Just to double-check, is softraid sandwiching possible (FAQ says not)

2021-02-13 Thread Joseph Mayer
https://www.openbsd.org/faq/faq14.html#softraidFDE says:

"Note that "stacking" softraid modes (mirrored drives and encryption, for
example) is not supported at this time."

I had the impression that it's possible. Please feel free to
double-confirm this one.

Here https://marc.info/?l=openbsd-misc&m=144899721527642&w=2 is a
previous mention on the mailing list of "sandwiching" softraid
from 2015; there was no correction of the question then.

Joseph



Re: Just to double-check, is softraid sandwiching possible (FAQ says not)

2021-02-13 Thread Stuart Henderson
On 2021-02-13, Joseph Mayer  wrote:
> https://www.openbsd.org/faq/faq14.html#softraidFDE says:
>
> "Note that "stacking" softraid modes (mirrored drives and encryption, for
> example) is not supported at this time."
>
> I had the impression that it's possible. Please feel free to
> double-confirm this one.

it may be "possible" but, if you like your data, it's probably better
to go for something which is "supported".

> Here https://marc.info/?l=openbsd-misc&m=144899721527642&w=2 is a
> previous mention on the mailing list of "sandwiching" softraid
> from 2015; there was no correction of the question then.

if you don't need to boot from it, see the recently added RAID1C
discipline in -current (combined RAID1+crypto).




Re: Secure by default

2021-02-13 Thread Peter Nicolai Mathias Hansteen
Hi,

> On 13 Feb 2021 at 20:14, sivasubramanian muthusamy
> <6.inter...@gmail.com> wrote:
> 
> Hello,
> 
> I am an ordinary computer user, installed 6.8 without connecting to
> the Internet yet, (a friend and a technical expert recently advised me
> in a different context: do not expose your machine to the Internet;
> I don't know what that means)
> 
> OpenBSD intro says OpenBSD is secure by default. How is it secure by
> default for an average user who does not get to ssh, does not use his
> computer as a web-server or as a VM host, who does not have to share
> screen etc? What ports are open by default and what applications start
> by default?
> 
> Before connecting the computer to the Internet, what other steps
> should a very ordinary user take? Block a few more ports? Which ones?

To me this sounds like your friend does not know anything specific about 
OpenBSD, and in that scenario the advice is sound — «don’t put anything on the 
network that you don’t know how to operate».

However, if you did run through the install, you will have noticed that it
asked whether you wanted to run sshd. If you said no to that question, as far
as I know there are no daemons listening on a default OpenBSD install. This is
easy to verify by running a simple port scan from another host on your local
network.

By the way, you posted this to the wrong list. tech@ is for patches and patch 
related discussions only. I’m redirecting to misc@, which is a more appropriate 
forum.

You might find useful information in one of my recent presentations, see
https://undeadly.org/cgi?action=article;sid=20201109055713 and links therein.

All the best,
Peter N. M. Hansteen


—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: Trouble with remote syslog over TLS

2021-02-13 Thread Stuart Henderson
On 2021-01-21, Seth Hanford  wrote:
> I'm trying unsuccessfully to create a central syslogd logging server between 
> two OpenBSD 6.8 hosts, but I can't see what I'm missing.
>
> My syslog server (logs.lan.ckure.com) has a certificate from my internal CA, 
> and that certificate's Root & Intermediate certs are pushed out internally to 
> the /etc/ssl/cert.pem file on each OpenBSD host on my network. I have created 
> a symlink to that cert to reference the IP / port per the documentation:

/etc/ssl/cert.pem should only have roots, not intermediates.

/etc/ssl/192.168.32.20:514.crt should have the server certificate
followed by the intermediate.

With that config it's working for me (6.8 + syspatches on the server,
-current from a month ago on the client).

> logs$ ls -all |grep logs.lan.ckure.com
> lrwxr-xr-x   1 root  wheel  31 Jan 17 19:25 192.168.32.20:514.crt -> 
> /etc/ssl/logs.lan.ckure.com.crt
> -rw-rw   1 root  wheel  5605 Jan 16 12:42 logs.lan.ckure.com.crt
>
> I am running syslogd on the log server with the following flags:
> logs$ doas rcctl get syslogd flags
> -ZS 192.168.32.20:514

BTW there are some tweaks you might like to make. Neither of these
should affect whether it works, but might be useful.

The standard port for syslog-over-TLS is 6514. syslogd uses this by
default if you leave out the port number (both in -S and with tls4://)
and in that case would look in 192.168.32.20.crt for the cert.

If you don't need this root for other purposes it may be better
to point syslogd at a separate CA file using -C, then sysmerge will
handle the main cert.pem file itself without you needing to merge it.

> When I connect from ns1.lan.ckure.com via openssl, the cert verifies and 
> anything I write to that connection I see becoming log entries written to 
> /var/log/hosts/ns1.lan.ckure.com like so:

openssl s_client is a poor test tool, about the only thing it
does usefully is display the certificate chain in an easy to read
way, otherwise it doesn't verify by default and even when you set
the right options you have to read the output carefully.
The version in libressl doesn't afaik have a way to verify
that the hostname is correct automatically (openssl 1.1 does,
but it's disabled by default).

Try "nc -vvc ns1.lan.ckure.com 514" instead.
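The file layout described above (roots only in /etc/ssl/cert.pem, the server certificate followed by its intermediate in the per-listener .crt file) can be checked before restarting syslogd. The script below is an added example, not code from this thread or from OpenBSD: it assumes both files are readable PEM bundles, pulls only the issuer and subject out of each certificate with a minimal DER walk (it is not a verifier and checks no signatures), and builds its own constructed fixture certificates (fake_cert_pem) so it runs without real keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(text):  # DER bytes of each certificate in a PEM bundle, in file order
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as raw DER Name bytes; no signature checking."""
    _, tbs_pos, _ = _tlv(der, 0)                 # outer Certificate SEQUENCE
    _, pos, tbs_end = _tlv(der, tbs_pos)         # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:                         # collect tbsCertificate children
        tag, vs, ve = _tlv(der, pos)
        fields.append((tag, der[vs:ve]))
        pos = ve
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields.pop(0)
    return fields[2][1], fields[4][1]            # serial, sigalg, ISSUER, validity, SUBJECT

def check_root_bundle(pem_text):
    """/etc/ssl/cert.pem: every entry must be a self-signed root (issuer == subject)."""
    ns = [names(c) for c in pem_to_der_list(pem_text)]
    return bool(ns) and all(iss == sub for iss, sub in ns)

def check_server_chain(pem_text):
    """<addr>[:<port>].crt: leaf first, then the intermediate that issued it."""
    ns = [names(c) for c in pem_to_der_list(pem_text)]
    return (len(ns) >= 2 and ns[0][0] != ns[0][1]   # a real chain whose leaf is not self-signed
            and all(ns[k][0] == ns[k + 1][1] for k in range(len(ns) - 1)))

def _der(tag, payload):
    """Encode one DER TLV (payloads under 256 bytes are enough for the fixtures)."""
    hdr = bytes([len(payload)]) if len(payload) < 0x80 else bytes([0x81, len(payload)])
    return bytes([tag]) + hdr + payload

def fake_cert_pem(subject, issuer):  # constructed fixture: only the X.509 field order is real
    name = lambda s: _der(0x30, _der(0x0C, s.encode()))   # Name as SEQUENCE{UTF8String}
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
```

To run it against a real host, read /etc/ssl/cert.pem and the listener .crt file with open() and pass their contents to check_root_bundle and check_server_chain; a False from either is the misconfiguration the reply describes.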




Re: OpenBSD and Shells.com

2021-02-13 Thread Anders Andersson
On Thu, Feb 11, 2021 at 11:13 PM Abel Abraham Camarillo Ojeda wrote:
>
> On Thu, Feb 11, 2021 at 4:00 PM Alex Lee  wrote:
>
> > Just wanted to check in on this one and see if there was a chance to chat.
> > Thanks!
> >
> > On Sun, Jan 24, 2021 at 3:07 PM Alex Lee  wrote:
> >
> > > Hi!  My name is Alex Lee, and I am hoping that we can partner with
> > > OpenBSD.  We offer virtual cloud computers that can be accessed from any
> > > web enabled device.  As we offer multiple OS options such as different
> > > Linux distros and Windows, it gives the user the opportunity to use the
> > OS
> > > they want on the device they want (I use Ubuntu Desktop on an iPad
> > Pro).  I
> > > was hoping that we could chat about a potential collaboration as our
> > > product can give folks an opportunity to test out OpenBSD without
> > > installing it on their hardware.  I know there are a lot of folks who are
> > > afraid to make the jump and this would be an easy way for them to get
> > > involved with OpenBSD.  Let me know if we could chat more!   Thanks.
> > >
> > > alex
> > >
> >
>
> As far as I know you don't need to ask permission to do that kind of
> service,
> or I don't understand what you're requesting

"I was hoping that we could chat about a potential collaboration"
usually means "How much are you willing to pay to have your name on
our front page". Not even sure that OP knows what OpenBSD is, it looks
like a template email and the website is shady.

They are trying to trademark the word "Shells" from what I can see
from the google preview, but the website doesn't show anything at all
without javascript.