Re: 2FA VPNs
On Wed, Nov 02, 2022 at 02:05:48AM -, Stuart Henderson wrote:
> If anyone's got any good suggestions on how to do VPNs with 2FA
> on an OpenBSD gateway for non-technical users to access (iOS, Android,
> Windows clients) I'd love to hear them.
>
> I could bodge something together with openvpn and TOTP but it doesn't
> exactly spark joy.

We're using Let's Connect/EduVPN (https://www.letsconnect-vpn.org/) which is effectively a frontend for OpenVPN and wireguard, with client apps for every major platform. The user authenticates to the VPN server using a browser window, so you can do anything you want there, including MFA.

Some minor changes were required to get it working on OpenBSD, mostly relating to EdDSA and chacha support.
Kerberos Heimdal problem on OpenBSD: Failed to verify AP-REQ
Hi,

I have set up an OpenBSD 7.2 machine running Heimdal 7.7.0 as a Kerberos server. I then have an NFS Linux server running Arch Linux on another machine. I then have a FreeBSD NFS client and another Arch Linux NFS client on other physical hardware (all physical machines on the same LAN).

Without Kerberos, I can mount the NFS share from both FreeBSD and Linux without any problems, but when I try to mount the NFS share on the Linux machine, with Kerberos running, i.e. using "sec=krb5" on exports as well as the mount command, from either the FreeBSD client or the Linux client, I get the following error in the log on the OpenBSD Heimdal server:

Oct 29 00:16:54 foo kdc[55215]: Failed to verify AP-REQ: Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
Oct 29 00:16:54 foo kdc[55215]: Failed parsing TGS-REQ from IPv4:192.168.1.4
Oct 29 00:16:54 foo kdc[55215]: tgs-req: sending error: -1765328353 to client
Oct 29 00:16:54 foo kdc[55215]: sending 81 bytes to IPv4:192.168.1.4

When I list the key types on the OpenBSD machine, I get:

    aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5

On FreeBSD I get:

    aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 aes256-cts-hmac-sha1-96

On Linux it's:

    aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac

I don't quite understand the error message or whether that is relevant for the key types:

    Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96

But I don't see "hmac-sha1-96-aes256" listed anywhere.

I have no prior experience using Kerberos and am wondering if anyone on this list has experience using the Kerberos port on OpenBSD and whether this problem looks familiar?

Thanks.

Cheers!
Re: 2FA VPNs
Hi Stuart,

some of the commercial systems we have used use Radius as the Authentication Mechanism...

One could do a rudimentary OTP password system using Radius ... some OTP systems allow for Caching a series of One Time passwords circa 100 passwords... so it could be feasible to have 100 passwords listed on a card, and ask the user to enter password X?

Thanks,
Tom Smyth

On Wed, 2 Nov 2022 at 02:14, Stuart Henderson wrote:
> If anyone's got any good suggestions on how to do VPNs with 2FA
> on an OpenBSD gateway for non-technical users to access (iOS, Android,
> Windows clients) I'd love to hear them.
>
> I could bodge something together with openvpn and TOTP but it doesn't
> exactly spark joy.
>
>
>

--
Kindest regards,
Tom Smyth.
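The card scheme suggested in the message above, as an added example that is not part of the original post: each of the 100 card entries is derived with HOTP (RFC 4226) from a per-user secret, and the server accepts each index only once. The use of HOTP as the derivation and the names make_card and CardVerifier are assumptions; the secret is the RFC 4226 test value.

```python
import hashlib
import hmac
import struct

# Constructed sample: the shared secret used by the RFC 4226 test vectors.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_card(secret: bytes, size: int = 100) -> list[str]:
    """Passwords printed on the user's card; entry X is HOTP(secret, X)."""
    return [hotp(secret, index) for index in range(size)]


class CardVerifier:
    """Server side (hypothetical helper): ask for an unused index, accept it once."""

    def __init__(self, secret: bytes, size: int = 100):
        self._secret = secret
        self._unused = set(range(size))

    def challenge(self) -> int:
        """Index X the user is asked to read from the card."""
        if not self._unused:
            raise RuntimeError("card exhausted, issue a new one")
        return min(self._unused)

    def verify(self, index: int, password: str) -> bool:
        # An index that was already accepted is refused, so a captured
        # password cannot be replayed.
        if index not in self._unused:
            return False
        # Constant-time comparison of the expected and supplied password.
        if not hmac.compare_digest(hotp(self._secret, index), password):
            return False
        self._unused.discard(index)
        return True


if __name__ == "__main__":
    card = make_card(SAMPLE_SECRET)
    server = CardVerifier(SAMPLE_SECRET)
    x = server.challenge()
    print("enter password", x, "->", server.verify(x, card[x]))
    print("replay of password", x, "->", server.verify(x, card[x]))
```

Failed attempts leave the index unused here, so a real deployment would also need to rate-limit or lock out repeated guesses.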
Re: Disable amdgpu driver without a working keyboard in UKC?
On Tue, 1 Nov 2022 22:54:12 +0100 Thomas Bohl wrote:
> You could SSH into the machine or use the install kernel to drop
> into a shell. From there you could create a bsd.re-config file.
>
> man bsd.re-config

Ah thank you so much! I was able to run the install kernel, drop into a shell, mount the SSD, then write "disable amdgpu" into /etc/bsd.re-config, but unfortunately it's still happening so it might be a different issue.

Thank you for the help anyway!
2FA VPNs
If anyone's got any good suggestions on how to do VPNs with 2FA on an OpenBSD gateway for non-technical users to access (iOS, Android, Windows clients) I'd love to hear them. I could bodge something together with openvpn and TOTP but it doesn't exactly spark joy.
Re: Suspend not working Lenovo X1 Nano Gen 2
Thanks for the quick reply and noted!

On Tuesday 01 Nov 2022 at 15:50:02 (-0700), Mike Larkin wrote:
> On Tue, Nov 01, 2022 at 05:05:21PM -0500, Jason Morris wrote:
> > Hi Everyone,
> >
> > I've upgraded from a X1 Nano Gen 1 and noticed that suspend isn't working
> > on the new machine. By running 'zzz' it starts to suspend and then wakes up
> > after ~10 seconds. I've run apmd in debug mode and got the following:
> >
> > apmd -d
> > battery status: high. external power status: not connected. estimated
> > battery life 65% (225 minutes life time estimate)
> > can't disable driver messages, error: Inappropriate ioctl for device
> > apmevent index 0
> > apmevent 0006 index 193
> > system suspending
> > battery status: high. external power status: not connected. estimated
> > battery life 65% (235 minutes life time estimate)
> > /etc/apm/suspend exited with status 0
> > apmevent 0003 index 194
> > do_etc_file(): cannot access file /etc/apm/resume
> > system resumed from sleep
> > battery status: high. external power status: not connected. estimated
> > battery life 65% (272 minutes life time estimate)
> > apmevent 0006 index 196
> > apmevent 0006 index 197
> >
> >
> > When running 'ZZZ' the system hibernates but when it's waking back up, I'm
> > flooded with the following error:
> >
> > "*ERROR* Fault errors on pipe A"
> >
> > Any recommendations on how I can move forward?
> >
> > -Jason
>
> This is a known issue. No solution at this time.
>
> -ml
>
Re: Suspend not working Lenovo X1 Nano Gen 2
On Tue, Nov 01, 2022 at 05:05:21PM -0500, Jason Morris wrote:
> Hi Everyone,
>
> I've upgraded from a X1 Nano Gen 1 and noticed that suspend isn't working on
> the new machine. By running 'zzz' it starts to suspend and then wakes up
> after ~10 seconds. I've run apmd in debug mode and got the following:
>
> apmd -d
> battery status: high. external power status: not connected. estimated battery
> life 65% (225 minutes life time estimate)
> can't disable driver messages, error: Inappropriate ioctl for device
> apmevent index 0
> apmevent 0006 index 193
> system suspending
> battery status: high. external power status: not connected. estimated battery
> life 65% (235 minutes life time estimate)
> /etc/apm/suspend exited with status 0
> apmevent 0003 index 194
> do_etc_file(): cannot access file /etc/apm/resume
> system resumed from sleep
> battery status: high. external power status: not connected. estimated battery
> life 65% (272 minutes life time estimate)
> apmevent 0006 index 196
> apmevent 0006 index 197
>
>
> When running 'ZZZ' the system hibernates but when it's waking back up, I'm
> flooded with the following error:
>
> "*ERROR* Fault errors on pipe A"
>
> Any recommendations on how I can move forward?
>
> -Jason

This is a known issue. No solution at this time.

-ml
Suspend not working Lenovo X1 Nano Gen 2
Hi Everyone,

I've upgraded from a X1 Nano Gen 1 and noticed that suspend isn't working on the new machine. By running 'zzz' it starts to suspend and then wakes up after ~10 seconds. I've run apmd in debug mode and got the following:

apmd -d
battery status: high. external power status: not connected. estimated battery life 65% (225 minutes life time estimate)
can't disable driver messages, error: Inappropriate ioctl for device
apmevent index 0
apmevent 0006 index 193
system suspending
battery status: high. external power status: not connected. estimated battery life 65% (235 minutes life time estimate)
/etc/apm/suspend exited with status 0
apmevent 0003 index 194
do_etc_file(): cannot access file /etc/apm/resume
system resumed from sleep
battery status: high. external power status: not connected. estimated battery life 65% (272 minutes life time estimate)
apmevent 0006 index 196
apmevent 0006 index 197

When running 'ZZZ' the system hibernates but when it's waking back up, I'm flooded with the following error:

"*ERROR* Fault errors on pipe A"

Any recommendations on how I can move forward?

-Jason
Re: Disable amdgpu driver without a working keyboard in UKC?
> Hello,
>
> I wanted to try that out by running the same `disable amdgpu` command in UKC, but neither the built-in keyboard nor my external keyboard work in UKC mode. Is there an alternative way of disabling amdgpu when my keyboards don't work? Perhaps I can echo to some config file during the `boot>` prompt?

You could SSH into the machine or use the install kernel to drop into a shell. From there you could create a bsd.re-config file.

man bsd.re-config
Re: Triple booting Windows/Debian/OpenBSD?
Thanks for all the education here folks!
Re: Triple booting Windows/Debian/OpenBSD?
On 01/11/2022 13:27, Ottavio Caruso wrote:
> Hi,
>
> I have some spare space on my laptop (a rubbish Thinkpad E130) that was originally meant for NetBSD, but I gave up on it due to suspend/resume not working.
>
> This is how it looks from Debian:
>
> Device         Start       End   Sectors   Size Type
> /dev/sda1       2048   1023999   1021952   499M Windows recovery environment
> /dev/sda2    1024000   1226751    202752    99M EFI System   >>> [EFI partition]
> /dev/sda3    1226752   1259519     32768    16M Microsoft reserved
> /dev/sda4    1259520  51845119  50585600  24.1G Microsoft basic data
> /dev/sda5   51845120 124938239  73093120  34.9G NetBSD FFS
> /dev/sda6  223012864 877277183 654264320   312G Microsoft basic data
> /dev/sda7  206057472 223012863  16955392   8.1G Linux swap
> /dev/sda8  877277184 976773119  99495936  47.4G Linux filesystem   >>> [Debian /home partition]
> /dev/sda9  124938240 206057471  81119232  38.7G Linux filesystem   >>> [Debian / root]
>
> Questions:
>
> 1) Can/should I reuse the EFI partition?
> 2) Can I reuse and mount the Linux swap partition?
> 3) I will nuke sda5 and install OpenBSD in there. Anything I need to know or do before installation?
>
> I have read the installation guide:
> https://www.openbsd.org/faq/faq4.html#Multibooting
> but it's quite short and terse.
>
> Is multibooting worth it or is it just a pain in the down under? I did install OpenBSD before but in a VM, so... apples and oranges really.
>
> Thanks.

Hi,

Presumably you are using GRUB to multiboot. Yes you should keep the EFI partition and add an OpenBSD directory in there, copy the BOOTX64.EFI file to it (available on your local mirror in the 7.2/amd64 directory) and point your grub.cfg entry to the BOOTX64.EFI file in it. It's easiest to edit the /etc/grub.d/40_custom file and add this:

menuentry 'OpenBSD/amd64 normal kernel' {
    insmod part_gpt
    insmod search_fs_uuid
    insmod chain
    chainloader (hd0,gpt2)/EFI/OpenBSD/BOOTX64.EFI
}

and run update-grub to modify grub.cfg.

Cheers,
Noth
Disable amdgpu driver without a working keyboard in UKC?
Hello,

I recently installed OpenBSD on a MacBook Pro 15 (2017), but I'm having trouble getting to the actual login screen because the screen turns blank and turns off before Xenodm even starts. After searching around the web for a bit, I found this thread about a problematic amdgpu firmware:

https://www.reddit.com/r/openbsd/comments/k7r0bw/black_screen_after_some_boot_prompts/

I wanted to try that out by running the same `disable amdgpu` command in UKC, but neither the built-in keyboard nor my external keyboard work in UKC mode. Is there an alternative way of disabling amdgpu when my keyboards don't work? Perhaps I can echo to some config file during the `boot>` prompt?

I would send a dmesg, but unfortunately I can't even log in so I apologize. I believe my graphics card is Radeon Pro 560 or Radeon Pro 555 based on https://support.apple.com/kb/SP756?locale=en_US

Thanks so much!
Re: Triple booting Windows/Debian/OpenBSD?
Ottavio Caruso wrote (2022-11-01 13:27 CET):
> Hi,
>
> I have some spare space on my laptop (a rubbish Thinkpad E130) that was
> originally meant for NetBSD, but I gave up on it due to suspend/resume not
> working.
>
> [...]
>
> Is multibooting worth it or is it just a pain in the down under? I did
> install OpenBSD before but in a VM, so... apples and oranges really.

Doesn't this machine come with an UltraBay slot that usually contains a CD or DVD drive? You can get an HDD adapter for that and install OpenBSD on there.

Multiboot in general is a pain. How much suffering is accepted is a personal decision :-)

Best Regards,
Stefan
Re: Triple booting Windows/Debian/OpenBSD?
On Tue, Nov 01, 2022 at 02:20:38PM +, Ottavio Caruso wrote:
> On 01/11/2022 at 13:16, Claudio Jeker wrote:
> > On Tue, Nov 01, 2022 at 12:42:10PM +, Maurice McCarthy wrote:
> > > I think you are asking for a world of grief.
> > Not really, just be careful when installing any additional OS on a
> > multiboot system. They like to trample on each other's toes
>
> Thanks.
>
> Incidentally, is suspend/resume to RAM supposed to work on OpenBSD? Because
> it didn't work on NetBSD. I know they are two different ecospheres but you
> never know.

Generally suspend to RAM works fine. If not file a bug report.

--
:wq Claudio
Re: X/DRM freeze on 7.2
Hello Patrick,

Thanks for the tip, it seems that everything works with LIBGL_ALWAYS_INDIRECT=1

Best,
Mickael

October 24, 2022 6:09 PM, "Patrick Harper" wrote:
> Hi,
>
> https://docs.mesa3d.org/envvars.html#radeonsi-driver-environment-variables
>
> For me freezes happen only when hardware acceleration is enabled so this
> might be a good place to start.
>
> --
> Patrick Harper
> paia...@fastmail.com
>
> On Fri, 21 Oct 2022, at 19:56, Mickael Torres wrote:
>
>> Hello,
>>
>> Since upgrading to 7.2, I have X/DRM freezes on one computer (dmesg below).
>>
>> When it happens, the screen is completely frozen, but I can still ssh
>> to the machine.
>> It only happened when starting firefox or VLC, for now. Once they are
>> started I didn't have any
>> problem.
>> When the machine is in that state, the X and firefox processes are in
>> the DRM wait state:
>> 87821 _x11 -20 0 97M 110M idle DRM 0:01 0.00% Xorg
>> 76467 mike -20 0 12M 28M idle DRM 0:00 0.00%
>> firefox
>> 51234 mike -20 0 5972K 49M idle DRM 0:00 0.00%
>> firefox
>> Nothing in dmesg or Xorg.0.log.
>>
>> As far as I can remember, it never happened with 7.1.
>>
>> Is there anything I can do to further debug this?
>>
>> Best,
>> Mickael
>>
>> OpenBSD 7.2 (GENERIC.MP) #758: Tue Sep 27 11:57:54 MDT 2022
>> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> real mem = 68598935552 (65421MB)
>> avail mem = 66502520832 (63421MB)
>> random: good seed from bootblocks
>> mpath0 at root
>> scsibus0 at mpath0: 256 targets
>> mainbus0 at root
>> bios0 at mainbus0: SMBIOS rev. 3.3 @ 0xbda23000 (49 entries)
>> bios0: vendor American Megatrends International, LLC. version "F37d"
>> date 07/27/2022
>> bios0: Gigabyte Technology Co., Ltd.
Re: Triple booting Windows/Debian/OpenBSD?
On Tue, Nov 01, 2022 at 12:42:10PM +, Maurice McCarthy wrote:
> I think you are asking for a world of grief.

Not really, just be careful when installing any additional OS on a multiboot system. They like to trample on each other's toes. In the OpenBSD installer be careful and do not select whole disk.

> sda5 is likely to be on an extended partition. That is trouble booting.

This is GPT and EFI. I had no trouble booting OpenBSD from large offsets. Btw. you can use the linux efibootmgr to set a menu entry for OpenBSD. With that you can use the boot menu to select what to boot.

> You cannot use the linux swap partition easily, though it might be
> possible, reformatting on change of operation system, ???!!!

I would not reuse swap partitions. Mainly because hibernate uses swap to store the image. So if you hibernate and boot into a different OS that would destroy your image.

> I'd advise against even trying. Unless you enjoy pain, that is.

Honestly there is no big issue if you're careful and have backups ready. Sure it is far easier to install on individual disks but heck not every system has that luxury.

--
:wq Claudio
Re: Triple booting Windows/Debian/OpenBSD?
I think you are asking for a world of grief. sda5 is likely to be on an extended partition. That is trouble booting. You cannot use the linux swap partition easily, though it might be possible, reformatting on change of operation system, ???!!! I'd advise against even trying. Unless you enjoy pain, that is.