IPv6 Neighbor Discovery Issue

2020-03-26 Thread Alexander Mischke
Hello,


I am currently facing the following problem:

I have a server with two interfaces:

- em1 (Outbound / facing the Internet)
- em0 (Internal use / LAN)
  (additionally: vlan1000 - parentdev is em0)

The server runs OpenBSD 6.6-stable with the latest
syspatches installed and rebooted to the patched kernel.


I assigned one address of the /56 my provider gave me
to em1. Let's say it looks like this (obfuscated):


Prefix = 2a02:::cc00::/56
Gateway (provider) = 2a02:::cc00::1


I assigned to em1:

2a02:::cc00::2/56


### /etc/hostname.em1 ###

inet6 2a02:::cc00::2 56
!route add -inet6 default 2a02:::cc00::1
-soii

---


This far, everything works (inbound and outbound IPv6 connectivity).



In the next step I took a /64 from that range and assigned an address to
the vlan1000 interface:


2a02:::ccff:dead::1


### /etc/hostname.em0 ###

up

---

### /etc/hostname.vlan1000 ###

inet 10.20.30.40 255.255.255.0 vnetid 1000 parent em0
inet6 2a02:::ccff:dead::1 64

---


This worked "somehow" (i.e. for a short period of time).
"Worked" means: this address was reachable from the outside world
and vice versa.

After it stopped working I did a reboot and then it worked again
(for a limited amount of time).


All I can see (from tcpdump) is that the provider gateway sends NDP
solicitations, asking for 2a02:::ccff:dead::1,
but no replies are appearing.

The same behaviour occurs independently of either

- pf disabled
or
- allowing anything IPv6 related (icmp-v6 etc.)


I already enabled net.inet6.icmp6.nd6_debug but nothing shows up in
dmesg.



Has anyone encountered this as well and/or has hints on
how to solve this?


Thank you very much for your time.


Best regards,

Alex
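Added example (not from Alex's post and not OpenBSD code): a small Python check that parses hostname.if(5)-style lines like the ones quoted above and reports any address that sits inside a prefix configured on a different interface, which is the layout described here (a /64 on vlan1000 carved out of the /56 on em1). The addresses are constructed from the 2001:db8::/32 documentation range in place of the obfuscated 2a02 ones, and answers_solicitation() models the RFC 4861 section 7.2.3 rule that a Neighbor Solicitation is answered only when the target is assigned to the interface it arrived on, assuming no proxy ND is configured.

```python
import ipaddress

# Constructed hostname.if(5) contents that mirror the post's layout. The
# documentation prefix 2001:db8::/32 stands in for the obfuscated 2a02 addresses.
HOSTNAME_FILES = {
    "em1": "inet6 2001:db8:0:cc00::2 56\n"
           "!route add -inet6 default 2001:db8:0:cc00::1\n"
           "-soii\n",
    "em0": "up\n",
    "vlan1000": "inet 10.20.30.40 255.255.255.0 vnetid 1000 parent em0\n"
                "inet6 2001:db8:0:ccff:dead::1 64\n",
}


def parse_hostname_if(text):
    """Return the address/prefix pairs configured by one hostname.if(5) file.

    Only 'inet ADDR NETMASK ...' and 'inet6 ADDR PREFIXLEN ...' lines carry
    addresses; '!' shell commands, 'up' and option words such as '-soii'
    configure no address and are skipped.
    """
    configured = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("inet", "inet6"):
            configured.append(ipaddress.ip_interface(f"{parts[1]}/{parts[2]}"))
    return configured


def find_onlink_overlaps(files):
    """Find addresses that fall inside an on-link prefix of a *different* interface.

    Returns (address, address_ifname, prefix, prefix_ifname) tuples. A router on
    the prefix's link treats such an address as on-link there and will send
    Neighbor Solicitations for it on that link, not on the interface that has it.
    """
    parsed = {name: parse_hostname_if(text) for name, text in files.items()}
    overlaps = []
    for name, ifaces in parsed.items():
        for iface in ifaces:
            for other, other_ifaces in parsed.items():
                if other == name:
                    continue
                for other_iface in other_ifaces:
                    # Membership is False across IPv4/IPv6, so mixed files are safe.
                    if iface.ip in other_iface.network:
                        overlaps.append((str(iface.ip), name,
                                         str(other_iface.network), other))
    return overlaps


def answers_solicitation(files, arriving_ifname, target):
    """Model of RFC 4861 section 7.2.3 without proxy ND: a Neighbor Solicitation
    is answered only if the target address is assigned to the receiving interface."""
    target_ip = ipaddress.ip_address(target)
    return any(iface.ip == target_ip
               for iface in parse_hostname_if(files.get(arriving_ifname, "")))


if __name__ == "__main__":
    for addr, on, prefix, prefix_on in find_onlink_overlaps(HOSTNAME_FILES):
        print(f"{addr} is configured on {on} but lies inside {prefix} of {prefix_on}")
        print(f"  NS for {addr} arriving on {prefix_on} answered:",
              answers_solicitation(HOSTNAME_FILES, prefix_on, addr))
```

With the post's layout the check reports that 2001:db8:0:ccff:dead::1 is configured on vlan1000 but lies inside the /56 on em1, so a router on em1's link solicits it there, and the model answers False for a solicitation arriving on em1. That reproduces the unanswered NS seen in the tcpdump described above; the check only points at the overlap, it does not pick a remedy.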



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread putridsoul66
I didn't know anything about the mystuff
directory. Anyway, I tried it.

mkdir /usr/ports/mystuff
mkdir /usr/ports/mystuff/x11
cp -r /usr/ports/x11/dmenu /usr/ports/mystuff/x11/dmenu
chown -R user:wsrc /usr/ports/mystuff 
cd /usr/ports/mystuff/x11/dmenu
make install

And it was successful, so you should check the
file permissions in and of the mystuff dir.

If the build was successful in /usr/ports/x11/dmenu, then
permissions could be skewed in mystuff ("local user":"wsrc").
If there is no conflict in that, I think you could have messed up
your /usr/ports/x11/dmenu dir before copying it;
did you edit it?



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread Moises Simon
On Thu, Mar 26, 2020 at 06:04:19PM +0530, putridsou...@gmail.com wrote:
> I don't understand the logic of this
> 
> mkdir /usr/ports/mystuff/x11
> cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
> cd /usr/ports/mystuff/x11/dmenu
> make package
> 
> to build a package, one usually just runs command
> 
> cd /usr/ports/x11/dmenu
> make install
> 
> try and see if this gives an error.
> 

Yes, that works, but I want to apply some private patches to the application.
That's why I copied the port to /usr/ports/mystuff, to make local changes.



Re: MITM ?

2020-03-26 Thread Chris Bennett
On Wed, Mar 25, 2020 at 11:06:57PM +, Cord wrote:
> 
> > Read a LOT of man pages and misc@ tech@ ports@ bugs@
> >
> > Maybe even tell us which version of VAX your laptop runs on?
> 
> VAX ???
> 
> > Is it OpenBSD version 4.9?
> >
> 
> 4.9 ???
> 
> I'm sorry, I'm in the future.

But, my joking aside, you haven't provided much info for giving advice.

They have now found out that a huge number of commercial VPN companies
are both running tracker software and selling your data.
Worse, many are running session recording which could be making your
passwords stealable.

In the USA, ISPs like Comcast have opened up all customers' rented
routers to the full public without the need for a password.
If that is your case, your private network isn't private.

If your laptop is Intel based, turn off HT/SMT.
Run syspatch and pkg_add -u.
Look at all of your logs in detail.

Use NoScript and Ghostery plugins for Firefox.
Assume that someone might be physically accessing your laptop.
The laws in the USA since 9/11 allow this to be done without you being
told.

Good luck, hopefully you are not having this problem, but paranoia is a
good thing in today's world.

Chris Bennett




Re: Managing multiple OpenBSD systems with a single base install

2020-03-26 Thread Frank Beuth

On Wed, Mar 25, 2020 at 09:28:52PM -0400, Demi M. Obenour wrote:

I am working on an OpenBSD-based QubesOS TemplateVM, and have run
into a few problems.


I don't have answers to your questions, but that sounds like an 
amazingly good and useful project and I wish you all the best in making 
it happen!




Re: Porting from linux

2020-03-26 Thread Tom Smyth
Howdy Putrid... :)
Kurt M and Mark Espie have given some talks available from U Tube

https://www.youtube.com/watch?v=eyK_LloYZu4

https://www.youtube.com/watch?v=aw2Gezj-Nkw

Peace out ...


On Thu, 26 Mar 2020 at 12:53,  wrote:
>
> I want to get into porting, I have experience
> installing from source particularly on linux.
>
> Is there a difference in how package works on
> linux and openbsd? Is there a guide anyone
> can point me to porting linux packages to
> openbsd?
>
> Are there different syscalls?
> Directory systems are almost the same, in
> concern to packages.
> Is there a need to edit the source?
>


-- 
Kindest regards,
Tom Smyth.



Re: Porting from linux

2020-03-26 Thread Antal Ispanovity
https://www.openbsd.org/faq/ports/index.html

2020-03-26 13:49 GMT+01:00, putridsou...@gmail.com :
> I want to get into porting, I have experience
> installing from source particularly on linux.
>
> Is there a difference in how package works on
> linux and openbsd? Is there a guide anyone
> can point me to porting linux packages to
> openbsd?
>
> Are there different syscalls?
> Directory systems are almost the same, in
> concern to packages.
> Is there a need to edit the source?
>
>



Porting from linux

2020-03-26 Thread putridsoul66
I want to get into porting, I have experience
installing from source particularly on linux.

Is there a difference in how package works on
linux and openbsd? Is there a guide anyone 
can point me to porting linux packages to 
openbsd?

Are there different syscalls? 
Directory systems are almost the same, in 
concern to packages.
Is there a need to edit the source?



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread putridsoul66
I don't understand the logic of this

mkdir /usr/ports/mystuff/x11
cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
cd /usr/ports/mystuff/x11/dmenu
make package

to build a package, one usually just runs command

cd /usr/ports/x11/dmenu
make install

try and see if this gives an error.



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread putridsoul66
You only need to change permissions on the
/usr/obj

Run these as root
install -dm0775 -o _pbuild -g _pbuild /usr/obj 
install -dm0775 -o _pbuild -g _pbuild /usr/obj/ports 

Also the variables DISTDIR and PACKAGE_REPOSITORY 
are redundant, since those are the default values
anyway.

In /etc/doas.conf, replace the three commands with
their complete paths. This will save a headache,
believe me.

Setting WRKOBJDIR is not really useful; the default
location (/usr/ports/pobj) works fine, unless it's an
aesthetic issue, since it deals mostly with temporary
data.

The only real use, according to me, is to set /usr/ports
as read-only by pushing all work directories out of it.



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread Moises Simon
On Thu, Mar 26, 2020 at 07:50:27AM -, Stuart Henderson wrote:
> Does _pbuild have write access to /usr/obj? If not, either grant it,
> or create /usr/obj/ports yourself and grant _pbuild write access to
> that.


these were the permissions:

drwxrwxr-x  4 build  wobj  512 Mar 25 11:03 /usr/obj

d2d35fe9f62eb1e1.i /usr/obj ffs rw,softdep,noatime,nodev,nosuid 1 2

Because that is for building base, I have changed

WRKOBJDIR=/usr/ports/obj

drwxr-xr-x  3 _pbuild  _pbuild  512 Mar 26 10:12 /usr/ports/obj/

Now it's working.

Thanks!

Now I'm getting this:

sirius$ make package
===>  Checking files for dmenu-4.9
>> Fetch https://dl.suckless.org/tools/dmenu-4.9.tar.gz
dmenu-4.9.tar.gz 100% |*| 15972   00:00
>> (SHA256) dmenu-4.9.tar.gz: OK
===>  Verifying specs:  X11 Xft Xinerama c fontconfig
===>  found X11.17.0 Xft.12.0 Xinerama.6.0 c.96.0 fontconfig.13.0
===>  Extracting for dmenu-4.9
make: don't know how to make do-extract
Stop in .
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2641
'/usr/ports/obj/dmenu-4.9/.extract_done': @cd /usr/ports/mystuff/x11/dmenu &...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2089
'/usr/ports/packages/amd64/all/dmenu-4.9.tgz': @cd /usr/ports/mystuff/x11/dm...)
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2578
'_internal-package': @case X${_DEPENDS_CACHE} in  X) _DEPENDS_CACHE=$(doas -...)
*** Error 2 in /usr/ports/mystuff/x11/dmenu
(/usr/ports/infrastructure/mk/bsd.port.mk:2557 'package': @lock=dmenu-4.9;
export _LOCKS_HELD="...)

in ports under /usr/ports/mystuff
I just:

mkdir /usr/ports/mystuff/x11
cp -R /usr/ports/x11/dmenu /usr/ports/mystuff/x11/
cd /usr/ports/mystuff/x11/dmenu
make package

But it doesn't seem related to PORTS_PRIVSEP; I have built wmutils
doing the same without problems.

> Allowing pkg_add with nopass opens a way for your account to get root
> without a password.
> 
> Since doas "persist" doesn't allow password persistence with how ports
> uses it, I use sudo not doas on ports dev machines. (I use doas on
> ports build machines, but dpb manages running pkg_add in that case,
> and is started as root so it only needs to drop privs rather than
> raise them).
> 

So dpb for building just 3 or 4 ports is overkill, right?



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread Ottavio Caruso
On Wed, 25 Mar 2020 at 11:19, Moises Simon  wrote:
>
> Hi misc,
>
> I'm trying to set the ports system to use PORT_PRIVSEP
> according to bsd.port.mk(5) and
> https://www.openbsd.org/faq/ports/ports.html#PortsConfig
>
> but I'm getting the following error:
>
> sirius$ make fetch
> mkdir /usr/obj/ports: Permission denied at
> /usr/ports/infrastructure/bin/portlock line 53.  *** Error 255 in
> /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
> 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...
>
> even after doing make fix-permissions. I'm not seeing something.
>
> cat /etc/mk.conf
> SUDO=doas
> CLEANDEPENDS=Yes
> PORTS_PRIVSEP=Yes
> WRKOBJDIR=/usr/obj/ports
> DISTDIR=/usr/ports/distfiles
> PACKAGE_REPOSITORY=/usr/ports/packages
>
> cat /etc/doas.conf
> permit nopass msv cmd touch
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
> permit nopass setenv { TERM } msv cmd pkg_delete
>
> permit keepenv nopass msv as _pbuild
> permit keepenv nopass msv as _pfetch
>
> permit msv as root
>

Hi, have you given a look at this tutorial:
https://dataswamp.org/~solene/2020-01-11-privsep.html

-- 
Ottavio Caruso



Re: problems setting up PORTS_PRIVSEP

2020-03-26 Thread Stuart Henderson
On 2020-03-25, Moises Simon  wrote:
> Hi misc,
>
> I'm trying to set the ports system to use PORT_PRIVSEP
> according to bsd.port.mk(5) and
> https://www.openbsd.org/faq/ports/ports.html#PortsConfig
>
> but I'm getting the following error:
>
> sirius$ make fetch
> mkdir /usr/obj/ports: Permission denied at
> /usr/ports/infrastructure/bin/portlock line 53.  *** Error 255 in
> /usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
> 'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...

Does _pbuild have write access to /usr/obj? If not, either grant it,
or create /usr/obj/ports yourself and grant _pbuild write access to
that.

> even after doing make fix-permissions. I'm not seeing something.
>
> cat /etc/mk.conf
> SUDO=doas
> CLEANDEPENDS=Yes
> PORTS_PRIVSEP=Yes
> WRKOBJDIR=/usr/obj/ports
> DISTDIR=/usr/ports/distfiles
> PACKAGE_REPOSITORY=/usr/ports/packages
>
> cat /etc/doas.conf
> permit nopass msv cmd touch
> permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add

Allowing pkg_add with nopass opens a way for your account to get root
without a password.

Since doas "persist" doesn't allow password persistence with how ports
uses it, I use sudo not doas on ports dev machines. (I use doas on
ports build machines, but dpb manages running pkg_add in that case,
and is started as root so it only needs to drop privs rather than
raise them).
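Added example (not from Stuart's reply, and not part of doas or the ports infrastructure): a Python audit that parses the doas.conf quoted in this thread and flags the two points raised in it, a password-less rule that runs pkg_add (or any command) as root, and command names given without an absolute path. The parser covers only the subset of the doas.conf(5) grammar these rules use (permit|deny, the nopass/nolog/persist/keepenv options, setenv { ... }, as, cmd, args). The hardened sample is constructed for contrast and assumes the usual OpenBSD paths /usr/bin/touch, /usr/sbin/pkg_add and /usr/sbin/pkg_delete.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Set

# The doas.conf quoted in the thread (identity 'msv'), embedded as sample input.
THREAD_DOAS_CONF = """\
permit nopass msv cmd touch
permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
permit nopass setenv { TERM } msv cmd pkg_delete

permit keepenv nopass msv as _pbuild
permit keepenv nopass msv as _pfetch

permit msv as root
"""

# Constructed variant following the two suggestions made in the thread:
# absolute command paths, and no 'nopass' on the rule that runs pkg_add as root.
HARDENED_DOAS_CONF = """\
permit nopass msv cmd /usr/bin/touch
permit setenv { TRUSTED_PKG_PATH TERM } msv cmd /usr/sbin/pkg_add
permit nopass setenv { TERM } msv cmd /usr/sbin/pkg_delete
permit keepenv nopass msv as _pbuild
permit keepenv nopass msv as _pfetch
permit msv as root
"""

OPTION_WORDS = {"nopass", "nolog", "persist", "keepenv"}


@dataclass
class Rule:
    action: str
    options: Set[str]
    setenv: List[str]
    identity: str
    target: str            # doas.conf(5): the target defaults to root
    cmd: Optional[str]     # None means any command
    args: Optional[List[str]]
    lineno: int


def parse_doas_conf(text):
    """Parse the subset of doas.conf(5) used in the thread:
    permit|deny [options] identity [as target] [cmd command [args ...]]."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        action, i = tokens[0], 1
        options, setenv = set(), []
        while i < len(tokens):
            if tokens[i] in OPTION_WORDS:
                options.add(tokens[i])
                i += 1
            elif tokens[i] == "setenv" and tokens[i + 1] == "{":
                i += 2
                while tokens[i] != "}":
                    setenv.append(tokens[i])
                    i += 1
                i += 1
            else:
                break
        identity, i = tokens[i], i + 1
        target, cmd, args = "root", None, None
        if i < len(tokens) and tokens[i] == "as":
            target, i = tokens[i + 1], i + 2
        if i < len(tokens) and tokens[i] == "cmd":
            cmd, i = tokens[i + 1], i + 2
            if i < len(tokens) and tokens[i] == "args":
                args = tokens[i + 1:]
        rules.append(Rule(action, options, setenv, identity, target, cmd, args, lineno))
    return rules


def audit(text):
    """Return (lineno, finding) pairs for the risks raised in the thread."""
    findings = []
    for r in parse_doas_conf(text):
        if r.action != "permit":
            continue
        if "nopass" in r.options and r.target == "root":
            if r.cmd is None:
                findings.append((r.lineno, "nopass: any command as root without a password"))
            elif os.path.basename(r.cmd) == "pkg_add":
                # pkg_add installs arbitrary packages as root, so a password-less
                # pkg_add rule is effectively password-less root (Stuart's point).
                findings.append((r.lineno, "nopass: pkg_add as root without a password"))
        if r.cmd is not None and not r.cmd.startswith("/"):
            findings.append((r.lineno, f"cmd {r.cmd!r} is not an absolute path"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(THREAD_DOAS_CONF):
        print(f"doas.conf line {lineno}: {finding}")
```

Dropping nopass from the pkg_add rule means a password prompt on every pkg_add the ports framework runs, which is exactly the friction Stuart describes (doas persist does not help with how ports invokes it) and why he uses sudo on ports dev machines; the audit only makes the trade-off visible.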




Re: Trusted Boot with OpenBSD

2020-03-26 Thread Julius Zint


>> I can't tell from the instructions how the FDE encryption key is stored -- 
>> do we manually seal it to the TPM and then manually unseal and copy/paste it 
>> every time we boot? Or is it assumed the user will write a script to handle 
>> this -- a script which itself will have to be measured by the TPM?
> 
> This is not possible with the current version. The master's thesis was
> about answering this question: did unencrypted software change since
> the last time the user operated this system?
> 
> What exactly is your use case? Do you want a system with FDE that does
> not prompt you for the encryption key or do you want to improve the
> security by storing a part of the key material inside the TPM while the
> other half is provided by a user password?
> 
> There are a lot of possibilities with an available TPM on boot, so if
> you have a specific use case we can tailor that right in.
> 
> Before we do that I think it is important to make this feature a lot
> easier to install. Following this manual, patching and compiling source
> code and updating the MBR and biosboot is not something the user should
> have to worry about.
> 
> The problem is, in order to make space for this feature in the MBR as
> well as in biosboot I had to remove the code responsible for loading a
> block from disk via CHS. This is obviously not acceptable if this should
> be integrated back into OpenBSD.
> 
> One possible solution would be to let the MBR and biosboot grow bigger
> than 512 bytes and let installboot(8) figure out what the user needs and
> remove code paths that are not used to get the binary back to 512 bytes.
> 
> Everything else I thought of involves recompiling.
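Added example (a model written for this page, not code from the thesis or from OpenBSD's MBR/biosboot): the question the thesis answers, "did unencrypted software change since the last boot", is what a measured boot reduces to comparing PCR values. The block below implements the standard TPM extend operation, PCR_new = H(PCR_old || H(stage)), measures a constructed chain of boot stages in order, and shows both the PCR comparison and an event-log replay that names the stage that changed. The stage names follow the MBR/biosboot chain the reply describes; the byte strings are sample stand-ins, not real boot images.

```python
import hashlib

# Constructed stand-ins for the unencrypted boot-stage images a measured boot
# hashes before handing control to the next stage. The real images are the
# MBR, biosboot and the second-stage boot loader; these bytes are samples only.
REFERENCE_STAGES = {
    "mbr": b"sample MBR code (512 bytes in reality)",
    "biosboot": b"sample biosboot stage",
    "boot": b"sample second-stage boot loader",
}


def extend_pcr(pcr, image):
    """TPM PCR extend for a SHA-256 bank: PCR_new = H(PCR_old || H(image)).
    The chaining makes the final value depend on every stage and on their order."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_chain(stages):
    """Measure each stage in boot order into one PCR that starts at all-zero bytes.
    Returns the final 32-byte PCR value and an event log of (stage, sha256 hex)."""
    pcr = bytes(32)
    log = []
    for name, image in stages.items():
        log.append((name, hashlib.sha256(image).hexdigest()))
        pcr = extend_pcr(pcr, image)
    return pcr, log


def software_changed(reference_pcr, stages):
    """The check the thesis asks: does the chain measured now differ from the
    value recorded the last time the user operated the system?"""
    pcr, _ = measure_chain(stages)
    return pcr != reference_pcr


def first_changed_stage(reference_log, current_log):
    """Replay the event logs to locate the first stage whose digest differs.
    The PCR alone says that something changed; the log says what."""
    for (ref_name, ref_digest), (cur_name, cur_digest) in zip(reference_log, current_log):
        if ref_name != cur_name or ref_digest != cur_digest:
            return cur_name
    if len(current_log) != len(reference_log):
        return "chain length differs"
    return None


if __name__ == "__main__":
    reference_pcr, reference_log = measure_chain(REFERENCE_STAGES)
    tampered = dict(REFERENCE_STAGES)
    tampered["biosboot"] = b"biosboot stage with a modification"   # constructed change
    changed = software_changed(reference_pcr, tampered)
    print("software changed:", changed)
    if changed:
        print("first changed stage:", first_changed_stage(reference_log, measure_chain(tampered)[1]))
```

The reference PCR is what the thesis's design would need to carry over from the previous boot (sealed by or compared against the TPM); with it, any edit to an unencrypted stage, or a reordering of the chain, yields a different value, while an unchanged chain reproduces it exactly.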