Re: security(8) for linux?

[Rubén Llorente]

Give aide a try. It isn't exactly a security(8) replacement but it is 
fine for detecting filesystem changes.


chrootkit and rkhunter are also fine for detecting suspicious activity 
and tracking critical filesystem changes, but adapting them to your 
environment might take some work.


Allan Streib wrote:

I am guessing that many of us also manage linux systems, is anyone
aware of a port or adaptation of security(8) for linux, specifically
Ubuntu or Debian distributions?

Allan

Re: Copying files from an Android phone

[Rubén Llorente]

Plenty options here.

I usually either dump the files from the phone to an external pen-drive 
(which requires you to have an USB-OTG cable and your phone to support 
OTG) or launch an FTP server from Android and download the files into my 
OpenBSD machine using an FTP client.


FTP Server is available for Android in FDROID, I think.

Sadeep Madurange wrote:

Hello,

I'm trying to backup some files (~1000 photos and two short videos, in
total about 3GB) from an Android phone to OpenBSD. In the past I used
Android file transfer (MTP) client. I couldn't find it on OpenBSD.
What's the best way to achieve this?

Re: Rate limit the httpd web server for signup requests

[Rubén Llorente]

No perfect solution exists, but the following may help.

1) Parse the logs of your web application and ban any IP that attempts 
to create multiple accounts. Not great because you may have multiple 
users sharing the same public IP. It only works ok if you automate it 
via cronjob scripts.


2) Require the user to provide an external means of identification (such 
as an email address or a phone number) whose existence must be verified 
before his account is activated. Not great because bots may use 
disposable addresses/numbers, it delays the activation for legitimate 
users, and it requires more effort to implement than 1).


3) Alternative capchas. If your site is not that big of a target, you 
can get away with some naive captcha (such as Captcheck) without 
annoying your users too much. The problem is (as you have already 
noticed) naive captchas are not that hard to break for persistent bots; 
meanwhile complex captchas are bad for users. Maybe try different 
capctha solutions until you find one that sticks.


Martin wrote:

But what useful methods exists that prevent spamming a HTML signup form
from stuffing the database with useless signups?

Re: umount raid volume before shutdown?

[Rubén Llorente]

Personally, I'd just have your encrypted filesystem not listed in 
/etc/fstab at all, since it can't be mounted without attaching the 
softraid device manually anyway. Since the password is needed in every 
case, just attach the softraid device with bioctl and mount the 
filesystem with mount when needed.


As a matter of hygiene, I like having /etc/rc.shutdown umount "extra" 
filesystems I may or may have not mounted. You may as well have it 
umount /decrypted and then de-attach the softraid device.


I don't know if OpenBSD auto-umounts filesystems not listed on fstab 
during its shutdown sequence. I should try it out.


04-psyche.tot...@icloud.com wrote:

Hi all,

on my main hard drive, I have a partition `p` that I have encrypted in the 
following way:

$bioctl -c C -l sd0p softraid0

-> This created the sd1 pseudo-device, on which I ran the following:

$fdisk -g sd1

$disklabel -E sd1 # created partition i, to take all the space. This is the 
unique partition on this

$newfs sd1a

I then mount this via:

$mount /dev/sd1i /decrypt


I have two questions:

- I don't want to have to unmount /decrypt before I shutdown or restart the 
computer. Does OpenBSD unmount cleanly encrypted volumes when shutting down?

- what should I do with the encrypted sd0p ? Should I remove it from my 
/etc/fstab and not even mount it? Or is it fine to keep it mounted?

Thanks!

Jake

Re: httpd & pixelfed

[Rubén Llorente]

Wild guess:

When a request is made against a picture in /storage/, it triggers the 
location not found * rule.


The rewritten request does never hit the location "/storage/*" rule 
because it now requests /index.php$something instead of any object 
within /storage.


Try placing a matching /storage rule before the location not found * 
rule and see what happens. This is where the rule belongs anyway, 
because specific rules ought to be placed before more generic rules.




Am Jam wrote:

Hi Everyone,

I am trying to install and run pixelfed (think of it as a self-hosted 
instagram alternative) on OpenBSD 7.5, but I am having a problem with my 
/etc/httpd.conf. Unfortunately, pixelfed's installation instructions 
only provide an nginx example. For those of you familiar with nextcloud, 
pixelfed is similar -- it's essentially a large php application that one 
can unpack under /var/www/.


I have chosen to "install" (i.e. unpack) pixelfed into 
/var/www/pixelfed. After chown -R www:www'ing the entire directory, 
everything "works" except for one critical part -- none of the images 
load, which, for an instagram alternative, is an issue :)


What works is everything else -- I can browse around, create a user, 
login, adjust my settings, and post images (which ultimately don't show 
up). Everything works except displaying images. This expands to more 
than just uploaded photos -- for example, the main page's header image 
won't load.


I believe I have pinpointed the issue, but I struggle to translate that 
into my /etc/httpd.conf.


Most of what makes pixelfed work is located in /var/www/pixelfed/public, 
and hence pixelfed requires that the root directory be 
/var/www/pixelfed/public.

So in /etc/httpd.conf I have the following lines:
-   root "/pixelfed/public"
-   directory index "index.php"

However, for some bizarre reason, all the images are stored in 
/var/www/pixelfed/storage (note: *not* /var/www/pixelfed/public/storage).
And part of the pixelfed installation process includes creating the 
following symlink in /var/www/pixelfed:
-   lrwxr-xr-x  1 root  www    37B May 27 12:15 storage@ -> 
/var/www/pixelfed/storage/app/public/


That, unfortunately, is "outside" of the root directory specified in 
/etc/httpd.conf.


My /etc/httpd.conf is below, and you can see that I have tried to re-set 
the root directory whenever someone navigates to "/storage/*", but it 
doesn't work. Does anyone know what I'm doing wrong?


P.S. -
Running the following makes all images work, but I hesitate to use this 
as a long-term solution:

-   cd /var/www/pixlfed/public
-   cp -a /var/www/pixelfed/storage /var/www/pixelfed/public/storage_blah
-   ln -s /var/www/pixelfed/public/storage_blah/app/public storage


Many Thanks.

/etc/httpd.conf:

server "www.domain.com " {
         listen on * tls port 443

         # acme-challenge TLS location
         location "/.well-known/acme-challenge/*" {
                 root "/acme"
                 request strip 2
         }

         # enable HTTP Strict Transport Security
         hsts {
                 preload
                 subdomains
                 max-age 15768000
         }

         tls {
                 certificate "/etc/ssl/domain.com.fullchain.pem"
                 key "/etc/ssl/private/domain.com.key"
         }

         # set logs
         log {
                 access "pixelfed-access.log"
                 error "pixelfed-error.log"
         }

         # set max upload size to 1G (in bytes)
         connection max request body 1048576000
         connection max requests 1000
         connection request timeout 3600
         connection timeout 3600

         root "/pixelfed/public"
         directory index "index.php"

         # works roughly like the `try_files` line of an nginx config
         location not found "*" {
                 request rewrite "/index.php?$QUERY_STRING"
                 fastcgi socket "/run/php-fpm.sock"
         }

         location "/storage/*" {
                 root "/pixelfed/storage/app/public"
                 fastcgi socket "/run/php-fpm.sock"
         }

         location "/*.php" {
                 fastcgi socket "/run/php-fpm.sock"
         }
  }

Re: https://twitter.com/openbsd

[Rubén Llorente]

Stuart Longland wrote:
It's also dead because how how things are being run there.  It's a site 
for misinformation.  "OpenBSD 7.5 is released" isn't misinformation, 
it's fact, so has no place on twitter.com or x.com.  It's also news 
about an open-source free-software project, something that also is 
off-topic for twitter.com and x.com.


Traditional social media has been on the decline since 2015, and it has 
nothing to do with the reliability of the content it hosts. I would 
argue TV stations and newspapers generate a comparable amount of garbage 
and nobody complains.


The main issue is that it is getting harder to reach people from social 
media, which is the main goal of corporate and commercial users of 
social media. So called "organic growth" (ie. passively building an 
audience just because they find you on social media) has been descending 
since 2015. The main issue seems to be that mainstream social media 
generates so much stuff for people to read that the probability of 
people finding you instead of finding yet another silly video has 
decreased significantly.


I think it is worth mentioning I know of a number of small operations 
that have announced their complete withdrawal from social media - 
Twitter, Facebook, Instagram, the Fediverse - because the benefit they 
get from social media presence is not worth the labor time required to 
sustain social media presence.


That said, when those operations ceased social media activity, they took 
care of making it widely known among their audience rather than just let 
their social media accounts rot...

Re: How to customise the OS update process

[Rubén Llorente]

An option I can think about is downloading the upgrade kernel and 
booting from it, instead of using sysupgrade. The upgrade process will 
let you select which sets you want to install and which ones you want to 
exclude.


In practice, I think you are better off just installing all the sets and 
being done with it.


The old BSD Games rock hard.

WATANABE Takeo wrote:

Hi everyone,

The most common way to upgrade OpenBSD is to use "sysupgrade".

However, I do not want to install certain packages (e.g. game).
# When the host is built, it is not installed, because the

Is there any way to upgrade to fulfil these wishes?

Re: Keeping a personal ports branch

[Rubén Llorente]

Stuart Henderson  wrote:
> Just use a different VCS, for example svn or git. /usr/ports/mystuff
> is listed in .cvsignore in the repository so they don't conflict, and
> there is special handling in ports infrastructure. The directory
> layout underneath it should be as with the main ports tree i.e.
> /usr/ports/mystuff/category/portname.
> 
> See PORTSDIR_PATH in bsd.port.mk(5). By default /usr/ports takes
> priority over /usr/ports/mystuff, but if you want to override things
> in the main tree you can swap that around with an entry in /etc/mk.conf
> like PORTSDIR_PATH=${PORTSDIR}/mystuff:${PORTSDIR}
> 
> 

That is all I need. It sounds great to me.

I am a CVS dude so mystuff may as well stay CVS :-)

-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76

Re: Keeping a personal ports branch

[Rubén Llorente]

Marc Espie  wrote:
> On Fri, Oct 15, 2021 at 10:25:17AM -0000, Rubén Llorente wrote:
>> Hi there!
>> 
>> I am wondering how does people around here keep local branches of the ports
>> tree for personal use.
>> 
> 
> Put your own ports into mystuff...
> 
> if you think they might interest other people, see whether the WIP git repo
> would be suitable for them, until they're mature enough.
> 
> 

A bunch of this stuff is really of no interest to anybody. Or does not fit a
port system for general use.

Having a "mystuff" folder sounds fine but if I want to put it under version
control it is going to need some engineering :-) It sounds like a workable
solution so I will study it.

-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76

Keeping a personal ports branch

[Rubén Llorente]

Hi there!

I am wondering how does people around here keep local branches of the ports
tree for personal use.

The reason I am asking is because I keep some patched ports which are suited
to solve my problems, but not suited (or useful) for submission to the
official ports tree. Ideally I would upgrade my personal ports tree alongisde
the official one.

I suppose I could cvs import every -RELEASE of the ports into my own cvs
repository, but ideally I would rather have something more automated.
Besides, I am curious as to how people is doing it.

-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76

Libsecret + gnome-keyring + qykeychain broken (was nextcloudclient fails to work with gnome-keyring)

[Rubén Llorente]

Hello again.

I reproduced the issue once again:

I performed a fresh install of -current and installed Gnome.
Starting Gnome via GDM brings up all the services necessary
for storing secrets (dbus and gnome-keyring) out-of-the-box.

Nextcloud Client is still incapable of leveraging libsecret
or Gnome Keyring for storing secrets in a keyring in this
configuration.

My conclussion, unless somebody brings an alternative, is
that either Libsecret, Gnome Keychain, qtkeychain or
Nextcloud Client are broken.

If it is one of the first three, it means such port is
broken since it cannot perform the primary function
expected from it.

Since interest in having this working is low I am
staying with my workaround of using kwalletd5 instead.
If anybody is willing to debug this problem further I
am willing to provide more information.

Rubén Llorente  wrote:
> I have reproduced the issue in Fluxbox.
> 
> ~.xession:
> 
> /usr/local/bin/startfluxbox
> 
> 
> ~.fluxbox/startup
> 
> if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
>eval $(dbus-launch --sh-syntax --exit-with-session)
> fi
> 
> exec fluxbox
> 
> 
> Under a similar configuration in Linux, Nextcloud calls
> a prompt for creating a password database on first launch,
> and stores the credentials in a keyring. In OpenBSD this
> happens not.
> 
> Some worrying logs from Nextcloud:
> 
> 2021-09-25 00:52:25:016 [ info nextcloud.sync.credentials.webflow ]:Get 
> QNAM
> 2021-09-25 00:52:25:667 [ info nextcloud.sync.credentials.webflow ]:Fetch 
> from keychain!
> 2021-09-25 00:52:25:985 [ info nextcloud.sync.credentials.keychainchunk ]:
>   Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
> 2021-09-25 00:52:36:312 [ warning nextcloud.sync.credentials.keychainchunk ]: 
>   Unable to read 
> "someuser_clientCertificatePEM:https://somedomain.invalid/:0; chunk "0" 
> "Unknown error"
> 2021-09-25 00:52:36:313 [ info nextcloud.sync.credentials.keychainchunk ]:
>   Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
> 2021-09-25 00:52:46:491 [ warning nextcloud.sync.credentials.keychainchunk ]: 
>   Unable to read "someuser_clientKeyPEM:https://somedomain.invalid/:0; chunk 
> "0" "Unknown error"
> 2021-09-25 00:52:46:491 [ warning nextcloud.sync.credentials.webflow ]: 
> Unable to read client key "Unknown error"
> 2021-09-25 00:52:46:492 [ info nextcloud.sync.credentials.keychainchunk ]:
>   Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
> 2021-09-25 00:52:56:186 [ warning nextcloud.sync.credentials.keychainchunk ]: 
>   Unable to read 
> "someuser_clientCaCertificatePEM0:https://somedomain.invalid/:0; chunk "0" 
> "Unknown error"
> 
> "Unknown Error" is returned by qtkeychain when unable to operate its
> backend.
> 
> Either there is a problem with libsecret or the PEBKAC level is
> astronomical at this point.
> 
-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76

Re: nextcloudclient fails to work with gnome-keyring

[Rubén Llorente]

I have reproduced the issue in Fluxbox.

~.xession:

/usr/local/bin/startfluxbox


~.fluxbox/startup

if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then
   eval $(dbus-launch --sh-syntax --exit-with-session)
fi

exec fluxbox


Under a similar configuration in Linux, Nextcloud calls
a prompt for creating a password database on first launch,
and stores the credentials in a keyring. In OpenBSD this
happens not.

Some worrying logs from Nextcloud:

2021-09-25 00:52:25:016 [ info nextcloud.sync.credentials.webflow ]:Get QNAM
2021-09-25 00:52:25:667 [ info nextcloud.sync.credentials.webflow ]:Fetch 
from keychain!
2021-09-25 00:52:25:985 [ info nextcloud.sync.credentials.keychainchunk ]:  
Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
2021-09-25 00:52:36:312 [ warning nextcloud.sync.credentials.keychainchunk ]:   
Unable to read "someuser_clientCertificatePEM:https://somedomain.invalid/:0; 
chunk "0" "Unknown error"
2021-09-25 00:52:36:313 [ info nextcloud.sync.credentials.keychainchunk ]:  
Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
2021-09-25 00:52:46:491 [ warning nextcloud.sync.credentials.keychainchunk ]:   
Unable to read "someuser_clientKeyPEM:https://somedomain.invalid/:0; chunk "0" 
"Unknown error"
2021-09-25 00:52:46:491 [ warning nextcloud.sync.credentials.webflow ]: Unable 
to read client key "Unknown error"
2021-09-25 00:52:46:492 [ info nextcloud.sync.credentials.keychainchunk ]:  
Backend unavailable (yet?) Retrying in a few seconds. "Unknown error"
2021-09-25 00:52:56:186 [ warning nextcloud.sync.credentials.keychainchunk ]:   
Unable to read "someuser_clientCaCertificatePEM0:https://somedomain.invalid/:0; 
chunk "0" "Unknown error"

"Unknown Error" is returned by qtkeychain when unable to operate its
backend.

Either there is a problem with libsecret or the PEBKAC level is
astronomical at this point.

Rubén Llorente  wrote:
> Hello there!
> 
> I have been testing some machine for deployment as a workstation. I have set 
> up XFCE4 as a desktop environment (which is launched by my .xsession file). I 
> have also set nextcloudclient and installed gnome-keyring-daemon.
> 
> I have found that Nextcloud Client is unable to leverage gnome-keyring in 
> order to save credentials securely. Nextcloud Client always complains because 
> the secrets agent cannot be used because of an "Unknown Error".
> 
> Things I have tried in order to properly launch gnome-keyring-daemon include:
> 
> Using an .xsession script such as:
> 
> 
> . $HOME/.profile
> eval $(/usr/local/bin/gnome-keyring-daemon --start )
> export GNOME_KEYRING_CONTROL GNOME_KEYRING_PID GPG_AGENT_INFO SSH_AUTH_SOCK
> /usr/local/bin/startxfce4 
> 
> Also, I have tried using the XFCE4 desktop configuration tool, enabling Gnome 
> Services on startup in the Advanced tab.
> 
> Essentially, I can get the keyring started, but nextcloud, or qtkeychain, or 
> whatever backend is suppose to talk to gnome-keyring fails to find it.
> 
> As a workarround I am using Kwalletd5 for the time being, which works.
> 
> If anybody has any guide or instructions to set up gnome-keyring with 
> nextcloudclient, or ideas to get such setup working, I am eager to read your 
> ideas. 
> 
> The working environment is OpenBSD 6.9 -RELEASE amd64.
> 

-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76

nextcloudclient fails to work with gnome-keyring

[Rubén Llorente]

Hello there!

I have been testing some machine for deployment as a workstation. I have set up 
XFCE4 as a desktop environment (which is launched by my .xsession file). I have 
also set nextcloudclient and installed gnome-keyring-daemon.

I have found that Nextcloud Client is unable to leverage gnome-keyring in order 
to save credentials securely. Nextcloud Client always complains because the 
secrets agent cannot be used because of an "Unknown Error".

Things I have tried in order to properly launch gnome-keyring-daemon include:

Using an .xsession script such as:


. $HOME/.profile
eval $(/usr/local/bin/gnome-keyring-daemon --start )
export GNOME_KEYRING_CONTROL GNOME_KEYRING_PID GPG_AGENT_INFO SSH_AUTH_SOCK
/usr/local/bin/startxfce4 

Also, I have tried using the XFCE4 desktop configuration tool, enabling Gnome 
Services on startup in the Advanced tab.

Essentially, I can get the keyring started, but nextcloud, or qtkeychain, or 
whatever backend is suppose to talk to gnome-keyring fails to find it.

As a workarround I am using Kwalletd5 for the time being, which works.

If anybody has any guide or instructions to set up gnome-keyring with 
nextcloudclient, or ideas to get such setup working, I am eager to read your 
ideas. 

The working environment is OpenBSD 6.9 -RELEASE amd64.

-- 
OpenPGP Key Fingerprint:
543F EB89 7FDE 8E33 AFF7 E794 E4AB 4807 58F7 6C76

Program getting stuck at sqlite3_exec()

[Rubén Llorente]

Hello!

I am porting a stupid program to OpenBSD and found a roadblock.

The program is a terminal game launcher. It is intended to serve roguelike 
games over telnet or SSH.The main project site is 
http://github.com/paxed/dgamelaunch.

So far I have sanitized the autoconf config file to use OpenBSD and replaced 
the program's crypt() calls with OpenBSD's cryptools alternatives.

The problem I am fazing now is that when I attempt to create a new user, the 
program gets stuck in an sqlite3_exec() call until I hit Enter. This is 
specially puzzling because the program is not supposed to be accepting user 
input at that point. And once Enter is hit, the sqlite3_exec() action is 
actually performed properly(!).

If anybody is aware of any reason why sqlite_exec() would get stuck, I'd be 
glad to hear.

How to reproduce (I recommend using a spare system, because this program is 
kinda intrusive):

The program is intended to be suid, chroot into some directory and drop 
privileges. Prepare a directory for runnign a chroot in it. 

Download the current code: 
gopher://gopher.operationalsecurity.es/5/dgamelaunch-openbsd.tar

Untar it somewhere.

Configure a build environment (export CPATH=/usr/local/include, export 
LIBRARY_PATH=/usr/lical/lib, etc)

Configure the build with ./autogen.sh --enable-sqlite 
--with-config-file=/path/of/chroot/etc/dgamelaunch.conf

Make it with gmake.

Edit example/dgamelaunch.conf in the source code folder to suit your needs. For 
a quick test, you only need to change the chroot=, shed_uid= and shed_guid= 
options.

Edit dgl-create-chroot in the source code folder. The only important value to 
change is chroot=.

Execute the dgl-create-chroot script as root, which will populate the chroot 
directory you have selected.

Set the suid bit of the dgamelaunch binary and execute it. It will chroot into 
the directory and offer you a bunch of options. Registrate a new user (r) and 
go with the instructions.

The bug is triggered after you enter your email address. The ncurses interface 
gets frozen and nothing gets written to the database. Then you hit enter while 
the interface is frozen, and it returns back to normal.

I think the problem is triggered in the writefile function in dgamelaunch.c, 
where sqlite_exec() gets called. 

Help and suggestions are appreciated.

AFAIK the main project is dead.

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Patch for crypt(3) man page.

[Rubén Llorente]

Hello everybody.

I have been porting a stupid old program to OpenBSD. I hit a bit or a
road block because this program uses crypt() but the man page at OpenBSD
is not clear enough regarding a couple of details.

Specifically: the man page does not provide a clear explanation of the
format in which the _setting_ parameter is to be fed to crypt(). In
fact, it says: "The second, setting, currently supports a single form.
If it begins with a string character (‘$’) and a number then a different
algorithm is used depending on the number." So far, so good.

What it doesn't say is that if you don't identify the algorithm as
either "2a" or "2b" you get an errno and no hash. It also does not
specify that you need to provide the log2 of rounds with the
_setting_ param, and that such log2 of rounds must be expressed as a two
digit number.

I am pasting a proposed patch for the crypt(3) man page. I am not aware
of any style guide and the fix is trivial, so I'd rather post it in misc
than on a developer list.

Suggestions and ideas are welcome.

I am aware the crypt() family is deprecated.

--- crypt.3 Thu Jan 21 16:59:05 2021
+++ crypt.new   Thu Jan 21 20:11:31 2021
@@ -70,14 +70,17 @@
 typically a user's typed password.
 The second,
 .Fa setting ,
-currently supports a single form.
-If it begins
-with a string character
-.Pq Ql $
-and a number then a different algorithm is used depending on the number.
-At the moment
-.Ql $2
-chooses Blowfish hashing; see below for more information.
+currently supports a single form, and must be formatted as
+.Fa $algorithm$lrounds$salt
+.Pp
+The
+.Fa algorithm 
+must be either "2a" or "2b", which select the old and new implementation of 
Blowfish hashing respectively. The 
+.Fa lrounds 
+preference must be a two digit number between "04" and "31", whereas 
+.Fa salt 
+is a character string which represents 128 bits of radix-64 encoded salt.
+
 .Ss Blowfish crypt
 The Blowfish version of crypt has 128 bits of
 .Fa salt


-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: Recommendations for USB Barcode Scanner and Thermal Receipt Printer

[Rubén Llorente]

For the record, I came into a chep USB barcode scanner that works wonders. An 
Inateck BCST-31 according to the label.

I also ran into a cheap chinesse ticket printer, a Terow. Sadly, it crashes the 
kernel - looks like a bad kernel bug. It works well when it is not crashing. 

Stuart Henderson  wrote:
> On 2020-07-29, Rubén Llorente  wrote:
>> Thank you for the advice. I will search for those ones and see what I can 
>> find.
>>
>> I still need to solve the printer issue. So far it looks like receipt 
>> printers use very simple interfaces. Somebody engineered ppd files for Zjian 
>> printers for Linux, but I don't know if the OpenBSD kernel would interface 
>> with them. They are certainly not in the USB Product/Vendor database of the 
>> kernel. Maybe they would show as Unknown Printers?
> 
> For standard device types, USB typically uses "class drivers", there are
> specifications for e.g. mass storage, USB-attached SCSI, human interface
> devices (mouse/keyboard/etc), etc, including printers. If the device
> follows one of these it doesn't need a specific driver or information
> about the particular device in the kernel (the kernel product/vendors
> are used when the device doesn't use a class driver or needs some
> special quirks, or as a fallback if the device doesn't report a
> human-readable vendor/product name).
> 
> Really unless you can find someone with a particular device you'll need
> to take a gamble, or buy something that you can return if incompatible.
> 
> ppd files can be used on OpenBSD.
> 
> 
> 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: Recommendations for USB Barcode Scanner and Thermal Receipt Printer

[Rubén Llorente]

That sounds cool.

I was considering a network printer, whit the POS here is not going to be 
networked.

Out of curiosity, which printer it is that you are using?

ibs...@ripsbusker.no.eu.org wrote:
> So I would not need to deal with USB printers anymore, I got a thermal
> printer with an ethernet port. I communicate with it by ESC/POS over
> UDP to port 9100.
> 
> 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: Recommendations for USB Barcode Scanner and Thermal Receipt Printer

[Rubén Llorente]

Thank you for the advice. I will search for those ones and see what I can find.

I still need to solve the printer issue. So far it looks like receipt printers 
use very simple interfaces. Somebody engineered ppd files for Zjian printers 
for Linux, but I don't know if the OpenBSD kernel would interface with them. 
They are certainly not in the USB Product/Vendor database of the kernel. Maybe 
they would show as Unknown Printers?


john slee  wrote:
> +1 for Symbol here. Have used them in factory environments and I can???t
> recall one ever failing.
> 
> If buying used, be sure you can get the documentation for it, as these are
> often configurable (eg. continuous vs. triggered scanning) via scanning
> special barcodes.
> 
> John
> 
> 
> On Sun, Jul 26, 2020 at 07:20 Erling Westenvik 
> wrote:
> 
>> On Sat, Jul 25, 2020 at 08:47:48PM +0200, Rubén Llorente wrote:
>> > Anybody in the list has good (or bad) experiences with USB Barcode
>> > Scanners? Which models with?
>>
>> I have a working barcode scanner, Symbol Technologies LS2208, that
>> shows up in dmesg as:
>>
>> uhidev4 at uhub3 port 6 configuration 1 interface 0 "?Symbol
>> Technologies, Inc, 2002 Symbol Bar Code Scanner" rev 2.00/2.01 addr 4
>> uhidev4: iclass 3/1
>> ukbd1 at uhidev4: 8 variable keys, 6 key codes, country code 33
>> wskbd2 at ukbd1 mux 1
>> wskbd2: connecting to wsdisplay0
>>
>> It's an old model, manufactured in 2005, and I can't say that I've used
>> it extensively, but it seems to work well with at least "normal"
>> barcodes typically found on groceries, books (ISBN), receipts and so on.
>> There are barcodes that it cannot read but I have not investigated the
>> matter. The manufacturer still exists.
>>
>> Good luck!
>>
>> Erling
>>
>>
> 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Recommendations for USB Barcode Scanner and Thermal Receipt Printer

[Rubén Llorente]

Hello,

I am considering to set a Point of Sale (POS) solution for a small
business. Given the chance I'd like to use OpenBSD for it. It is
supposed to be very basic and the software would be a web application
running in a remote server. No pole screen or cash drawer support is
required.

This leaves me with the need of gathering some hardware. This would
be a barcode scanner - afaik they show up as keyboards for the operating
system - and a receipt printer.

Anybody in the list has good (or bad) experiences with USB Barcode
Scanners? Which models with?

What about receipt printers? Does anybody have a recommendation for
those?

Happy OpenBSDing!

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: pass 'password manager' problem

[Rubén Llorente]

As far as I have seen in the pass script, --batch mode is oly invoked if you 
are running a gpg agent or are running gpg2.

Do you have gpg2 installed?

Do you have a gpg agent configured?

You may need to include the following line in your ~.profile :
export GPG_TTY=$(tty)

Shadrock Uhuru  wrote:
> [-- text/plain, encoding 8bit, charset: utf-8, 61 lines --]
> 
> Hi
> 
>>From: Rubén Llorente 
>>To: misc@openbsd.org
>>Subject: Re: pass 'password manager' problem
>>Date: Fri, 21 Feb 2020 16:22:37 - (UTC)
>>
>>Do you have a ~.gnupg/gpg.conf ? Pass works fine for me.
>>
>>Shadrock Uhuru  wrote:
>>> [-- text/plain, encoding 7bit, charset: utf-8, 6 lines --]
>>>
>>> running 'pass username' returns
>>> "gpg: Sorry, we are in batchmode - can't get input",
>>> am i missing a piece of software or setting ?
>>>
>>> shadrock
>>>
> 
> yes i have the following 
> cat ~/.gnupg/gpg.conf
> 
> use-agent
> pinentry-mode loopback
> personal-cipher-preferences CAMELLIA256 AES256 AES192 AES CAST5
> # personal-cipher-preferences AES256 AES192 AES CAST5 CAMELLIA192
> # BLOWFISH TWOFISH CAMELLIA128 3DES
> personal-digest-preferences SHA512 SHA384 SHA256 SHA224
> personal-compress-preferences BZIP2 ZIP ZLIB
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
> CAST5 ZLIB BZIP2 ZIP Uncompressed
> cert-digest-algo SHA512
> digest-algo SHA256
> s2k-mode 3
> s2k-digest-algo SHA512
> s2k-cipher-algo AES256
> s2k-count 1015808
> charset utf-8
> fixed-list-mode
> no-greeting
> no-secmem-warning
> no-comments
> no-emit-version
> keyid-format 0xlong
> list-options show-uid-validity
> verify-options show-uid-validity
> keyserver-options import-clean-sigs import-clean-uids export-clean-sigs
> export-clean-uids
> keyserver hkp://hkps.pool.sks-keyservers.net
> keyserver-options auto-key-retrieve
> keyserver-options no-honor-keyserver-url
> escape-from-lines
> bzip2-compress-level 9
> compress-level 9
> with-fingerprint
> 
> 
> ---
> 
> shadrock
> 
> [-- application/x-pkcs7-signature, encoding base64, 67 lines, name: smime.p7s 
> --]

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: pass 'password manager' problem

[Rubén Llorente]

Do you have a ~.gnupg/gpg.conf ? Pass works fine for me.

Shadrock Uhuru  wrote:
> [-- text/plain, encoding 7bit, charset: utf-8, 6 lines --]
> 
> running 'pass username' returns 
> "gpg: Sorry, we are in batchmode - can't get input",
> am i missing a piece of software or setting ?
> 
> shadrock
> 
> [-- application/x-pkcs7-signature, encoding base64, 67 lines, name: smime.p7s 
> --]

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: Smartphone Alternatives

[Rubén Llorente]

Hi there.

I have yet to see a smartphone I would trust with anything important.

Nowadays I have a real laptop for computer stuff and leech free wifi, and a 
Nokia feature phone from 2016.

I tried to get an Android phone into a "secure state" by replacing the OS with 
LineageOS, but the Android base is just very bad. The encryption subsystem 
encrypts what it wants and leaves the rest unprotected, proxy settings across 
the OS are not applied consistently... Two days after I left it in a state I 
liked, my favourite mare stepped on it accidentally.

Predrag Punosevac  wrote:
> Hi,
> 
> I would firstly like to apologize to developers as the question I am
> about to ask has little to do with OpenBSD. However, in my experience
> the number of security conscious people lurking on this mailing list is
> such that I could not resist.
> 
> Long story short one of my virtual servers (running Red Hat) got hacked
> by cryptomining folks. I noticed 100% load on CPUs coming out of a cron
> job and traced everything to a cryptomining scripts. Sure enough there
> was an ssh-key .ssh/authorized_keys which was not suppose to be there.
> Incidentally, I had to turn off Duo 2-factor authentication as one of my
> users insisted on having GUI access via X2go-client. 
> 
> I am not much of a security expert so my instinct is that account was
> compromised by scooping account information from a browser cash or my
> "smart" phone while reading email from Office 365. I have log files and
> I am going through them. Browser cash problem hopefully will be offset
> now when I have 2-factor enabled for Office 365 email and using only
> browser on my locked down OpenBSD desktop. 
> 
> However, that still leaves me with a damn Android smartphone. I already
> deleted/disabled email clients but the more I look the more I feel
> stupid for having that crap. I am looking now at purchasing something
> like Nokia 106. Note that I use one of USA T-Mobile plans and my current
> smartphone works well across the globe. It looks like Nokia 106 doesn't
> work in Europe. 
> 
> I would appreciate any advises, comments, suggestions on the choice of
> mobile device for basic phone calls and texting. It would be painful to
> carry around a small laptop for web browsing, maps, and few other
> useful things but it looks like I am heading there. 
> 
> Thanks for your help.
> 
> Predrag Punosevac
> 
> 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: Thinking of changing DNS Service provider, looking for recommendations

[Rubén Llorente]

If it is for your personal use only, you can have a look at the Opennic Project.

They have an alternate DNS structure separated for the regular DNS Root. They 
provide Dynamic DNS for their .dyn unofficial TDL.

It is free of charge and you need no special client for it to work, only 
ftp/curl/wget and cron.

The catch is that, for a computer to be able to access the .dyn TDL, it needs 
to use Opennic DNS servers. If it is just for you, you can configure your 
computers anr routers to use them and be done with it. If your need the general 
public to access it, you are out of luck with Opennic.

Jay Hart  wrote:
> Hey all, and Happy New Years!!!
> 
> I am currently using DYN.COM for DNS service. A few months back they changed 
> there payment
> methodology and I am now considering finding another solution. DYN charges me 
> $5 US monthly so its
> not a huge financial burden. That said, if I could find a free service 
> provider, all the better.
> 
> My only real requirement is they must be able to support OpenBSD based 
> system.  Currently using
> DDclient. It works fine, has been for years.
> 
> This would be for a residential connection.
> 
> Guess what I'm really looking for, from the list, is a OpenBSD friendly 
> provider, and a brief
> write up on how you are connected.  I've looked over a few sites but nothing 
> stood out as being
> OpenBSD friendly.
> 
> Thanks in Advance,
> 
> Jay
> 
> 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

OpenJDK and support for JCE Unlimited Strength Jurisdiction Policy

[Rubén Llorente]

Hello.

I am running a Java application that throws a non-fatal warning when used. The
warning states that, in order for the application to work properly, the JCE
Unlimited Strength Jurisdiction Policy files should be downloaded to
/usr/local/jre-1.8.0/lib/security

I used to think that OpenJDK already included the Unlimited Strength Policies,
so this is a bit confusing.

Is there an easy way for checking myself if such policies are installed and
working on the system?

For the record, I am running OpenBSD 6.0 amd64. 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: SSH key encryption when using FDE

[Rubén Llorente]

Nick Holland  wrote:
> Now, I suspect (nb: I am not a cryptographer or SSH coder. But I sat at
> a table with one once, and was completely in awe) the key has to be held
> in unlocked form in RAM, so perhaps a very serious breach that allowed
> the raw access of system RAM might produce it...but would also produce a
> lot of other nifty things, and by that point, your system is so
> completely compromised, not much is trustworthy anymore.
> 
> Nick.

I have actually seen step by step instructions for doing just that, but I
don't have the link around. You essentially need root permissions for
pulling that off.

Ssh-agent prevents an intruder from stealing the key material in any
useful form, but it does not prevent him from using the material that is
already kept by the agent - if he is able to send a query to your agent,
he will be able to use the keys even if he does not get to see them.

I encrypt my key materials even when I am using PFDE, I just don't think
the agent is something it is not.

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: Impossibility of cryptographic verification of downloads

[Rubén Llorente]

Eduard - Gabriel Munteanu  wrote:
> Hi,
> 
> It currently seems impossible to verify downloads from a computer
> without OpenBSD, for a few reasons:
> 
> 1. No securely-distributed public key
> 2. Lack of signify packages in e.g. Linux distros, or
> securely-distributed sources

I have not used them, but signify seems to have been ported to Linux and
at least some ports are available.

https://github.com/chneukirchen/signify

Regarding the key distribution, I suggest you to read Ted's comments on
the matter. Many people is just uding the TOFU model with the keys. 

https://www.openbsd.org/papers/bsdcan-signify.html

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: light browsers

[Rubén Llorente]

Dmitrij D. Czarkoff  wrote:
> Webkit1-based browsers (Luakit, Midori, surf, Vimb and Xombrero) use
> unmaintained engine, so nobody fixes even known issues.  People who care
> about security should probably avoid these.

I heard the developer of Surf (Webkit-1 based browser) say that he
suspects that Webkit2 is still a worse option to use than Webkit1 even
if you acknowledge that Webkit1 is EOled. There is some work being
done in a Webkit2 version of Surf, but he said that Webkit2 was likely
a bigger problem than a Webkit1 with known unpatched issues. 

I have not checked the facts so I can't back any of these engines, but
I thought this post was going to be relevant to the conversation. 

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: TLS now supported on openbsd.org?

[Rubén Llorente]

Giancarlo Razzolini  wrote:
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https? 

I dislike the idea.

An http->https redirect does not prevent a MITM by itself.

It also prevents the easy use of caching or proper proxies with the site.
Purely informative sites are ok without https for the most part. If
the user feels that TLS is somehow required, he can enable it by
different means. http->https redirection does not add much in terms of
security unless the user takes additional steps, but if the user is
going to take additional steps he does not really require the
redirection.

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: TLS now supported on openbsd.org?

[Rubén Llorente]

Giancarlo Razzolini  wrote:
> It is really nice to finally see TLS on openbsd.org. How about redirecting
> http to https? 

I dislike the idea.

For one, it does not stop a MITM by itself. 

In addition, enforced encryption makes it hard to cache and/or use proper 
http proxies with the site.

Purely informative sites don't need TLS. The user can opt to use TLS if
he thinks the content he needs to read is somehow sensitive, or configure
his browser not to use the regular http version if he feels like doing
 that. A pure simple redirect does not add much to security unless the
user takes extra steps - but if the user takes extra steps he does not
need a redirect at all.  

-- 
OpenPGP Key Fingerprint:
BB5A C2A2 2CAD ACB7 D50D  C081 1DB9 6FC4 5AB7 92FA

Re: OpenBSD mailserver success stories ?

[Rubén Llorente]

On Tue, 26 Apr 2016 12:32:22 -0400, stan wrote:

> Given that, most of the things we are doing with FreeBSD,  Apache,
> Samba, NFS etc, do not concern me as to doing them with OpenBSD. but I
> am a bit concerned about the mailserver. We use it for internal mail,
> and it gets mail from a large variety of systems, and devices, not all
> of which are modern. also I offer our users many options for retrieving
> their mail. With this in mid, I'd like to hear the experience of others
> using OpenBSD for mailserver.
> 
> Thanks.

I have set OpenSMTPD for small deployments and it does the trick. It is 
just easier to configure than any other SMTP daemon I have dealt with.

If you want to know if OpenSMTPD is good for your user case, you are 
better off asking if it can do X and Y and Z, and how well it does them.

If your deployment is any serious you should test the software in 
controlled conditions before you take a decision and install it.

Re: Creating a blog using OpenBSD: technology choices and security considerations

[Rubén Llorente]

On Tue, 26 Apr 2016 06:15:22 +, David Lou wrote:

> When I say 'blog', I'm referring to a website that contains essentially
> many pages of content. Each content page has attributes such as title,
> date, category, tags, and so on. When a user browsers this website, the
> content pages are served in a visually attractive layout, with possible
> bells and whistles such as Facebook/Twitter share buttons, and comment
> sections. Additional features may include a search bar and an archive
> page.
> 
> I'm shying away from popular solutions such as WordPress because (1) I'm
> not sure if it even installs on OpenBSD and more importantly (2) I'm not
> convinced that it adheres to the OpenBSD principles of correctness and
> proactive security.

Hello, and welcome.

A static website generator is a safe bet. You can use bashblog or any 
similar alternative, for example. Bashblog can be seen in action at 
http://www.richard-falken.com

Bashblog might need some hacking in the code in order to include social 
media buttons, but the CSS is easy enough to configure. No native comment 
services exist, but it can integrate with external ones.

For the record, I don't like commentary mechanisms that work as an 
external service to your website. In fact, I would not care for a 
commentary mechanism unless you really needed it. A commentary mechanism 
forces you to deploy anti-spam defenses, to police against trolls and is 
one of those things that don't let you stop worrying about the 
administrative aspects of being running a website.

Regards.