Re: How boot HDD-side crypto softraid from (bootable) USB disk? (AMD64/ARM. Currently installboot fails with "cross-device install"!..)

[Christian Weisgerber]

On 2017-02-06, Tinker  wrote:

> How use a HDD as crypto softraid root filesystem media, but put boot 
> code and cryto softraid keydisk partition (and perhaps /boot file and/or 
> kernel) on an USB disk?

Create a bootable OpenBSD area with two OpenBSD partitions on the
USB stick: 'a' with type 4.2BSD and let's say 'd' with type RAID.
They can be really small, 1MB each is fine:

#size   offset  fstype [fsize bsize   cpg]
  a: 2048   64  4.2BSD   2048 1638464 
  c:  79288320  unused
  d: 2048 2112RAID
  i:  7924672 4160   MSDOS

Let's say the USB stick is sd1.  Create a filesystem with newfs(8)
on sd1a.  Mount this partition, say on /mnt.  Create a directory
/mnt/etc/ and a file /mnt/etc/boot.conf with the line

set device sr0a

Install a bootstrap to the USB stick with

# installboot -r /mnt sd1 /usr/mdec/biosboot /usr/mdec/boot

Later, when you create the softraid crypto volume, use the USB
stick's other OpenBSD partition as key disk.  E.g.:

# bioctl -c C -k sd1d -l sd0a softraid0

When you boot from the USB stick, the unencrypted boot loader on
'a' is executed.  It assembles the softraid volume, automagically
using 'd' as the key disk.  It next reads /etc/boot.conf from the
stick's 'a' file system, then switches the boot device to the
softraid volume, and runs the kernel there.  Presto!

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de

Re: pkg_add: ftp: connect: Invalid argument

[Marc Espie]

On Mon, Feb 06, 2017 at 09:18:09AM -0800, jungle Boogie wrote:
> On 6 February 2017 at 04:41, Marc Espie  wrote:
> > On Sat, Feb 04, 2017 at 08:31:45PM -0800, jungle boogie wrote:
> >> On 02/04/2017 05:45 PM, Philip Guenther wrote:
> >> >On Sat, 4 Feb 2017, jungle boogie wrote:
> >> >>What's happening here?
> >> >>
> >> >>$ doas pkg_add -u
> >> >>Error from http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/
> >> >>ftp: connect: Invalid argument
> >> >
> >> >Running that under ktrace -i might help see the problem, ala
> >> > doas ktrace -i pkg_add -u
> >> >
> >> >then kdump | less and look for a failed connect call.  Should be able to
> >> >search for "connect -1 errno" and then go backwards to see the connect()
> >> >call and the sockaddr passed to it.
> >> >
> >> >
> >>
> >> Here's where it actually lits the URL:
> >
> > perl doesn't do network connects in that context.
> > just run
> > ftp -o - http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/
> > it should dump the html list of packages.
> >
> > if it doesn't, your network is broken.
> 
> Ah, that's a good trick! I'll keep that in mind if there's a next time.

Another important point: it's run as the _pkgfetch user.
So if you have any kind of local pf rules that varies depending on user,
that might be an issue.

You should properly do something like
doas -u _pkgfetch env -i ftp -o - 
http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/

(unless you have proxy settings, in which case you should pass the proxy env
variables thru as well)

drop_privileges_and_setup_env is the routine
that does it in PackageRepository.pm, and you can see
it's quite picky about the part of the environment it lets thru...

RAP - Reuse Attack Protector

[minek van]

Just read it today, hopefully it could be useful for the OpenBSD team too: 

http://www.prweb.com/releases/2017/02/prweb14044396.htm

https://grsecurity.net/rap_announce_ret.php

https://grsecurity.net/download.php#test

Re: pkg_add: ftp: connect: Invalid argument

[jungle Boogie]

On 6 February 2017 at 04:41, Marc Espie  wrote:
> On Sat, Feb 04, 2017 at 08:31:45PM -0800, jungle boogie wrote:
>> On 02/04/2017 05:45 PM, Philip Guenther wrote:
>> >On Sat, 4 Feb 2017, jungle boogie wrote:
>> >>What's happening here?
>> >>
>> >>$ doas pkg_add -u
>> >>Error from http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/
>> >>ftp: connect: Invalid argument
>> >
>> >Running that under ktrace -i might help see the problem, ala
>> > doas ktrace -i pkg_add -u
>> >
>> >then kdump | less and look for a failed connect call.  Should be able to
>> >search for "connect -1 errno" and then go backwards to see the connect()
>> >call and the sockaddr passed to it.
>> >
>> >
>>
>> Here's where it actually lits the URL:
>
> perl doesn't do network connects in that context.
> just run
> ftp -o - http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/
> it should dump the html list of packages.
>
> if it doesn't, your network is broken.

Ah, that's a good trick! I'll keep that in mind if there's a next time.

-- 
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info

Re: How boot HDD-side crypto softraid from (bootable) USB disk? (AMD64/ARM. Currently installboot fails with "cross-device install"!..)

[Christian Weisgerber]

On 2017-02-06, Tinker  wrote:

> The following is for AMD64 though I'd guess that a similar approach 
> would be possible on other platforms also.
>
> The boot sequence with MBR is:
>
>   MBR: Load PBR (unencrypted)
>
>   PBR: Load /boot (encrypted)

/boot is not encrypted.  In fact, with root on softraid, there is
no such file /boot.

Since it needs to fit into 512 bytes, the biosboot(8) code in the
PBR is very simple.  It contains a hardcoded pointer where to find
boot(8).

Without softraid, installboot(8) installs /usr/mdec/boot as /boot,
and /usr/mdec/biosboot into the PBR and patches it with the necessary
information where to find /boot.

At the start of a softraid partition there is a metadata area that
holds various information about the softraid volume.  This area
includes reserved space for boot strapping: 320*512 bytes for the
boot loader (plus 128*512 bytes for a boot block, unused on x86).
See /usr/include/dev/softraidvar.h.  This is outside any file system.

With softraid, installboot(8) installs /usr/mdec/boot into the boot
loader space of the softraid partition, and /usr/mdec/biosboot into
the PBR and patches it with the necessary information where to find
the boot loader.

The PBR loads boot(8), unencrypted.  The boot loader then assembles
the softraid volume, which for a crypto volume includes asking the
passphrase or locating the key disk.  Once the crypto volume is
unlocked, the boot loader proceeds to load /etc/boot.conf and
typically the kernel from the 'a' partition there.

The important points to remember are:
* boot(8) is stored unencrypted.  This should be kind of obvious
  because it contains the code required to access the softraid
  volume.
* A passphrase or key disk are required BEFORE /etc/boot.conf is
  read.

Softraid crypto is intended to guard against cases where your laptop
is stolen, or you send it in for repair, or you throw away the disk.
If you expect an attacker to be able to repeatedly access the
encrypted data or to modify disk contents, you're in trouble.  Apart
from the subverted boot loader you are worried about, there are
fundamental concerns about the ability of XTS encryption to defend
against such attacks.  Google keywords: XTS malleability.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de

Re: etherip problem

[jean-yves boisiaud]

etherip0 and bridge0 were not up.

I added the up keyword into /etc/hostname.bridge0 and
/etc/hostname.etherip0.

Thanks to Pierre.

Now, I can see traffic crossing the etherip tunnel. But ARP is still not
fully working. I investigate...

2017-02-03 15:11 GMT+01:00 jean-yves boisiaud <
jean-yves.boisi...@alcor-consulting.fr>:

> hello,
>
> i'm trying to set an etherip bridge between two OBSD VM which are inside
> two ESXi servers.
>
> I configured bridges and etherip interfaces as said in manual etherip(4).
>
> private lan1 - host1  host2 - private lan2
>
> host1 public address : vmx0, 10.91.178.3
> host2 public address : vmx0,  10.91.219.52
>
> private lan1 address and private lan2 address are on vmx1 ​
>
> ​from host1, I can ping host2 (ping ​10.91.219.52) : ok
> but, from another host in private lan1 (192.168.33.1), I cannot ping
> another host in private lan2 (192.168.33.2).
>
> I can see arp requests on host1 vmx1, but there is no traffic on bridge0,
> neither on etherip0 or vmx0.
>
> I do not see what is wrong in my configuration.
>
> Thank you for your help.
>
> on host1 :
>
> OpenBSD 6.0
>
> sysctl net.inet.ip.forwarding net.inet.etherip.allow
> net.inet.ip.forwarding=1
> net.inet.etherip.allow=1
>
> ifconfig vmx0
> vmx0: flags=8b43
> mtu 1500
> lladdr a0:36:9f:c0:05:b8
> index 1 priority 0 llprio 3
> media: Ethernet autoselect (10GbaseT)
> status: active
> inet 10.91.178.3 netmask 0xff80 broadcast 10.91.178.127
>
> ifconfig vmx1
> vmx1: flags=8b43
> mtu 1500
> lladdr 00:0c:29:15:34:56
> index 2 priority 0 llprio 3
> media: Ethernet autoselect (10GbaseT)
> status: active
> inet 192.168.33.254 netmask 0xff00 broadcast 192.168.33.255
>
> ifconfig etherip0
> etherip0: flags=8902 mtu 1500
> lladdr fe:e1:ba:d0:7e:f0
> index 6 priority 0 llprio 3
> groups: etherip
> media: Ethernet autoselect
> status: active
> tunnel: inet 10.91.178.3 -> 10.91.219.52
>
> ifconfig bridge0
> bridge0: flags=0<>
> index 7 llprio 3
> groups: bridge
> priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
> rstp
> designated: id 00:00:00:00:00:00 priority 0
> etherip0 flags=3
> port 6 ifpriority 0 ifcost 0
> vmx1 flags=3
> port 2 ifpriority 0 ifcost 0
> Addresses (max cache: 100, timeout: 240):
>
> --
> Jean-Yves Boisiaud - Alcor Consulting
> 24, rue de la Glycine
> 49250 Saint Remy la Varenne
> mobile : +33 6 63 71 73 46 <+33%206%2063%2071%2073%2046>  fixe : +33 9 72
> 41 19 35 <+33%209%2072%2041%2019%2035>
>



--
Jean-Yves Boisiaud - Alcor Consulting
24, rue de la Glycine
49250 Saint Remy la Varenne
mobile : +33 6 63 71 73 46  fixe : +33 9 72 41 19 35

HEADS UP: pkg_add supports installpath

[Marc Espie]

just committed, will be in the next series of snapshots.

so, basic installs create /etc/installurl

now, pkg_add uses it "by default" to create an installpath.

pkg.conf(5) takes precedence (user defines are stronger than
automatic defines):
installpath = anything
in pkg.conf will replace the installpath value from installurl.

So, if you had an install that created /etc/installurl, and
if you want pkg_add to take advantage of it, you will have to
remove the installpath   line you had in pkg.conf
(note that you can comment it out if you're unsure whether your
pkg_add supports installurl).

Re: Spammer whitelisted by spamd. How?

[Boudewijn Dijkstra]

Op Sat, 04 Feb 2017 10:03:02 +0100 schreef Clint Pachl
:
Can someone explain how the spammer at 81.7.16.33 got white listed by  
spamd and delivered 3 spam emails to me? What exactly triggered the  
white listing?


I may not understand spamd's behavior, but according to the spamd log  
below, the spammer attempted only 5 deliveries via spamd, each with a  
different envelope-from address. Correct?


At 17:12 there is a 6th connection. Presumably this is a re-try of one of
the existing grey entries.

With -v you would have seen something like:
Feb  3 17:12:29 zeus spamd[34374]: (GREY) 81.7.16.33:
 -> 

/B



If so, shouldn't white listing be considered only if, during passtime,  
the retries from a GREY host contain the same envelope-from and  
envelope-to? Legitimate mail would be resent with the same  
envelope-from/-to, but spammers (this one in particular) often do not.  
Ensuring consistent envelope addresses may be a way to stop more spam.  
No?



# passtime set short as I'm currently experimenting
$ rcctl get spamd | grep flags
spamd_flags=-G 1:10:1080

$ fgrep 81.7.16.33 /var/log/spamd
Feb  3 16:58:27 zeus spamd[34374]: 81.7.16.33: connected (3/1)
Feb  3 17:00:05 zeus spamd[21625]: new entry 81.7.16.33 from  
 to , helo minyu1esc.com
Feb  3 17:00:10 zeus spamd[34374]: 81.7.16.33: disconnected after 103  
seconds.

Feb  3 17:06:50 zeus spamd[34374]: 81.7.16.33: connected (3/2)
Feb  3 17:07:10 zeus spamd[21625]: new entry 81.7.16.33 from  
 to , helo minyu1esc.com
Feb  3 17:07:10 zeus spamd[34374]: 81.7.16.33: disconnected after 20  
seconds.

Feb  3 17:07:47 zeus spamd[34374]: 81.7.16.33: connected (3/2)
Feb  3 17:08:00 zeus spamd[21625]: new entry 81.7.16.33 from  
 to , helo minyu1esc.com
Feb  3 17:08:02 zeus spamd[34374]: 81.7.16.33: disconnected after 15  
seconds.

Feb  3 17:08:28 zeus spamd[34374]: 81.7.16.33: connected (4/3)
Feb  3 17:08:41 zeus spamd[21625]: new entry 81.7.16.33 from  
 to , helo minyu1esc.com
Feb  3 17:08:41 zeus spamd[34374]: 81.7.16.33: disconnected after 13  
seconds.

Feb  3 17:10:22 zeus spamd[34374]: 81.7.16.33: connected (4/3)
Feb  3 17:10:39 zeus spamd[21625]: new entry 81.7.16.33 from  
 to , helo minyu1esc.com
Feb  3 17:10:39 zeus spamd[34374]: 81.7.16.33: disconnected after 17  
seconds.

Feb  3 17:12:13 zeus spamd[34374]: 81.7.16.33: connected (5/4)
Feb  3 17:12:29 zeus spamd[34374]: 81.7.16.33: disconnected after 16  
seconds.

Feb  3 17:12:50 zeus spamd[17428]: queueing add of 81.7.16.33
Feb  3 17:12:50 zeus spamd[17428]: whitelisting 81.7.16.33 in  
/var/db/spamd





--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

how to generate sha512 password hashes for Linux on OpenBSD?

[Jiri B]

Hi,

how could I generate sha512 password hashes for Linux on OpenBSD?

Using 'crypto' from Python is no go, as this is OS dependent. So I
tried following via passlib but it does not work, ie. I can't login on EL7.

~~~
#!/usr/bin/python2.7

from passlib.hash import sha512_crypt
import getpass

hash = sha512_crypt.using(salt_size=16).encrypt(getpass.getpass())
# XXX
# print(hash)
hl = hash.split("$",3)
print("$6$%s" % hl[3])
~~~

It does add 'rounds=656000$', so removing this is needed.

On EL7 with hash from above:

echo 
'userfoo:$6$1AfrAnSyjs7Xpki7$59aX53IQcu9JRZKdHT311HOurgVftM/5RlgOrz7fFlDcQEqhcoUCvuDeXyMogTQrvwtmWE8Tnr2vhV2Jf2aqq0'
 \
  | chpasswd -e

And try ssh as 'userfoo'.

What can I do wrong? What is your way to generate it on OpenBSD?

j.

Re: pkg_add: ftp: connect: Invalid argument

[Marc Espie]

On Sat, Feb 04, 2017 at 08:31:45PM -0800, jungle boogie wrote:
> On 02/04/2017 05:45 PM, Philip Guenther wrote:
> >On Sat, 4 Feb 2017, jungle boogie wrote:
> >>What's happening here?
> >>
> >>$ doas pkg_add -u
> >>Error from http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/
> >>ftp: connect: Invalid argument
> >
> >Running that under ktrace -i might help see the problem, ala
> > doas ktrace -i pkg_add -u
> >
> >then kdump | less and look for a failed connect call.  Should be able to
> >search for "connect -1 errno" and then go backwards to see the connect()
> >call and the sockaddr passed to it.
> >
> >
> 
> Here's where it actually lits the URL:

perl doesn't do network connects in that context.
just run
ftp -o - http://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/
it should dump the html list of packages.

if it doesn't, your network is broken.

Re: Memory alignment

[Raimo Niskanen]

On Fri, Feb 03, 2017 at 04:07:25PM +0100, Boudewijn Dijkstra wrote:
> Op Sat, 28 Jan 2017 06:26:16 +0100 schreef Damian McGuckin  
> :
> > What is the recommended most portable way to force memory alignment for  
> > a datum of any type, assuming one has a pointer say
> >
> > char *x
> >
> > I currently use something like
> >
> > char *xany = aligntonext(x, sizeof(long))
> >
> > where I use my own function 'aligntionext' which is defined below and I  
> > also assume that a 'long' will be the natural word-size of the machine  
> > and that any datum things just needs to align to this boundary. That  
> > said, if the second argument is say 4k, the function will align its  
> > result to a 4k boundary.
> >
> > I was wondering if there is an optimal, better, more acceptable, or more  
> > portable, way.
> >
> 
> Easy and very portable:
> 
> void *
> aligntonext(void *x, size_t size)
> {
>   return (void *)uintptr_t)x + size - 1u) / size) * size);
> }
> 
> Whether it is optimal depends on compiler optimization.

Isn't this stuff macros are made of:

# define aligntonext(ptr, size) \
((void*)uintptr_t)(ptr) + (size) - 1u) / (size)) * (size)))

Or

# define aligntonext(ptr, bits) \
((void*)uintptr_t)(ptr) + (1<<(bits)) - 1u) >> (bits)) << (bits)))

Note that the second argument is evaluated three times in both variants...

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB

Re: How boot HDD-side crypto softraid from (bootable) USB disk? (AMD64/ARM. Currently installboot fails with "cross-device install"!..)

[bytevolcano]

Perhaps I should point out that the only reason I suggested installing
OpenBSD on the stick here was for recovery purposes, and for installing
the boot loader.

The boot loader allows you to select the HDD you have at the start. So
edit /etc/boot.conf *on the stick* as follows:

boot sr0a:/bsd

That should do the trick.

On your softraid volume is your plain, normal OpenBSD install (similar
to how it would be installed on a non-softraided partition). No trickery
needed there, and no need to store the "b" partition somewhere else
either, its fine on the softraid partition.

On Mon, 06 Feb 2017 05:17:22 +
Tinker  wrote:

> On 2017-02-06 11:40, bytevolc...@safe-mail.net wrote:
> > There is still an elephant in the room.
> > 
> > What if someone has physical access to your machine's USB ports, and
> > decides to boot something nasty from it, which in turn modifies the
> > firmware in your system (very likely to be possible due to stupid
> > "consumer-grade" junk like UEFI or OS-flashable BIOS without
> > hardware write protection).
> > 
> > This infected firmware can then scan through any keys that you
> > input, including the USB key disk, and the security of this
> > 'softraid "firewall"' is now compromised.  
> 
> Right, booting off USB provides no protection against physical
> attacks and nor against broken firmware.

Re: Memory alignment

[Boudewijn Dijkstra]

Op Sat, 28 Jan 2017 06:26:16 +0100 schreef Damian McGuckin  
:
What is the recommended most portable way to force memory alignment for  
a datum of any type, assuming one has a pointer say


char *x

I currently use something like

char *xany = aligntonext(x, sizeof(long))

where I use my own function 'aligntionext' which is defined below and I  
also assume that a 'long' will be the natural word-size of the machine  
and that any datum things just needs to align to this boundary. That  
said, if the second argument is say 4k, the function will align its  
result to a 4k boundary.


I was wondering if there is an optimal, better, more acceptable, or more  
portable, way.




Easy and very portable:

void *
aligntonext(void *x, size_t size)
{
return (void *)uintptr_t)x + size - 1u) / size) * size);
}

Whether it is optimal depends on compiler optimization.


--
Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/

Re: How boot HDD-side crypto softraid from (bootable) USB disk? (AMD64/ARM. Currently installboot fails with "cross-device install"!..)

[Tinker]

On 2017-02-06 08:40, bytevolc...@safe-mail.net wrote:

Perhaps I should point out that the only reason I suggested installing
OpenBSD on the stick here was for recovery purposes, and for installing
the boot loader.

The boot loader allows you to select the HDD you have at the start. So
edit /etc/boot.conf *on the stick* as follows:

boot sr0a:/bsd

That should do the trick.

On your softraid volume is your plain, normal OpenBSD install (similar
to how it would be installed on a non-softraided partition). No 
trickery

needed there, and no need to store the "b" partition somewhere else
either, its fine on the softraid partition.


Ah dear, there are more block devices in the booat loader than "hd", is 
that in any man page anywhere??



Thanks for bringing up.

Now, what you suggest, is it:

On the USB stick, create two BSD partitions: one for the crypto keydisk, 
and one being a softraid, with one partition in it, being an UFS 
filesystem with /boot and /etc/boot.conf , with the line "boot 
sr0a:/bsd" in it?


But wouldn't the sr0 be the boot softraid then - and the HDD softraid be 
sr1?


Please clarify the utility and how to do it.

Thanks,
Tinker