Re: OAUTH TOTP
PW> Apparently I need to "purchase an inexpensive OATH TOTP compatible
PW> token device."

Here's another "thumbs-up" for the pkg "oath-toolkit".

I drive its oathtool(1) with a simple, rwx-- shell wrapper which
collects my personal seed secrets and tells me both the current and
upcoming TOTP, syncing on the HH:MM:{00,30} switch-overs. (With an
intentional off-by-one, cannot remember why I preferred it that way,
though. The sample seeds below are not the real thing -- no worries.)

Oh: exit the loop with Ctrl-C.

Martin Neitzel

#!/bin/sh

case "$1" in
-h*|-hzi)	secret=LDCKNdVBUJUWMCDBCDOKQSDLC ;;
-g*|-github)	secret=KMSXBBSPVOFBWCKX ;;
-m*|-microsoft)	secret=sxok3dck8skxn9sx ;;
-o*|-oci)	secret="SLODCNCDJNCDJBDCJBDCJBSXNI" ;;
-*)		echo "$1: no such option" 1>&2 ; exit 1 ;;
?*)		secret=$1 ;;
"")		echo "usage: $0 [ -h | -m | -g | -o | ]"
		exit 1 ;;
esac

trap "exit 0" INT

while true; do
	t=`date +%S`
	date +"%T, current & next token (changes on seconds :00 and :30):"
	oathtool --totp -w1 -b $secret
	# gotcha! $t may come as 08 or 09 which would be illegal octal
	# numbers -- so we need to nuke a leading "0":
	sleep $(( 1 + 30 - (${t#0} % 30) ))
done
Re: OAUTH TOTP
Staffan Thomen writes:

> It used to be that google authenticator didn't automatically back up
> your secrets, so you had to be very careful to copy them over when you
> got a new phone and if your old phone was unusable you were hosed.
> This has since been fixed, and it will back them up to the google
> cloud like any other app's private data.

As long as it's e2e so google can't read it, that's ok.

> I will leave any tinfoiling about backing up secrets to the cloud unsaid.

I think you're joking, but it's not fair to call it tinfoiling.

Putting TOTP seeds in the cloud where the cloud provider can read them
is like a password manager with cloud storage that does not encrypt
the passwords. Except 2fa is supposed to be better than passwords. So
that's just not a reasonable thing to do.

Arguably, a password manager should also be encrypting the URLs, not
just the passwords, as the set of places at which you have accounts is
also sensitive. I suspect there's a problem with that too.

> AndOTP is an opensource alternative, and I will second a vote for
> KeePassXC in general.

Yes, there are other open source TOTP apps, and yes you need to pay
attention to backups.

Also, my understanding is that bitwarden will store seeds and do TOTP,
I think if you have a paid cloud account or if you are self-hosting
(vaultwarden) -- but I haven't tried it yet.
Re: ipv4_prefer
MLH wrote:
> Jonathan A. Kollasch wrote:
> > On Mon, Apr 29, 2024 at 02:16:13PM -0400, MLH wrote:
> > > ifconfig :
> > > re0: flags=0x8843 mtu 1500
> > >
> > > 	capabilities=0x3f80
> > > 	capabilities=0x3f80
> > > 	enabled=0
> > > 	ec_capabilities=0x3
> > > 	ec_enabled=0
> > > 	address: (xx:xx:xx:xx:xx:xx)
> > > 	media: Ethernet autoselect (1000baseT full-duplex)
> > > 	status: active
> > > 	inet6 (fe80:::::xx%re0/64) flags 0 scopeid 0x1
> > > 	inet6 ::1000/128 flags 0
> >
> > Has "::1000/128" been redacted? Because it looks bogus if it isn't.
>
> No. I didn't change that.
>
> I am using dhcpcd and maybe that isn't getting set up correctly
> but --inform6 just returns with "sending commands to dhcpcd
> process/send OK" and nothing else. I will try '--waitip=6' to
> dhcpcd commands and see what happens there.

Same :

	inet6 fe80:: (redacted but looks good)
	inet6 ::1000/128 flags 0

dhcpcd issued a bunch of ipv6 stuff on startup that indicated all was
fine but it didn't go into dmesg or a logfile that I can find and it
appeared to wait a bit until an ipv6 addr was satisfied.
Re: ipv4_prefer
Jonathan A. Kollasch wrote:
> On Mon, Apr 29, 2024 at 02:16:13PM -0400, MLH wrote:
> > ifconfig :
> > re0: flags=0x8843 mtu 1500
> >
> > 	capabilities=0x3f80
> > 	capabilities=0x3f80
> > 	enabled=0
> > 	ec_capabilities=0x3
> > 	ec_enabled=0
> > 	address: (xx:xx:xx:xx:xx:xx)
> > 	media: Ethernet autoselect (1000baseT full-duplex)
> > 	status: active
> > 	inet6 (fe80:::::xx%re0/64) flags 0 scopeid 0x1
> > 	inet6 ::1000/128 flags 0
>
> Has "::1000/128" been redacted? Because it looks bogus if it isn't.

No. I didn't change that.

I am using dhcpcd and maybe that isn't getting set up correctly
but --inform6 just returns with "sending commands to dhcpcd
process/send OK" and nothing else. I will try '--waitip=6' to
dhcpcd commands and see what happens there.

The router is set up for dhcpv6 and appears to be working.

Thanks
Re: ipv4_prefer
On Mon, Apr 29, 2024 at 02:16:13PM -0400, MLH wrote:
> ifconfig :
> re0: flags=0x8843 mtu 1500
>
> 	capabilities=0x3f80
> 	capabilities=0x3f80
> 	enabled=0
> 	ec_capabilities=0x3
> 	ec_enabled=0
> 	address: (xx:xx:xx:xx:xx:xx)
> 	media: Ethernet autoselect (1000baseT full-duplex)
> 	status: active
> 	inet6 (fe80:::::xx%re0/64) flags 0 scopeid 0x1
> 	inet6 ::1000/128 flags 0

Has "::1000/128" been redacted? Because it looks bogus if it isn't.

> 	inet 192.168.0.5/24 broadcast 192.168.0.255 flags 0
> lo0: flags=0x8049 mtu 33624
> 	status: active
> 	inet6 ::1/128 flags 0x20
> 	inet6 fe80::1%lo0/64 flags 0 scopeid 0x2
> 	inet 127.0.0.1/8 flags 0
>
> Thanks
>
Re: ipv4_prefer
beaker wrote:
> Lucifer wrote:
> > On Sun, Apr 28, 2024, 5:16 PM beaker wrote:
> >
> > > m...@goathill.org (MLH) wrote:
> > >
> > > > It appears that some of the pkgsrc distfiles now are only available
> > > > via ipv6 servers but how do you set ipv4_prefer mode so ipv6 attempts
> > > > don't prevent normal ipv4 operation?
> > > >
> > > > setting
> > > > ip6addrctl_policy="ipv4_prefer"
> > > >
> > > > in rc.conf doesn't change to normal ipv4 mode first as the
> > > > documentation (and other references) appear to claim.
> > >
> > > Try setting "ip6addrctl=YES" as well.
> >
> > What is ip6addrctl?
>
> It's mentioned in rc.conf(5):
>
> "ip6addrctl	Boolean value. Fine grain control of address and
> routing priorities."
>
> I *think* it's akin to having to enable cruise control before you
> can set a particular speed preference.

Thanks. My router had showed it was connected but apparently not all
was working. Now ipv4 works fine but ipv6 still doesn't appear to be
working correctly.

(And still many of the *current* pkgsrc distfiles are not found on
netbsd distfiles sites)

rc.conf:

ip6addrctl=YES
ip6addrctl_policy='ipv4_prefer'
ip6mode='autohost'	# I think... dhcp router is assigning the ipv6 addr and they agree

ifconfig :

re0: flags=0x8843 mtu 1500
	capabilities=0x3f80
	capabilities=0x3f80
	enabled=0
	ec_capabilities=0x3
	ec_enabled=0
	address: (xx:xx:xx:xx:xx:xx)
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active
	inet6 (fe80:::::xx%re0/64) flags 0 scopeid 0x1
	inet6 ::1000/128 flags 0
	inet 192.168.0.5/24 broadcast 192.168.0.255 flags 0
lo0: flags=0x8049 mtu 33624
	status: active
	inet6 ::1/128 flags 0x20
	inet6 fe80::1%lo0/64 flags 0 scopeid 0x2
	inet 127.0.0.1/8 flags 0

Thanks
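What the ip6addrctl policy table actually changes is the precedence (and label) each candidate address gets under RFC 6724 address selection. The following is an added illustration, not NetBSD's ip6addrctl or rc.d code: it holds the RFC 6724 default policy table and an ipv4_prefer variant that raises the IPv4-mapped prefix ::ffff:0:0/96 to precedence 100 (the value the BSD rc.d scripts use for ipv4_prefer, assumed here rather than taken from this thread), applies only the precedence rule (rule 6) of destination ordering, and classifies a few constructed addresses. It also shows where the ::1000/128 address from the ifconfig output above lands: under the deprecated IPv4-compatible prefix ::/96 with precedence 1, which is why it looks bogus.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table as (prefix, precedence, label).
# Added illustration; not copied from any NetBSD source file.
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),   # IPv4-mapped: IPv4 destinations land here
    ("2002::/16", 30, 2),       # 6to4
    ("2001::/32", 5, 5),        # Teredo
    ("fc00::/7", 3, 13),        # ULA
    ("::/96", 1, 3),            # deprecated IPv4-compatible, e.g. ::1000
    ("fec0::/10", 1, 11),       # deprecated site-local
    ("3ffe::/16", 1, 12),       # 6bone
]

# Assumed ipv4_prefer variant: the IPv4-mapped prefix outranks everything,
# so IPv4 destinations are tried before any IPv6 destination.
IPV4_PREFER_POLICY = [
    (prefix, 100 if prefix == "::ffff:0:0/96" else prec, label)
    for prefix, prec, label in DEFAULT_POLICY
]


def to_v6(addr: str) -> ipaddress.IPv6Address:
    """Represent an IPv4 destination as an IPv4-mapped IPv6 address (RFC 6724 2.1)."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return ipaddress.IPv6Address(f"::ffff:{a}")
    return a


def lookup(addr: str, policy) -> tuple:
    """Longest-prefix match of addr against the policy table -> (precedence, label)."""
    a = to_v6(addr)
    best = None
    for prefix, prec, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, label)
    return best[1], best[2]


def order_destinations(addrs, policy):
    """Rule 6 of RFC 6724 destination ordering only: higher precedence first.
    The other rules (scope, reachability, matching labels, ...) are omitted,
    so this shows what the policy table contributes, not the whole algorithm."""
    return sorted(addrs, key=lambda d: -lookup(d, policy)[0])


if __name__ == "__main__":
    # Constructed candidates: a documentation-prefix IPv6 host, the LAN IPv4
    # address from the ifconfig output, and the odd ::1000 address.
    candidates = ["2001:db8::1", "192.168.0.5", "::1000"]
    for name, table in (("default", DEFAULT_POLICY), ("ipv4_prefer", IPV4_PREFER_POLICY)):
        print(name, [(c, lookup(c, table)) for c in candidates])
        print("  try in order:", order_destinations(candidates, table))
```

Under the default table the 2001:db8 destination (precedence 40) is tried before 192.168.0.5 (35); with ipv4_prefer the IPv4 destination (100) comes first, which is the behaviour the rc.conf setting is meant to produce once the ip6addrctl rc.d script actually installs the table.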
Re: OAUTH TOTP
Benny Siegert writes:

> The cheapest way to have TOTP is to install Google Authenticator on
> your phone.

Be careful when you choose a TOTP program that you are able to back up
the seeds yourself, and that the program does not send the seeds to
the cloud not adequately protected in the name of cross-device
syncing. Last I heard Google Authenticator was not ok, but maybe that
has changed and it is now impossible to sync without e2e encryption
inaccessible to google.

> Hopefully, you can use proper Security Keys too (WebAuthn and
> whatnot), in which case I highly recommend a Yubikey.

I also recommend yubikeys.
Re: OAUTH TOTP
On Mon 29 Apr 2024 at 18:04:23 +0100, Patrick Welche wrote:
> Apparently I need to "purchase an inexpensive OATH TOTP compatible
> token device."

Pkgsrc has as options at least security/keepassxc (big but secure (at
least it pretends to be)) and security/2fa (small but totally
insecure) (but in go, so add overhead of go compiler if you didn't
have it installed yet).

-Olaf.
--
___ Olaf 'Rhialto' Seibert
\X/ There is no AI. There is just someone else's work. --I. Rose
Re: OAUTH TOTP
On 29 April 2024 18:04:23 BST, Patrick Welche wrote:
>Apparently I need to "purchase an inexpensive OATH TOTP compatible
>token device."
>
>$ wtf oath
>wtf: I don't know what `oath' means!
>$ wtf totp
>TOTP: time-based one time password
>
>Any suggestions on something that works on NetBSD/amd64?
>
>
>Cheers,
>
>Patrick

I've used oath-toolkit before when I needed a cli based tool. That's
in Pkgsrc.
Re: OAUTH TOTP
On 29.04.24 at 19:04, Patrick Welche wrote:
> Apparently I need to "purchase an inexpensive OATH TOTP compatible
> token device."
>
> $ wtf oath
> wtf: I don't know what `oath' means!

That's because it's OAuth, not oath :)

https://datatracker.ietf.org/doc/html/rfc6749

> $ wtf totp
> TOTP: time-based one time password

The cheapest way to have TOTP is to install Google Authenticator on
your phone.

Hopefully, you can use proper Security Keys too (WebAuthn and
whatnot), in which case I highly recommend a Yubikey.

--
Benny
Re: OAUTH TOTP
On Mon, Apr 29, 2024 at 06:04:23PM +0100, Patrick Welche wrote:
> Apparently I need to "purchase an inexpensive OATH TOTP compatible
> token device."
>
> $ wtf oath
> wtf: I don't know what `oath' means!
> $ wtf totp
> TOTP: time-based one time password
>
> Any suggestions on something that works on NetBSD/amd64?

There is simple python code available that does it, if you only have
one site that needs it and can guarantee security for your local
scripts you can do something very simple like:

--8<--
#!/usr/bin/env python3.10
import os
import sys

# Historic artifact: import pyotp from a local checkout next to this
# script instead of the installed package.
sys.path.insert(0, os.path.join(os.path.dirname(__file__), '../TOTP/pyotp-2.6.0/src'))
import pyotp  # noqa

# Print the current 30-second code for the base32 seed shown at enrolment.
print(pyotp.TOTP('YOUR_SECRET_CODE_HERE').now())
-->8--

(importing the local pyotp lib is a historic artifact, I should clean
it up)

When "registering" the device with your web site you will be shown a
QR code typically, or often can get one after selecting "something
else, not Google or MS authenticator", sometimes with the cleartext
code shown that you add in above script instead of
YOUR_SECRET_CODE_HERE. If only a QR code is shown, point your mobile
camera at it and copy the URL, it contains the code and you can
manually extract it.

All of TOTP is a mangling of the current time + the pre-shared secret.

I think there are several more "password manager" like python
applications in pkgsrc, but for me the simple single-target python
script was most convenient for now (I avoid TOTP where possible,
preferring WebAuthN with a yubikey whenever supported).

Martin
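To make "a mangling of the current time + the pre-shared secret" concrete, here is an added example in plain Python with no third-party library; it is not Martin's script, not pyotp's code, and not Martin Neitzel's oathtool wrapper earlier in the thread, though it reproduces what both of those do. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly over hmac/hashlib, pulls the secret, digits, period and algorithm out of an otpauth://totp/... URL of the kind a QR code carries (the URL below is constructed, and its seed is the RFC 4226 test key "12345678901234567890" in base32, not a real account), and, like the oathtool -w1 loop, reports the current code, the next one, and the seconds left in the window. Constructed inputs and hypothetical function names are marked in the comments.

```python
import base64
import hashlib
import hmac
import struct
import sys
import time
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions allowed by the otpauth "algorithm" parameter.
_ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step, digits, algo)


def decode_base32_secret(text: str) -> bytes:
    """Enrolment pages show unpadded, often lower-case or spaced base32; normalise it."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore the padding b32decode insists on
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> dict:
    """Extract the parameters of an otpauth://totp/<label>?secret=...&... URI.
    Hypothetical helper name; the URI format itself is the one authenticator apps read."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI carries no secret parameter")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def code_from_uri(uri: str, now=None) -> str:
    """Current code for an enrolment URI, honouring its digits/period/algorithm."""
    p = parse_otpauth(uri)
    now = int(time.time()) if now is None else int(now)
    return totp(decode_base32_secret(p["secret"]), now, p["period"], p["digits"], _ALGOS[p["algorithm"]])


def current_and_next(secret_b32: str, now=None, step: int = 30, digits: int = 6) -> tuple:
    """Like `oathtool --totp -w1`: (current code, next code, seconds left in window).
    Python ints have no leading-zero octal pitfall, unlike $(( )) in sh."""
    now = int(time.time()) if now is None else int(now)
    key = decode_base32_secret(secret_b32)
    remaining = step - (now % step)
    return totp(key, now, step, digits), totp(key, now + step, step, digits), remaining


# Constructed enrolment URI; the seed is the RFC 4226 test key, not a real account.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

if __name__ == "__main__":
    seed = sys.argv[1] if len(sys.argv) > 1 else parse_otpauth(SAMPLE_URI)["secret"]
    cur, nxt, left = current_and_next(seed)
    print(f"current {cur}, next {nxt}, {left}s left in this window")
```

The RFC 6238 test vectors are a quick sanity check for any home-grown implementation: with that seed, SHA-1 and 8 digits, the code at Unix time 59 must be 94287082, and the 6-digit HOTP codes for counters 0, 1 and 2 are 755224, 287082 and 359152. Note that the seed in the URI is the credential itself: a script holding it needs the same file permissions Martin Neitzel gives his wrapper, and the otpauth URL copied from a QR code should not be left in shell history or a screenshot.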
OAUTH TOTP
Apparently I need to "purchase an inexpensive OATH TOTP compatible
token device."

$ wtf oath
wtf: I don't know what `oath' means!
$ wtf totp
TOTP: time-based one time password

Any suggestions on something that works on NetBSD/amd64?


Cheers,

Patrick
Re: ipv4_prefer
Lucifer wrote:
> On Sun, Apr 28, 2024, 5:16 PM beaker wrote:
>
> > m...@goathill.org (MLH) wrote:
> >
> > > It appears that some of the pkgsrc distfiles now are only available
> > > via ipv6 servers but how do you set ipv4_prefer mode so ipv6 attempts
> > > don't prevent normal ipv4 operation?
> > >
> > > setting
> > > ip6addrctl_policy="ipv4_prefer"
> > >
> > > in rc.conf doesn't change to normal ipv4 mode first as the
> > > documentation (and other references) appear to claim.
> >
> > Try setting "ip6addrctl=YES" as well.
>
> What is ip6addrctl?

It's mentioned in rc.conf(5):

"ip6addrctl	Boolean value. Fine grain control of address and
routing priorities."

I *think* it's akin to having to enable cruise control before you
can set a particular speed preference.

-B
NetBSD 10 RFE (ramdisk-cgdroot.fs in boot.cfg)
Hi friends, hoping someone might be able to help or point in the right
direction.

We have a NetBSD 10 machine that requires Root Filesystem Encryption
(unlock using passphrase) during boot. The man pages are out of date
and unfortunately not helpful (https://wiki.netbsd.org/security/cgdroot/).

We are using UEFI/GPT. We have a boot partition but also another user
defined partition (/backups) that is not encrypted.

Once configured, would also like to add remote ssh unlock using
something like Dropbear. This is the equivalent on the Linux
platform(s):
https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux

-Arvind