Re: Randomish Reboots on Current

2016-06-20 Thread Daniel Wilkins
On Mon, Jun 20, 2016 at 10:19:36AM +0200, Erling Westenvik wrote:
> On Sun, Jun 19, 2016 at 07:54:45PM -0700, Philip Guenther wrote:
> > On Sun, Jun 19, 2016 at 1:59 PM, Daniel Wilkins wrote:
> > > Has anyone else been having random reboots on current? The system freezes up for
> > > maybe 30 seconds or so, then reboots. I have a hunch that it's something with my
> > > wifi card because occasionally during a reboot it'll error saying something about
> > > MIC errors and then reboot, or just freeze+reboot during the netstart portion of boot.
> > > The other thing that makes me think it's network is that it tends to happen during
> > > relatively network heavy things, like when I'm doing ssh X forwarding while watching
> > > streaming video, but this isn't always the case.
> > >
> > > This is a recent thing that just seems to have randomly appeared; it was working
> > > fine before and then it started rebooting one day; I hadn't updated the snapshot
> > > although I've tried that since to see if it helped. There's no panic so I don't
> > > have any ddb info, but I've attached dmesg and dmesg.boot.
> > 
> > Saying "before" without what that *means* leaves us guessing.  What
> > was the date of the snapshot or build you had installed *before* this
> > occurred?  Maybe it's still showing in an old /var/log/message.* file?
> 
> And you should probably try upgrading to the newest snapshot released
> yesterday (Jun 19). AFAIK there hasn't been a new snapshot since Jun 2,
> which is the date in your dmesg(8), and there seems to have been some
> commits on iwn(4) on Jun 3.
> 
> -- 
> Erling Westenvik
> 

I upgraded to the latest snapshot while I was in class and the reboot happened again
within 10 minutes of me getting home; guess there was no fix in there. The fact that I was
fine all day when away from home has me convinced that it's an issue in the WPA support
at least, since the problem doesn't manifest at all on open networks.



Re: /usr/ and wxallowed

2016-06-20 Thread Lampshade
I have upgraded the base system.
I am going to update ports when the mirror is in sync with main.

wxallowed on /usr works as expected


$ mount | grep /usr
/dev/sd2e on /usr type ffs (local, noatime, nodev, wxallowed, softdep)
$ grep wxallowed /etc/fstab
e2687744d2198a2e.e /usr ffs rw,wxallowed,nodev,softdep,noatime 1 2

Besides that I can add that Firefox works with W^X restriction
and Chromium does not.

wxallowed lets me use Chromium successfully.



Re: Adding more cuaUxx devices

2016-06-20 Thread Chris Cappuccio
sh MAKEDEV ttyUa ttyUb ...

Denis Lapshin [den...@mindall.org] wrote:
> Hi there!
> 
> Could someone give some advice how to add more cuaUxx devices?
> Nowadays I have just cuaU0-9 ones, but need a bit more...
> 
> MAKEDEV returns:
> 
> # ./MAKEDEV cuaU10
> cuaU10: unknown device
> 
> Thank you in advance.
> 
> Denis



Adding more cuaUxx devices

2016-06-20 Thread Denis Lapshin

Hi there!

Could someone give some advice how to add more cuaUxx devices?
Nowadays I have just cuaU0-9 ones, but need a bit more...

MAKEDEV returns:

# ./MAKEDEV cuaU10
cuaU10: unknown device

Thank you in advance.

Denis



Re: Booting encrypted drive from another device

2016-06-20 Thread chohag
Bodie writes:
> access then you are screwed. It is just matter of your importance to
> attacker if it will be sooner or later.

You briefly touch on it here

> Attacks on CEO level mentioned in post... they have already laptop
> made in China and there is plenty of examples how HW is screwed up
> these days by firmware and other code doing all the crazy stuff where
> even best OS can not help to protect against

But then go and ignore it here.

There are threat levels between Johnny Nobody and NSA's Most
Wanted. While both attacks are eminently possible, attacking the
hardware or firmware is hard while attacking the bootloader is easy, if
for no other reason than by the time you get to the boot loader you
effectively have 1 possible architecture to deal with and plenty of
space in which to do it.

I've achieved with little fuss what was originally requested in this
thread on Linux and FreeBSD and I may or may not have done so using
OpenBSD. I forget whether I got it working or not - probably did as it's
reputedly possible and I do remember poring over OpenBSD's boot loader
code to find something out but I needed a hypervisor on the tin and
FreeBSD and Linux were the only options there.

So if it's easy to do and the inconvenience is acceptable, it provides
protection which is in some cases unnecessary and in some insufficient
but is neither in all.

Matthew



Re: Booting encrypted drive from another device

2016-06-20 Thread Bodie

On 20.06.2016 13:39, bootcr...@openmailbox.org wrote:

On 20.06.2016 13:00, bootcr...@openmailbox.org wrote:

Hello!
I have recently decided to use full disk encryption on my openbsd boxes.
I've managed to do so and it's working, however for security reasons I want to boot them from another drive.

What is that security reason worth of not using default full disk encryption?

In my threat model, I consider that adversary with physical access can change bootloader on wd0 drive to store passphrases (or do anything else).


After booting from USB I remove it and hold it in safe place.
I don't consider adversary to be able to change BIOS code or
something like that.


Ivan provided a nice post, which is however not an answer. IF an attacker is able to get physical access to your computer then you missed something important in your preparations - physical protection. Once an attacker has physical access you are screwed. It is just a matter of your importance to the attacker whether it will be sooner or later.

Attacks on CEO level mentioned in the post... they already have laptops made in China and there are plenty of examples of how HW is screwed up these days by firmware and other code doing all the crazy stuff which even the best OS can not help to protect against (I can remember some of the developers pointing that out as well). So why bother and risk personal involvement when you can remotely activate such code (IME, firmware in peripherals, BIOS and so on). And yet, except for Theo and a couple of others, you can be very surprised by the state of laptops on CEO level, where the situation you describe is the last problem for the overall security of the particular company.

Not that you are prohibited from trying, and as pointed out already boot can handle it just fine.

Industry as such has a problem and you can do all the crazy tricks, but once your data must leave your computer and your network to travel over other networks and reach other computers to be able to use online banking, order stuff, use multimedia, handle personal data with gov agencies, do taxes, provide medical data about you and many other things, that is the place where it gets really bad, as they do not have a security approach like OpenBSD has and they are not even interested in that, because it blocks cloud, containers, serverless, IoT, .whatever. Like those new cars full of electronics, where you will have your nearly perfectly secure laptop on the next seat, but you will still crash after someone plays with your car electronics remotely, just because nuts in the car industry are saving cents and know s... about security and so use open connections between components which can be accessed remotely, eg. via SMS without any authentication.

This is where we are heading http://www.openbsd.org/lyrics.html#46 so far however.




Re: Randomish Reboots on Current

2016-06-20 Thread Daniel Wilkins
Sorry about that, but the issue appeared separate of an upgrade; I just mentioned that
I upgraded to point out that the problem wasn't something that's since been fixed.
The messages log (attached anyway) coincides with what I said before; it seems to be a
behavior that happens when the network runs into a Michael MIC failure. A bit of googling
said that it was a problem which occurs on a network when the router thinks that someone's
trying to get around the WPA and that the correct behavior is basically that the network
is shut down temporarily; not totally sure where the reboot comes in (doesn't handle
something right in the driver, I guess? And it hangs the network card.)


On Sun, Jun 19, 2016 at 07:54:45PM -0700, Philip Guenther wrote:
> On Sun, Jun 19, 2016 at 1:59 PM, Daniel Wilkins wrote:
> > Has anyone else been having random reboots on current? The system freezes up for
> > maybe 30 seconds or so, then reboots. I have a hunch that it's something with my
> > wifi card because occasionally during a reboot it'll error saying something about
> > MIC errors and then reboot, or just freeze+reboot during the netstart portion of boot.
> > The other thing that makes me think it's network is that it tends to happen during
> > relatively network heavy things, like when I'm doing ssh X forwarding while watching
> > streaming video, but this isn't always the case.
> >
> > This is a recent thing that just seems to have randomly appeared; it was working
> > fine before and then it started rebooting one day; I hadn't updated the snapshot
> > although I've tried that since to see if it helped. There's no panic so I don't
> > have any ddb info, but I've attached dmesg and dmesg.boot.
> 
> Saying "before" without what that *means* leaves us guessing.  What
> was the date of the snapshot or build you had installed *before* this
> occurred?  Maybe it's still showing in an old /var/log/message.* file?
> 
> 
> Philip Guenther
Jun 17 00:00:01 Hetalia newsyslog[12898]: logfile turned over
Jun 17 00:00:01 Hetalia syslogd: restart
Jun 17 00:11:07 Hetalia ntpd[52754]: tls connect failed: 2607:f8b0:4003:c03::69 (www.google.com): connect: No route to host
Jun 17 00:15:24 Hetalia apmd: battery status: high. external power status: not connected. estimated battery life 60% (122 minutes)
Jun 17 00:26:08 Hetalia ntpd[62489]: tls connect failed: 2607:f8b0:4003:c03::69 (www.google.com): connect: No route to host
Jun 17 00:35:25 Hetalia apmd: battery status: low. external power status: not connected. estimated battery life 50% (103 minutes)
Jun 17 00:41:08 Hetalia ntpd[25317]: tls connect failed: 2607:f8b0:4003:c03::69 (www.google.com): connect: No route to host
Jun 17 00:42:08 Hetalia apmd: battery status: low. external power status: connected. estimated battery life 47%
Jun 17 00:44:37 Hetalia Tor[37431]: Tor v0.2.7.6 running on OpenBSD with Libevent 2.0.22-stable, OpenSSL LibreSSL 2.4.0 and Zlib 1.2.3.
Jun 17 00:44:37 Hetalia Tor[37431]: Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 17 00:44:37 Hetalia Tor[37431]: Read configuration file "/etc/tor/torrc".
Jun 17 00:44:37 Hetalia Tor[37431]: Opening Socks listener on 127.0.0.1:1920
Jun 17 00:44:37 Hetalia Tor[37431]: Parsing GEOIP IPv4 file /usr/local/share/tor/geoip.
Jun 17 00:44:38 Hetalia Tor[37431]: Parsing GEOIP IPv6 file /usr/local/share/tor/geoip6.
Jun 17 00:44:38 Hetalia Tor[37431]: We were built to run on a 64-bit CPU, with OpenSSL 1.0.1 or later, but with a version of OpenSSL that apparently lacks accelerated support for the NIST P-224 and P-256 groups. Building openssl with such support (using the enable-ec_nistp_64_gcc_128 option when configuring it) would make ECDH much faster.
Jun 17 00:44:38 Hetalia Tor[37431]: Bootstrapped 0%: Starting
Jun 17 00:44:40 Hetalia Tor[37431]: Bootstrapped 5%: Connecting to directory server
Jun 17 00:44:40 Hetalia Tor[37431]: Bootstrapped 80%: Connecting to the Tor network
Jun 17 00:44:40 Hetalia Tor[37431]: Bootstrapped 85%: Finishing handshake with first hop
Jun 17 00:44:41 Hetalia Tor[37431]: Bootstrapped 90%: Establishing a Tor circuit
Jun 17 00:44:48 Hetalia Tor[37431]: Tor has successfully opened a circuit. Looks like client functionality is working.
Jun 17 00:44:48 Hetalia Tor[37431]: Bootstrapped 100%: Done
Jun 17 00:45:17 Hetalia /bsd: iwn0: Michael MIC failure
Jun 17 00:48:28 Hetalia syslogd: start
Jun 17 00:48:28 Hetalia /bsd: iwn0: Michael MIC failure
Jun 17 00:48:28 Hetalia /bsd: OpenBSD 6.0-beta (GENERIC.MP) #2149: Mon May 30 17:15:14 MDT 2016
Jun 17 00:48:28 Hetalia /bsd: dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Jun 17 00:48:28 Hetalia /bsd: real mem = 8237068288 (7855MB)
Jun 17 00:48:28 Hetalia /bsd: avail mem = 7982821376 (7613MB)
Jun 17 00:48:28 Hetalia /bsd: mpath0 at root
Jun 17 00:48:28 Hetalia /bsd: scsibus0 at mpath0: 
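
The correlation Daniel is reading off the log by eye (a TKIP "Michael MIC failure" from iwn(4), then the machine is back in the boot banner a few minutes later with no panic in between) is the kind of thing worth checking mechanically across a whole /var/log/messages rotation set. The following is an added example, not code from the thread: it pairs each MIC failure with the next "syslogd: start" inside a window, which on a box that did not shut down cleanly is the first line the fresh boot writes. The sample lines are copied from the excerpt above, including the 00:00:01 newsyslog rotation, whose "syslogd: restart" must not be mistaken for a boot. The 600-second window is an assumption. Note what this does and does not show: it confirms the timing relationship, not the cause; the second MIC failure in the excerpt is logged at the same second as the restart and has nothing after it, so it is correctly left unpaired.

```c
/*
 * Added example, not from the thread: pair iwn(4) "Michael MIC failure"
 * messages with the next syslogd start inside a window, the footprint of an
 * unplanned reboot that left no panic behind.
 * Assumptions: BSD syslog timestamps "Mon DD HH:MM:SS host msg", all lines in
 * one month and year; the sample is copied from the excerpt posted above.
 */
#include <stdio.h>
#include <string.h>

#define WINDOW_SECONDS 600   /* assumption: a restart within 10 minutes is related */

struct incident { long mic_at; long restart_at; };

static const char *SAMPLE_LOG[] = {
    "Jun 17 00:00:01 Hetalia newsyslog[12898]: logfile turned over",
    "Jun 17 00:00:01 Hetalia syslogd: restart",   /* log rotation, not a boot */
    "Jun 17 00:44:48 Hetalia Tor[37431]: Bootstrapped 100%: Done",
    "Jun 17 00:45:17 Hetalia /bsd: iwn0: Michael MIC failure",
    "Jun 17 00:48:28 Hetalia syslogd: start",     /* first line written after the reboot */
    "Jun 17 00:48:28 Hetalia /bsd: iwn0: Michael MIC failure",
    "Jun 17 00:48:28 Hetalia /bsd: OpenBSD 6.0-beta (GENERIC.MP) #2149: Mon May 30 17:15:14 MDT 2016",
    NULL
};

/* Seconds since the start of the month for a BSD syslog line; -1 if it does not parse. */
long syslog_seconds(const char *line)
{
    int day, h, m, s;
    if (sscanf(line, "%*3s %d %d:%d:%d", &day, &h, &m, &s) != 4)
        return -1;
    return ((day * 24L + h) * 60 + m) * 60 + s;
}

/*
 * For every MIC failure, look forward for the first "syslogd: start" and
 * record the pair if it falls inside the window. "syslogd: restart" (log
 * rotation) does not match. Returns the number of incidents written to out.
 */
int find_mic_reboots(const char *const *lines, struct incident *out, int max)
{
    int n = 0;
    for (int i = 0; lines[i] != NULL; i++) {
        if (strstr(lines[i], "Michael MIC failure") == NULL)
            continue;
        long t0 = syslog_seconds(lines[i]);
        if (t0 < 0)
            continue;
        for (int j = i + 1; lines[j] != NULL; j++) {
            if (strstr(lines[j], "syslogd: start") == NULL)
                continue;
            long t1 = syslog_seconds(lines[j]);
            if (t1 >= t0 && t1 - t0 <= WINDOW_SECONDS && n < max) {
                out[n].mic_at = t0;
                out[n].restart_at = t1;
                n++;
            }
            break;   /* only the first restart after this failure is of interest */
        }
    }
    return n;
}

/* Convenience wrappers over the embedded sample. */
int sample_incident_count(void)
{
    struct incident inc[8];
    return find_mic_reboots(SAMPLE_LOG, inc, 8);
}

long sample_first_delta(void)
{
    struct incident inc[8];
    if (find_mic_reboots(SAMPLE_LOG, inc, 8) < 1)
        return -1;
    return inc[0].restart_at - inc[0].mic_at;
}

int main(void)
{
    struct incident inc[8];
    int n = find_mic_reboots(SAMPLE_LOG, inc, 8);
    for (int i = 0; i < n; i++)
        printf("MIC failure at +%ld s, syslogd back %ld s later\n",
               inc[i].mic_at, inc[i].restart_at - inc[i].mic_at);
    return 0;
}
```

Feed it the concatenation of /var/log/messages and the rotated messages.* files (oldest first) and a run of matches with similar deltas is the evidence to attach to a bug report; a MIC failure with no restart behind it is the counter-evidence that would argue the reboot has another cause.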

Re: [pf] NAT64 rule for *outgoing* packets

2016-06-20 Thread Dan Lüdtke
Benno, all,

The gateway is running unbound with dns64 module enabled. The gateway does use
the resolver for its own resolving of names. I found a better solution by
running two instances of unbound on the gateway. One instance for the client
networks with dns64 module enabled, and one instance for the gateway itself
which validates but does not translate.

Thanks for the clarification regarding pass out rules and af-to.

Dan


> On 19 Jun 2016, at 22:53, Sebastian Benoit  wrote:
>
> Dan Lüdtke(m...@danrl.com) on 2016.06.07 19:14:24 +0200:
>> Follow-up:
>>
>> This rule matches outgoing packets to nat64 well-known prefix 64:ff9b::/96:
>> pass out quick on $if_wan inet6 from $if_wan:network to 64:ff9b::/96 af-to inet from ($if_wan)
>
> af-to does not work on pass out rules.
>
> Why do you want to use it on the gateway itself?
>
> /Benno
>
>
>> Echo requests do leave $if_wan with translated address family, replies show up in tcpdump on $if_wan:
>>
>> 19:09:54.038392 router > 8.8.8.8: icmp: echo request (DF)
>> 19:09:54.051733 8.8.8.8 > router: icmp: echo reply
>>
>> BUT the echo replies do *not* make it through to the ping6 process. It looks like there is no back-translation taking place. Any ideas how to debug or follow packets on their way through the kernel for this issue?
>>
>> Cheers,
>>
>> Dan
>>
>>
>>
>>> On 7 Jun 2016, at 14:48, Dan Lüdtke wrote:
>>>
>>> Hi,
>>>
>>> my setup: [host]--[router]--[internet]
>>>
>>> [Host] can ping legacy internet hosts via NAT64. Works fine. Corresponding line in pf.conf reads:
>>> pass in  quick on $if_lan inet6 from $if_lan:network to 64:ff9b::/96 af-to inet from ($if_wan)
>>>
>>> However, [router] can not ping legacy internet hosts via NAT64. It can, of course, reach legacy internet hosts natively.
>>>
>>> How to push outgoing traffic addressed to 64:ff9b::/96 through pf's NAT64 engine?
>>>
>>> Cheers,
>>>
>>> Dan
>>>
>>>
>>>
>>> Some outputs FYI:
>>>
>>> router# route get 64:ff9b::/96
>>> route: writing to routing socket: No such process
>>>
>>>
>>> router# ping6 64:ff9b::8.8.8.8
>>> PING6 64:ff9b::8.8.8.8 (64:ff9b::808:808): 24 data bytes
>>> ^C--- 64:ff9b::8.8.8.8 ping6 statistics ---
>>> 3 packets transmitted, 0 packets received, 100.0% packet loss
>>
>
> --
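
The address arithmetic underneath this thread is the same on both sides: the dns64 module hands a v6-only client an AAAA with the IPv4 address embedded in the low 32 bits of a /96 prefix (the ping6 above shows it, 64:ff9b::8.8.8.8 printed as 64:ff9b::808:808), and af-to pulls that IPv4 address back out to build the outgoing v4 packet. The following is an added example of that RFC 6052 mapping, written here and not code from pf, unbound or the thread. It also shows why the gateway needed a second, non-translating unbound instance: a resolver that synthesizes for its own host sends the host's traffic into a prefix that only a translator in the forwarding path can serve. Assumptions: the well-known prefix 64:ff9b::/96 only, a /96 prefix length, and constructed sample addresses; the private-range check implements the rule in RFC 6052 section 3.1 that the well-known prefix must not carry non-global IPv4 addresses.

```c
/*
 * Added example, not code from the thread, pf or unbound: the RFC 6052 /96
 * address mapping that DNS64 synthesis and NAT64 translation both rely on.
 * Assumptions: well-known prefix 64:ff9b::/96 only; sample addresses are
 * constructed.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

static const char NAT64_PREFIX[] = "64:ff9b::";
#define NAT64_PREFIXLEN 96

/* RFC 6052 s.3.1: the well-known prefix must not represent non-global IPv4.
 * Simplified to RFC 1918 space plus loopback for this example. */
static int ipv4_is_non_global(const struct in_addr *a)
{
    uint32_t h = ntohl(a->s_addr);
    return (h >> 24) == 10                      /* 10.0.0.0/8     */
        || (h >> 20) == ((172u << 4) | 1)       /* 172.16.0.0/12  */
        || (h >> 16) == ((192u << 8) | 168)     /* 192.168.0.0/16 */
        || (h >> 24) == 127;                    /* 127.0.0.0/8    */
}

/* Does this destination belong to the translator (what af-to has to match)? */
int nat64_matches(const char *ipv6)
{
    struct in6_addr v6, pfx;
    if (inet_pton(AF_INET6, ipv6, &v6) != 1) return 0;
    if (inet_pton(AF_INET6, NAT64_PREFIX, &pfx) != 1) return 0;
    return memcmp(&v6, &pfx, NAT64_PREFIXLEN / 8) == 0;
}

/* DNS64 step: embed the IPv4 address in bits 96..127 of the prefix.
 * Returns 0 and writes the AAAA text into out, -1 on bad input or policy. */
int nat64_synthesize(const char *ipv4, char *out, size_t outlen)
{
    struct in_addr v4;
    struct in6_addr v6;
    if (inet_pton(AF_INET, ipv4, &v4) != 1) return -1;
    if (ipv4_is_non_global(&v4)) return -1;           /* RFC 6052 s.3.1 */
    if (inet_pton(AF_INET6, NAT64_PREFIX, &v6) != 1) return -1;
    memcpy(&v6.s6_addr[12], &v4, sizeof v4);
    return inet_ntop(AF_INET6, &v6, out, outlen) ? 0 : -1;
}

/* Translator step: recover the IPv4 destination for the outgoing v4 packet.
 * Returns 0 and writes it into out, -1 if the address is outside the prefix. */
int nat64_extract(const char *ipv6, char *out, size_t outlen)
{
    struct in6_addr v6;
    struct in_addr v4;
    if (!nat64_matches(ipv6)) return -1;
    inet_pton(AF_INET6, ipv6, &v6);
    memcpy(&v4, &v6.s6_addr[12], sizeof v4);
    return inet_ntop(AF_INET, &v4, out, outlen) ? 0 : -1;
}

/* Round-trip helpers: 1 if the mapping produces the expected text. */
int synth_equals(const char *ipv4, const char *expect)
{
    char buf[INET6_ADDRSTRLEN];
    return nat64_synthesize(ipv4, buf, sizeof buf) == 0 && strcmp(buf, expect) == 0;
}

int extract_equals(const char *ipv6, const char *expect)
{
    char buf[INET_ADDRSTRLEN];
    return nat64_extract(ipv6, buf, sizeof buf) == 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    char aaaa[INET6_ADDRSTRLEN], a[INET_ADDRSTRLEN];
    if (nat64_synthesize("8.8.8.8", aaaa, sizeof aaaa) == 0)
        printf("DNS64 AAAA for 8.8.8.8 : %s\n", aaaa);
    if (nat64_extract("64:ff9b::808:808", a, sizeof a) == 0)
        printf("translator sends v4 to : %s\n", a);
    printf("2001:db8::1 needs NAT64: %d\n", nat64_matches("2001:db8::1"));
    return 0;
}
```

The gateway's own validating instance is the one that must never call the synthesis step: with a real A record available it reaches 8.8.8.8 natively, which is exactly the outcome Dan reports after splitting the resolvers.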



Re: Booting encrypted drive from another device

2016-06-20 Thread bootcrypt

On 20.06.2016 13:00, bootcr...@openmailbox.org wrote:

Hello!

I have recently decided to use full disk encryption on my openbsd boxes.

I've managed to do so and it's working, however for security reasons I want to boot them from another drive.


What is that security reason worth of not using default full disk encryption?

In my threat model, I consider that adversary with physical access can change bootloader on wd0 drive to store passphrases (or do anything else).


After booting from USB I remove it and hold it in safe place.
I don't consider adversary to be able to change BIOS code or something like that.




Re: Booting encrypted drive from another device

2016-06-20 Thread Ivan Markin
Bodie:
> What is that security reason worth of not using default full disk
> encryption?

Have a look at e.g. Evil Maid Attack [1]. One may want to bear a trusted
bootloader with themselves and leave raw full-encrypted drive in some
'hostile' environment.

[1] https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html

--
Ivan Markin



Re: Booting encrypted drive from another device

2016-06-20 Thread bootcrypt

On 2016-06-20 14:14, Stefan Sperling wrote:
On Mon, Jun 20, 2016 at 02:00:20PM +0300, bootcr...@openmailbox.org wrote:

Hello!

I have recently decided to use full disk encryption on my openbsd boxes.

I've managed to do so and it's working, however for security reasons I want to boot them from another drive.

Example:
I have computer with encrypted hard-drive(wd0). To boot it, I want to insert a USB-flash drive(sd0) and to boot from it in bios. I expect it run bootloader from sd0, ask me password from my wd0 drive and then boot (wd0):/bsd.
However it's not working like that. When I'm booting from let's say installation media, it's simply not asking me the password, and it seems there is no way to specifically ask bootloader to decrypt some drive.

I've read man pages and googled things like boot, installboot, "cross-device install" etc but unsuccessfully.

Is it(booting CRYPT hard drive from usb) possible? If yes, what am I doing wrong?



When you boot the machine, the boot loader should display a list of
disks it has found. It looks something like this:

disk: hd0+ hd1* sr0*

In this example, the 'sr0' disk is the encrypted drive.
Try booting from this disk with a command such as: boot sr0a:/bsd

Thank you. I somehow did miss that.



Re: Booting encrypted drive from another device

2016-06-20 Thread Bodie

On 20.06.2016 13:00, bootcr...@openmailbox.org wrote:

Hello!

I have recently decided to use full disk encryption on my openbsd boxes.

I've managed to do so and it's working, however for security reasons I want to boot them from another drive.


What is that security reason worth of not using default full disk encryption?




Example:
I have computer with encrypted hard-drive(wd0). To boot it, I want to
insert a USB-flash drive(sd0)
and to boot from it in bios. I expect it run bootloader from sd0,
ask me password from my wd0 drive and then boot (wd0):/bsd.
However it's not working like that. When I'm booting from let's say
installation media,
it's simply not asking me the password,
and it seems there is no way to specificly ask bootloader to decrypt
some drive.

I've read man pages and googled things like boot, installboot,
"cross-device install" etc but unsuccessfuly.


Is it(booting CRYPT hard drive from usb) possible? If yes, what am I
doing wrong?




Re: Booting encrypted drive from another device

2016-06-20 Thread Stefan Sperling
On Mon, Jun 20, 2016 at 02:00:20PM +0300, bootcr...@openmailbox.org wrote:
> Hello!
> 
> I have recently decided to use full disk encryption on my openbsd boxes.
> 
> I've managed to do so and it's working, however for security reasons I want
> to boot them from
> another drive.
> 
> Example:
> I have computer with encrypted hard-drive(wd0). To boot it, I want to insert
> a USB-flash drive(sd0)
> and to boot from it in bios. I expect it run bootloader from sd0,
> ask me password from my wd0 drive and then boot (wd0):/bsd.
> However it's not working like that. When I'm booting from let's say
> installation media,
> it's simply not asking me the password,
> and it seems there is no way to specifically ask bootloader to decrypt some
> drive.
> 
> I've read man pages and googled things like boot, installboot,
> "cross-device install" etc but unsuccessfully.
> 
> 
> Is it(booting CRYPT hard drive from usb) possible? If yes, what am I doing
> wrong?
> 

When you boot the machine, the boot loader should display a list of
disks it has found. It looks something like this:

disk: hd0+ hd1* sr0*

In this example, the 'sr0' disk is the encrypted drive.
Try booting from this disk with a command such as: boot sr0a:/bsd



Booting encrypted drive from another device

2016-06-20 Thread bootcrypt

Hello!

I have recently decided to use full disk encryption on my openbsd boxes.

I've managed to do so and it's working, however for security reasons I want to boot them from another drive.

Example:
I have computer with encrypted hard-drive(wd0). To boot it, I want to insert a USB-flash drive(sd0) and to boot from it in bios. I expect it run bootloader from sd0, ask me password from my wd0 drive and then boot (wd0):/bsd.
However it's not working like that. When I'm booting from let's say installation media, it's simply not asking me the password, and it seems there is no way to specifically ask bootloader to decrypt some drive.

I've read man pages and googled things like boot, installboot, "cross-device install" etc but unsuccessfully.

Is it(booting CRYPT hard drive from usb) possible? If yes, what am I doing wrong?




Re: Long life on SSD in a firewall environment

2016-06-20 Thread Edgar Pettijohn
Sent from my iPhone

> On Jun 19, 2016, at 11:19 PM, li...@wrant.com wrote:
>
> Sun, 19 Jun 2016 23:05:34 -0500 Edgar Pettijohn
> 
>> Sent from my iPhone
>>
>>> On Jun 19, 2016, at 11:01 PM, li...@wrant.com wrote:
>>>
>>> Sun, 19 Jun 2016 21:35:04 -0500 Edgar Pettijohn
>>>> Sent from my iPhone
>>>> ...
>>>> Ok. Thanks for the seller advice.
>>>
>>> Who said it's seller advice?  I said your idea is not a good idea at all.
>> My idea was sharing information. If that's a bad idea then why are you on
>> the list?
>
> Edgar, you're misleading people and obviously this why "You" are here.
>

You found me out. Guess I'll have to move to the next list.



Re: Corrections to the Release Song Lyrics page

2016-06-20 Thread lists
> You are not an OpenBSD developer, you do not speak for any aspect of the
> OpenBSD community, and you are hazardous to everything you interact with.

Tell me something I did not know already: the third part of your statement.



Re: Randomish Reboots on Current

2016-06-20 Thread Erling Westenvik
On Sun, Jun 19, 2016 at 07:54:45PM -0700, Philip Guenther wrote:
> On Sun, Jun 19, 2016 at 1:59 PM, Daniel Wilkins wrote:
> > Has anyone else been having random reboots on current? The system freezes up for
> > maybe 30 seconds or so, then reboots. I have a hunch that it's something with my
> > wifi card because occasionally during a reboot it'll error saying something about
> > MIC errors and then reboot, or just freeze+reboot during the netstart portion of boot.
> > The other thing that makes me think it's network is that it tends to happen during
> > relatively network heavy things, like when I'm doing ssh X forwarding while watching
> > streaming video, but this isn't always the case.
> >
> > This is a recent thing that just seems to have randomly appeared; it was working
> > fine before and then it started rebooting one day; I hadn't updated the snapshot
> > although I've tried that since to see if it helped. There's no panic so I don't
> > have any ddb info, but I've attached dmesg and dmesg.boot.
> 
> Saying "before" without what that *means* leaves us guessing.  What
> was the date of the snapshot or build you had installed *before* this
> occurred?  Maybe it's still showing in an old /var/log/message.* file?

And you should probably try upgrading to the newest snapshot released
yesterday (Jun 19). AFAIK there hasn't been a new snapshot since Jun 2,
which is the date in your dmesg(8), and there seems to have been some
commits on iwn(4) on Jun 3.

-- 
Erling Westenvik



Re: Corrections to the Release Song Lyrics page

2016-06-20 Thread Peter Hessler
On 2016 Jun 19 (Sun) at 19:29:51 +0300 (+0300), li...@wrant.com wrote:
:You're not part of the OpenBSD developers, you're coming from a free
:mail provider (gmail).  You show nothing to validate your suggestion.
:You should probably stop making corrections in people's names unless
:you get appointed to do so by the project.  Until then, this is just
:ignored, and wastes bytes, electricity, time, mostly yours.

I am amazed that _you_ are the one writing this.

You are not an OpenBSD developer, you do not speak for any aspect of the
OpenBSD community, and you are hazardous to everything you interact with.

I am telling you _again_.  Stop posting here.  We don't even want your
apology.  Simply, stop.