Re: What are the security features in OpenBSD 6.0 that are by default disabled?
On 2016-10-15 02:03:54, Joel Sing wrote:
>
> The number of rounds specified for bcrypt_pbkdf(3) is linear, not logarithmic
> (unlike bcrypt(3)). That said, the processing required for each round is
> significantly higher than that of pkcs5_pbkdf2(3) (using `bioctl -r auto -v`
> will tell you how many rounds your machine will do in ~1s).
>

Ah, good to know. Thank you for the correction!

-- 
Bryan
Re: axen(4) usb ethernet problems
On 10/14/2016 03:35, Mark Carroll wrote:
> On 13 Oct 2016, Ilya Kaliman wrote:
>> I have a "Plugable USB 3.0 ethernet adapter" with ASIX AX88179
>> chipset. The device is successfully recognized by axen(4) driver but
>> behaves strangely. When I plug in the ethernet cable the ifconfig
>> axen0 status says active and the leds start blinking. But after a
>> second or two both leds turn off and status says: no carrier.
>> Re-plugging the cable has no effect. Re-plugging the adapter itself
>> brings it up again for a second or two.
>>
>> The device itself seems to be fine as it works in other OSes without
>> problems. I suspect it has to do with OpenBSD driver.
>
> I'm afraid that I can't offer any useful help but I can at least confirm
> the problem: I also have one of these devices (actually, maybe a couple)
> and see exactly the same issue with OpenBSD, at least with 5.9, I didn't
> try since with 6.0. At the time I chatted to a competent-seeming vendor
> guy and apparently they've seen the same problem at their end with
> OpenBSD and have no idea what the issue is. So, at least I can say:
> you're correct, it's probably indeed not just that you have a bad
> adapter. I don't know if any developers might like to have one of these
> mailed to them.
>
> -- Mark

I have this:

Oct 15 00:01:57 river /bsd: axe0 at uhub1
Oct 15 00:01:57 river /bsd: port 3 configuration 1 interface 0 "Belkin Components F5D5055" rev 2.00/0.01 addr 6
Oct 15 00:01:57 river /bsd: axe0: AX88178, address 00:22:75:d7:1c:6d
Oct 15 00:01:57 river /bsd: ukphy0 at axe0 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI 0x00a0bc, model 0x0001

which had similar symptoms under 5.8. It seems to be usable under 5.9. The FreeBSD driver definitely works. Porting it or adapting it without the data sheet looks difficult, and comments in the FreeBSD driver say that there are undocumented problems. Haven't looked at Linux drivers. They have worked for several years.

One clue from looking at the drivers is that the physical interface number in the OpenBSD driver was fixed at 0 and it appears that other drivers searched for the active one.

geoff steckel
Re: what all touches the carp demote counter?
On Fri, Oct 14, 2016 at 01:27:42PM -0700, Paul B. Henson wrote:
> Arg, I'm still having issues with the carp demote counter. I disabled
> ospfd for now, but something is still changing it. After a reboot
> without ospfd, the counter is changing between 0 and 1:

Ah, I tracked it down. I had configured another carp interface on the new system which didn't yet have a corresponding interface on the old system. I have the carp interfaces configured with explicit peer addresses rather than using multicast, and evidently the inability to send a packet to the peer was causing the other carp interface to twiddle the global carp demote counter, which popped up once I cranked up the carp log level:

Oct 14 15:21:48 lisa /bsd: carp: carp1 demoted group carp by -1 to 2 (< snderrors)
Oct 14 15:21:52 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:21:54 lisa /bsd: carp: carp1 demoted group carp by 1 to 3 (> snderrors)
Oct 14 15:21:55 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:22:14 lisa /bsd: carp: carp1 demoted group carp by -1 to 2 (< snderrors)
Oct 14 15:22:18 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:22:20 lisa /bsd: carp: carp1 demoted group carp by 1 to 3 (> snderrors)

It doesn't do this if I remove the carppeer and use the default multicast; that's an unexpected side effect of configuring a carppeer that might be worth documenting. A down carppeer on one interface can impact the functionality of all carp interfaces on the system.
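Added example (not part of the thread above): a small parser for the carp(4) kernel messages Paul quoted, so that changes to the global demote counter can be attributed to the interface that made them instead of being chased across daemons. The sample lines are the ones from the post plus one constructed non-carp line; the regexes assume the message formats shown there ("carp: IF demoted group G by N to V (reason)" and "IF: ip_output failed: ERRNO").

```python
import re
from collections import defaultdict

# Constructed sample: the carp(4) kernel messages quoted in the post above,
# plus one unrelated syslog line to show that non-carp entries are ignored.
SAMPLE_LOG = """\
Oct 14 15:21:48 lisa /bsd: carp: carp1 demoted group carp by -1 to 2 (< snderrors)
Oct 14 15:21:52 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:21:54 lisa /bsd: carp: carp1 demoted group carp by 1 to 3 (> snderrors)
Oct 14 15:21:55 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:22:14 lisa /bsd: carp: carp1 demoted group carp by -1 to 2 (< snderrors)
Oct 14 15:22:18 lisa /bsd: carp1: ip_output failed: 64
Oct 14 15:22:20 lisa /bsd: carp: carp1 demoted group carp by 1 to 3 (> snderrors)
Oct 14 15:22:21 lisa sshd[4711]: Accepted publickey for admin from 192.0.2.10 port 50022
"""

# syslog prefix shared by both kernel message shapes (assumed from the post)
_TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /bsd: "
DEMOTE_RE = re.compile(
    _TS + r"carp: (?P<ifname>\w+) demoted group (?P<group>\w+) "
    r"by (?P<delta>-?\d+) to (?P<value>\d+) \((?P<reason>[^)]*)\)$")
SNDERR_RE = re.compile(
    _TS + r"(?P<ifname>carp\d+): ip_output failed: (?P<errno>\d+)$")


def parse_carp_log(text):
    """Return (demote_events, send_errors) found in syslog text.

    Each demote event is a dict with ts, host, ifname, group, delta, value,
    reason; each send error has ts, host, ifname, errno.  Other lines are
    ignored.
    """
    demotes, errors = [], []
    for line in text.splitlines():
        m = DEMOTE_RE.match(line)
        if m:
            d = m.groupdict()
            d["delta"], d["value"] = int(d["delta"]), int(d["value"])
            demotes.append(d)
            continue
        m = SNDERR_RE.match(line)
        if m:
            d = m.groupdict()
            d["errno"] = int(d["errno"])
            errors.append(d)
    return demotes, errors


def summarize(demotes, errors):
    """Per-interface view: who is moving the group counter, and why."""
    per_if = defaultdict(lambda: {"demotions": 0, "restores": 0, "net": 0,
                                  "last_value": None, "reasons": set(),
                                  "send_errors": 0})
    for e in demotes:
        s = per_if[e["ifname"]]
        if e["delta"] > 0:
            s["demotions"] += 1
        elif e["delta"] < 0:
            s["restores"] += 1
        s["net"] += e["delta"]
        s["last_value"] = e["value"]          # counter after this event
        s["reasons"].add(e["reason"].strip())
    for e in errors:
        per_if[e["ifname"]]["send_errors"] += 1
    for s in per_if.values():
        # An interface that keeps demoting and restoring the group counter
        # flaps the master/backup election of every interface in that group.
        s["flapping"] = s["demotions"] >= 2 and s["restores"] >= 2
    return dict(per_if)


if __name__ == "__main__":
    summary = summarize(*parse_carp_log(SAMPLE_LOG))
    for ifname, s in sorted(summary.items()):
        print(f"{ifname}: +{s['demotions']}/-{s['restores']} (net {s['net']}), "
              f"counter now {s['last_value']}, {s['send_errors']} send errors, "
              f"reasons: {sorted(s['reasons'])}"
              + ("  <-- FLAPPING" if s["flapping"] else ""))
```

Run it against `/var/log/messages` (after raising the carp log level as Paul did) and the interface whose `send_errors` and `flapping` fields light up is the one whose carppeer is unreachable.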
Re: what all touches the carp demote counter?
Arg, I'm still having issues with the carp demote counter. I disabled ospfd for now, but something is still changing it. After a reboot without ospfd, the counter is changing between 0 and 1:

bash-4.3# ifconfig -g carp
carp: carp demote count 1
bash-4.3# ifconfig -g carp
carp: carp demote count 0
bash-4.3# ifconfig -g carp
carp: carp demote count 1
bash-4.3# ifconfig -g carp
carp: carp demote count 0

And the carp interface is flapping:

Oct 14 13:17:17 lisa /bsd: carp0: state transition: BACKUP -> MASTER
Oct 14 13:17:23 lisa /bsd: carp0: state transition: MASTER -> BACKUP
Oct 14 13:17:43 lisa /bsd: carp0: state transition: BACKUP -> MASTER
Oct 14 13:17:49 lisa /bsd: carp0: state transition: MASTER -> BACKUP
Oct 14 13:18:08 lisa /bsd: carp0: state transition: BACKUP -> MASTER

There's not too much running; smtpd, sshd, npppd, dhcpd. Any suggestions as to what might be screwing with the carp demote value?

Thanks...

root      1     0.0 0.0  440  520 ?? Is   1:14PM 0:01.01 /sbin/init
root      21696 0.0 0.0 1044 1296 ?? Isp  1:14PM 0:00.00 syslogd: [priv] (syslogd)
_syslogd  22103 0.0 0.0 1044 1388 ?? Sp   1:14PM 0:00.07 /usr/sbin/syslogd
_pflogd   5335  0.0 0.0  684  400 ?? Sp   1:14PM 0:00.02 pflogd: [running] -s 160 -i pfl
root      27252 0.0 0.0  620  600 ?? Is   1:14PM 0:00.00 pflogd: [priv] (pflogd)
_ntp      16170 0.0 0.0  636 1472 ?? Isp  1:14PM 0:00.02 ntpd: dns engine (ntpd)
_ntp      15754 0.0 0.0  688 1540 ?? S

> I'm setting up a second router that's going to sit next to an existing
> one and become a redundant failover system. The current one is in
> production, and I've been converting some of the existing LAN subnets on it
> to use carp interfaces and making them primary and the new box
> secondary. I also set up a carp interface on the WAN side and made the
> new box primary for testing as that didn't exist before. That all
> worked fine when I set it up by hand, but when I rebooted the new box,
> the old box stayed primary for everything including the WAN interface,
> which I tracked down to the carp demote counter, which ended up at 2 on
> the new box after the reboot:
>
> bash-4.3# ifconfig -g carp
> carp: carp demote count 2
>
> After I manually decreased the demote counter by 2 back to 0 the WAN
> interface master switched back to the new box.
>
> I'm not sure what's doing that at boot? I am running ospfd on the box,
> but I don't have any demote statements in my configuration. I'm also
> running npppd, but I don't see anything about that and carp demotion.
> What else might be setting carp demotion values?
>
> Thanks...
Re: What are the security features in OpenBSD 6.0 that are by default disabled?
On Fri, Oct 14, 2016 at 2:50 PM, thrph.i...@gmail.com wrote:
> " The only truly secure system is one that is powered off, cast in a block of
> concrete and sealed in a lead-lined room with armed guards - and even then I
> have my doubts. "

Powered off works surprisingly well for some other operating systems.

-- 
Raul
Re: What are the security features in OpenBSD 6.0 that are by default disabled?
On Fri, 14 Oct 2016 21:20:23 +0300 Mihai Popescu wrote:
>
> ...
>
> Prepare now for posts on this thread showing that if he/she runs a
> proper OS, everybody can be a security expert.
>
> Have fun!
>

or this kind...

" The only truly secure system is one that is powered off, cast in a block of
concrete and sealed in a lead-lined room with armed guards - and even then I
have my doubts. "

-- 
thrph.i...@gmail.com
Re: What are the security features in OpenBSD 6.0 that are by default disabled?
> ...

Prepare now for posts on this thread showing that if he/she runs a proper OS, everybody can be a security expert.

Have fun!
Re: axen(4) usb ethernet problems
I've tried both 6.0 and current with the same results. Here is a dmesg:

OpenBSD 6.0-current (GENERIC.MP) #10: Mon Oct 10 14:42:44 PDT 2016
    i...@puffy.my.domain:/usr/src/sys/arch/amd64/compile/GENERIC.MP
RTC BIOS diagnostic error 80
real mem = 8468033536 (8075MB)
avail mem = 8206884864 (7826MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe6a80 (27 entries)
bios0: vendor Insyde Corp. version "V2.12" date 05/20/2014
bios0: Acer Aspire S7-392
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP TCPA UEFI FPDT MSDM ASF! HPET APIC MCFG SSDT BOOT ASPT DBGP SSDT SSDT SSDT SSDT SSDT DMAR
acpi0: wakeup devices P0P1(S4) GLAN(S4) EHC1(S3) EHC2(S3) XHC_(S3) HDEF(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 1596.71 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 1596.31 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 1596.31 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz, 1596.31 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P1)
acpiprt2 at acpi0: bus -1 (RP01)
acpiprt3 at acpi0: bus -1 (RP02)
acpiprt4 at acpi0: bus 1 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpiprt6 at acpi0: bus -1 (RP05)
acpiprt7 at acpi0: bus -1 (RP06)
acpiprt8 at acpi0: bus -1 (RP07)
acpiprt9 at acpi0: bus -1 (RP08)
acpiprt10 at acpi0: bus -1 (PEG0)
acpiprt11 at acpi0: bus -1 (PEG1)
acpiprt12 at acpi0: bus -1 (PEG2)
acpiec0 at acpi0
acpicpu0 at acpi0: C3(200@506 mwait.1@0x60), C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3(200@506 mwait.1@0x60), C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C3(200@506 mwait.1@0x60), C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C3(200@506 mwait.1@0x60), C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpitz0 at acpi0: critical temperature is 99 degC
acpitz1 at acpi0: critical temperature is 98 degC
acpials0 at acpi0: ALSD
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT0 model "AP13F3N" serial 2358 type LION oem
acpibtn0 at acpi0: PWRB
"10250759" at acpi0 not configured
"SYN1B78" at acpi0 not configured
"PNP0C14" at acpi0 not configured
dwiic0 at acpi0: I2C1 addr 0xfe105000/0x1000 irq 7
iic0 at dwiic0
"BCM2E4E" at acpi0 not configured
acpibtn1 at acpi0: LID0
acpibtn2 at acpi0: SLPB
"PNP0C14" at acpi0 not configured
"INT340E" at acpi0 not configured
"INT33A0" at acpi0 not configured
tpm0 at acpi0: TPM_ addr 0xfed4/0x5000: Infineon SLB9635 1.2 rev 0x10
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 1596 MHz: speeds:
Re: What are the security features in OpenBSD 6.0 that are by default disabled?
On Friday 14 October 2016 18:19:21 Bryan Linton wrote:
> On 2016-10-14 09:21:24, Peter Janos wrote:
>> Hello,
>>
>> [snip]
>>
>> ps.: it would be nice to have a feature in the default installer to
>> install with full disk encryption :) we still have to escape to shell
>> during install and ex.:
>>
>> install60.iso
>> (S)hell
>> dmesg | grep MB # or: sysctl hw.disknames
>> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
>> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
>> fdisk -iy sd0
>> disklabel -E sd0
>> a a
>> enter
>> enter
>> RAID
>> w
>> q
>> bioctl -c C -l /dev/sd0a -r 2000 softraid0
>> # use a random high iteration number x > 10 000 000
>
> I just want to point out (for the archives as well as others) that
> the softraid crypto discipline has recently been switched from
> PBKDF2 to bcrypt.
>
> http://marc.info/?l=openbsd-cvs=147430724911779=2
> http://www.openbsd.org/faq/current.html#r20160919
>
> Since bcrypt calculates its rounds based on the exponentiation of
> the number (i.e. the default of 16 rounds actually performs 2^16
> rounds or 65536 rounds), the default number of "rounds" was
> reduced from 8192 to only 16. If you were to use 20 million
> "rounds" with the new bcrypt algorithm, I wouldn't be surprised if
> it took weeks, months, or even YEARS to actually mount your disk
> after inputting your password.
>
> For reference, I tried to simply calculate 2 to the 20 millionth power
> using dc for my own amusement and gave up after it crunched numbers
> for over a minute with no answer returned.
>
> A value of 24 (2^24 or 16,777,216) or 25 (2^25 or 33,554,432)
> would probably be closer to what you actually want.

The number of rounds specified for bcrypt_pbkdf(3) is linear, not logarithmic
(unlike bcrypt(3)). That said, the processing required for each round is
significantly higher than that of pkcs5_pbkdf2(3) (using `bioctl -r auto -v`
will tell you how many rounds your machine will do in ~1s).

>> exit
>> Start install to the newly created bioctl/crypt raid device: sdX, where X
>> is ex.: 2...
>>
>> with a random (but very high) number for iteration, afaik the iteration
>> count only matters when typing in the password; a much higher iteration
>> count would slow down brute-force attackers.
>
> Indeed it would. Quite significantly in fact.
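Added example (not from the thread): the two ways a "rounds" parameter can map to work, side by side with a calibration routine in the spirit of `bioctl -r auto -v`. bcrypt(3) takes a logarithmic cost (2^cost inner iterations), while pkcs5_pbkdf2(3) and bcrypt_pbkdf(3) take a linear round count, which is why Bryan's arithmetic would have applied to the former but not to the softraid KDF. The timing probe uses hashlib.pbkdf2_hmac purely as a stand-in workload (an assumption: Python's standard library has no bcrypt_pbkdf), so the absolute numbers it produces are not softraid's; the shape of the calculation is the point.

```python
import hashlib
import os
import time

# How a "rounds"/"cost" argument maps to the number of inner iterations run.
_WORK = {
    "bcrypt":       lambda r: 2 ** r,   # cost parameter: logarithmic
    "bcrypt_pbkdf": lambda r: r,        # rounds: linear (softraid crypto since 2016-09)
    "pkcs5_pbkdf2": lambda r: r,        # rounds: linear (softraid crypto before that)
}


def iterations(scheme, rounds):
    """Inner iterations implied by a rounds/cost value for the given scheme."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    return _WORK[scheme](rounds)


def unlock_seconds(scheme, rounds, seconds_per_iteration):
    """Estimated time for one key derivation, i.e. what the user waits at boot."""
    return iterations(scheme, rounds) * seconds_per_iteration


def scale_rounds(probe_rounds, probe_seconds, target_seconds):
    """Linear extrapolation, valid only for a KDF whose rounds are linear."""
    if probe_seconds <= 0:
        raise ValueError("probe did not take measurable time")
    return max(1, int(probe_rounds * target_seconds / probe_seconds))


def calibrate_rounds(target_seconds=1.0, probe_rounds=20_000):
    """Pick a linear round count that takes about target_seconds on this host.

    Same idea as `bioctl -r auto`: time a probe, scale, then measure the
    chosen count once.  Returns (rounds, measured_seconds).  Stand-in
    workload: PBKDF2-HMAC-SHA256 (assumption, see lead-in).
    """
    salt = os.urandom(16)
    passphrase = b"constructed-test-passphrase"

    def run(n):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", passphrase, salt, n, dklen=32)
        return time.perf_counter() - t0

    probe = run(probe_rounds)
    rounds = scale_rounds(probe_rounds, probe, target_seconds)
    return rounds, run(rounds)


if __name__ == "__main__":
    # Illustrative per-iteration cost (constructed, not measured): 1 us.
    us = 1e-6
    for scheme, r in (("pkcs5_pbkdf2", 2000), ("bcrypt", 16),
                      ("bcrypt_pbkdf", 16), ("bcrypt_pbkdf", 20_000_000)):
        print(f"{scheme:13s} rounds={r:<10d} iterations={iterations(scheme, r):<12d} "
              f"~{unlock_seconds(scheme, r, us):.3f}s at 1us/iteration")
    rounds, secs = calibrate_rounds(target_seconds=0.5)
    print(f"calibrated: {rounds} rounds took {secs:.3f}s here")
```

The calibration only makes sense for a linear parameter; for a logarithmic cost you would step the exponent until the measured time crosses the target, not scale it.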
Re: axen(4) usb ethernet problems
On Thu, Oct 13, 2016 at 05:40:18PM -0700, Ilya Kaliman wrote:
> Hi!
>
> I have a "Plugable USB 3.0 ethernet adapter" with ASIX AX88179
> chipset. The device is successfully recognized by axen(4) driver but
> behaves strangely. When I plug in the ethernet cable the ifconfig
> axen0 status says active and the leds start blinking. But after a
> second or two both leds turn off and status says: no carrier.
> Re-plugging the cable has no effect. Re-plugging the adapter itself
> brings it up again for a second or two.
>
> The device itself seems to be fine as it works in other OSes without
> problems. I suspect it has to do with OpenBSD driver.
>
> I have axen(4) driver compiled with debug - it prints a lot of stuff,
> but nothing that seems to indicate an error. Can anyone give some
> pointers on how to diagnose the problem?
>
> Thanks,
> Ilya

What version of OpenBSD are you running? Usually it's best to add the output of dmesg to such a mail to give others an idea what you are running.

There was a change to axen in March this year that made my adapter work reliably. It ships with 6.0.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/dev/usb/if_axen.c

Remi
Re: An AR9280 as an Access Point
Thanks a lot guys! Then I think I will consider it.

Stefan Sperling, to use 802.11a I will need to buy the dual-band antennae. But PC Engines advises against doing that. They prefer the regular antenna "for best gain in a specific frequency band", ref: http://www.pcengines.ch/antsmadb.htm
Re: Fwd: Booting BSD on a Libreboot system - documentation needed
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Aaron,

On 06/10/16 05:05, Aaron Mason wrote:
> Holy frijole, just reading some of the responses from the some
> people in GNU - I'm at the point where I'm not entirely convinced
> that GNU isn't a cult, with Stallman as the high almighty leader.

Can you link me to those posts? (E.g. mailing list archive posts)

- -- 
Leah Rowe
Libreboot developer

Use free software. Free as in freedom.
https://en.wikipedia.org/wiki/Free_software

Use a free operating system, GNU/Linux.
https://libreboot.org/docs/distros/

Use a free BIOS.
https://libreboot.org/

Support computer user freedom.
https://peers.community/

Minifree Ltd, trading as Ministry of Freedom | Registered in England, No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK | Web: http://minifree.org/
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJYAMJOAAoJEP9Ft0z50c+UZNoH/1Jkv4QfcIdzGdOTl55Zwk4w
lMUfZguBl7hro0HDmmf/OVFH7MChwZl20Hug8lDy12g+QGMe+kHO2eCrtdyRMJoc
BwTDksPvTOgkALZ6ysgJBeikGh10jzNv/5/xGrCWtqNaHTauYGVnGVn/wN9FHMSC
ko0WQLtsLtbNwK1lS6uAk6fFNUGB5wMShxbsxuiaHPJsO7n2azE8w2CJi3WTZgK9
GZ2EucoSAIou1PYE31JdwZfRDOOWqRLeOaQAXtqVnD63SntvCLJAf8in+422nOQR
v4zqV0SoHWuA/4zhiIyN5lp/nKKY4qzcYYHvuCuyZJyfVSFLL1VUxi8vi/ifD48=
=ViWC
-----END PGP SIGNATURE-----
Re: What are the security features in OpenBSD 6.0 that are by default disabled?
On Fri, Oct 14, 2016 at 09:21:24AM +0200, Peter Janos wrote:
> Hello,
>
> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid
> is set, but if the feature is not used, nosuid can be used).
>
> I only know about these "security hardenings", hopefully all are ok (if not,
> please say/argue!):
>
> ==
> ln -s GJU /etc/malloc.conf

$ man man.conf | grep security

	-Otto
Re: What are the security features in OpenBSD 6.0 that are by default disabled?
On 2016-10-14, Peter Janos wrote:
> Make as many files immutable with "chflags schg filenamehere" as you can.

This could be seen as an *in*security feature because now it's an utter pain to update software that has bugs.
Re: What are the security features in OpenBSD 6.0 that are by default disabled?
On 2016-10-14 09:21:24, Peter Janos wrote:
> Hello,
>
> [snip]
>
> ps.: it would be nice to have a feature in the default installer to install
> with full disk encryption :) we still have to escape to shell during install
> and ex.:
>
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 2000 softraid0
> # use a random high iteration number x > 10 000 000
>

I just want to point out (for the archives as well as others) that the softraid crypto discipline has recently been switched from PBKDF2 to bcrypt.

http://marc.info/?l=openbsd-cvs=147430724911779=2
http://www.openbsd.org/faq/current.html#r20160919

Since bcrypt calculates its rounds based on the exponentiation of the number (i.e. the default of 16 rounds actually performs 2^16 rounds or 65536 rounds), the default number of "rounds" was reduced from 8192 to only 16. If you were to use 20 million "rounds" with the new bcrypt algorithm, I wouldn't be surprised if it took weeks, months, or even YEARS to actually mount your disk after inputting your password.

For reference, I tried to simply calculate 2 to the 20 millionth power using dc for my own amusement and gave up after it crunched numbers for over a minute with no answer returned.

A value of 24 (2^24 or 16,777,216) or 25 (2^25 or 33,554,432) would probably be closer to what you actually want.

> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X is
> ex.: 2...
>
> with a random (but very high) number for iteration, afaik the iteration
> count only matters when typing in the password; a much higher iteration
> count would slow down brute-force attackers.
>

Indeed it would. Quite significantly in fact.

-- 
Bryan
Re: What are the security features in OpenBSD 6.0 that are by default disabled?
Hi,

I just want to say that those security measures you describe here don't improve the security for every user or use case. Everybody should know exactly what he is doing before enabling or changing them. I think if you use such security measures you should be able to help yourself if you have problems. Not every knob is meant to be pressed by a user; the system can get unstable.

I'm writing this because this is misc@ and I think the title of your mail could confuse users without a deep understanding of the system. They could even end up with a less secure system because of workarounds they use to get back some convenience they lost due to some "security" measures they implemented which they don't fully understand.

But it's interesting to see how people try to improve their security, so please go on collecting ideas.

BR
Simon

2016-10-14 9:21 GMT+02:00, Peter Janos:
> Hello,
>
> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid
> is set, but if the feature is not used, nosuid can be used).
>
> I only know about these "security hardenings", hopefully all are ok (if
> not, please say/argue!):
>
> ==
> ln -s GJU /etc/malloc.conf
> ==
> Remove wxallowed from /etc/fstab
> ==
> echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
> ==
> Remove all SUID and SGID permissions and all FS must have "nosuid".
> ==
> Add noexec, nodev where you can in fstab, but can be bypassed..
> ==
> All filesystems that are only modified during software install and removal
> need to be read-only.
> They can only be rw while sw install/removal happens.
> ==
> Remove all files that are not needed for the machine to operate/do its
> purpose.
> ==
> echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
> ==
> Make as many files immutable with "chflags schg filenamehere" as you can.
> ==
> If using X (so desktop) only use dangerous software (webbrowser, any
> viewer software: pdf, video, audio, torrent client, etc.) with another
> (limited) user!
> ==
>
> The purpose of this mail is to find more... what are the other security
> features that are disabled in the default install?
>
> -
> ps.: it would be nice to have a feature in the default installer to install
> with full disk encryption :) we still have to escape to shell during
> install and ex.:
>
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 2000 softraid0
> # use a random high iteration number x > 10 000 000
> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X
> is ex.: 2...
>
> with a random (but very high) number for iteration, afaik the iteration
> count only matters when typing in the password; a much higher iteration
> count would slow down brute-force attackers.
> -
>
> Many thanks.
Re: What are the security features in OpenBSD 6.0 that are by default disabled?
You forgot one item:

Don't file bug reports to the project, because your system is too far away from what the developers use & maintain; and we cannot diagnose the failure conditions you have inadvertently created.

So, if you are willing to accept that limitation -- knock yourself out. Change anything you want. But do NOT tell us what bothers you, until you repeat the problem on a *stock install*. We simply cannot accept the cost of becoming fixit buddies for everyone's private mistake. It's like fixing the printer at grandma's house. It's not our job.

> I know some features that can give additional security aren't turned on
> because of the bad quality of the code in ports, and some also decrease
> performance (or disable a feature, ex.: screenlock doesn't work if nosuid
> is set, but if the feature is not used, nosuid can be used).
>
> I only know about these "security hardenings", hopefully all are ok (if not,
> please say/argue!):
>
> ==
> ln -s GJU /etc/malloc.conf
> ==
> Remove wxallowed from /etc/fstab
> ==
> echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
> ==
> Remove all SUID and SGID permissions and all FS must have "nosuid".
> ==
> Add noexec, nodev where you can in fstab, but can be bypassed..
> ==
> All filesystems that are only modified during software install and removal
> need to be read-only.
> They can only be rw while sw install/removal happens.
> ==
> Remove all files that are not needed for the machine to operate/do its
> purpose.
> ==
> echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
> ==
> Make as many files immutable with "chflags schg filenamehere" as you can.
> ==
> If using X (so desktop) only use dangerous software (webbrowser, any viewer
> software: pdf, video, audio, torrent client, etc.) with another (limited)
> user!
> ==
>
> The purpose of this mail is to find more... what are the other security
> features that are disabled in the default install?
>
> -
> ps.: it would be nice to have a feature in the default installer to install
> with full disk encryption :) we still have to escape to shell during install
> and ex.:
>
> install60.iso
> (S)hell
> dmesg | grep MB # or: sysctl hw.disknames
> dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
> dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
> fdisk -iy sd0
> disklabel -E sd0
> a a
> enter
> enter
> RAID
> w
> q
> bioctl -c C -l /dev/sd0a -r 2000 softraid0
> # use a random high iteration number x > 10 000 000
> exit
> Start install to the newly created bioctl/crypt raid device: sdX, where X is
> ex.: 2...
>
> with a random (but very high) number for iteration, afaik the iteration
> count only matters when typing in the password; a much higher iteration
> count would slow down brute-force attackers.
> -
>
> Many thanks.
Re: axen(4) usb ethernet problems
On 13 Oct 2016, Ilya Kaliman wrote:
> I have a "Plugable USB 3.0 ethernet adapter" with ASIX AX88179
> chipset. The device is successfully recognized by axen(4) driver but
> behaves strangely. When I plug in the ethernet cable the ifconfig
> axen0 status says active and the leds start blinking. But after a
> second or two both leds turn off and status says: no carrier.
> Re-plugging the cable has no effect. Re-plugging the adapter itself
> brings it up again for a second or two.
>
> The device itself seems to be fine as it works in other OSes without
> problems. I suspect it has to do with OpenBSD driver.

I'm afraid that I can't offer any useful help but I can at least confirm the problem: I also have one of these devices (actually, maybe a couple) and see exactly the same issue with OpenBSD, at least with 5.9, I didn't try since with 6.0. At the time I chatted to a competent-seeming vendor guy and apparently they've seen the same problem at their end with OpenBSD and have no idea what the issue is. So, at least I can say: you're correct, it's probably indeed not just that you have a bad adapter. I don't know if any developers might like to have one of these mailed to them.

-- Mark
What are the security features in OpenBSD 6.0 that are by default disabled?
Hello,

I know some features that can give additional security aren't turned on because of the bad quality of the code in ports, and some also decrease performance (or disable a feature, ex.: screenlock doesn't work if nosuid is set, but if the feature is not used, nosuid can be used).

I only know about these "security hardenings", hopefully all are ok (if not, please say/argue!):

==
ln -s GJU /etc/malloc.conf
==
Remove wxallowed from /etc/fstab
==
echo 'kern.stackgap_random=16777216' >> /etc/sysctl.conf
==
Remove all SUID and SGID permissions and all FS must have "nosuid".
==
Add noexec, nodev where you can in fstab, but can be bypassed..
==
All filesystems that are only modified during software install and removal need to be read-only.
They can only be rw while sw install/removal happens.
==
Remove all files that are not needed for the machine to operate/do its purpose.
==
echo "sysctl kern.securelevel=2" > /etc/rc.securelevel
==
Make as many files immutable with "chflags schg filenamehere" as you can.
==
If using X (so desktop) only use dangerous software (webbrowser, any viewer software: pdf, video, audio, torrent client, etc.) with another (limited) user!
==

The purpose of this mail is to find more... what are the other security features that are disabled in the default install?

-
ps.: it would be nice to have a feature in the default installer to install with full disk encryption :) we still have to escape to shell during install and ex.:

install60.iso
(S)hell
dmesg | grep MB # or: sysctl hw.disknames
dd if=/dev/urandom of=/dev/rsd0c bs=1m # not needed, only for paranoids
dd if=/dev/zero of=/dev/rsd0c bs=1m count=1
fdisk -iy sd0
disklabel -E sd0
a a
enter
enter
RAID
w
q
bioctl -c C -l /dev/sd0a -r 2000 softraid0
# use a random high iteration number x > 10 000 000
exit
Start install to the newly created bioctl/crypt raid device: sdX, where X is ex.: 2...

with a random (but very high) number for iteration, afaik the iteration count only matters when typing in the password; a much higher iteration count would slow down brute-force attackers.
-

Many thanks.
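Added example (not from the thread): an audit of the fstab-related items in the list above (wxallowed, nosuid, nodev, noexec) that reports per mount point instead of changing anything, which keeps the system at a state you can describe in a bug report, as Theo's reply asks. The fstab is a constructed sample in the OpenBSD 6.0 style with made-up DUIDs; which options are acceptable on which filesystem is a local decision (nosuid on the filesystem holding su(1) or the screenlock breaks them, as Peter's own note says), so the script only lists what is absent.

```python
# Constructed sample in the style of an OpenBSD 6.0 /etc/fstab (DUIDs made up).
SAMPLE_FSTAB = """\
# device            mount        type  options                 dump pass
0123456789abcdef.b  none         swap  sw
0123456789abcdef.a  /            ffs   rw                      1 1
0123456789abcdef.d  /tmp         ffs   rw,nodev,nosuid         1 2
0123456789abcdef.e  /usr/local   ffs   rw,wxallowed,nodev      1 2
0123456789abcdef.f  /home        ffs   rw,nodev,nosuid         1 2
0123456789abcdef.g  /usr         ffs   rw,nodev                1 2
"""

# The mount options Peter's list asks for "where you can".
HARDENING_OPTS = ("nodev", "nosuid", "noexec")


def parse_fstab(text):
    """Parse fstab text into dicts: device, mount, type, options (set).

    Comments and blank lines are skipped; the dump/pass columns are
    optional, as fstab(5) allows.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed line: not our job to guess
        device, mount, fstype, opts = fields[:4]
        entries.append({"device": device, "mount": mount, "type": fstype,
                        "options": set(opts.split(","))})
    return entries


def audit_fstab(text, required=HARDENING_OPTS):
    """Per mount point: which hardening options are absent, and whether
    wxallowed (an exception to W^X enforcement) is set.  Swap is skipped."""
    findings = {}
    for e in parse_fstab(text):
        if e["type"] == "swap":
            continue
        findings[e["mount"]] = {
            "missing": [o for o in required if o not in e["options"]],
            "wxallowed": "wxallowed" in e["options"],
        }
    return findings


def render(findings):
    """Human-readable lines, one per mount point, worst first."""
    lines = []
    for mount, f in sorted(findings.items(),
                           key=lambda kv: (-len(kv[1]["missing"]), kv[0])):
        flags = ", ".join(f["missing"]) or "none"
        wx = "  [wxallowed]" if f["wxallowed"] else ""
        lines.append(f"{mount:12s} missing: {flags}{wx}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FSTAB
    print("\n".join(render(audit_fstab(text))))
```

Run with `python3 audit_fstab.py /etc/fstab` on a live box; with no argument it audits the constructed sample.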