt + password_pwd_len strlen(password) ; cnt++ ) +password_yubikey[cnt] = password[cnt+password_pwd_len]; If you made password_yubikey char[45] instead of char[44] then you could do: char *temp = password + password_pwd_len; strlcpy(password_yubikey, temp, 45); This way I don't even have to copy the string. Having password_yubikey pointing to the right position is sufficient. New diff, but don't use it. It will log you in with a wrong one-time password as long as the password is correct. Index: Makefile === RCS file: /cvs/src/libexec/Makefile,v retrieving revision 1.54 diff -u -p -r1.54 Makefile --- Makefile4 Dec 2013 20:49:28 - 1.54 +++ Makefile3 Jan 2014 23:54:18 - @@ -5,8 +5,8 @@ SUBDIR= comsat fingerd ftpd getty ld.so lockspool login_chpass \ login_lchpass login_passwd login_radius login_reject \ - login_skey login_tis login_token login_yubikey mail.local \ - makewhatis rpc.rquotad rpc.rstatd rpc.rusersd rpc.rwalld \ + login_skey login_tis login_token login_yubikey login_yubikey-and-pwd \ + mail.local makewhatis rpc.rquotad rpc.rstatd rpc.rusersd rpc.rwalld \ rpc.sprayd rshd security spamd spamd-setup spamlogd talkd \ tcpd uucpd Index: login_yubikey/login_yubikey.c === RCS file: /cvs/src/libexec/login_yubikey/login_yubikey.c,v retrieving revision 1.8 diff -u -p -r1.8 login_yubikey.c --- login_yubikey/login_yubikey.c 27 Nov 2013 21:25:25 - 1.8 +++ login_yubikey/login_yubikey.c 6 Jan 2014 06:30:38 - 
@@ -54,6 +54,12 @@ #defineAUTH_OK 0 #defineAUTH_FAILED -1 +#ifdef PASSWD +#include util.h +#include common.h +FILE *back = NULL; +#endif + static const char *path = /var/db/yubikey; static int clean_string(const char *); @@ -67,6 +73,13 @@ main(int argc, char *argv[]) char *username, *password = NULL; char response[1024]; +#ifdef PASSWD + int pwd_len, ret_yubi; + char *password_pwd = NULL, *password_yubikey = NULL; + char *wheel = NULL, *class = NULL; + int lastchance = 0; +#endif + setpriority(PRIO_PROCESS, 0, 0); openlog(NULL, LOG_ODELAY, LOG_AUTH); @@ -151,7 +164,36 @@ main(int argc, char *argv[]) } } +#ifndef PASSWD ret = yubikey_login(username, password); +#endif +#ifdef PASSWD + /* +* XXX this is bad because pwd_login writes to back and makes +* the login successful if pwd_login succeeds even if yubikey +* auth fails! +*/ + back = f; + + /* the string generated by yubikey is 44 bytes + \0 */ + pwd_len = strlen(password) - 44 + 1; + password_pwd = malloc(pwd_len); + + /* extract the password */ + strlcpy(password_pwd, password, pwd_len); + + /* the yubikey one-time password is located right after the password */ + password_yubikey = password + pwd_len; + + ret = pwd_login(username, password_pwd, wheel, lastchance, class); + ret_yubi = yubikey_login(username, password_yubikey); + if (ret_yubi != AUTH_OK) + ret = AUTH_FAILED; + + memset(password_pwd, 0, strlen(password_pwd)); + free(password_pwd); +#endif + memset(password, 0, strlen(password)); if (ret == AUTH_OK) { syslog(LOG_INFO, user %s: authorize, username); Index: login_yubikey-and-pwd/Makefile === RCS file: login_yubikey-and-pwd/Makefile diff -N login_yubikey-and-pwd/Makefile --- /dev/null 1 Jan 1970 00:00:00 - +++ login_yubikey-and-pwd/Makefile 4 Jan 2014 01:18:49 - 
@@ -0,0 +1,23 @@ +# $OpenBSD$ + +.include bsd.own.mk + +PROG= login_yubikey-and-pwd +MAN= ${PROG}.8 +SRCS= login_passwd.c pwd_gensalt.c +SRCS+= login_yubikey.c yubikey.c +DPADD= ${LIBUTIL} +LDADD+=-lutil + +CFLAGS+=-DPASSWD -Wall +CFLAGS+=-I${.CURDIR}/../login_passwd +CFLAGS+=-I${.CURDIR}/../../usr.bin/passwd + +.PATH: ${.CURDIR}/../login_passwd ${.CURDIR}/../../usr.bin/passwd ${.CURDIR}/../login_yubikey + +BINOWN=root +BINGRP=auth +BINMODE=2555 +BINDIR=/usr/libexec/auth + +.include bsd.prog.mk Index: login_yubikey-and-pwd/login_yubikey-and-pwd.8 === RCS file:
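Review bot: in the `#ifdef PASSWD` block at the top of login_yubikey.c, `FILE *back = NULL;` defines a symbol that login_passwd.c already owns (the earlier message describes `*back from login_passwd.c`, and pwd_login writes to it), so linking both files into login_yubikey-and-pwd can produce a duplicate definition; declare it `extern FILE *back;` here and keep the single definition in login_passwd.c.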
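Review bot: in the main() hunk, `pwd_len = strlen(password) - 44 + 1;` has no check that the password is at least 44 bytes, so a short input wraps (or goes negative in `int`) and feeds a huge size to malloc, whose return value is then used unchecked; reject with AUTH_FAILED when `strlen(password) < 44` before doing any arithmetic. The OTP pointer is also off by one: `pwd_len` includes the terminating NUL, so `password_yubikey = password + pwd_len` starts at the second OTP character and yubikey_login() sees a 43-byte string; it should be `password + (pwd_len - 1)`. The XXX comment about pwd_login writing to `back` is accurate and, as the message says, means this version must not be used.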
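Review bot: the new login_yubikey-and-pwd/Makefile lists both login_passwd.c and login_yubikey.c in SRCS, and each is a complete login program with its own main(); `-DPASSWD` has to compile one of them out, so please confirm login_passwd.c guards its main() (and any other top-level definitions that collide) under that define, otherwise the link fails. BINOWN/BINGRP/BINMODE match the other login_* programs (setgid auth), which is correct for a program that reads /etc/master.passwd and /var/db/yubikey.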