yubikey: user failed: password too short.

2020-02-15 Thread Predrag Punosevac
Hi Misc,

I am playing with yubikey on

predrag@oko$ uname -a
OpenBSD oko.int.bagdala2.net 6.6 GENERIC.MP#4 amd64


The idea is to use yubikey as a challenge for a console login. I tried
first to configure /etc/login.conf just to use yubikey

auth-defaults:auth=yubikey:

However, I see 

oko# tail -3 authlog 
Feb 15 23:29:15 oko yubikey: user predrag failed: password too short.
Feb 15 23:29:15 oko yubikey: user predrag: reject
Feb 15 23:43:09 oko su: predrag to root on /dev/ttyC0


I used advanced mode in yubikey-personalization-gui and generated public
key of length 16 instead of default 6. No avail. Then I realized that 

010: SECURITY FIX: December 4, 2019   All architectures
libc's authentication layer performed insufficient username validation.

Is it possible to use yubikey for console authentication or does the above
patch disable it completely? 

Most Kind Regards,
Predrag Punosevac



Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-15 Thread Fabio Martins
>
> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>

Neither can I believe I had forgotten it, but I think you nailed it.
Will test Monday and let you know.

Thanks in advance.

-fm

>
> tcpdump of a successful test connection:
> c.c.c.c = remote test client on internet
> r.r.r.r = firewall external IP
>
> pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
> tcpdump: listening on vmx1, link-type EN10MB
> 14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0)
> win 64240  [tos 0x20]
> 14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S
> 3178148684:3178148684(0) win 64240  8,nop,nop,sackOK> [tos 0x20]
> 14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S
> 3355699325:3355699325(0) ack 3178148685 win 16384  1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
> 14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0)
> ack 3178148685 win 16384  [tos 0x20]
> 14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
> 14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win
> 1026 [tos 0x20]
> 14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos
> 0x20]
> 14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win
> 1026 [tos 0x20]
> 14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436
> win 273 (DF) [tos 0x20]
> 14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack
> 436 win 273 (DF) [tos 0x20]
> 14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win
> 273 [tos 0x20]
> 14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436
> win 273 [tos 0x20]
>
>
>





Atheros AR9462 wireless card support

2020-02-15 Thread Anthony BOCCI
Hello,

I am a new OpenBSD user and I just installed version 6.6 on an Acer
Aspire. Inside I have an Atheros AR9462 wireless card. I saw there
are no drivers. During my research I found this mail from 2014 to
the misc mailing list about support of this wireless card
(https://marc.info/?l=openbsd-misc&m=139282412523049&w=2).

Is there any news about the support? I don't know much about OpenBSD
but I can test or compile things if it can help.

When I run `$ dmesg | grep "Atheros AR9462"` I get the following:

"Atheros AR9462" rev 0x01 at pci4 dev 0 function 0 not configured

Anthony






Re: Full disk encryption including /boot, excluding bootloader?

2020-02-15 Thread no@s...@mgedv.net
> >depends what you want to achieve, but my recommendation is booting from USB
> >and mount encrypted root from the HDD.
> >you can safely remove the usb key after root mount and all your configs/etc
> >files are used from the encrypted storage.
> >this ensures 2 things: bootloader + kernel on USB boot media cannot be
> >attacked during system uptime and all bytes on disk are encrypted.
> >another advantage is, you don't need (to type, write down or remember) any
> >passphrases but can use strong random data for crypto payload/keys.
> >
> 
> How do you do this on OpenBSD?
@frank: https://www.openbsd.org/faq/faq14.html#softraidFDEkeydisk




Call for papers and presentations for EuroBSDCon 2020 (Vienna, AT 2020-09-17 - 2020-09-20) is open

2020-02-15 Thread Peter Nicolai Mathias Hansteen
The EuroBSDCon 2020 call for papers and presentations is now open, with 
submissions accepted until May 24th, 2020.

Please see the full call for papers text at
https://2020.eurobsdcon.org/call-for-papers/ for details and instructions on
how to submit your proposals.

I hope to see a significant number of you in Vienna!

(Also, please do forward this message or the significant information it 
contains to other forums, your local user groups, groups of friends or 
colleagues who may find the conference topics interesting)


All the best,
Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.








Re: experience setting up a low memory machine

2020-02-15 Thread Dumitru Moldovan

On Sat, Feb 15, 2020 at 01:54:56AM +0100, Noth wrote:

> I wouldn't call 64Mb "small" for memory, it's tiny. Even 20 years ago
> 64 wasn't really enough.


Not really, about 21 years ago I was learning to get XFree86 working,
to break free from the console on a desktop with 24MB of RAM.  Built
that machine with 16MB of RAM in 1998.  Around year 2000, prices of
memory modules significantly increased because of market troubles in
Southeast Asia.  So it took me some time to get to 32MB of RAM in the
end, definitely less than 20 years ago.

To put things in perspective, it was possible to run KDE 1.0 in 24MB of
RAM comfortably.  Biggest memory hog was Netscape, the only usable web
browser on Linux and Unix systems at the time.  A screenshot from that
era: http://toastytech.com/guis/dvxxserv.png.

Obligatory XKCD reference: https://www.xkcd.com/386/  :-]



Re: experience setting up a low memory machine

2020-02-15 Thread Stefan Sperling
On Sat, Feb 15, 2020 at 01:54:56AM +0100, Noth wrote:
> The only thing I can recommend is to stick to an older version of the OS

I wouldn't recommend running old releases, at least not until i386
officially becomes an unsupported platform.



Re: experience setting up a low memory machine

2020-02-15 Thread Stefan Sperling
On Fri, Feb 14, 2020 at 10:01:06PM +0900, rgc wrote:
> every boot OpenBSD relinks the kernel ... i stared at the top display and
> saw ld on top with around 170Mb ... literally out of memory ... and out of
> swap space. on machines with small memory swap is configured by disklabel
> as 2x physmem.  in my case 122Mb swap was calculated but it was not enough
> for the kernel relinking.

On an alix board with 256MB of RAM + 2G swap it is holding up OK.

With low-spec machines like this you need to add lots of swap or you will
need to get a bit creative. You can't use out of the box defaults on this
machine in any case, so some tweaking is required anyway.

For library relinking there's an rc.conf.local option to turn it off.

You can disable automatic kernel relinking, there is one obvious line
to remove from /etc/rc. You can still relink the kernel occasionally if
you want the added security.
Secret tip: You can compile an i386 kernel on a fast amd64 machine which
will also "relink" the kernel of course, just go into sys/arch/i386 and
do the usual kernel compile steps. Don't tell anyone I told you that!

If you want to go further and have another faster i386 machine you can follow
the release(8) man page to build custom release sets for your i386 laptop with
all the tweaks it needs included.



[no subject]

2020-02-15 Thread Jazz Man
subscribe