Re: OAUTH TOTP

2024-04-29 Thread Martin Neitzel
PW> Apparently I need to "purchase an inexpensive OATH TOTP compatible
PW> token device."

Here's another "thumbs-up" for the pkg "oath-toolkit".

I drive its oathtool(1) with a simple, rwx-- shell wrapper which
collects my personal seed secrets and tells me both the current and
upcoming TOTP, syncing on the HH:MM:{00,30} switch-overs.

(With an intentional off-by-one, cannot remember why I preferred
it that way, though.  The sample seeds below are not the real thing
-- no worries.)

Oh:  exit the loop with Ctrl-C.

Martin Neitzel


#!/bin/sh
# Pick a base32 TOTP seed by short option, or take a seed literally.
# (The seeds below are placeholders, not real ones.)

case "$1" in
-h*|-hzi)       secret=LDCKNdVBUJUWMCDBCDOKQSDLC ;;
-g*|-github)    secret=KMSXBBSPVOFBWCKX ;;
-m*|-microsoft) secret=sxok3dck8skxn9sx ;;
-o*|-oci)       secret="SLODCNCDJNCDJBDCJBDCJBSXNI" ;;
-*) echo "$1: no such option" 1>&2 ; exit 1 ;;
?*) secret=$1 ;;
"") echo "usage: $0 [ -h | -m | -g | -o |  ]"
    exit 1
    ;;
esac

trap "exit 0" INT

while true; do
    t=$(date +%S)
    date +"%T,  current & next token (changes on seconds :00 and :30):"
    # -b: the seed is base32; -w1: window of one, i.e. print the
    # current token and the next one.
    oathtool --totp -w1 -b "$secret"
    # gotcha!  $t may come as 08 or 09 which would be illegal octal
    # numbers -- so we need to nuke a leading "0".  The extra "1 +"
    # makes the wake-up land one second after the :00/:30 switch-over.
    sleep $(( 1 + 30 - (${t#0} % 30) ))
done


Re: OAUTH TOTP

2024-04-29 Thread Greg Troxel
Staffan Thomen  writes:

> It used to be that google authenticator didn't automatically back up
> your secrets, so you had to be very careful to copy them over when you
> got a new phone and if your old phone was unusable you were hosed.

> This has since been fixed, and it will back them up to the google
> cloud like any other app's private data.

As long as it's e2e so google can't read it, that's ok.


> I will leave any tinfoiling about backing up secrets to the cloud unsaid.

I think you're joking, but it's not fair to call it tinfoiling.  Putting
TOTP seeds in the cloud where the cloud provider can read them is like a
password manager with cloud storage that does not encrypt the passwords.
Except 2fa is supposed to be better than passwords.  So that's just not
a reasonable thing to do.  Arguably, a password manager should also be
encrypting the URLs, not just the passwords, as the set of places at
which you have accounts is also sensitive.  I suspect there's a problem
with that too.

> AndOTP is an opensource alternative, and I will second a vote for
> KeePassXC in general.

Yes, there are other open source TOTP apps, and yes you need to pay
attention to backups.

Also, my understanding is that bitwarden will store seeds and do TOTP, I
think if you have a paid cloud account or if you are selfhosting
(vaultwarden) -- but I haven't tried it yet.


Re: ipv4_prefer

2024-04-29 Thread MLH
MLH wrote:
> Jonathan A. Kollasch wrote:
> > On Mon, Apr 29, 2024 at 02:16:13PM -0400, MLH wrote:
> > > ifconfig :
> > > re0: flags=0x8843 mtu 1500
> > > 
> > > capabilities=0x3f80
> > > capabilities=0x3f80
> > > enabled=0
> > > ec_capabilities=0x3
> > > ec_enabled=0
> > > address: (xx:xx:xx:xx:xx:xx)
> > > media: Ethernet autoselect (1000baseT full-duplex)
> > > status: active
> > > inet6 (fe80:::::xx%re0/64) flags 0 scopeid 0x1
> > > inet6 ::1000/128 flags 0
> > 
> > Has "::1000/128" been redacted?  Because it looks bogus if it isn't.
> 
> No. I didn't change that.
> 
> I am using dhcpcd and maybe that isn't getting set up correctly
> but --inform6 just returns with "sending commands to dhcpcd
> process/send OK" and nothing else.  I will try '--waitip=6' to
> dhcpcd commands and see what happens there.

Same :
inet6 fe80:: (redacted but looks good)
inet6 ::1000/128 flags 0

dhcpcd issued a bunch of ipv6 stuff on startup that indicated all
was fine but it didn't go into dmesg or a logfile that I can find
and it appeared to wait a bit until an ipv6 addr was satisfied.



Re: ipv4_prefer

2024-04-29 Thread MLH
Jonathan A. Kollasch wrote:
> On Mon, Apr 29, 2024 at 02:16:13PM -0400, MLH wrote:
> > ifconfig :
> > re0: flags=0x8843 mtu 1500
> > 
> > capabilities=0x3f80
> > capabilities=0x3f80
> > enabled=0
> > ec_capabilities=0x3
> > ec_enabled=0
> > address: (xx:xx:xx:xx:xx:xx)
> > media: Ethernet autoselect (1000baseT full-duplex)
> > status: active
> > inet6 (fe80:::::xx%re0/64) flags 0 scopeid 0x1
> > inet6 ::1000/128 flags 0
> 
> Has "::1000/128" been redacted?  Because it looks bogus if it isn't.

No. I didn't change that.

I am using dhcpcd and maybe that isn't getting set up correctly
but --inform6 just returns with "sending commands to dhcpcd
process/send OK" and nothing else.  I will try '--waitip=6' to
dhcpcd commands and see what happens there.

The router is set up for dhcpv6 and appears to be working.

Thanks


Re: ipv4_prefer

2024-04-29 Thread Jonathan A. Kollasch
On Mon, Apr 29, 2024 at 02:16:13PM -0400, MLH wrote:
> ifconfig :
> re0: flags=0x8843 mtu 1500
> 
> capabilities=0x3f80
> capabilities=0x3f80
> enabled=0
> ec_capabilities=0x3
> ec_enabled=0
> address: (xx:xx:xx:xx:xx:xx)
> media: Ethernet autoselect (1000baseT full-duplex)
> status: active
> inet6 (fe80:::::xx%re0/64) flags 0 scopeid 0x1
> inet6 ::1000/128 flags 0

Has "::1000/128" been redacted?  Because it looks bogus if it isn't.

> inet 192.168.0.5/24 broadcast 192.168.0.255 flags 0
> lo0: flags=0x8049 mtu 33624
> status: active
> inet6 ::1/128 flags 0x20
> inet6 fe80::1%lo0/64 flags 0 scopeid 0x2
> inet 127.0.0.1/8 flags 0
> 
> Thanks
> 


Re: ipv4_prefer

2024-04-29 Thread MLH
beaker wrote:
> Lucifer  wrote:
> > On Sun, Apr 28, 2024, 5:16 PM beaker  wrote:
> >
> > > m...@goathill.org (MLH) wrote:
> > >
> > > > It appears that some of the pkgsrc distfiles now are only available
> > > > via ipv6 servers but how do you set ipv4_prefer mode so ipv6 attempts
> > > > don't prevent normal ipv4 operation?
> > > >
> > > > setting
> > > > ip6addrctl_policy="ipv4_prefer"
> > > >
> > > > in rc.conf doesn't change to normal ipv4 mode first as the
> > > > documentation (and other references) appear to claim.
> > >
> > > Try setting "ip6addrctl=YES" as well.
> > >
> > What is ip6addrctl?
> 
> It's mentioned in rc.conf(5):
> 
>  "ip6addrctlBoolean value.  Fine grain control of address and
> routing priorities."
> 
> I *think* it's akin to having to enable cruise control before you
> can set a particular speed preference.

Thanks. My router had showed it was connected but apparently not
all was working. Now ipv4 works fine but ipv6 still doesn't appear
to be working correctly. (And still many of the *current* pkgsrc
distfiles are not found on netbsd distfiles sites)

rc.conf:
ip6addrctl=YES
ip6addrctl_policy='ipv4_prefer'
ip6mode='autohost'   # I think... dhcp router is assigning the ipv6 addr and they agree

ifconfig :
re0: flags=0x8843 mtu 1500
capabilities=0x3f80
capabilities=0x3f80
enabled=0
ec_capabilities=0x3
ec_enabled=0
address: (xx:xx:xx:xx:xx:xx)
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 (fe80:::::xx%re0/64) flags 0 scopeid 0x1
inet6 ::1000/128 flags 0
inet 192.168.0.5/24 broadcast 192.168.0.255 flags 0
lo0: flags=0x8049 mtu 33624
status: active
inet6 ::1/128 flags 0x20
inet6 fe80::1%lo0/64 flags 0 scopeid 0x2
inet 127.0.0.1/8 flags 0

Thanks



Re: OAUTH TOTP

2024-04-29 Thread Greg Troxel
Benny Siegert  writes:

> The cheapest way to have TOTP is to install Google Authenticator on
> your phone.

Be careful when you choose a TOTP program that you are able to back up
the seeds yourself, and that the program does not send the seeds to the
cloud not adequately protected in the name of cross-device syncing.
Last I heard Google Authenticator was not ok, but maybe that has changed
and it is now impossible to sync without e2e encryption inaccessible to
google.

> Hopefully, you can use proper Security Keys too (WebAuthn and
> whatnot), in which case I highly recommend a Yubikey.

I also recommend yubikeys.


Re: OAUTH TOTP

2024-04-29 Thread Rhialto
On Mon 29 Apr 2024 at 18:04:23 +0100, Patrick Welche wrote:
> Apparently I need to "purchase an inexpensive OATH TOTP compatible
> token device."

Pkgsrc has as options at least security/keepassxc (big but secure (at
least it pretends to be)) and security/2fa (small but totally
insecure) (but in go, so add overhead of go compiler if you didn't have
it installed yet).

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert
\X/ There is no AI. There is just someone else's work.   --I. Rose




Re: OAUTH TOTP

2024-04-29 Thread atomicules
On 29 April 2024 18:04:23 BST, Patrick Welche  wrote:
>Apparently I need to "purchase an inexpensive OATH TOTP compatible
>token device."
>
>$ wtf oath
>wtf: I don't know what `oath' means!
>$ wtf totp
>TOTP: time-based one time password
>
>Any suggestions on something that works on NetBSD/amd64?
>
>
>Cheers,
>
>Patrick

I've used oath-toolkit before when I needed a cli based tool. That's in Pkgsrc.

Re: OAUTH TOTP

2024-04-29 Thread Benny Siegert

On 29.04.24 at 19:04, Patrick Welche wrote:

> Apparently I need to "purchase an inexpensive OATH TOTP compatible
> token device."
>
> $ wtf oath
> wtf: I don't know what `oath' means!

That's because it's OAuth, not oath :)
https://datatracker.ietf.org/doc/html/rfc6749

> $ wtf totp
> TOTP: time-based one time password


The cheapest way to have TOTP is to install Google Authenticator on your 
phone.


Hopefully, you can use proper Security Keys too (WebAuthn and whatnot), 
in which case I highly recommend a Yubikey.


--
Benny



Re: OAUTH TOTP

2024-04-29 Thread Martin Husemann
On Mon, Apr 29, 2024 at 06:04:23PM +0100, Patrick Welche wrote:
> Apparently I need to "purchase an inexpensive OATH TOTP compatible
> token device."
> 
> $ wtf oath
> wtf: I don't know what `oath' means!
> $ wtf totp
> TOTP: time-based one time password
> 
> Any suggestions on something that works on NetBSD/amd64?

There is simple python code available that does it, if you only have one
site that needs it and can guarantee security for your local scripts
you can do something very simple like:

--8<--
#!/usr/bin/env python3.10

# Print the current TOTP for one site.  The seed is the base32 string
# shown when enrolling an "authenticator" with the web site.
import os
import sys

# Use a locally unpacked pyotp instead of an installed one.
sys.path.insert(0, os.path.join(os.path.dirname(__file__),
                                '../TOTP/pyotp-2.6.0/src'))
import pyotp  # noqa

print(pyotp.TOTP('YOUR_SECRET_CODE_HERE').now())
-->8--

(importing the local pyotp lib is a historic artifact, I should clean it up)

When "registering" the device with your web site you will be shown a QR
code typically, or often can get one after selecting "something else, not
Google or MS authenticator", sometimes with the cleartext code shown
that you add in above script instead of YOUR_SECRET_CODE_HERE.

If only a QR code is shown, point your mobile camera at it and copy the
URL, it contains the code and you can manually extract it.

All of TOTP is a mangling of the current time + the pre-shared secret.

I think there are several more "password manager" like python
applications in pkgsrc, but for me the simple single-target python
script was most convenient for now (I avoid TOTP where possible, preferring
WebAuthn with a yubikey whenever supported).

Martin


OAUTH TOTP

2024-04-29 Thread Patrick Welche
Apparently I need to "purchase an inexpensive OATH TOTP compatible
token device."

$ wtf oath
wtf: I don't know what `oath' means!
$ wtf totp
TOTP: time-based one time password

Any suggestions on something that works on NetBSD/amd64?


Cheers,

Patrick


Re: ipv4_prefer

2024-04-29 Thread beaker
Lucifer  wrote:
> On Sun, Apr 28, 2024, 5:16 PM beaker  wrote:
>
> > m...@goathill.org (MLH) wrote:
> >
> > > It appears that some of the pkgsrc distfiles now are only available
> > > via ipv6 servers but how do you set ipv4_prefer mode so ipv6 attempts
> > > don't prevent normal ipv4 operation?
> > >
> > > setting
> > > ip6addrctl_policy="ipv4_prefer"
> > >
> > > in rc.conf doesn't change to normal ipv4 mode first as the
> > > documentation (and other references) appear to claim.
> >
> > Try setting "ip6addrctl=YES" as well.
> >
> What is ip6addrctl?

It's mentioned in rc.conf(5):

 "ip6addrctlBoolean value.  Fine grain control of address and
routing priorities."

I *think* it's akin to having to enable cruise control before you
can set a particular speed preference.

-B


NetBSD 10 RFE (ramdisk-cgdroot.fs in boot.cfg)

2024-04-29 Thread Arvind
Hi friends, hoping someone might be able to help or point in the right 
direction. We have a NetBSD 10 machine that requires Root Filesystem Encryption 
(unlock using passphrase) during boot. The man pages are out of date and 
unfortunately not helpful (https://wiki.netbsd.org/security/cgdroot/).

We are using UEFI/GPT. We have a boot partition but also another user defined 
partition (/backups) that is not encrypted.

Once configured, would also like to add remote ssh unlock using something like 
Dropbear. This is the equivalent on the Linux platform(s): 
https://www.cyberciti.biz/security/how-to-unlock-luks-using-dropbear-ssh-keys-remotely-in-linux

-Arvind