Re: Encrypting my keydisk

2019-10-24 Thread Normen Wohner



> On 24.10.2019 at 03:27, Aaron Mason wrote:
> 
> On Wed, Oct 23, 2019 at 7:45 PM Normen Wohner wrote:
>> 
>> To enable two factor encryption?
>> One passcode is in his head the other on a key.
>> If either is missing the data on drive is unreadable.
>> I don’t know what is hard to understand about it.
>> In an ideal world you’d use the manual passcode
>> to decrypt the keydisk and then the keydisk
>> to decrypt the fs.
>> You should also not be able to tell
>> whether the keydisk was in fact encrypted,
>> the bootloader should try and on failure ask
>> for a passcode, not expect there to be some
>> 'RSA-2048' written at the end.
>> It’s hard for me to understand why nobody asked for this sooner.
>> 
> 
> You could just use a passphrase on the original disk to the same
> effect.  No sense over-complicating things.

No, you could not, that way whoever has the keydisk has access to the files on 
disk, otherwise you still need a password. Not sure what is unclear about this. 
Maybe you think this is about login? It is actually about obfuscating the login 
process and enabling 2FA.
Maybe you think live files are still encrypted when the OS runs but no user is 
logged in. That is sadly not the case.


Regarding your second question, whatever part or level of the "bootloader" 
normally checks for keydisk already has access to the full range of supported 
en- and decryption mechanisms as it uses the key to do just that to the disk. 
This would simply add a second decrypt trial.
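The two-layer unlock this thread argues for, as an added illustration that is not the page's or OpenBSD's code: a fixed-size keydisk that is either the raw disk key or the disk key wrapped under a passcode-derived key, with no marker telling the two apart, and an unlock routine that tries the keydisk as-is and only asks for a passcode on failure. The cipher (SHA-256 counter mode with HMAC) is a stdlib stand-in, not what softraid uses; all names and sizes are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32        # disk key (and wrapping key) length
KEYDISK_SIZE = 96   # every keydisk, encrypted or not, is exactly this long

def _subkey(key, label):
    # separate encryption and MAC keys from one master key
    return hmac.new(key, label, "sha256").digest()

def _keystream(key, nonce, length):
    # SHA-256 in counter mode: a stdlib stand-in for the real disk cipher
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    """Returns the plaintext, or None when the key does not fit (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()
    if not hmac.compare_digest(want, tag):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def derive_wrap_key(passcode, salt):
    # slow KDF so the passcode factor resists offline guessing
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)

def make_keydisk(disk_key, passcode=None):
    # plain keydisk: raw key plus random filler
    # encrypted keydisk: salt || seal(wrap_key, disk_key); same length, no marker
    if passcode is None:
        return disk_key + secrets.token_bytes(KEYDISK_SIZE - KEY_LEN)
    salt = secrets.token_bytes(16)
    return salt + seal(derive_wrap_key(passcode, salt), disk_key)

def unlock(volume, keydisk, ask_passcode):
    """Try the keydisk as-is first; only on failure ask for the passcode."""
    data = open_sealed(keydisk[:KEY_LEN], volume)
    if data is not None:
        return data, "keydisk only"
    salt, wrapped = keydisk[:16], keydisk[16:]
    disk_key = open_sealed(derive_wrap_key(ask_passcode(), salt), wrapped)
    if disk_key is None:
        return None, "passcode does not unwrap this keydisk"
    data = open_sealed(disk_key, volume)
    if data is None:
        return None, "unwrapped key does not fit this volume"
    return data, "passcode + keydisk"
```

With an encrypted keydisk neither factor alone opens the volume: a random keydisk with the right passcode and the right keydisk with a wrong passcode both fail the tag check.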




Re: Cannot configure IPv6 to a neighbor that drops NDP traffic

2019-10-16 Thread Normen Wohner
If you don’t have issues with Linux, could this be possibly handled by DHCP 
automatically?

> On 16.10.2019 at 00:40, Demi M. Obenour wrote:
> 
> I am trying to configure IPv6 support for an OpenBSD VM running on 
> QubesOS, but have not been successful.  Is this likely due to NDP 
> traffic being blocked by the peer?  If so, is there a workaround? 
> Linux manages to connect fine. 
> 
> For context, QubesOS uses Xen networking, and drops all IP traffic 
> that is not directly from a VM’s assigned address.  This includes 
> traffic on link-local addresses.
> 
> Thank you,
> 
> Demi
> 



Re: What is you motivational to use OpenBSD

2019-09-03 Thread Normen Wohner
That is a long story,
I first switched to BSD around 2010,
I was just a kid with a Netbook
running on a VIA C7-M.
I was pissed at lack of open source drivers
and wanted to code my own
for the on board graphics.
The Ubuntu and general Linux boards
back then were full of script kiddies
ridiculing anyone with any perceived
lack of knowledge to oblivion.
Even when they themselves lacked the knowledge.

This hostility, combined with the utter lack of
documentation among the Linux Distros,
drove me away from Linux.
I came to FreeBSD, then Dragonfly,
then finally OpenBSD.

I currently use Dfly and OBSD on my private machines wherever I do not run 
MacOS,
sometimes alongside. FreeBSD became rare,
NetBSD is only around on an image that 
I sometimes boot on my PlayStation 2.

I tend to choose OpenBSD in the following scenarios:
1. outdated and/or obscure hardware.
Example: I have an older G3 iMac
that I use out of pure enjoyment,
getting Open running on there still took half a day
(I had to write my first own X11 config in 6 years)
but it runs, is secure and always up to date. 
I even managed to write my own TBXI boot file
for the OpenFirmware from the source on the
image for macppc. Now I have a nice Pufferfish
greeting me if I hold down the Option (Alt) key
at boot.

2. Pentesting
Rationale: In Opsec scenarios you have to often
make yourself vulnerable to exploit someone else's
vulnerability. I like to be able to select where my
ports are open. OpenBSD is, as stated often,
secure by default. It therefore won’t surprise you
with new and sudden vulnerabilities. OpenBSD
also won’t complain when running as root only

3. network facing always on devices
Example: I have exactly one device at home that
is constantly running and exposed to the Internet
instead of only our intranet. That thing runs ssh.
No other distro would I trust with handling my
security right.

Other benefits of OpenBSD include:
-Lack of patheticism:  Other Distros call you an idiot
when they assume you i.e. tried to mount an already
hung in device (Ubuntu), I even wrote a Program in
Go before, Go craps its pants when you do not
indent correctly. I hate shit like that.
OpenBSD just assumes you know what you do.

-excellent documentation as mentioned
in contrast to Linux.
Oh how I hate fumbling for "solutions" in Forums.

-maintained base of excellent standard software,
they really do fork what they need.
Xenocara and LibreSSL are excellent examples.
OpenBSD is doing where others are merely complaining.

Glaring Cons: 
-Bluetooth support, I mean folks it’s 2019
-That lackluster Raspberry port
-The often harsh community,
there is a certain elitism here^ 
-The obvious lack of proprietary graphics drivers
the likes of which Linux gets^^
-No killer Filesystem like ZFS or HAMMER,
get used to UFS brother

^however it mostly extends to telling others when
and why they made dumb decisions and it goes
by without namecalling, Linux is just a Swamp
nowadays, a swamp of kiddies.
Dragonfly, in contrast to all here, really is
the heaven of polite technical conversation.

^^that is just stupid vendors though, the community ports where there is 
interest.

> On Wed, 28 Aug 2019, at 15:32, Mohamed salah wrote:

> I wanna put something in discussion, what's your motivational to use
> OPENBSD what not other bsd's what not gnu/Linux, if something doesn't work
> fine on openbsd and you love this os so much what will do?



Re: LibreOffice, and others, not usable via ssh at OpenBSD 6.4

2019-05-12 Thread Normen Wohner
Did you try setting the $DISPLAY?
In the past I had situations where ssh starts 
DISPLAY=:1 if there is already a session running on 
the server. Also sometimes I had to specify 
DISPLAY=:0. Would be news to me that Open has 
issues with this however 

On May 12, 2019, at 11:27, Roger Marsh  wrote:
> I am guessing, but the following explanation of the 'ssh -Y hostname 
> libreoffice' problem seems reasonable.  Libreoffice asks 'is accelerated 
> graphics available?' and gets a yes or no answer depending on the driver 
> available on hostname. 

maybe either of you could try to just ssh -Y (-X if on 
a corresponding machine) and then start Libreoffice 
to get some verbose output on the issue.
If it complains about being unable to open the 
Xsession it should already be running and you can 
try stuff like DISPLAY=:1 libreoffice



Re: hacked for the second time

2019-04-04 Thread Normen Wohner
Seeing that OpenBSD comes secure out of the Box the most likely
thing is that you yourself compromised your System through 3rd
party software. If it even is the case. I think the best course of
action would be to go for a forensic approach. Google how to log ssh
traffic and where to find the logs. Then confirm your remote access
actually happens. If so you should determine what software exposed
you. VPN, Some Web Service, Your own stupidity? If you really use
ssh keys instead of password login then someone had to be able
to access those, usually outside of transfer. So most likely your
work device is compromised and your OpenBSD server is just a 
casualty.

> On 4 Apr 2019, at 11:57, Cord  wrote:
> 
> Hi, my english seems very bad because my problem is not to make secure the 
> ssh key. My problem is how do not be hacked.
> I have talked about the ssh key stealing to show signs that my pc was been 
> compromised.
> I can for sure make secure my ssh key but how to make secure my the pc ?
> If I have a rootkit that steal the ssh key the problem is the rootkit. You 
> know keylogger that steal password ? or cookie stealing ?
> 
> 
> 
> Sent with ProtonMail Secure Email.
> 
> ‐‐‐ Original Message ‐‐‐
> On Thursday, April 4, 2019 10:19 AM, Tor Houghton  wrote:
> 
>> Hi,
>> 
>> Difficult to make any recommendations based on this information, but once
>> you've recovered, enforce ssh key-based logins only.
>> 
>> Given that your client might be compromised, you probably want to look into
>> that as well.
>> 
>> To limit the possibilities that someone gets access to your
>> ssh private key's keyphrase, store it off-client -- for example using your
>> mobile phone (e.g. Kryptonite -- https://krypt.co; do read caveat regarding
>> Android crypto).
>> 
>> Good luck.
>> 
>> On Wed, Apr 03, 2019 at 06:56:39PM +, Cord wrote:
>> 
>>> Hi,
>>> I have some heavy suspect that my openbsd box was been hacked for the 
>>> second time in few weeks. The first time was been some weeks ago, I have 
>>> got some suspects and after few checks I have found that someone was been 
>>> connected to my vps via ssh on a non-standard port using my ssh key. The 
>>> connection came from a tor exit node. There were been 2 connections and up 
>>> since 5 days. Now I have some other new suspects because some private email 
>>> seems knew from others. Also I have found other open sessions on the web 
>>> gui of my email provider, but I am absolutely sure I have done the logout 
>>> always.
>>> I am using just chrome+unveil and I haven't used any other script or opened 
>>> pdf (maybe I have opened 1 or 2 pdf from inside of chrome). I have used 
>>> epiphany only to open the webmail because chrome crash. My email provider 
>>> support html (obviously) but generally photo are not loaded. Of course I 
>>> have pf enable and few service.
>>> I also use a vpn and I visit very few web site with chrome.. maybe 20 or 25 
>>> website just to read news. Sometimes I search things about openbsd.
>>> Anyone could help me ?
>>> Cord.
> 
> 



Re: Troubleshooting FDE with SD Card Reader

2019-03-31 Thread Normen Wohner



> On Mar 31, 2019, at 12:56, Stefan Sperling  wrote:
> 
>> On Sat, Mar 30, 2019 at 04:49:59PM -0600, Theo de Raadt wrote:
>> Normen Wohner  wrote:
>>> No you do not,
>>> even the Installer sees my SD reader
>>> out of the box as a standard umass
>>> device.
>>> Since I can setup the FDE with the
>>> SD during install it should be trivial
>> 
>> Some BIOS can see SD cards, especially if they are USB.  But not all
>> systems.  Also some BIOS have a different problem, that the moment you
>> choose a root device the other devices don't quite work.  I think this
>> can be rather disruptive towards forming a raid.
> 
> To see a list of disks detected by the BIOS, type 'machine disk' at 
> the boot> prompt. Keydisks will only work during boot if they show
> up in this list.
> Other keydisks will only work once the kernel has already booted up.
> 
> Perhaps this should be thrown into the FAQ, this question keeps coming up...

As suspected nothing from the internal reader.
Thanks for all the help!



Re: Troubleshooting FDE with SD Card Reader

2019-03-30 Thread Normen Wohner



> On Mar 30, 2019, at 18:39, "tfrohw...@fastmail.com"  
> wrote:
> 
> That makes sense - I missed the part in your initial email about it being the 
> keydisk. Unfortunately I'm not familiar with how bootloader/bioctl access a 
> keydisk. Does the SD card reader work otherwise?
> 
> It's a hardware question, so your chances for someone recognizing a solution 
> still increase dramatically if you share a dmesg...

Frankly: good call,
I should have included it in the initial email,
but since mail wasn't set up I said fuck it

Will copy it as soon as 
I'm back at the machine.



Re: Troubleshooting FDE with SD Card Reader

2019-03-30 Thread Normen Wohner



> On Mar 30, 2019, at 20:21, Maurice McCarthy  wrote:
> 
> Forgive me if I'm being silly but just because the kernel recognizes
> the SD card it does not follow that the software to read it is built
> into _base_. I hardly ever use an SD card but from what I remember you
> have install pcsc-tools from ports to use one. If this is so then you
> will _never_ be able to boot with a keydisk on the SD card. You must
> use the USB.
> 
> Good Luck

No you do not,
even the Installer sees my SD reader
out of the box as a standard umass
device.
Since I can setup the FDE with the
SD during install it should be trivial
to make it readable, since the
bootloader is basically the Installer.
You will notice that if you ever
switch from release to -current or
just make an OS update from there.



Re: Troubleshooting FDE with SD Card Reader

2019-03-30 Thread Normen Wohner
No I have the Full Disk Encryption on the internal Harddrive.
Keydisk is on an SD card.
When I try to boot with it being in the 
internal reader it says keydrive not found.
I can boot with the same SD inside a USB Adapter.
That MAKEDEV solution would not be permanent,
maybe I should try to see what devices the
System has when nothing is inserted.

> On Mar 30, 2019, at 16:19, "tfrohw...@fastmail.com"  
> wrote:
> 
>> On March 29, 2019 9:42:44 PM UTC, Normen Wohner  wrote:
>> I cannot use my SD Reader for keydisk purposes.
>> It does show up in dmesg and should be there on boot.
>> Since my SD reader is bundled with a 
>> Sony MemoryStick reader I see them both coming up
>> when I plug in the SD Card.
>> The MS umass shows first on sd0 even if empty so the
>> SD gets pushed to sd1.
>> Should I somehow MAKEDEV sd1?
>> I presumed it to be there?
>> Is this maybe a different issue all together?
>> Thanks for all the help!
>> 
> 
> I'm not sure about the exact problem that you are trying to solve. Are you 
> trying to boot the SD card with FDE on it? Do you get to the first boot 
> prompt? Some output would be helpful to get a better understanding, ideally a 
> dmesg. In my experience, the bootloader can communicate with sd1 and higher 
> numbers, and the install should come with device files for /dev/sd1 and a 
> little higher.
> 
> If additional device entries are needed, just do:
> 
> # cd /dev && sh MAKEDEV 
> 
> ... but I doubt that's your problem.
> 



Troubleshooting FDE with SD Card Reader

2019-03-29 Thread Normen Wohner
I cannot use my SD Reader for keydisk purposes.
It does show up in dmesg and should be there on boot.
Since my SD reader is bundled with a 
Sony MemoryStick reader I see them both coming up
when I plug in the SD Card.
The MS umass shows first on sd0 even if empty so the
SD gets pushed to sd1.
Should I somehow MAKEDEV sd1?
I presumed it to be there?
Is this maybe a different issue altogether?
Thanks for all the help!
 



Re: starting i3 with xenodm

2019-03-27 Thread Normen Wohner
Issue solved: had to . ~/.profile from .xsession.
Obvious in retrospect.
Thanks for all the help

> On 27 Mar 2019, at 18:35, Normen Wohner  wrote:
> 
> New Issue, after install and setup neither dmenu nor the statusbar show up... 
> anybody ever experienced this behavior?
> I played around and I can start both manually.
> 
>> On Mar 27, 2019, at 9:59 AM, Normen Wohner  wrote:
>> 
>> I installed i3 with pkg_add,
>> yet don't understand how
>> to call it from xenodm.
>> 
>> I tried replacing the stock 
>> ${exec_path}/bin/fvwm
>> with /usr/local/bin/i3
>> inside xenodm's Xsession,
>> but that didn't help much.
>> 
>> I then wrote the typical
>> exec i3
>> into .xinitrc in my /root
>> nothing.
>> 
>> Anybody here using i3?
>> 
> 



Re: starting i3 with xenodm

2019-03-27 Thread Normen Wohner
New Issue, after install and setup neither dmenu nor the statusbar show up... 
anybody ever experienced this behavior?
I played around and I can start both manually.

> On Mar 27, 2019, at 9:59 AM, Normen Wohner  wrote:
> 
> I installed i3 with pkg_add,
> yet don't understand how
> to call it from xenodm.
> 
> I tried replacing the stock 
> ${exec_path}/bin/fvwm
> with /usr/local/bin/i3
> inside xenodm's Xsession,
> but that didn't help much.
> 
> I then wrote the typical
> exec i3
> into .xinitrc in my /root
> nothing.
> 
> Anybody here using i3?
> 



Re: starting i3 with xenodm

2019-03-27 Thread Normen Wohner



> On 27 Mar 2019, at 14:46,   wrote:
> this is real issue i see time & time again and it's really frustrating...the 
> op asked a question and rather than answering his question we put our 
> personal preferences forward. TOXIC 

Ah I never feel offended by the occasional 
"use X instead", it's a valid suggestion as long as
reason is stated. Everybody has their reasons.
Though, true, 
“I never asked for this” - Adam Jensen 

> OP use .xsession instead of .xinintrc

perfect answer

> also OpenBSD is known for their quality of man pages...please use these top 
> quality man pages

I know it for the quality man pages
plus it’s the only OS that truly installs
anywhere I try.

> checkout:
> man afterboot
> man man
> 
> Hope you enjoy your time with OpenBSD

Thanks, have a nice day too.

>> 27 Mar 2019, 13:20 by def...@posteo.de:
>> Tip : use CWM
>> 
>> You don't need to install extra software like i3 because cwm is a part of 
>> the OpenBSD X.org installation.
>> 
>> It's a clean, secure, lightweight and efficient window manager for X11.


Frankly I have tried cwm and although
I really appreciate the source style, 
I always end up feeling handicapped
compared to i3wm.
You should look at the video under i3wm.org 
It’s a BSD licensed tiling wm that does vertical
and horizontal automatic window splitting for 
arbitrarily complex layouts.
It’s like going from nano to vim.
CWM is my preferred base wm though.

>>> On 27 Mar 2019, at 14:05, Johan Huldtgren 
>>>  wrote:
>>> $ cat ~/.xsession
>>> # disable system beep
>>> xset b off
>>> 
>>> # lock display
>>> xidle -timeout 300 &

Those are neat suggestions,
haven’t tried autosleep on display yet
should look into man xidle

>>>> On 27 Mar 2019, at 14:01, Christopher Turkel wrote:
>>>> 
>>>> create an .xsession file in your home directory and put in it something 
>>>> like:
>>>> 
>>>> xterm &
>>>> exec i3
>>>> 
>>>> then chmod +x .xsession
Ahhh, dammit xsession not xinitrc. 
You see I have a bunch of OpenBSD installs,
not all up to date
and I always forget when things change-.-



starting i3 with xenodm

2019-03-27 Thread Normen Wohner
I installed i3 with pkg_add,
yet don't understand how
to call it from xenodm.

I tried replacing the stock 
${exec_path}/bin/fvwm
with /usr/local/bin/i3
inside xenodm's Xsession,
but that didn't help much.

I then wrote the typical
exec i3
into .xinitrc in my /root
nothing.

Anybody here using i3?



Re: GMA500 drivers

2019-03-26 Thread Normen Wohner
> On 26 Mar 2019, at 13:30, Jonathan Gray  wrote:
> 
> 
> There is no suitably licensed driver to port.  And no documentation to
> write one from scratch.
> 

I’m not looking to make this an upstream thing. The idea was to take the crappy 
binary blobs from Debian and wrap that into something decent. Reading up on 
OpenBSD driver management however, this seems (outside of reverse engineering) 
frankly impossible.



GMA500 drivers

2019-03-24 Thread Normen Wohner
I have now successfully installed OpenBSD
on my Netbook, however Graphics performance 
is abysmal.
I know that sadly Linux uses binary blobs for
the GMA500 as it is a licensed Powervr chip.
Any idea on how to "maybe" get faster graphics
working?
I'm willing to do the legwork.



FDE with keydrive imponderabilities

2019-03-22 Thread Normen Wohner
I thought you might be able to help me with a setup concerning  
Full Disk Encryption on OpenBSD 6.4 where I am at my wits' end.
I am trying to install on a Sony Vaio VPC P11S1E netbook.
It is a 32-bit x86 machine with an internal SSD and SD card reader.

During boot of the installer my internal disk shows up as wd0.
I have no idea why it would be IDE but be that as it may.
Plugging in any USB drive shows as sd0 while the SD card-reader
shows two devices, respectively some controller on sd0 and the 
actual drive on sd1.

I really hope to find anything else I could try.

What I have tried thus far:
booting into the installer, 
once everything is in ramdisk and it is at the Install
etc. prompt I unplug the boot USB and proceed with:

(S)hell


# dd if=/dev/zero of=/dev/wd0 bs=1m count=8
to erase previous RAID attempt

# fdisk -iy wd0
# disklabel -E wd0
> z
> a a
offset: [64] 1024 
size: [n]
FS type: [4.2BSD] RAID
> w
> q
returns: 'No label changes.'

# cd /dev
# sh MAKEDEV sd1
# sh MAKEDEV sd2
# cd /

after that either 
Route 1:
plugging in SD card

# fdisk -iy sd1
# disklabel -E sd1
> z
> a a
offset: [64] 1024
size: [n] 1m
FS type: [4.2BSD] RAID
> w
> q
returns: 'No label changes.'

# dd if=/dev/random of=/dev/sd1a

# bioctl -c C -k sd1a -l wd0a softraid0
returns: 'Error sd1 did not quit correctly'


This error remains consistent between boots,
even after restarting to the Installer.

alternatively
Route 2:
plugging in USB stick
# fdisk -iy sd0
# disklabel -E sd0
> z
> a a
offset: [64] 1024
size: [n] 1m
FS type: [4.2BSD] RAID
> w
> q
returns: No label changes.

# dd if=/dev/random of=/dev/sd0a

# bioctl -c C -k sd0a -l wd0a softraid0
returns: softraid0: CRYPTO volume attached as sd2
# exit
(I)nstall to sd2
...
hangs in BIOS after reboot whenever
the Keydrive is plugged in.