Re: bioctl, encryption, and keydisk

2018-05-04 Thread Etienne

On 04/05/18 17:40, Marcus MERIGHI wrote:


> I'm currently reading https://marc.info/?l=openbsd-misc=141435482820277
> "crypto softraid and keydisk on same harddrive", 2014-10-26.
>
> jsing@ had this patch, which was tested and worked for the OP - but was
> not committed: https://marc.info/?l=openbsd-misc=141450636905550



Nice! Thanks for that, I'll try.

--
Étienne



Re: bioctl, encryption, and keydisk

2018-05-04 Thread Marcus MERIGHI
etienne.m...@magickarpet.org (Etienne), 2018.05.04 (Fri) 14:03 (CEST):
> Hello list,
> 
> What I'm going to describe will most probably sound very silly, but I
> believe I have a reasonable use case. I'm trying to set up a machine with
> full disk encryption using a partition of the same disk as a keydisk. (take
> all the time you want to laugh, then carry on reading).
> 
> So I'm creating two RAID partitions "a" and "p", then run:
> 
> bioctl -c C -l sd0a -k sd0p softraid0
> 
> and this succeeds. I'm then proceeding to a normal installation on sd1, then
> reboot, and I'm greeted with the message `ERR M`.
> 
> I have tried this with the p partition at the beginning or at the end of the
> disk, tried to change sizes,... no effect. I'm wondering if what I'm trying
> is actually supported? Any idea?
> 
> 
> For those who wonder, my use case is installing 100+ virtual machines in the
> cloud with full disk encryption, rebooting them, and using rc.firsttime to
> overwrite the key so if the machine is powered down, it can't be booted
> anymore. I'm also aware that this is still vulnerable to an attack from
> someone who's in control of the host machine.

I'm currently reading https://marc.info/?l=openbsd-misc=141435482820277
"crypto softraid and keydisk on same harddrive", 2014-10-26. 

jsing@ had this patch, which was tested and worked for the OP - but was
not committed: https://marc.info/?l=openbsd-misc=141450636905550

Index: i386_softraid.c
===
RCS file: /cvs/src/usr.sbin/installboot/i386_softraid.c,v
retrieving revision 1.2
diff -u -p -r1.2 i386_softraid.c
--- i386_softraid.c 9 Jun 2014 13:13:48 -   1.2
+++ i386_softraid.c 28 Oct 2014 14:21:27 -
@@ -42,6 +42,7 @@ void  sr_install_bootldr(int, char *);
 void
 sr_install_bootblk(int devfd, int vol, int disk)
 {
+   struct bioc_vol bv;
struct bioc_disk bd;
struct disklabel dl;
struct partition *pp;
@@ -56,6 +57,15 @@ sr_install_bootblk(int devfd, int vol, i
bd.bd_diskid = disk;
if (ioctl(devfd, BIOCDISK, ) == -1)
err(1, "BIOCDISK");
+
+   /* Skip CRYPTO key disks. */
+   /* XXX - pass volume in rather than volume ID. */
+   memset(, 0, sizeof(bv));
+   bv.bv_volid = vol;
+   if (ioctl(devfd, BIOCVOL, ) == -1)
+   err(1, "BIOCVOL");
+   if (bv.bv_level == 'C' && bd.bd_size == 0)
+   return;

/* Check disk status. */
if (bd.bd_status != BIOC_SDONLINE && bd.bd_status != BIOC_SDREBUILD) {
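
Review bot: In the second hunk, the key-disk test `bv.bv_level == 'C' && bd.bd_size == 0` recognises a key disk only by inference from a zero size, and the bare `return` that follows leaves no trace that a chunk was skipped. A short comment stating why a CRYPTO key disk reports `bd_size == 0` would make the condition easier to trust, and a diagnostic message on the skip path would help anyone chasing a boot failure like the `ERR M` reported in this thread. As the XXX comment already admits, BIOCVOL is issued again for every disk of the same volume; passing the volume into sr_install_bootblk() instead of the volume ID would avoid that. In this archived copy the pointer arguments to memset() and to both ioctl() calls are blank and the context lines have lost their indentation, so the patch should be taken from the linked original message rather than from this text.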


Marcus



Re: mail sign/encrypt

2018-05-04 Thread Tony Boston
On 05/03/18 10:30, Rudolf Sykora wrote:
> Hello misc,
> 
> I'd like to be able to optionally
> - sign my email,
> - encrypt the email.
> 
> I have a certificate in the .p12 form,
> containing my private key and two certificates,
> one of them mine.
> 
> I want to prepare mail locally, i.e. to use
> some simple locally installed MUA.
> 
> Is there a way with the default "mail" program,
> or do I have to install some more powerful MUA?
> 
> Thanks
> Ruda
> 

I'd suggest Thunderbird + Enigmail for that but that really depends on
what machine you're running on or if you want to go for CLI only

just my 2 cents

-- 
Tony

GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580





HTTPD and php-cgi

2018-05-04 Thread Duncan Patton a Campbell

I am looking for documentation on running php-cgi-5.6 under the bsd httpd
server.

From what I can tell, the function of php-fastcgi has been subsumed to
php-cgi-5.6, but further than that I can find little or no salient
documentation.  Any pointers would be appreciated.

Thanks,

Dhu

-- 
 I am Canadian. That is not French or English.
 It is a kind of savage: ne obliviscaris, vix ea nostra voco ;-)

http://babayaga.neotext.ca/PublicKeys/Duncan_Patton_a_Campbell_pubkey.txt



Re: Can SSH report successful connections to pf?

2018-05-04 Thread Tony Boston
On 05/05/18 00:16, Luke Small wrote:
> Can SSH and possibly other programs be more easily able to report successful
> connections so pf can make stricter bruteforce connection rejecting even
> better?
>

Hi,

could be just me but I didn't get what you want to achieve really.

Could you be more specific here?

-- 
Tony

GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580





Re: mail sign/encrypt

2018-05-04 Thread Stuart Longland
On 05/05/18 08:31, Tony Boston wrote:
> On 05/03/18 10:30, Rudolf Sykora wrote:
>> Hello misc,
>>
>> I'd like to be able to optionally
>> - sign my email,
>> - encrypt the email.
>>
>> I have a certificate in the .p12 form,
>> containing my private key and two certificates,
>> one of them mine.
>>
>> I want to prepare mail locally, i.e. to use
>> some simple locally installed MUA.
>>
>> Is there a way with the default "mail" program,
>> or do I have to install some more powerful MUA?
>>
>> Thanks
>> Ruda
>>
> 
> I'd suggest Thunderbird + Enigmail for that but that really depends on
> what machine you're running on or if you want to go for CLI only
> 
> just my 2 cents

It's also worth noting that this would encrypt/sign using the OpenPGP
standard.

The discussion of .p12 certificates makes me suspicious the author is
after S/MIME, which Thunderbird can do without any extensions.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.



Re: Can SSH report successful connections to pf?

2018-05-04 Thread Kapfhammer, Stefan

You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
for successful and unsuccessful logins and then add the unsuccessful logins
with pfctl to a blocked table. To have it permanent after a reboot you can write
with pfctl the blocked IPs to a file, which you re-read in a pf.conf ruleset.

Like
table  persist file "/etc/pf.bruteforce"
block in quick proto tcp from  to any

Stefan






From: owner-m...@openbsd.org on behalf of Luke Small
Sent: Saturday, 5 May 2018 00:16
To: openbsd-misc
Subject: Can SSH report successful connections to pf?

Can SSH and possibly other programs be more easily able to report successful
connections so pf can make stricter bruteforce connection rejecting even
better?
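
The authlog approach suggested in the reply above, as an added example that is not part of the original thread: it counts failed sshd logins per source address and leaves out any address that also has an accepted login, which is the "successful connection" signal the question asks about. The table name "bruteforce", the threshold, and the sample log lines are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes sshd lines of the form
# "... sshd[PID]: Failed|Accepted <method> for USER from IP port N ssh2".

THRESHOLD=${THRESHOLD:-3}   # failures needed before an address is listed

# Read authlog text on stdin; print, sorted, every source address with at
# least $THRESHOLD failed logins and no accepted login.
bruteforce_candidates() {
    awk -v min="$THRESHOLD" '
        / sshd\[[0-9]+\]: / {
            ip = ""
            # The address is the token between "from" and "port"; requiring
            # "port" keeps a user literally named "from" from confusing us.
            for (i = 1; i <= NF - 2; i++)
                if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
            if (ip == "") next
            if ($0 ~ /sshd\[[0-9]+\]: Accepted /) ok[ip] = 1
            else if ($0 ~ /sshd\[[0-9]+\]: Failed /) fail[ip]++
        }
        END {
            for (ip in fail)
                if (fail[ip] >= min && !(ip in ok)) print ip
        }' | sort
}

# Constructed sample input (documentation address ranges, invented hosts).
sample_authlog() {
    cat <<'EOF'
May  4 23:10:01 gw sshd[4101]: Failed password for root from 203.0.113.9 port 40122 ssh2
May  4 23:10:03 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
May  4 23:10:06 gw sshd[4107]: Failed password for invalid user from from 203.0.113.9 port 40150 ssh2
May  4 23:12:40 gw sshd[4120]: Failed password for alice from 198.51.100.7 port 51515 ssh2
May  4 23:12:44 gw sshd[4120]: Failed password for alice from 198.51.100.7 port 51515 ssh2
May  4 23:12:49 gw sshd[4120]: Failed password for alice from 198.51.100.7 port 51515 ssh2
May  4 23:12:55 gw sshd[4120]: Accepted password for alice from 198.51.100.7 port 51515 ssh2
May  4 23:20:00 gw sshd[4133]: Failed password for bob from 192.0.2.44 port 60001 ssh2
EOF
}

# On a real system (run as root; table name "bruteforce" is assumed):
#   { cat /var/log/authlog; zcat /var/log/authlog.[0-9].gz; } \
#       | bruteforce_candidates | xargs -r pfctl -t bruteforce -T add
#   pfctl -t bruteforce -T show > /etc/pf.bruteforce   # survive a reboot
```

With the sample input only 203.0.113.9 is listed; 198.51.100.7 has the same number of failures but ends in a successful login, so it is treated as a user who mistyped a password.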



Re: Can SSH report successful connections to pf?

2018-05-04 Thread IL Ka
If you want to open the gate for those who authenticated using ssh, you may
need authpf(8) (known as Authentication Gateway)
https://www.openbsd.org/faq/pf/authpf.html


Can SSH report successful connections to pf?

2018-05-04 Thread Luke Small
Can SSH and possibly other programs be more easily able to report successful
connections so pf can make stricter bruteforce connection rejecting even
better?


bioctl, encryption, and keydisk

2018-05-04 Thread Etienne

Hello list,

What I'm going to describe will most probably sound very silly, but I 
believe I have a reasonable use case. I'm trying to set up a machine with
full disk encryption using a partition of the same disk as a keydisk. 
(take all the time you want to laugh, then carry on reading).


So I'm creating two RAID partitions "a" and "p", then run:

bioctl -c C -l sd0a -k sd0p softraid0

and this succeeds. I'm then proceeding to a normal installation on sd1,
then reboot, and I'm greeted with the message `ERR M`.


I have tried this with the p partition at the beginning or at the end of 
the disk, tried to change sizes,... no effect. I'm wondering if what I'm 
trying is actually supported? Any idea?



For those who wonder, my use case is installing 100+ virtual machines in 
the cloud with full disk encryption, rebooting them, and using 
rc.firsttime to overwrite the key so if the machine is powered down, it 
can't be booted anymore. I'm also aware that this is still vulnerable to 
an attack from someone who's in control of the host machine.


--
Étienne



Re: Machine won't boot - softraid metadata version mismatch

2018-05-04 Thread Stuart Henderson
On 2018-05-03, Erling Westenvik  wrote:
> On Thu, May 03, 2018 at 10:51:12AM -0500, Brandon Tanner wrote:
>> I haven't posted here in years, and OpenBSD has been rock solid for a home
>> file server. However recently I somehow made the machine un-bootable and
>> I'm kicking myself for it now. I've tried to google my heart out to fix
>> this issue, but I doubt it is very common based on my searches.
>
> Don't panic.
>
>> My machine is OpenBSD 5.4, and has 2 x raid1 softraid with 4 disks, and a
>> 5th disc for the OS only.
>>
>> So I was wanting to try out the latest kernel to see if sysctl hw.sensors
>> would report my motherboard fan sensors since 5.4 does not, so I made a
>> bootable USB live-stick using 6.3, based on this article (
>> http://astro-gr.org/openbsd-live-usb-stick/) which says to prepare the
>> machine in QEMU and then dd it to a usb flash drive. I was able to boot the
>> USB stick fine, and run sysctl, and nope, my fan sensors are not there in
>> 6.3 either.
>>
>> Now, when I removed the stick and booted the old system (5.4), it now won't
>> boot. The complaint is that my softraid volumes have a metadata version
>> that is newer than it should be. I guess the live-USB stick actually
>> upgraded them somehow.
>
> Quoting https://www.openbsd.org/faq/upgrade60.html:
>
> "softraid(4) metadata version changed. The current softraid metadata
> version has been incremented as part of implementing support for sector
> sizes other than 512 bytes. Since on-disk metadata is automatically
> updated every time a softraid volume is mounted, once you mount a
> softraid volume on a new kernel (including bsd.rd) that volume will no
> longer be recognized by older kernels."
>
> As I see it, you have two options:
>
> 1. Upgrade your system to at least 6.0, carefully upgrading version by
>    version and following the steps for each upgrade guide:
>
>   5.4 -> 5.5
>   5.5 -> 5.6
>   5.6 -> 5.7
>   5.7 -> 5.8
>   5.8 -> 5.9
>   5.9 -> 6.0
>   6.0 -> 6.1
>   6.1 -> 6.2
>   6.2 -> 6.3
>
> 2. Do a fresh install of 6.3.
>
> I would go for option 1. It takes time but you'll learn a lot during the
> process, and in the end it may take you just as long to fine tune a
> fresh install.

There are multiple flag days in that upgrade process. Coming from 5.4,
unless it's a remote machine without console access, I would advise a
fresh install of 6.3 instead. (And even with console access, there are
some gotchas along the way). Upgrading step by step is a long slog.
You'll learn a lot from a fresh install approach too and I'd argue
those things are practically more useful.

I'd start with an install to a new main disk, with the other drives
unplugged for safety. Once it's installed and booted, connect the
softraid drives and you'll be able to mount them.

To figure out what needs transferring from the 5.4 install, it may
help to use find(1) to look for files newer than the base OS install
files, or compare a file listing (including timestamps) with one from
a fresh 5.4 install (maybe some variant of "find / -newer /some/file -ls").

If you don't have time for that, boot from a live USB or similar and
back up the softraid partition/s elsewhere (unless of course you already
have a backup). Then you could go back to 5.4, wipe and re-create the
softraid, then restore.

>> It looks like this person has a similar experience:
>> http://openbsd-archive.7691.n7.nabble.com/softraid-not-bootable-in-5-4-after-visiting-5-5-td253121.html#a253330

In that case it was not bootable but the metadata was still of the same
version. In your case running a post-6.0 version upgraded the metadata
making it unreadable by older versions. You won't be able to fix
your case just by using installboot/reattaching.




Re: Machine won't boot - softraid metadata version mismatch

2018-05-04 Thread Mark Carroll
On 04 May 2018, Stuart Henderson wrote:
(snip)
> I'd start with an install to a new main disk, with the other drives
> unplugged for safety. Once it's installed and booted, connect the
> softraid drives and you'll be able to mount them.
>
> To figure out what needs transferring from the 5.4 install, it may
> help to use find(1) to look for files newer than the base OS install
> files, or compare a file listing (including timestamps) with one from
> a fresh 5.4 install (maybe some variant of "find / -newer /some/file -ls").
(snip)

Further, I'd add: take good notes about what you needed to transfer or
otherwise adjust and why. Those notes may be enormously helpful for the
future where you need to quickly provision another fresh system
according to your needs.

-- Mark