Re: ideas needed for password management

2020-09-23 Thread Mitchell Riedstra


> However, I now have the problem of allowing users setting and
> modifying their own passwords (perhaps even their usernames) without
> giving them ssh access to the host.

It will be a bit more tricky if you want them to be able to change
their usernames and such, but it's possible to modify sshd to force a
command for a specific group.

For instance if you create a group 'passwdonly', add the users to it,
and place a:

    Match Group passwdonly
        ForceCommand /usr/bin/passwd

at the bottom of /etc/ssh/sshd_config, it makes changing their password
the only thing they can do when they SSH in.

If you have password authentication turned off you can turn it on for
that specific group as well.

You can also write a custom script to prompt them for what they wish to
do, change their username and such and force that to be the command.


> I set up a simple mail server on OpenBSD on a VPS, based on OpenSMTP
> and Dovecot. The users will be the Unix users on the VPS for
> simplicity.

In this instance, if you wish to expose a web interface for changing
of usernames and passwords, going with virtual users backed by
a SQL database may be easier and less likely to compromise the host.

I know you had mentioned not having a lot of experience in this area,
but if it's a hobby the bit of programming involved may be fun.

I hope this helps.

--
Mitch Riedstra
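
One way to write the custom forced-command script suggested in the message above, as an added example that is not part of the original post. The install path in the comment, the menu layout and the function names are assumptions, and only the password option is implemented because the message leaves the username change unspecified.

```sh
#!/bin/sh
# Added example: menu wrapper intended as the ForceCommand for the
# 'passwdonly' group. Assumed sshd_config block (path is hypothetical):
#
#   Match Group passwdonly
#       PasswordAuthentication yes
#       DisableForwarding yes
#       ForceCommand /usr/local/libexec/account-menu

PASSWD_BIN=/usr/bin/passwd

# Map a menu answer to an action name. Only exact matches are accepted;
# anything else, shell metacharacters included, comes back as "invalid".
choose_action() {
    case "$1" in
        1)   echo passwd ;;
        2|q) echo quit ;;
        *)   echo invalid ;;
    esac
}

# sshd stores the command the client asked for in SSH_ORIGINAL_COMMAND.
# The wrapper never runs it; it only notes that one was supplied.
client_requested_command() {
    [ -n "${SSH_ORIGINAL_COMMAND:-}" ]
}

main() {
    if client_requested_command; then
        logger -t account-menu "user=$(id -un) ignored a client-supplied command"
    fi
    tries=0
    while [ "$tries" -lt 3 ]; do
        printf '1) Change password\n2) Quit\n> '
        IFS= read -r answer || exit 1
        case "$(choose_action "$answer")" in
            passwd) exec "$PASSWD_BIN" ;;   # changes the invoking user's password
            quit)   exit 0 ;;
        esac
        tries=$((tries + 1))
    done
    exit 1
}

# sshd sets SSH_CONNECTION for every session, and passwd needs a terminal;
# do nothing when started any other way.
if [ -n "${SSH_CONNECTION:-}" ] && [ -t 0 ]; then
    main
fi
```

Because the script ends in exec or exit on every path, the session closes as soon as the chosen action finishes and the user is never handed a shell.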




Re: OpenBSD migration

2018-11-18 Thread Mitchell Riedstra
Hi Martin,

On Sat, Nov 17, 2018 at 3:18 PM Martin Sukany wrote:
> I want to migrate OpenBSD 6.4 (stable) from VM to bare metal. I see, as
> usual, two options:
>
> 1) install everything from scratch
> 2) create some flashimage (I did such thing on Solaris few years ago)
> and apply the image on new hw.

OpenBSD is in many ways just files on a disk and it's possible to migrate from
a VM to bare metal with a dump, tarball, rsync or similar. This will also
require a somewhat in-depth understanding of the boot process, and setting up
the fstab properly and perhaps other OpenBSD-specific things I do not recall
at this time.

It's certainly possible to get this understanding by reading the installer
scripts. I've had to do this on FreeBSD and Linux to migrate between hosting
providers w/o downtime. It's painful and filled with some trial and error. For
simple setups it often takes longer than a re-install.

If downtime isn't a major concern just back-up the important things
and re-install.

As others have mentioned, getting the list of installed packages is doable, and
even mentioned in the FAQ:

https://www.openbsd.org/faq/faq15.html#PkgDup

I hope this helps!

--
Mitch