Best testcases for SSHD when fuzzing with afl?

2018-05-05 Thread Hess THR
Hello, 

So far I found these testcases for the input directory of afl when I am fuzzing 
the OpenBSD OpenSSHD:

git clone https://github.com/openbsd/src.git
find src/ -type f | grep -i regress | grep -i ssh | grep -i testdata

But the question: does anybody have more? Or better? Any idea how to have more 
and better quality testcases? 

http://lcamtuf.coredump.cx/afl/



Re: Disabling message CRCs in SSHD

2018-05-02 Thread Hess THR
Thanks. Appreciate it!! :)

> Sent: Saturday, April 28, 2018 at 11:11 AM
> From: "Darren Tucker" 
> To: "Hess THR" 
> Cc: "OpenBSD Misc List" 
> Subject: Re: Disabling message CRCs in SSHD
>
> On 28 April 2018 at 03:20, Hess THR  wrote:
> > Based on the:
> >
> > http://www.vegardno.net/2017/03/fuzzing-openssh-daemon-using-afl.html
> >
> > I tried to search for these code pieces (I know he was using openbsd-compat 
> > and not the original OpenSSH code) but didn't find it, didn't even find 
> > similar for disabling message CRCs:
> 
> Short answer: It's gone, you can ignore that part.
> 
> Long answer: CRC32 was the message integrity method for SSH Protocol
> v1 and the last of the SSH1 code was removed[0] in the 7.6 release[1]
> (in part because CRC32 is a weak integrity guarantee compared to a proper
> MAC).
> 
> [0] https://github.com/openssh/openssh-portable/commit/3d6d09f2
> [1] https://www.openssh.com/releasenotes.html#7.6
> 
> -- 
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
> 
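
Added example, not part of the thread and not OpenSSH code: a Python sketch of why CRC32 is a weak integrity guarantee compared to a proper MAC, as the reply above puts it. The payload, key and function names are constructed for illustration, and SSH1 packet framing and encryption are not modeled.

```python
import hashlib
import hmac
import zlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def crc_shift(delta: bytes) -> int:
    """CRC32 change caused by XORing delta into ANY message of that length.

    CRC32 is affine over GF(2): crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros),
    so the shift depends on delta alone, never on the message or a key.
    """
    return zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))

def mac_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag; cannot be computed or adjusted without the key."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the expected and received tag."""
    return hmac.compare_digest(mac_tag(key, msg), tag)

def run_demo() -> dict:
    # Constructed sample payload and key (assumptions, not real SSH data).
    msg = b"seq=0007 data=hello world"
    key = b"constructed-demo-key"
    # A change made in transit, expressed as an XOR mask over the payload.
    delta = xor_bytes(msg, b"seq=0007 data=HELLO WORLD")
    altered = xor_bytes(msg, delta)

    crc_sent = zlib.crc32(msg)
    # Fixed up from the old checksum and the mask only; msg is not read here.
    crc_fixed = crc_sent ^ crc_shift(delta)

    tag_sent = mac_tag(key, msg)
    return {
        "crc_accepts_original": zlib.crc32(msg) == crc_sent,
        "crc_accepts_altered": zlib.crc32(altered) == crc_fixed,
        "mac_accepts_original": mac_verify(key, msg, tag_sent),
        # No keyless fix-up exists for the tag, so the altered payload fails.
        "mac_accepts_altered": mac_verify(key, altered, tag_sent),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```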



Re: /etc/netstart - order of operations (lo vs physical interfaces)

2018-04-27 Thread Hess THR
who is "jmc" in the header? can someone cc him? or the people who are doing the 
doc? :)

Many thanks. 

> Sent: Friday, April 27, 2018 at 3:28 PM
> From: "Amelia A Lewis" 
> To: misc@openbsd.org
> Subject: Re: /etc/netstart - order of operations (lo vs physical interfaces)
>
> A read of the script itself shows loopback initialized prior to 
> hardware interfaces, at least in 6.2 (haven't upgraded yet).
> 
> On Fri, 27 Apr 2018 08:21:54 -0400, Gabriel Guzman wrote:
> > Just a quick clarification, lo(4) says that the loopback interface
> > should be configured last, and /etc/netstart seems to support this
> > but netstart(8) says that the loopback interface is configured `before`
> > physical interfaces: 
> 
> Date in the man page for lo(4) is 2013. I'm guessing that the network 
> system has moved on since then, and it's actually the lo(4) source 
> that's out of date.
> 
> Or, possibly, the netstart authors aren't aware of the potential 
> problems, so started initializing loopback devices first, and ought to 
> change things.
> 
> :-)
> 
> Amy!
> -- 
> Amelia A. Lewis    amyzing {at} talsever.com
> There's someone in my head, but it's not me.
> -- Pink Floyd
> 
> 



Disabling message CRCs in SSHD

2018-04-27 Thread Hess THR
Based on the: 

http://www.vegardno.net/2017/03/fuzzing-openssh-daemon-using-afl.html

I tried to search for these code pieces (I know he was using openbsd-compat and 
not the original OpenSSH code) but didn't find it, didn't even find similar 
for disabling message CRCs:

in the ( https://github.com/openbsd/src )

$ pwd
/src/usr.bin/ssh
$ find . -name packet.c
./packet.c
$ grep -i checksum packet.c
$

Does anyone have any idea where to disable message CRCs in SSHD? 

It is needed for testing purposes. 

Many-many thanks. 



How to disable privilege separation mode in SSHD? - for testing

2018-04-03 Thread Hess THR
Hello, 

What is the method to do a "UsePrivilegeSeparation=no" on source code level? 

Is it the following?: 

sed -i 's/^int use_privsep = -1;$/int use_privsep = 0;/g' /home/user/src/usr.bin/ssh/sshd.c

or am I wrong?

only for testing purposes! cannot check children. 

Many thanks. 



Re: door opening sensor HW for OpenBSD?

2018-03-27 Thread Hess THR
Hello. 

I was thinking of a cheap USB mouse after I sent my original mail, but your 
list is.. wow :) long. 

So it sends a mail when door is moved even a little bit and it plays an MP3. 
The mouse cost $3. 

it just works. 

pic: 
https://i.imgur.com/7X6N059.jpg
https://i.imgur.com/eROpANf.jpg

Thanks :)

> Sent: Saturday, March 24, 2018 at 11:50 PM
> From: Robert 
> To: misc@openbsd.org
> Subject: Re: door opening sensor HW for OpenBSD?
>
> On Sat, 24 Mar 2018 22:32:02 +0100
> "Hess THR"  wrote:
> > Can you please recommend any hardware, that I could plug in to the notebook 
> > and though I could send a warning mail when the door was moved 
> > (open/closed). 
> 
> I can think of so many ways to do this, from boring to insane :)
> 
> * Mount a switch on top of the door that gets unpressed when the door
>   opens, and connect to the serial port. Then read the pin status.
> * The same, but mount the switch behind the door so that it gets
>   pressed when the door opens.
> * Use a magnetic switch instead, and read it through the serial port.
> * Put a keyboard behind the door, so that the door presses against a
>   key when it opens. Map the key to a script.
> * Attach a mouse to the door and react on the mouse movement.
> * Attach a GPS sensor to the door and measure movements.
> * Attach a USB barometer and detect the air pressure diff when the door
>   opens.
> * Attach a USB gyroscope to the door. Detect movement.
> * Attach a USB light sensor (Arduino?) and detect movement.
> * Put an RFID tag on the door, and attach an RFID reader, to detect
>   when the tag approaches the reader.
> * Attach the laptop to the door and use the built-in gyroscope (if
>   available).
> * Same, but use the gyroscope from the HD. Might require firmware
>   hacking.
> * Don't oil the door and evaluate the microphone input.
> * Attach any USB device, but route the 5V line through a switch
>   attached to the door. Detect when the device attaches.
> * Mount the laptop behind the door so that the door opens/closes the
>   laptop lid. Detect wake/sleep state.
> * Fix your credit card to the door and have it move through a card
>   reader when the door opens. Check account balance through script.
> 
> Send pix!
> 
> regards,
> Robert
> 
> 



door opening sensor HW for OpenBSD?

2018-03-24 Thread Hess THR
Hello, 

I have an OpenBSD amd64 notebook running 24h next to a door, ~50cm. 

Can you please recommend any hardware, that I could plug in to the notebook and 
though I could send a warning mail when the door was moved (open/closed). 

I can do the scripting part, but I just don't know where to start for hardware 
that senses that the door was moved. 

Many, many thanks. 



noip freezes my 6.0

2018-02-27 Thread Hess THR
Hello, 

pkg_add ...pub/OpenBSD/6.0/packages/amd64/no-ip-2.1.9p4.tgz
enable it with rcctl

.. ok, it works! heading for a sleep. 

but in the morning: the OpenBSD router was not responding. 

ok, omg, power off/on. don't know what happened, nothing in the logs. 

ok, next day, the same, during the night, the machine freezes. now I turn the 
noip off with rcctl and not running the noip client. 

.. the machine didn't freeze. 

How can I help the community, how to debug this problem? (before opening a 
low-level bugreport, want to make it a more quality report)

Many thanks. 



https://www.openbsd.org/ftp.html

2018-02-27 Thread Hess THR
Hello, 

I can see that ftp.fsn.hu is available over HTTPS, but isn't listed in the 
HTTPS part of the ftp.html

How can we reach the maintainer of the ftp.html? 

Thanks. 



sudoedit for doas?

2018-02-27 Thread Hess THR
Hello, 

hmm, I went through the relevant man pages: 

https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1
https://man.openbsd.org/doas.conf.5

but I cannot find a sudoedit alternative for the "doas". 

Are there any? 

Many thanks. 



UNIX Stackexchange - Community Promotion Ads - 2018

2018-02-25 Thread Hess THR
Hello, 

already got 2 upvotes, 4 more needed to be on the main page: 

https://unix.meta.stackexchange.com/a/4801/277781

If anyone wants to upvote it :)



Re: noob question: driver separation?

2018-02-19 Thread Hess THR
I mean.. did it ever happen in history that a microphone driver sent its 
data via the network? 

if these attacks aren't very likely, then I was just loudly thinking..

wouldn't it be great to hold some idea day for: "how to increase security? "

there would be ex.: 500 idiot ideas, but maybe 1 great, who knows. 



> Sent: Monday, February 19, 2018 at 8:58 PM
> From: "Hess THR" 
> To: misc@OpenBSD.org
> Subject: Re: noob question: driver separation?
>
> Hello, 
> 
> nono, just in theory.. or isn't it worth it? 
> 
> 
> > Sent: Monday, February 19, 2018 at 11:05 AM
> > From: "Boudewijn Dijkstra" 
> > To: misc@openbsd.org
> > Subject: Re: noob question: driver separation?
> >
> > Op Fri, 16 Feb 2018 21:51:12 +0100 schreef Hess THR  
> > :
> > > Hello,
> > >
> > > are there any (at least on plan or theoretical level) that drivers will  
> > > be/are/would be separated? ex.:
> > >
> > > - touchpad drivers shouldn't have to do anything with network access
> > > - wireless drivers shouldn't be able to touch anything from ex.: /home
> > > - graphics/wireless/sound/disk/etc. drivers shouldn't be able to get  
> > > anything from keyboards
> > > - and so on.
> > >
> > > or is this only a dream or bad concept that separation needed "inside  
> > > kernel level"?
> > 
> > Why do you think it is needed?  Did you see any dubious or sketchy OpenBSD  
> > driver code?
> > 
> > 
> > 
> > -- 
> > Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/
> > 
> > 
> 
> 



Re: noob question: driver separation?

2018-02-19 Thread Hess THR
Hello, 

nono, just in theory.. or isn't it worth it? 


> Sent: Monday, February 19, 2018 at 11:05 AM
> From: "Boudewijn Dijkstra" 
> To: misc@openbsd.org
> Subject: Re: noob question: driver separation?
>
> Op Fri, 16 Feb 2018 21:51:12 +0100 schreef Hess THR  
> :
> > Hello,
> >
> > are there any (at least on plan or theoretical level) that drivers will  
> > be/are/would be separated? ex.:
> >
> > - touchpad drivers shouldn't have to do anything with network access
> > - wireless drivers shouldn't be able to touch anything from ex.: /home
> > - graphics/wireless/sound/disk/etc. drivers shouldn't be able to get  
> > anything from keyboards
> > - and so on.
> >
> > or is this only a dream or bad concept that separation needed "inside  
> > kernel level"?
> 
> Why do you think it is needed?  Did you see any dubious or sketchy OpenBSD  
> driver code?
> 
> 
> 
> -- 
> Gemaakt met Opera's e-mailprogramma: http://www.opera.com/mail/
> 
> 



noob question: driver separation?

2018-02-16 Thread Hess THR
Hello, 

are there any (at least on plan or theoretical level) that drivers will 
be/are/would be separated? ex.: 

- touchpad drivers shouldn't have to do anything with network access
- wireless drivers shouldn't be able to touch anything from ex.: /home
- graphics/wireless/sound/disk/etc. drivers shouldn't be able to get anything 
from keyboards
- and so on. 

or is this only a dream or bad concept that separation needed "inside kernel 
level"? 

Thanks and have a great weekend! :)



OpenBSD Memory protection mechanisms that are not enabled by default?

2018-02-12 Thread Hess THR
Hello!

Besides the "S" option for malloc.conf and increasing kern.stackgap_random and 
removing the wxallowed mount option, what other memory-related hardening 
mechanisms are in OpenBSD that can be turned on and are not enabled by default?

Even options would be useful if we have to re-compile the kernel, if minimal 
source code modification is needed.

Tried to get lists/ideas from grsecurity (if there is any, that is not already 
used in OpenBSD), but it is hard when you are not a programmer.

Many thanks. 



Re: OpenBSD Foundation on HTTPS

2018-02-09 Thread Hess THR
Hello, 

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

"Beginning in July 2018 with the release of Chrome 68, Chrome will mark all 
HTTP sites as “not secure”."

so: 
http://www.openbsdfoundation.org/
http://firmware.openbsd.org/firmware/
any mirror that still uses just http, not https, pkg_* should only allow https 
communication
any other? 

also, default redirect to HTTPS should be advisable

HTTPS would provide integrity, privacy, authenticity. 

Have a great weekend!

ps.: OpenBSD team is great! I am just advising that it would be better to use 
HTTPS. 


> Sent: Thursday, February 08, 2018 at 12:37 AM
> From: "Charlie Eddy" 
> To: jer...@fuckthensa.nl
> Cc: "Jonathan Thornburg" , misc@openbsd.org
> Subject: Re: OpenBSD Foundation on HTTPS
>
> Hello Jonathan Thornburg,
> 
> That is quite simple. The post will work.
> 
> https://www.ic.gc.ca/app/scr/cc/CorporationsCanada/fdrlCrpDtls.html?corpId=4409612
> 
> Regards,
> 
> On Wed, Feb 7, 2018 at 6:42 AM, Jeroen  wrote:
> 
> > With HTTPS, can you be sure that the server isn't compromised? With or
> > without HTTPS, it's always a good idea to check whether the address is
> > correct (a foundation has to be registered and at other places).
> >
> > On Wed, 2018-02-07 at 14:40 +0100, Jonathan Thornburg wrote:
> > > From  http://www.openbsdfoundation.org/donations.html :
> > > >  Donations may be made by cheque in CAD/EUR/USD funds to:
> > > >
> > > > The OpenBSD Foundation
> > > > 8101 160 Street
> > > > Edmonton, Alberta, Canada
> > > > T5R 2G9
> > >
> > > Without https, how can one verify that that is the correct address?
> > >
> > >
> >
> >
>



Re: OpenBSD Foundation on HTTPS

2018-02-06 Thread Hess THR
troll on

hey, yeah, you are absolutely right! 

no one would ever modify (since plain http) the example.: 

http://www.openbsdfoundation.org/donations.html

page, where the PayPal donation links and bitcoin donation links are, without 
anybody noticing!

Why would someone do something like this? we live in a perfect world without 
bad people! yay pink ponies!

troll off


> Sent: Tuesday, February 06, 2018 at 12:23 PM
> From: "Ian Sutton" 
> To: "Hess THR" 
> Cc: "misc@OpenBSD.org" 
> Subject: Re: OpenBSD Foundation on HTTPS
>
> Hi,
> 
> There is no need. There is nothing secret on those web servers, there
> is no logical reason to encrypt it. This issue has been discussed to
> death. Please check archives.
> 
> Ian
> 
> On Tue, Feb 6, 2018 at 4:03 AM, Hess THR  wrote:
> > Hello,
> >
> > because HTTPS increases the authenticity, integrity, privacy: 
> > https://en.wikipedia.org/wiki/HTTPS
> >
> > going to apache/iis/nginx/linux will not increase "security". since they 
> > have very buggy code.
> >
> > but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the 
> > code in the base?
> >
> >
> >> Sent: Friday, December 15, 2017 at 12:11 PM
> >> From: "Vivek Vinod" 
> >> To: "Hess THR" 
> >> Subject: Re: OpenBSD Foundation on HTTPS
> >>
> >> 1) Why do you want https support?
> >> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we 
> >> shift to IIS as well? Wait, I guess more people use Linux, so we should 
> >> stop using OpenBSD all together.
> >>
> >>
> >> -Original Message-
> >> From:  on behalf of Hess THR 
> >> 
> >> Date: Friday, 15 December 2017 at 4:20 PM
> >> To: , 
> >> Subject: OpenBSD Foundation on HTTPS
> >>
> >> Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
> >> support HTTPS, while in 2017 Dec, ~70% of the websites do:
> >> https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
> >> the OpenBSD Foundation? Which Official OpenBSD related domain hasn't 
> >> got
> >> HTTPS yet? I wish you happy holidays and again, Thanks for all the 
> >> work!
> >> BTW, wow:
> >> 
> >> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
> >>
> >
> 



Re: OpenBSD Foundation on HTTPS

2018-02-06 Thread Hess THR
Hello, 

because HTTPS increases the authenticity, integrity, privacy: 
https://en.wikipedia.org/wiki/HTTPS

going to apache/iis/nginx/linux will not increase "security". since they have 
very buggy code. 

but for HTTPS, luckily, OpenBSD has LibreSSL. Or are we not trusting the code 
in the base?


> Sent: Friday, December 15, 2017 at 12:11 PM
> From: "Vivek Vinod" 
> To: "Hess THR" 
> Subject: Re: OpenBSD Foundation on HTTPS
>
> 1) Why do you want https support? 
> 2) Most websites use IIS, Apache or Nginx. Maybe you should suggest we shift 
> to IIS as well? Wait, I guess more people use Linux, so we should stop using 
> OpenBSD all together.
>  
> 
> -Original Message-
> From:  on behalf of Hess THR 
> Date: Friday, 15 December 2017 at 4:20 PM
> To: , 
> Subject: OpenBSD Foundation on HTTPS
> 
> Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
> support HTTPS, while in 2017 Dec, ~70% of the websites do:
> https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
> the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
> HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
> BTW, wow:
> 
> https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3
> 



OpenBSD Foundation on HTTPS

2017-12-15 Thread Hess THR
Hello, Just noticed that the: http://www.openbsdfoundation.org/ doesn't
support HTTPS, while in 2017 Dec, ~70% of the websites do:
https://letsencrypt.org/stats/#percent-pageloads Can we have HTTPS for
the OpenBSD Foundation? Which Official OpenBSD related domain hasn't got
HTTPS yet? I wish you happy holidays and again, Thanks for all the work!
BTW, wow:
https://www.reddit.com/r/Bitcoin/comments/7jj0oa/im_donating_5057_btc_to_charitable_causes/dr6q6tj/?context=3