Re: Keeping a personal ports branch

2021-10-18 Thread Rubén Llorente
Stuart Henderson  wrote:
> Just use a different VCS, for example svn or git. /usr/ports/mystuff
> is listed in .cvsignore in the repository so they don't conflict, and
> there is special handling in ports infrastructure. The directory
> layout underneath it should be as with the main ports tree i.e.
> /usr/ports/mystuff/category/portname.
> 
> See PORTSDIR_PATH in bsd.port.mk(5). By default /usr/ports takes
> priority over /usr/ports/mystuff, but if you want to override things
> in the main tree you can swap that around with an entry in /etc/mk.conf
> like PORTSDIR_PATH=${PORTSDIR}/mystuff:${PORTSDIR}
> 
> 

That is all I need. It sounds great to me.

I am a CVS dude so mystuff may as well stay CVS :-)

-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76



Re: Keeping a personal ports branch

2021-10-15 Thread Rubén Llorente
Marc Espie  wrote:
> On Fri, Oct 15, 2021 at 10:25:17AM -0000, Rubén Llorente wrote:
>> Hi there!
>> 
>> I am wondering how does people around here keep local branches of the ports
>> tree for personal use.
>> 
> 
> Put your own ports into mystuff...
> 
> if you think they might interest other people, see whether the WIP git repo
> would be suitable for them, until they're mature enough.
> 
> 

A bunch of this stuff is really of no interest to anybody. Or does not fit a
port system for general use.

Having a "mystuff" folder sounds fine but if I want to put it under version
control it is going to need some engineering :-) It sounds like a workable
solution so I will study it.

-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76



Keeping a personal ports branch

2021-10-15 Thread Rubén Llorente
Hi there!

I am wondering how does people around here keep local branches of the ports
tree for personal use.

The reason I am asking is because I keep some patched ports which are suited
to solve my problems, but not suited (or useful) for submission to the
official ports tree. Ideally I would upgrade my personal ports tree alongisde
the official one.

I suppose I could cvs import every -RELEASE of the ports into my own cvs
repository, but ideally I would rather have something more automated.
Besides, I am curious as to how people is doing it.

-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76



Libsecret + gnome-keyring + qykeychain broken (was nextcloudclient fails to work with gnome-keyring)

2021-09-25 Thread Rubén Llorente
Hello again.

I reproduced the issue once again:

I performed a fresh install of -current and installed Gnome.
Starting Gnome via GDM brings up all the services necessary
for storing secrets (dbus and gnome-keyring) out-of-the-box.

Nextcloud Client is still incapable of leveraging libsecret
or Gnome Keyring for storing secrets in a keyring in this
configuration.

My conclussion, unless somebody brings an alternative, is
that either Libsecret, Gnome Keychain, qtkeychain or
Nextcloud Client are broken.

If it is one of the first three, it means such port is
broken since it cannot perform the primary function
expected from it.

Since interest in having this working is low I am
staying with my workaround of using kwalletd5 instead.
If anybody is willing to debug this problem further I
am willing to provide more information.

Rubén Llorente  wrote:
> I have reproduced the issue in Fluxbox.
> 
> ~.xession:
> 
> /usr/local/bin/startfluxbox
> 
> 
> ~.fluxbox/startup
> 
> if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
>eval $(dbus-launch --sh-syntax --exit-with-session)
> fi
> 
> exec fluxbox
> 
> 
> Under a similar configuration in Linux, Nextcloud calls
> a prompt for creating a password database on first launch,
> and stores the credentials in a keyring. In OpenBSD this
> happens not.
> 
> Some worrying logs from Nextcloud:
> 
> 2021-09-25 00:52:25:016 [ info nextcloud.sync.credentials.webflow ]:Get 
> QNAM
> 2021-09-25 00:52:25:667 [ info nextcloud.sync.credentials.webflow ]:Fetch 
> from keychain!
> 2021-09-25 00:52:25:985 [ info nextcloud.sync.credentials.keychainchunk ]:
>   Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
> 2021-09-25 00:52:36:312 [ warning nextcloud.sync.credentials.keychainchunk ]: 
>   Unable to read 
> "someuser_clientCertificatePEM:https://somedomain.invalid/:0; chunk "0" 
> "Unknown error"
> 2021-09-25 00:52:36:313 [ info nextcloud.sync.credentials.keychainchunk ]:
>   Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
> 2021-09-25 00:52:46:491 [ warning nextcloud.sync.credentials.keychainchunk ]: 
>   Unable to read "someuser_clientKeyPEM:https://somedomain.invalid/:0; chunk 
> "0" "Unknown error"
> 2021-09-25 00:52:46:491 [ warning nextcloud.sync.credentials.webflow ]: 
> Unable to read client key "Unknown error"
> 2021-09-25 00:52:46:492 [ info nextcloud.sync.credentials.keychainchunk ]:
>   Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
> 2021-09-25 00:52:56:186 [ warning nextcloud.sync.credentials.keychainchunk ]: 
>   Unable to read 
> "someuser_clientCaCertificatePEM0:https://somedomain.invalid/:0; chunk "0" 
> "Unknown error"
> 
> "Unknown Error" is returned by qtkeychain when unable to operate its
> backend.
> 
> Either there is a problem with libsecret or the PEBKAC level is
> astronomical at this point.
> 
-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76



Re: nextcloudclient fails to work with gnome-keyring

2021-09-24 Thread Rubén Llorente
I have reproduced the issue in Fluxbox.

~.xession:

/usr/local/bin/startfluxbox


~.fluxbox/startup

if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
   eval $(dbus-launch --sh-syntax --exit-with-session)
fi

exec fluxbox


Under a similar configuration in Linux, Nextcloud calls
a prompt for creating a password database on first launch,
and stores the credentials in a keyring. In OpenBSD this
happens not.

Some worrying logs from Nextcloud:

2021-09-25 00:52:25:016 [ info nextcloud.sync.credentials.webflow ]:Get QNAM
2021-09-25 00:52:25:667 [ info nextcloud.sync.credentials.webflow ]:Fetch 
from keychain!
2021-09-25 00:52:25:985 [ info nextcloud.sync.credentials.keychainchunk ]:  
Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
2021-09-25 00:52:36:312 [ warning nextcloud.sync.credentials.keychainchunk ]:   
Unable to read "someuser_clientCertificatePEM:https://somedomain.invalid/:0; 
chunk "0" "Unknown error"
2021-09-25 00:52:36:313 [ info nextcloud.sync.credentials.keychainchunk ]:  
Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
2021-09-25 00:52:46:491 [ warning nextcloud.sync.credentials.keychainchunk ]:   
Unable to read "someuser_clientKeyPEM:https://somedomain.invalid/:0; chunk "0" 
"Unknown error"
2021-09-25 00:52:46:491 [ warning nextcloud.sync.credentials.webflow ]: Unable 
to read client key "Unknown error"
2021-09-25 00:52:46:492 [ info nextcloud.sync.credentials.keychainchunk ]:  
Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
2021-09-25 00:52:56:186 [ warning nextcloud.sync.credentials.keychainchunk ]:   
Unable to read "someuser_clientCaCertificatePEM0:https://somedomain.invalid/:0; 
chunk "0" "Unknown error"

"Unknown Error" is returned by qtkeychain when unable to operate its
backend.

Either there is a problem with libsecret or the PEBKAC level is
astronomical at this point.

Rubén Llorente  wrote:
> Hello there!
> 
> I have been testing some machine for deployment as a workstation. I have set 
> up XFCE4 as a desktop environment (which is launched by my .xsession file). I 
> have also set nextcloudclient and installed gnome-keyring-daemon.
> 
> I have found that Nextcloud Client is unable to leverage gnome-keyring in 
> order to save credentials securely. Nextcloud Client always complains because 
> the secrets agent cannot be used because of an "Unknown Error".
> 
> Things I have tried in order to properly launch gnome-keyring-daemon include:
> 
> Using an .xsession script such as:
> 
> 
> . $HOME/.profile
> eval $(/usr/local/bin/gnome-keyring-daemon --start )
> export GNOME_KEYRING_CONTROL GNOME_KEYRING_PID GPG_AGENT_INFO SSH_AUTH_SOCK
> /usr/local/bin/startxfce4 
> 
> Also, I have tried using the XFCE4 desktop configuration tool, enabling Gnome 
> Services on startup in the Advanced tab.
> 
> Essentially, I can get the keyring started, but nextcloud, or qtkeychain, or 
> whatever backend is suppose to talk to gnome-keyring fails to find it.
> 
> As a workarround I am using Kwalletd5 for the time being, which works.
> 
> If anybody has any guide or instructions to set up gnome-keyring with 
> nextcloudclient, or ideas to get such setup working, I am eager to read your 
> ideas. 
> 
> The working environment is OpenBSD 6.9 -RELEASE amd64.
> 

-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76



nextcloudclient fails to work with gnome-keyring

2021-09-22 Thread Rubén Llorente
Hello there!

I have been testing some machine for deployment as a workstation. I have set up 
XFCE4 as a desktop environment (which is launched by my .xsession file). I have 
also set nextcloudclient and installed gnome-keyring-daemon.

I have found that Nextcloud Client is unable to leverage gnome-keyring in order 
to save credentials securely. Nextcloud Client always complains because the 
secrets agent cannot be used because of an "Unknown Error".

Things I have tried in order to properly launch gnome-keyring-daemon include:

Using an .xsession script such as:


. $HOME/.profile
eval $(/usr/local/bin/gnome-keyring-daemon --start )
export GNOME_KEYRING_CONTROL GNOME_KEYRING_PID GPG_AGENT_INFO SSH_AUTH_SOCK
/usr/local/bin/startxfce4 

Also, I have tried using the XFCE4 desktop configuration tool, enabling Gnome 
Services on startup in the Advanced tab.

Essentially, I can get the keyring started, but nextcloud, or qtkeychain, or 
whatever backend is suppose to talk to gnome-keyring fails to find it.

As a workarround I am using Kwalletd5 for the time being, which works.

If anybody has any guide or instructions to set up gnome-keyring with 
nextcloudclient, or ideas to get such setup working, I am eager to read your 
ideas. 

The working environment is OpenBSD 6.9 -RELEASE amd64.

-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76



Program getting stuck at sqlite3_exec()

2021-01-29 Thread Rubén Llorente
Hello!

I am porting a stupid program to OpenBSD and found a roadblock.

The program is a terminal game launcher. It is intended to serve roguelike 
games over telnet or SSH.The main project site is 
http://github.com/paxed/dgamelaunch.

So far I have sanitized the autoconf config file to use OpenBSD and replaced 
the program's crypt() calls with OpenBSD's cryptools alternatives.

The problem I am fazing now is that when I attempt to create a new user, the 
program gets stuck in an sqlite3_exec() call until I hit Enter. This is 
specially puzzling because the program is not supposed to be accepting user 
input at that point. And once Enter is hit, the sqlite3_exec() action is 
actually performed properly(!).

If anybody is aware of any reason why sqlite_exec() would get stuck, I'd be 
glad to hear.

How to reproduce (I recommend using a spare system, because this program is 
kinda intrusive):

The program is intended to be suid, chroot into some directory and drop 
privileges. Prepare a directory for runnign a chroot in it. 

Download the current code: 
gopher://gopher.operationalsecurity.es/5/dgamelaunch-openbsd.tar

Untar it somewhere.

Configure a build environment (export CPATH=/usr/local/include, export 
LIBRARY_PATH=/usr/lical/lib, etc)

Configure the build with ./autogen.sh --enable-sqlite 
--with-config-file=/path/of/chroot/etc/dgamelaunch.conf

Make it with gmake.

Edit example/dgamelaunch.conf in the source code folder to suit your needs. For 
a quick test, you only need to change the chroot=, shed_uid= and shed_guid= 
options.

Edit dgl-create-chroot in the source code folder. The only important value to 
change is chroot=.

Execute the dgl-create-chroot script as root, which will populate the chroot 
directory you have selected.

Set the suid bit of the dgamelaunch binary and execute it. It will chroot into 
the directory and offer you a bunch of options. Registrate a new user (r) and 
go with the instructions.

The bug is triggered after you enter your email address. The ncurses interface 
gets frozen and nothing gets written to the database. Then you hit enter while 
the interface is frozen, and it returns back to normal.

I think the problem is triggered in the writefile function in dgamelaunch.c, 
where sqlite_exec() gets called. 

Help and suggestions are appreciated.

AFAIK the main project is dead.

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Patch for crypt(3) man page.

2021-01-21 Thread Rubén Llorente
Hello everybody.

I have been porting a stupid old program to OpenBSD. I hit a bit or a
road block because this program uses crypt() but the man page at OpenBSD
is not clear enough regarding a couple of details.

Specifically: the man page does not provide a clear explanation of the
format in which the _setting_ parameter is to be fed to crypt(). In
fact, it says: "The second, setting, currently supports a single form.
If it begins with a string character (‘$’) and a number then a different
algorithm is used depending on the number." So far, so good.

What it doesn't say is that if you don't identify the algorithm as
either "2a" or "2b" you get an errno and no hash. It also does not
specify that you need to provide the log2 of rounds with the
_setting_ param, and that such log2 of rounds must be expressed as a two
digit number.

I am pasting a proposed patch for the crypt(3) man page. I am not aware
of any style guide and the fix is trivial, so I'd rather post it in misc
than on a developer list.

Suggestions and ideas are welcome.

I am aware the crypt() family is deprecated.

--- crypt.3 Thu Jan 21 16:59:05 2021
+++ crypt.new   Thu Jan 21 20:11:31 2021
@@ -70,14 +70,17 @@
 typically a user's typed password.
 The second,
 .Fa setting ,
-currently supports a single form.
-If it begins
-with a string character
-.Pq Ql $
-and a number then a different algorithm is used depending on the number.
-At the moment
-.Ql $2
-chooses Blowfish hashing; see below for more information.
+currently supports a single form, and must be formatted as
+.Fa $algorithm$lrounds$salt
+.Pp
+The
+.Fa algorithm 
+must be either "2a" or "2b", which select the old and new implementation of 
Blowfish hashing respectively. The 
+.Fa lrounds 
+preference must be a two digit number between "04" and "31", whereas 
+.Fa salt 
+is a character string which represents 128 bits of radix-64 encoded salt.
+
 .Ss Blowfish crypt
 The Blowfish version of crypt has 128 bits of
 .Fa salt


-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: Recommendations for USB Barcode Scanner and Thermal Receipt Printer

2020-08-15 Thread Rubén Llorente
For the record, I came into a chep USB barcode scanner that works wonders. An 
Inateck BCST-31 according to the label.

I also ran into a cheap chinesse ticket printer, a Terow. Sadly, it crashes the 
kernel - looks like a bad kernel bug. It works well when it is not crashing. 

Stuart Henderson  wrote:
> On 2020-07-29, Rubén Llorente  wrote:
>> Thank you for the advice. I will search for those ones and see what I can 
>> find.
>>
>> I still need to solve the printer issue. So far it looks like receipt 
>> printers use very simple interfaces. Somebody engineered ppd files for Zjian 
>> printers for Linux, but I don't know if the OpenBSD kernel would interface 
>> with them. They are certainly not in the USB Product/Vendor database of the 
>> kernel. Maybe they would show as Unknown Printers?
> 
> For standard device types, USB typically uses "class drivers", there are
> specifications for e.g. mass storage, USB-attached SCSI, human interface
> devices (mouse/keyboard/etc), etc, including printers. If the device
> follows one of these it doesn't need a specific driver or information
> about the particular device in the kernel (the kernel product/vendors
> are used when the device doesn't use a class driver or needs some
> special quirks, or as a fallback if the device doesn't report a
> human-readable vendor/product name).
> 
> Really unless you can find someone with a particular device you'll need
> to take a gamble, or buy something that you can return if incompatible.
> 
> ppd files can be used on OpenBSD.
> 
> 
> 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: Recommendations for USB Barcode Scanner and Thermal Receipt Printer

2020-08-01 Thread Rubén Llorente
That sounds cool.

I was considering a network printer, whit the POS here is not going to be 
networked.

Out of curiosity, which printer it is that you are using?

ibs...@ripsbusker.no.eu.org wrote:
> So I would not need to deal with USB printers anymore, I got a thermal
> printer with an ethernet port. I communicate with it by ESC/POS over
> UDP to port 9100.
> 
> 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: Recommendations for USB Barcode Scanner and Thermal Receipt Printer

2020-07-29 Thread Rubén Llorente
Thank you for the advice. I will search for those ones and see what I can find.

I still need to solve the printer issue. So far it looks like receipt printers 
use very simple interfaces. Somebody engineered ppd files for Zjian printers 
for Linux, but I don't know if the OpenBSD kernel would interface with them. 
They are certainly not in the USB Product/Vendor database of the kernel. Maybe 
they would show as Unknown Printers?


john slee  wrote:
> +1 for Symbol here. Have used them in factory environments and I can???t
> recall one ever failing.
> 
> If buying used, be sure you can get the documentation for it, as these are
> often configurable (eg. continuous vs. triggered scanning) via scanning
> special barcodes.
> 
> John
> 
> 
> On Sun, Jul 26, 2020 at 07:20 Erling Westenvik 
> wrote:
> 
>> On Sat, Jul 25, 2020 at 08:47:48PM +0200, Rubén Llorente wrote:
>> > Anybody in the list has good (or bad) experiences with USB Barcode
>> > Scanners? Which models with?
>>
>> I have a working barcode scanner, Symbol Technologies LS2208, that
>> shows up in dmesg as:
>>
>> uhidev4 at uhub3 port 6 configuration 1 interface 0 "?Symbol
>> Technologies, Inc, 2002 Symbol Bar Code Scanner" rev 2.00/2.01 addr 4
>> uhidev4: iclass 3/1
>> ukbd1 at uhidev4: 8 variable keys, 6 key codes, country code 33
>> wskbd2 at ukbd1 mux 1
>> wskbd2: connecting to wsdisplay0
>>
>> It's an old model, manufactured in 2005, and I can't say that I've used
>> it extensively, but it seems to work well with at least "normal"
>> barcodes typically found on groceries, books (ISBN), receipts and so on.
>> There are barcodes that it cannot read but I have not investigated the
>> matter. The manufacturer still exists.
>>
>> Good luck!
>>
>> Erling
>>
>>
> 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Recommendations for USB Barcode Scanner and Thermal Receipt Printer

2020-07-25 Thread Rubén Llorente
Hello,

I am considering to set a Point of Sale (POS) solution for a small
business. Given the chance I'd like to use OpenBSD for it. It is
supposed to be very basic and the software would be a web application
running in a remote server. No pole screen or cash drawer support is
required.

This leaves me with the need of gathering some hardware. This would
be a barcode scanner - afaik they show up as keyboards for the operating
system - and a receipt printer.

Anybody in the list has good (or bad) experiences with USB Barcode
Scanners? Which models with?

What about receipt printers? Does anybody have a recommendation for
those?

Happy OpenBSDing!

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: pass 'password manager' problem

2020-02-24 Thread Rubén Llorente
As far as I have seen in the pass script, --batch mode is oly invoked if you 
are running a gpg agent or are running gpg2.

Do you have gpg2 installed?

Do you have a gpg agent configured?

You may need to include the following line in your ~.profile :
export GPG_TTY=$(tty)

Shadrock Uhuru  wrote:
> [-- text/plain, encoding 8bit, charset: utf-8, 61 lines --]
> 
> Hi
> 
>>From: Rubén Llorente 
>>To: misc@openbsd.org
>>Subject: Re: pass 'password manager' problem
>>Date: Fri, 21 Feb 2020 16:22:37 - (UTC)
>>
>>Do you have a ~.gnupg/gpg.conf ? Pass works fine for me.
>>
>>Shadrock Uhuru  wrote:
>>> [-- text/plain, encoding 7bit, charset: utf-8, 6 lines --]
>>>
>>> running 'pass username' returns
>>> "gpg: Sorry, we are in batchmode - can't get input",
>>> am i missing a piece of software or setting ?
>>>
>>> shadrock
>>>
> 
> yes i have the following 
> cat ~/.gnupg/gpg.conf
> 
> use-agent
> pinentry-mode loopback
> personal-cipher-preferences CAMELLIA256 AES256 AES192 AES CAST5
> # personal-cipher-preferences AES256 AES192 AES CAST5 CAMELLIA192
> # BLOWFISH TWOFISH CAMELLIA128 3DES
> personal-digest-preferences SHA512 SHA384 SHA256 SHA224
> personal-compress-preferences BZIP2 ZIP ZLIB
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
> CAST5 ZLIB BZIP2 ZIP Uncompressed
> cert-digest-algo SHA512
> digest-algo SHA256
> s2k-mode 3
> s2k-digest-algo SHA512
> s2k-cipher-algo AES256
> s2k-count 1015808
> charset utf-8
> fixed-list-mode
> no-greeting
> no-secmem-warning
> no-comments
> no-emit-version
> keyid-format 0xlong
> list-options show-uid-validity
> verify-options show-uid-validity
> keyserver-options import-clean-sigs import-clean-uids export-clean-sigs
> export-clean-uids
> keyserver hkp://hkps.pool.sks-keyservers.net
> keyserver-options auto-key-retrieve
> keyserver-options no-honor-keyserver-url
> escape-from-lines
> bzip2-compress-level 9
> compress-level 9
> with-fingerprint
> 
> 
> ---
> 
> shadrock
> 
> [-- application/x-pkcs7-signature, encoding base64, 67 lines, name: smime.p7s 
> --]

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: pass 'password manager' problem

2020-02-21 Thread Rubén Llorente
Do you have a ~.gnupg/gpg.conf ? Pass works fine for me.

Shadrock Uhuru  wrote:
> [-- text/plain, encoding 7bit, charset: utf-8, 6 lines --]
> 
> running 'pass username' returns 
> "gpg: Sorry, we are in batchmode - can't get input",
> am i missing a piece of software or setting ?
> 
> shadrock
> 
> [-- application/x-pkcs7-signature, encoding base64, 67 lines, name: smime.p7s 
> --]

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: Smartphone Alternatives

2020-02-18 Thread Rubén Llorente
Hi there.

I have yet to see a smartphone I would trust with anything important.

Nowadays I have a real laptop for computer stuff and leech free wifi, and a 
Nokia feature phone from 2016.

I tried to get an Android phone into a "secure state" by replacing the OS with 
LineageOS, but the Android base is just very bad. The encryption subsystem 
encrypts what it wants and leaves the rest unprotected, proxy settings across 
the OS are not applied consistently... Two days after I left it in a state I 
liked, my favourite mare stepped on it accidentally.

Predrag Punosevac  wrote:
> Hi,
> 
> I would firstly like to apologize to developers as the question I am
> about to ask has little to do with OpenBSD. However, in my experience
> the number of security conscious people lurking on this mailing list is
> such that I could not resist.
> 
> Long story short one of my virtual servers (running Red Hat) got hacked
> by cryptomining folks. I noticed 100% load on CPUs coming out of a cron
> job and traced everything to a cryptomining scripts. Sure enough there
> was an ssh-key .ssh/authorized_keys which was not suppose to be there.
> Incidentally, I had to turn off Duo 2-factor authentication as one of my
> users insisted on having GUI access via X2go-client. 
> 
> I am not much of a security expert so my instinct is that account was
> compromised by scooping account information from a browser cash or my
> "smart" phone while reading email from Office 365. I have log files and
> I am going through them. Browser cash problem hopefully will be offset
> now when I have 2-factor enabled for Office 365 email and using only
> browser on my locked down OpenBSD desktop. 
> 
> However, that still leaves me with a damn Android smartphone. I already
> deleted/disabled email clients but the more I look the more I feel
> stupid for having that crap. I am looking now at purchasing something
> like Nokia 106. Note that I use one of USA T-Mobile plans and my current
> smartphone works well across the globe. It looks like Nokia 106 doesn't
> work in Europe. 
> 
> I would appreciate any advises, comments, suggestions on the choice of
> mobile device for basic phone calls and texting. It would be painful to
> carry around a small laptop for web browsing, maps, and few other
> useful things but it looks like I am heading there. 
> 
> Thanks for your help.
> 
> Predrag Punosevac
> 
> 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: Thinking of changing DNS Service provider, looking for recommendations

2020-01-07 Thread Rubén Llorente
If it is for your personal use only, you can have a look at the Opennic Project.

They have an alternate DNS structure separated for the regular DNS Root. They 
provide Dynamic DNS for their .dyn unofficial TDL.

It is free of charge and you need no special client for it to work, only 
ftp/curl/wget and cron.

The catch is that, for a computer to be able to access the .dyn TDL, it needs 
to use Opennic DNS servers. If it is just for you, you can configure your 
computers anr routers to use them and be done with it. If your need the general 
public to access it, you are out of luck with Opennic.

Jay Hart  wrote:
> Hey all, and Happy New Years!!!
> 
> I am currently using DYN.COM for DNS service. A few months back they changed 
> there payment
> methodology and I am now considering finding another solution. DYN charges me 
> $5 US monthly so its
> not a huge financial burden. That said, if I could find a free service 
> provider, all the better.
> 
> My only real requirement is they must be able to support OpenBSD based 
> system.  Currently using
> DDclient. It works fine, has been for years.
> 
> This would be for a residential connection.
> 
> Guess what I'm really looking for, from the list, is a OpenBSD friendly 
> provider, and a brief
> write up on how you are connected.  I've looked over a few sites but nothing 
> stood out as being
> OpenBSD friendly.
> 
> Thanks in Advance,
> 
> Jay
> 
> 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



OpenJDK and support for JCE Unlimited Strength Jurisdiction Policy

2016-12-14 Thread Rubén Llorente
Hello.

I am running a Java application that throws a non-fatal warning when used. The
warning states that, in order for the application to work properly, the JCE
Unlimited Strength Jurisdiction Policy files should be downloaded to
/usr/local/jre-1.8.0/lib/security

I used to think that OpenJDK already included the Unlimited Strength Policies,
so this is a bit confusing.

Is there an easy way for checking myself if such policies are installed and
working on the system?

For the record, I am running OpenBSD 6.0 amd64. 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: SSH key encryption when using FDE

2016-08-03 Thread Rubén Llorente
Nick Holland  wrote:
> Now, I suspect (nb: I am not a cryptographer or SSH coder. But I sat at
> a table with one once, and was completely in awe) the key has to be held
> in unlocked form in RAM, so perhaps a very serious breach that allowed
> the raw access of system RAM might produce it...but would also produce a
> lot of other nifty things, and by that point, your system is so
> completely compromised, not much is trustworthy anymore.
> 
> Nick.

I have actually seen step by step instructions for doing just that, but I
don't have the link around. You essentially need root permissions for
pulling that off.

Ssh-agent prevents an intruder from stealing the key material in any
useful form, but it does not prevent him from using the material that is
already kept by the agent - if he is able to send a query to your agent,
he will be able to use the keys even if he does not get to see them.

I encrypt my key materials even when I am using PFDE, I just don't think
the agent is something it is not.

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: Impossibility of cryptographic verification of downloads

2016-05-25 Thread Rubén Llorente
Eduard - Gabriel Munteanu  wrote:
> Hi,
> 
> It currently seems impossible to verify downloads from a computer
> without OpenBSD, for a few reasons:
> 
> 1. No securely-distributed public key
> 2. Lack of signify packages in e.g. Linux distros, or
> securely-distributed sources

I have not used them, but signify seems to have been ported to Linux and
at least some ports are available.

https://github.com/chneukirchen/signify

Regarding the key distribution, I suggest you to read Ted's comments on
the matter. Many people is just uding the TOFU model with the keys. 

https://www.openbsd.org/papers/bsdcan-signify.html

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: light browsers

2016-05-13 Thread Rubén Llorente
Dmitrij D. Czarkoff  wrote:
> Webkit1-based browsers (Luakit, Midori, surf, Vimb and Xombrero) use
> unmaintained engine, so nobody fixes even known issues.  People who care
> about security should probably avoid these.

I heard the developer of Surf (Webkit-1 based browser) say that he
suspects that Webkit2 is still a worse option to use than Webkit1 even
if you acknowledge that Webkit1 is EOled. There is some work being
done in a Webkit2 version of Surf, but he said that Webkit2 was likely
a bigger problem than a Webkit1 with known unpatched issues. 

I have not checked the facts so I can't back any of these engines, but
I thought this post was going to be relevant to the conversation. 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Rubén Llorente
Giancarlo Razzolini  wrote:
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https? 

I dislike the idea.

An http->https redirect does not prevent a MITM by itself.

It also prevents the easy use of caching or proper proxies with the site.
Purely informative sites are ok without https for the most part. If
the user feels that TLS is somehow required, he can enable it by
different means. http->https redirection does not add much in terms of
security unless the user takes additional steps, but if the user is
going to take additional steps he does not really require the
redirection.

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: TLS now supported on openbsd.org?

2016-05-09 Thread Rubén Llorente
Giancarlo Razzolini  wrote:
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https? 

I dislike the idea.

For one, it does not stop a MITM by itself. 

In addition, enforced encryption makes it hard to cache and/or use proper 
http proxies with the site.

Purely informative sites don't need TLS. The user can opt to use TLS if
he thinks the content he needs to read is somehow sensitive, or configure
his browser not to use the regular http version if he feels like doing
 that. A pure simple redirect does not add much to security unless the
user takes extra steps - but if the user takes extra steps he does not
need a redirect at all.  

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA



Re: OpenBSD mailserver success stories ?

2016-04-26 Thread Rubén Llorente
On Tue, 26 Apr 2016 12:32:22 -0400, stan wrote:

> Given that, most of the things we are doing with FreeBSD,  Apache,
> Samba, NFS etc, do not concern me as to doing them with OpenBSD. but I
> am a bit concerned about the mailserver. We use it for internal mail,
> and it gets mail from a large variety of systems, and devices, not all
> of which are modern. also I offer our users many options for retrieving
> their mail. With this in mid, I'd like to hear the experience of others
> using OpenBSD for mailserver.
> 
> Thanks.

I have set OpenSMTPD for small deployments and it does the trick. It is 
just easier to configure than any other SMTP daemon I have dealt with.

If you want to know if OpenSMTPD is good for your user case, you are 
better off asking if it can do X and Y and Z, and how well it does them.

If your deployment is any serious you should test the software in 
controlled conditions before you take a decision and install it.



Re: Creating a blog using OpenBSD: technology choices and security considerations

2016-04-26 Thread Rubén Llorente
On Tue, 26 Apr 2016 06:15:22 +, David Lou wrote:

> When I say 'blog', I'm referring to a website that contains essentially
> many pages of content. Each content page has attributes such as title,
> date, category, tags, and so on. When a user browsers this website, the
> content pages are served in a visually attractive layout, with possible
> bells and whistles such as Facebook/Twitter share buttons, and comment
> sections. Additional features may include a search bar and an archive
> page.
> 
> I'm shying away from popular solutions such as WordPress because (1) I'm
> not sure if it even installs on OpenBSD and more importantly (2) I'm not
> convinced that it adheres to the OpenBSD principles of correctness and
> proactive security.

Hello, and welcome.

A static website generator is a safe bet. You can use bashblog or any 
similar alternative, for example. Bashblog can be seen in action at 
http://www.richard-falken.com

Bashblog might need some hacking in the code in order to include social 
media buttons, but the CSS is easy enough to configure. No native comment 
services exist, but it can integrate with external ones.

For the record, I don't like commentary mechanisms that work as an 
external service to your website. In fact, I would not care for a 
commentary mechanism unless you really needed it. A commentary mechanism 
forces you to deploy anti-spam defenses, to police against trolls and is 
one of those things that don't let you stop worrying about the 
administrative aspects of being running a website.

Regards.