Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Bryan Linton
On 2016-10-15 02:03:54, Joel Sing  wrote:
> 
> The number of rounds specified for bcrypt_pbkdf(3) is linear, not logarithmic 
> (unlike bcrypt(3)). That said, the processing required for each round is 
> significantly higher than that of pkcs5_pbkdf2(3) (using `bioctl -r auto -v` 
> will tell you how many rounds your machine will do in ~1s).
>  

Ah, good to know.  Thank you for the correction!

-- 
Bryan



Re: axen(4) usb ethernet problems

2016-10-14 Thread gwes

On 10/14/2016 03:35, Mark Carroll wrote:
> On 13 Oct 2016, Ilya Kaliman wrote:
>
>> I have a "Plugable USB 3.0 ethernet adapter" with ASIX AX88179
>> chipset. The device is successfully recognized by axen(4) driver but
>> behaves strangely. When I plug in the ethernet cable the ifconfig
>> axen0 status says active and the leds start blinking. But after a
>> second or two both leds turn off and status says: no carrier.
>> Re-plugging the cable has no effect. Re-plugging the adapter itself
>> brings it up again for a second or two.
>>
>> The device itself seems to be fine as it works in other OSes without
>> problems. I suspect it has to do with OpenBSD driver.
>
> I'm afraid that I can't offer any useful help but I can at least confirm
> the problem: I also have one of these devices (actually, maybe a couple)
> and see exactly the same issue with OpenBSD, at least with 5.9, I didn't
> try since with 6.0. At the time I chatted to a competent-seeming vendor
> guy and apparently they've seen the same problem at their end with
> OpenBSD and have no idea what the issue is. So, at least I can say:
> you're correct, it's probably indeed not just that you have a bad
> adapter. I don't know if any developers might like to have one of these
> mailed to them.
>
> -- Mark


I have this:
Oct 15 00:01:57 river /bsd: axe0 at uhub1
Oct 15 00:01:57 river /bsd:  port 3 configuration 1 interface 0 "Belkin Components F5D5055" rev 2.00/0.01 addr 6
Oct 15 00:01:57 river /bsd: axe0: AX88178, address 00:22:75:d7:1c:6d
Oct 15 00:01:57 river /bsd: ukphy0 at axe0 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI 0x00a0bc, model 0x0001


which had similar symptoms under 5.8. It seems to be usable under 5.9.

The FreeBSD driver definitely works. Porting it or adapting it without 
the data sheet looks difficult and comments in the FreeBSD driver say 
that there are undocumented problems. Haven't looked at Linux drivers. 
They have worked for several years.


One clue from looking at the drivers is that the physical interface 
number in the OpenBSD driver was fixed at 0 and it appears that other 
drivers searched for the active one.


geoff steckel



Re: what all touches the carp demote counter?

2016-10-14 Thread Paul B. Henson
On Fri, Oct 14, 2016 at 01:27:42PM -0700, Paul B. Henson wrote:
> Arg, I'm still having issues with the carp demote counter. I disabled
> ospfd for now, but something is still changing it. After a reboot
> without ospfd, the counter is changing between 0 and 1:

Ah, I tracked it down. I had configured another carp interface on the
new system which didn't yet have a corresponding interface on the old
system. I have the carp interfaces configured with explicit peer
addresses rather than using multicast, and evidently the inability to
send a packet to the peer was causing the other carp interface to
twiddle the global carp demote counter, which popped up once I cranked
up the carp log level:

Oct 14 15:21:48 lisa /bsd: carp: carp1 demoted group carp by -1 to 2 (< snderrors)
Oct 14 15:21:52 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:21:54 lisa /bsd: carp: carp1 demoted group carp by 1 to 3 (> snderrors)
Oct 14 15:21:55 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:22:14 lisa /bsd: carp: carp1 demoted group carp by -1 to 2 (< snderrors)
Oct 14 15:22:18 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:22:20 lisa /bsd: carp: carp1 demoted group carp by 1 to 3 (> snderrors)

It doesn't do this if I remove the carppeer and use the default multicast;
that's an unexpected side effect of configuring a carppeer that might be
worth documenting. A down carppeer on one interface can impact the
functionality of all carp interfaces on the system.
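
A log triage for the symptom described in this message, as an added example that is not part of the thread: it attributes changes of the group demote counter to the interface and reason named in the kernel messages, counts ip_output failures per interface, and flags flapping interfaces. The sample lines are copied from this post and from the earlier message in the thread; the function names, the 60-second window and the three-transition threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Kernel messages seen once the carp log level is raised.
DEMOTE = re.compile(
    r"carp: (?P<ifc>\S+) demoted group (?P<group>\S+) by (?P<delta>-?\d+)"
    r" to (?P<count>\d+) \([<>] (?P<reason>\w+)\)")
SENDFAIL = re.compile(r"(?P<ifc>carp\d+): ip_output failed: (?P<errno>\d+)")
TRANSITION = re.compile(r"(?P<ifc>carp\d+): state transition: \w+ -> \w+")

# Lines copied from the two posts in this thread.
SAMPLE = """\
Oct 14 13:17:17 lisa /bsd: carp0: state transition: BACKUP -> MASTER
Oct 14 13:17:23 lisa /bsd: carp0: state transition: MASTER -> BACKUP
Oct 14 13:17:43 lisa /bsd: carp0: state transition: BACKUP -> MASTER
Oct 14 13:17:49 lisa /bsd: carp0: state transition: MASTER -> BACKUP
Oct 14 13:18:08 lisa /bsd: carp0: state transition: BACKUP -> MASTER
Oct 14 15:21:48 lisa /bsd: carp: carp1 demoted group carp by -1 to 2 (< snderrors)
Oct 14 15:21:52 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:21:54 lisa /bsd: carp: carp1 demoted group carp by 1 to 3 (> snderrors)
Oct 14 15:21:55 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:22:14 lisa /bsd: carp: carp1 demoted group carp by -1 to 2 (< snderrors)
Oct 14 15:22:18 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:22:20 lisa /bsd: carp: carp1 demoted group carp by 1 to 3 (> snderrors)
""".splitlines()


def stamp(line, year=2016):
    """Parse the leading syslog timestamp; syslog omits the year, so one is assumed."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def analyze(lines, flap_window=60, flap_count=3):
    """Return who moved the demote counter, who failed to send, and who is flapping."""
    demoters = {}
    send_errors = defaultdict(Counter)
    transitions = defaultdict(list)
    for line in lines:
        if m := DEMOTE.search(line):
            d = demoters.setdefault(m["ifc"], {
                "group": m["group"], "changes": 0, "net": 0,
                "last_count": None, "reasons": set()})
            d["changes"] += 1
            d["net"] += int(m["delta"])
            d["last_count"] = int(m["count"])   # group counter after this change
            d["reasons"].add(m["reason"])
        elif m := SENDFAIL.search(line):
            # 64 is EHOSTDOWN in OpenBSD's errno(2)
            send_errors[m["ifc"]][int(m["errno"])] += 1
        elif m := TRANSITION.search(line):
            transitions[m["ifc"]].append(stamp(line))
    # Flapping: flap_count state transitions inside flap_window seconds (log order).
    window = timedelta(seconds=flap_window)
    flapping = sorted(
        ifc for ifc, times in transitions.items()
        if any(times[i + flap_count - 1] - times[i] <= window
               for i in range(len(times) - flap_count + 1)))
    return {
        "demoters": demoters,
        "send_errors": {ifc: dict(c) for ifc, c in send_errors.items()},
        "flapping": flapping,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for ifc, d in result["demoters"].items():
        print(f"{ifc}: {d['changes']} changes to group {d['group']} "
              f"(net {d['net']:+d}, counter now {d['last_count']}), "
              f"reasons: {sorted(d['reasons'])}")
    for ifc, errs in result["send_errors"].items():
        print(f"{ifc}: ip_output failures by errno: {errs}")
    print("flapping:", result["flapping"])
```

The interface listed under "demoters" is not necessarily the one that flaps: the counter is per group, so every carp interface in that group inherits the demotion.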



Re: what all touches the carp demote counter?

2016-10-14 Thread Paul B. Henson
Arg, I'm still having issues with the carp demote counter. I disabled
ospfd for now, but something is still changing it. After a reboot
without ospfd, the counter is changing between 0 and 1:

bash-4.3# ifconfig -g carp
carp: carp demote count 1

bash-4.3# ifconfig -g carp
carp: carp demote count 0

bash-4.3# ifconfig -g carp
carp: carp demote count 1

bash-4.3# ifconfig -g carp
carp: carp demote count 0

And the carp interface is flapping:

Oct 14 13:17:17 lisa /bsd: carp0: state transition: BACKUP -> MASTER
Oct 14 13:17:23 lisa /bsd: carp0: state transition: MASTER -> BACKUP
Oct 14 13:17:43 lisa /bsd: carp0: state transition: BACKUP -> MASTER
Oct 14 13:17:49 lisa /bsd: carp0: state transition: MASTER -> BACKUP
Oct 14 13:18:08 lisa /bsd: carp0: state transition: BACKUP -> MASTER

There's not too much running; smtpd, sshd, npppd, dhcpd. Any suggestions
as to what might be screwing with the carp demote value?

Thanks...


root 1  0.0  0.0   440   520 ??  Is 1:14PM0:01.01 /sbin/init
root 21696  0.0  0.0  1044  1296 ??  Isp1:14PM0:00.00 syslogd: [priv] (syslogd)
_syslogd 22103  0.0  0.0  1044  1388 ??  Sp 1:14PM0:00.07 /usr/sbin/syslogd
_pflogd   5335  0.0  0.0   684   400 ??  Sp 1:14PM0:00.02 pflogd: [running] -s 160 -i pfl
root 27252  0.0  0.0   620   600 ??  Is 1:14PM0:00.00 pflogd: [priv] (pflogd)
_ntp 16170  0.0  0.0   636  1472 ??  Isp1:14PM0:00.02 ntpd: dns engine (ntpd)
_ntp 15754  0.0  0.0   688  1540 ??  S

> I'm setting up a second router that's going to sit next to an existing
> one and become a redundant failover system. The current one is in
> production, and I've been converting some of the existing LAN subnets on it
> to use carp interfaces and making them primary and the new box
> secondary. I also set up a carp interface on the WAN side and made the
> new box primary for testing as that didn't exist before. That all
> worked fine when I set it up by hand, but when I rebooted the new box,
> the old box stayed primary for everything including the WAN interface,
> which I tracked down to the carp demote counter, which ended up at 2 on
> the new box after the reboot:
> 
> bash-4.3# ifconfig -g carp
> carp: carp demote count 2
> 
> After I manually decreased the demote counter by 2 back to 0 the WAN
> interface master switched back to the new box.
> 
> I'm not sure what's doing that at boot? I am running ospfd on the box,
> but I don't have any demote statements in my configuration. I'm also
> running npppd, but I don't see anything about that and carp demotion.
> What else might be setting carp demotion values?
> 
> Thanks...



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Raul Miller
On Fri, Oct 14, 2016 at 2:50 PM, thrph.i...@gmail.com wrote:
> " The only truly secure system is one that is powered off, cast in a block of 
> concrete and sealed in a lead-lined room with armed guards - and even then I 
> have my doubts. "

Powered off works surprisingly well for some other operating systems.

-- 
Raul



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread thrph.i...@gmail.com
On Fri, 14 Oct 2016 21:20:23 +0300
Mihai Popescu  wrote:

> > ...
> 
> Prepare now for posts on this thread showing that if he/she runs a
> proper OS, everybody can be a security expert.
> 
> Have fun!
> 

or this kind...

" The only truly secure system is one that is powered off, cast in a block of 
concrete and sealed in a lead-lined room with armed guards - and even then I 
have my doubts. "

-- 
thrph.i...@gmail.com 



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Mihai Popescu
> ...

Prepare now for posts on this thread showing that if he/she runs a
proper OS, everybody can be a security expert.

Have fun!



Re: axen(4) usb ethernet problems

2016-10-14 Thread Ilya Kaliman
I've tried both 6.0 and current with same results. Here is a dmesg:

Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Joel Sing
On Friday 14 October 2016 18:19:21 Bryan Linton wrote:
> On 2016-10-14 09:21:24, Peter Janos  wrote:
> > Hello,
> > 
> > [snip]
> > 
> > ps.: it would be nice to have a feature in the default installer to
> > install
> > with full disc encryption :) we still have to escape to shell during
> > install and ex.:
> > 
> > install60.iso
> > (S)hell
> > dmesg | grep MB # or: sysctl hw.disknames
> > dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> > dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> > fdisk -iy sd0
> > disklabel -E sd0
> > a a
> > enter
> > enter
> > RAID
> > w
> > q
> > bioctl -c C -l /dev/sd0a -r 2000 softraid0
> > # use a random high iteration number x > 10 000 000
> 
> I just want to point out (for the archives as well as others) that
> the softraid crypto discipline has recently been switched from
> PBKDF2 to bcrypt.
> 
> http://marc.info/?l=openbsd-cvs=147430724911779=2
> http://www.openbsd.org/faq/current.html#r20160919
> 
> Since bcrypt calculates its rounds based on the exponentiation of
> the number (i.e. the default of 16 rounds actually performs 2^16
> rounds or 65536 rounds), the default number of "rounds" was
> reduced from 8192 to only 16.  If you were to use 20 million
> "rounds" with the new bcrypt algorithm, I wouldn't be surprised if
> it took weeks, months, or even YEARS to actually mount your disk
> after inputting your password.
>
> For reference, I tried to simply calculate 2^20 millionth power
> using dc for my own amusement and gave up after it crunched numbers
> for over a minute with no answer returned.
> 
> A value of 24 (2^24 or 16,777,216) or 25 (2^25 or 33,554,432)
> would probably be closer to what you actually want.

The number of rounds specified for bcrypt_pbkdf(3) is linear, not logarithmic 
(unlike bcrypt(3)). That said, the processing required for each round is 
significantly higher than that of pkcs5_pbkdf2(3) (using `bioctl -r auto -v` 
will tell you how many rounds your machine will do in ~1s).
 
> > exit
> > Start install to the newly created bioctl/crypt raid device: sdX, where X
> > is ex.: 2...
> > 
> > with a random (but very high) number for iteration, afaik iteration only
> > counts when typing in the password, much higher iteration would slow down
> > brute-force attackers.
> 
> Indeed it would.  Quite significantly in fact.
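
The distinction drawn in this reply, as an added example that is not code from the thread or from OpenBSD: a logarithmic cost parameter versus a linear rounds count, plus a one-probe calibration in the spirit of `bioctl -r auto`. Python's `hashlib.pbkdf2_hmac` stands in for the KDF because bcrypt_pbkdf is not in the standard library; the function names, probe size, passphrase and salt are assumptions of this example.

```python
import hashlib
import time


def effective_iterations(value, scale):
    """Translate a user-supplied work parameter into the iterations actually run.

    scale="log2":   bcrypt(3)-style cost, the hash runs 2**value iterations.
    scale="linear": bcrypt_pbkdf(3) / pkcs5_pbkdf2(3)-style, it runs `value` rounds.
    """
    if value < 1:
        raise ValueError("work parameter must be positive")
    if scale == "log2":
        return 1 << value
    if scale == "linear":
        return value
    raise ValueError(f"unknown scale: {scale!r}")


def calibrate_rounds(kdf, target_seconds=1.0, probe_rounds=1024,
                     clock=time.perf_counter):
    """Return the linear rounds count that should take about target_seconds.

    kdf(rounds) must run the key derivation once with that many rounds.
    Because the cost is linear in rounds, one timed probe can be scaled directly.
    """
    start = clock()
    kdf(probe_rounds)
    elapsed = clock() - start
    if elapsed <= 0:
        raise ValueError("probe finished too quickly to time; raise probe_rounds")
    return max(1, int(probe_rounds * target_seconds / elapsed))


def unlock_seconds(rounds, seconds_per_round):
    """Time one passphrase attempt costs, for the owner and for an attacker alike."""
    return rounds * seconds_per_round


def pbkdf2_stand_in(rounds):
    # Stand-in KDF (assumption): PBKDF2-HMAC-SHA1 over constructed inputs.
    # Per-round cost differs from bcrypt_pbkdf; only the linear scaling carries over.
    hashlib.pbkdf2_hmac("sha1", b"constructed passphrase", b"constructed-salt", rounds)


if __name__ == "__main__":
    # The same number means very different work depending on the scale.
    for value in (16, 24):
        print(f"{value:>2} as log2 cost : {effective_iterations(value, 'log2'):>10,} iterations")
        print(f"{value:>2} as linear    : {effective_iterations(value, 'linear'):>10,} rounds")

    # Linearity check: doubling the rounds roughly doubles the time.
    for rounds in (50_000, 100_000, 200_000):
        t0 = time.perf_counter()
        pbkdf2_stand_in(rounds)
        print(f"{rounds:>7,} rounds: {time.perf_counter() - t0:.3f}s")

    # Pick the rounds value from a time budget rather than guessing a number.
    one_second = calibrate_rounds(pbkdf2_stand_in, target_seconds=1.0,
                                  probe_rounds=50_000)
    print(f"rounds for ~1s on this machine (stand-in KDF): {one_second:,}")
    print(f"cost of 20,000,000 rounds at that rate: "
          f"{unlock_seconds(20_000_000, 1.0 / one_second):,.0f}s per attempt")
```

Calibrating from a time budget avoids both failure modes discussed in the thread: a value read on the wrong scale that is far too small, and one so large the volume takes impractically long to unlock.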



Re: axen(4) usb ethernet problems

2016-10-14 Thread Remi Locherer
On Thu, Oct 13, 2016 at 05:40:18PM -0700, Ilya Kaliman wrote:
> Hi!
> 
> I have a "Plugable USB 3.0 ethernet adapter" with ASIX AX88179
> chipset. The device is successfully recognized by axen(4) driver but
> behaves strangely. When I plug in the ethernet cable the ifconfig
> axen0 status says active and the leds start blinking. But after a
> second or two both leds turn off and status says: no carrier.
> Re-plugging the cable has no effect. Re-plugging the adapter itself
> brings it up again for a second or two.
> 
> The device itself seems to be fine as it works in other OSes without
> problems. I suspect it has to do with OpenBSD driver.
> 
> I have axen(4) driver compiled with debug - it prints a lot of stuff,
> but nothing that seems to indicate an error. Can anyone give some
> pointers on how to diagnose the problem?
> 
> Thanks,
> Ilya

What version of OpenBSD are you running? Usually it's best to add the
output of dmesg to such a mail to give others an idea what you are
running.

There was a change to axen in March this year that made my adapter
work reliably. It ships with 6.0.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/dev/usb/if_axen.c

Remi



Re: An AR9280 as an Access Point

2016-10-14 Thread physkets
Thanks a lot guys! Then I think I will consider it.

Stefan Sperling, to use 802.11a, I will need to buy the dual-band antennae. But 
PC Engines advises against doing that. They prefer the regular antenna "for 
best gain in a specific frequency band".
ref: http://www.pcengines.ch/antsmadb.htm



Re: Fwd: Booting BSD on a Libreboot system - documentation needed

2016-10-14 Thread Leah Rowe

Hi Aaron,

On 06/10/16 05:05, Aaron Mason wrote:
> Holy frijole, just reading some of the responses from some
> people in GNU - I'm at the point where I'm not entirely convinced
> that GNU isn't a cult, with Stallman as the high almighty leader.

Can you link me to those posts? (E.g. mailing list archive posts)

-- 
Leah Rowe

Libreboot developer

Use free software. Free as in freedom.
https://en.wikipedia.org/wiki/Free_software

Use a free operating system, GNU/Linux.
https://libreboot.org/docs/distros/

Use a free BIOS.
https://libreboot.org/

Support computer user freedom.
https://peers.community/

Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
Web: http://minifree.org/




Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Otto Moerbeek
On Fri, Oct 14, 2016 at 09:21:24AM +0200, Peter Janos wrote:

> Hello,
> 
> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid is
> set, but if the feature is not used, nosuid can be used).
> 
> I only know about these "security hardenings", hopefully all are ok (if not,
> please say/argue!):
>  
> ==
> ln -s GJU /etc/malloc.conf

$ man man.conf | grep security

-Otto



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Stuart Henderson
On 2016-10-14, Peter Janos  wrote:
> Make as many files immutable with "chflags schg filenamehere" as you can.

This could be seen as an *in*security feature because now it's an utter
pain to update software that has bugs.



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Bryan Linton
On 2016-10-14 09:21:24, Peter Janos  wrote:
> Hello,
> 
> [snip]
>
> ps.: it would be nice to have a feature in the default installer to install
> with full disc encryption :) we still have to escape to shell during install
> and ex.:
> 
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 2000 softraid0
> # use a random high iteration number x > 10 000 000
>

I just want to point out (for the archives as well as others) that
the softraid crypto discipline has recently been switched from
PBKDF2 to bcrypt.

http://marc.info/?l=openbsd-cvs=147430724911779=2
http://www.openbsd.org/faq/current.html#r20160919

Since bcrypt calculates its rounds based on the exponentiation of
the number (i.e. the default of 16 rounds actually performs 2^16
rounds or 65536 rounds), the default number of "rounds" was
reduced from 8192 to only 16.  If you were to use 20 million
"rounds" with the new bcrypt algorithm, I wouldn't be surprised if
it took weeks, months, or even YEARS to actually mount your disk
after inputting your password.

For reference, I tried to simply calculate 2^20 millionth power
using dc for my own amusement and gave up after it crunched numbers
for over a minute with no answer returned.

A value of 24 (2^24 or 16,777,216) or 25 (2^25 or 33,554,432)
would probably be closer to what you actually want.

> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X is
> ex.: 2...
> 
> with a random (but very high) number for iteration, afaik iteration only
> counts when typing in the password, much higher iteration would slow down
> brute-force attackers.
> 

Indeed it would.  Quite significantly in fact.

-- 
Bryan



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Simon Mages
Hi,

I just want to say that those security measures you describe here don't
improve the security for every user or use case. Everybody should know exactly
what he is doing before enabling or changing them. I think if you use such
security measures you had better be able to help yourself if you have
problems. Not every knob is meant to be pressed by a user; the system can get
unstable.

I'm writing this because this is misc@ and I think the title of your mail could
confuse users without a deep understanding of the system. They could even end
up with a less secure system because of workarounds they use to get back some
convenience they lost due to some "security" measures they implemented which
they don't fully understand.

But it's interesting to see how people try to improve their security, so please
go on collecting ideas.

BR
Simon


2016-10-14 9:21 GMT+02:00, Peter Janos :
> Hello,
>
> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid is
> set, but if the feature is not used, nosuid can be used).
>
> I only know about these "security hardenings", hopefully all are ok (if
> not,
> please say/argue!):
>
> ==
> ln -s GJU /etc/malloc.conf
> ==
> Remove wxallowed from /etc/fstab
> ==
> echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
> ==
> Remove all SUID and SGID permissions and all FS must have "nosuid".
> ==
> Add noexec, nodev where you can in fstab, but can be bypassed..
> ==
> All filesystems that are only modified during software install and removal
> need to be read-only.
> They can be only rw if sw install/removal happens.
> ==
> Remove all files that is not needed for the machine to operate/do its
> purpose.
> ==
> echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
> ==
> Make as many files immutable with "chflags schg filenamehere" as you can.
> ==
> If using X (so desktop) only use dangerous softwares (webbrowser, any
> viewer
> software: pdf, video, audio, torrent client, etc.) with another (limited)
> user!
> ==
>
> The purpose of this mail to find more... what are the other security
> features
> that are disabled in the default install?
>
> -
> ps.: it would be nice to have a feature in the default installer to install
> with full disc encryption :) we still have to escape to shell during
> install
> and ex.:
>
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 2000 softraid0
> # use a random high iteration number x > 10 000 000
> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X
> is
> ex.: 2...
>
> with a random (but very high) number for iteration, afaik iteration only
> counts when typing in the password, much higher iteration would slow down
> brute-force attackers.
> -
>
> Many thanks.



Re: What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Theo de Raadt
You forgot one item:

Don't file bug reports to the project, because your system is too far
away from what the developers use & maintain; and we cannot diagnose
the failure conditions you have inadvertently created.

So, if you are willing to accept that limitation -- knock yourself
out.  Change anything you want.  But do NOT tell us what bothers you,
until you repeat the problem on a *stock install*.

We simply cannot accept the cost of becoming fixit buddies for
everyone's private mistake.  It's like fixing the printer at grandma's
house.  It's not our job.

> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid is
> set, but if the feature is not used, nosuid can be used).
> 
> I only know about these "security hardenings", hopefully all are ok (if not,
> please say/argue!):
>  
> ==
> ln -s GJU /etc/malloc.conf
> ==
> Remove wxallowed from /etc/fstab
> ==
> echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
> ==
> Remove all SUID and SGID permissions and all FS must have "nosuid".
> ==
> Add noexec, nodev where you can in fstab, but can be bypassed..
> ==
> All filesystems that are only modified during software install and removal
> need to be read-only.
> They can be only rw if sw install/removal happens.
> ==
> Remove all files that is not needed for the machine to operate/do its
> purpose.
> ==
> echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
> ==
> Make as many files immutable with "chflags schg filenamehere" as you can.
> ==
> If using X (so desktop) only use dangerous softwares (webbrowser, any viewer
> software: pdf, video, audio, torrent client, etc.) with another (limited)
> user!
> ==
> 
> The purpose of this mail to find more... what are the other security features
> that are disabled in the default install?
>  
> -
> ps.: it would be nice to have a feature in the default installer to install
> with full disc encryption :) we still have to escape to shell during install
> and ex.:
> 
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 2000 softraid0
> # use a random high iteration number x > 10 000 000
> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X is
> ex.: 2...
> 
> with a random (but very high) number for iteration, afaik iteration only
> counts when typing in the password, much higher iteration would slow down
> brute-force attackers.
> -
> 
> Many thanks.



Re: axen(4) usb ethernet problems

2016-10-14 Thread Mark Carroll
On 13 Oct 2016, Ilya Kaliman wrote:

> I have a "Plugable USB 3.0 ethernet adapter" with ASIX AX88179
> chipset. The device is successfully recognized by axen(4) driver but
> behaves strangely. When I plug in the ethernet cable the ifconfig
> axen0 status says active and the leds start blinking. But after a
> second or two both leds turn off and status says: no carrier.
> Re-plugging the cable has no effect. Re-plugging the adapter itself
> brings it up again for a second or two.
>
> The device itself seems to be fine as it works in other OSes without
> problems. I suspect it has to do with OpenBSD driver.

I'm afraid that I can't offer any useful help but I can at least confirm
the problem: I also have one of these devices (actually, maybe a couple)
and see exactly the same issue with OpenBSD, at least with 5.9, I didn't
try since with 6.0. At the time I chatted to a competent-seeming vendor
guy and apparently they've seen the same problem at their end with
OpenBSD and have no idea what the issue is. So, at least I can say:
you're correct, it's probably indeed not just that you have a bad
adapter. I don't know if any developers might like to have one of these
mailed to them.

-- Mark



What are the security features in OpenBSD 6.0 that are by default disabled?

2016-10-14 Thread Peter Janos
Hello,

I know some features that can give additional security aren't turned on
because of the bad quality of the code in ports, and some also decrease
performance (or disable a feature, ex.: screenlock doesn't work if nosuid is
set, but if the feature is not used, nosuid can be used).

I only know about these "security hardenings", hopefully all are ok (if not,
please say/argue!):
 
==
ln -s GJU /etc/malloc.conf
==
Remove wxallowed from /etc/fstab
==
echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
==
Remove all SUID and SGID permissions and all FS must have "nosuid".
==
Add noexec, nodev where you can in fstab, but can be bypassed..
==
All filesystems that are only modified during software install and removal
need to be read-only.
They can be only rw if sw install/removal happens.
==
Remove all files that are not needed for the machine to operate/do its
purpose.
==
echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
==
Make as many files immutable with "chflags schg filenamehere" as you can.
==
If using X (so desktop) only use dangerous software (web browser, any viewer
software: pdf, video, audio, torrent client, etc.) with another (limited)
user!
==

The purpose of this mail is to find more... what are the other security features
that are disabled in the default install?
 
-
ps.: it would be nice to have a feature in the default installer to install
with full disc encryption :) we still have to escape to shell during install
and ex.:

install60.iso
(S)hell
dmesg | grep MB # or: sysctl hw.disknames
dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
fdisk -iy sd0
disklabel -E sd0
a a
enter
enter
RAID
w
q
bioctl -c C -l /dev/sd0a -r 2000 softraid0
# use a random high iteration number x > 10 000 000
exit
Start install to the newly created bioctl/crypt raid device: sdX, where X is
ex.: 2...

with a random (but very high) number for iteration, afaik iteration only
counts when typing in the password, much higher iteration would slow down
brute-force attackers.
-

Many thanks.
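
A read-only audit of the mount-option items in the list above (wxallowed, nosuid, nodev, noexec, read-only filesystems), as an added example that is not part of the thread. The fstab text is constructed; the function names and the two path sets (where programs live, and which filesystems change only on software install) are assumptions to adjust per system.

```python
# Filesystems that hold programs, so noexec is not expected there (assumption).
EXEC_NEEDED = {"/", "/usr", "/usr/X11R6", "/usr/local"}
# Filesystems that change only on software install/removal (assumption).
RO_CANDIDATES = {"/usr", "/usr/X11R6", "/usr/local"}

# Constructed fstab, not taken from a real system.
SAMPLE_FSTAB = """\
# device   mountpoint  type options                 dump pass
/dev/sd0a  /           ffs  rw                         1 1
/dev/sd0b  none        swap sw
/dev/sd0d  /tmp        ffs  rw,nodev,nosuid            1 2
/dev/sd0f  /usr        ffs  rw,nodev                   1 2
/dev/sd0h  /usr/local  ffs  rw,wxallowed,nodev         1 2
/dev/sd0e  /var        ffs  rw,nodev,nosuid            1 2
/dev/sd0i  /data       ffs  ro,nodev,nosuid,noexec     1 2
"""


def parse_fstab(text):
    """Return one dict per fstab entry, skipping comments and short lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        spec, mountpoint, fstype, options = fields[:4]
        entries.append({"spec": spec, "mountpoint": mountpoint,
                        "fstype": fstype, "options": set(options.split(","))})
    return entries


def audit(entries, exec_needed=EXEC_NEEDED, ro_candidates=RO_CANDIDATES):
    """Map each ffs mount point to the checklist items it does not meet."""
    findings = {}
    for entry in entries:
        if entry["fstype"] != "ffs":        # swap and other types are out of scope
            continue
        mp, opts = entry["mountpoint"], entry["options"]
        notes = []
        if "wxallowed" in opts:
            notes.append("wxallowed set")
        if "nosuid" not in opts:
            notes.append("nosuid missing")
        # The root filesystem holds /dev, so nodev is not expected on it.
        if "nodev" not in opts and mp != "/":
            notes.append("nodev missing")
        if "noexec" not in opts and mp not in exec_needed:
            notes.append("noexec missing")
        if "ro" not in opts and mp in ro_candidates:
            notes.append("mounted read-write")
        if notes:
            findings[mp] = notes
    return findings


if __name__ == "__main__":
    for mountpoint, notes in audit(parse_fstab(SAMPLE_FSTAB)).items():
        print(f"{mountpoint:<12} {', '.join(notes)}")
```

The output is a list of deviations to review, not a list of changes to make: as the replies in this thread point out, each option can break software that depends on the default.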