the eys

2022-03-01 Thread flint pyrite 
we are watching and with you brother

Ukraine

fight on

Re: ikev2 fails with mschap-v2

2022-03-01 Thread Andrew Daugherity 
On Wed, Feb 23, 2022 at 10:10 PM  wrote:
>
> I honestly have no idea where the logs would even be stored or what
> the daemon runs as under MacOS 12.2.1 (Monterey).

I don't have a Monterey system handy, but at least under macOS
Catalina, VPN connections use setkey and racoon, similar to FreeBSD.
Parts of the FreeBSD handbook's chapter on IPsec VPN may be relevant.
The global conf is in /etc/racoon.conf, which has some logging options
(and the associated man pages are installed), and there's a
/var/log/racoon.log.  setkey [ -P ] -D looks useful, but may not apply
if it's failing before establishing SA entries.

It also uses pppd, at least for L2TP over IPsec; a handy feature of
which is support for your own scripts at /etc/ppp/ip-{up,down}.


-Andrew

prosody-openbsd: Request for comments

2022-03-01 Thread William Ahern 
I recently installed Prosody after a few years hiatus from XMPP. Previously
I used ejabberd, but that was removed from ports. Given the ease of writing
modules in Lua generally, and Prosody specifically, I figured it would be
relatively simple to add pledge(2) and unveil(2) support.

  https://github.com/wahern/prosody-openbsd

It was less simple than I anticipated as Prosody's module API doesn't let
you control module loading order beyond statically-defined dependencies
within each module. Because I was concerned about modules potentially,
accidentally loading malicious state from /var/prosody, I wanted to begin
isolating the process ASAP, before most other modules were even loaded and
had the opportunity to read mutable state, regardless of whether any modules
actually did this. (NB: They don't seem to, but I could be wrong, and it
could silently change in the future.) Doing this required a non-standard
configuration approach that poked at some internal APIs.

Other than that, things seem to be working well. But I don't have much
experience running a Prosody installation, and am still struggling to get
MUC cloud notifications working, so I'm curious if anybody has any
suggestions or comments.

One improvement I'll likely make soon is to narrow down /var/prosody
permissions. Currently /var/prosody (prosody.paths.data) is unveiled with
"rwc" by default. But ideally the process would only have write and create
permissions to specific files and subdirectories, /var/prosody/prosody.pid,
/var/prosody/prosody.log, /var/prosody/$VIRTUALHOST, etc, not the directory
entirely. This can be done currently with explicit unveil configuration
directives, but a finer-grained unveil'ing should be done by default. In
particular log files should be write-only if possible. (Even better would be
only using syslog, but even I haven't bothered changing that default
configuration.) I need to examine Prosody's storage module(s) to make sure I
properly understand the most common layouts and how their paths are
specified in the configuration, and perhaps double-check that non-existent
directories (in the case of first startup after adding a virtualhost) can be
unveil'd similar to files.

TIA for comments and suggestions,

- Bill