Re: LibertyBSD, recently forked from OpenBSD, has been deblobbed as much as its creator could see?

2016-02-19 Thread laudarch

I smell astroturfing troll machine.

On 2016-02-19 16:46, Giancarlo Razzolini wrote:

Em 19-02-2016 12:42, Jorge Luis escreveu:

"What is LibertyBSD?
OpenBSD is universally known as an operating system designed with security
in mind, proudly being able to say that it has had "Only two remote holes in
the default install, in a heck of a long time!"

Will you please, please, go away?




Re: Captive portal with OpenBSD as a hostap

2015-10-07 Thread laudarch

Here is the diff I made; it simply calls a program when a user logs in with
authpf and when a user logs out.

To use this diff you must add these lines to authpf.conf:

start=/path/to/startsession.pl
end=/path/to/endsession.pl

The diff follows:

Index: src/usr.sbin/authpf/authpf.c
===
RCS file: /cvs/src/usr.sbin/authpf/authpf.c,v
retrieving revision 1.123
diff -u -r1.123 authpf.c
--- src/usr.sbin/authpf/authpf.c 21 Jan 2015 21:50:32 - 1.123
+++ src/usr.sbin/authpf/authpf.c 8 Oct 2015 01:21:58 -
@@ -52,12 +52,15 @@
static int change_filter(int, const char *, const char *);
static int change_table(int, const char *);
static void authpf_kill_states(void);
+static int exec_callback(int);

int dev; /* pf device */
char anchorname[PF_ANCHOR_NAME_SIZE] = "authpf";
char rulesetname[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2];
char tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
int user_ip = 1; /* controls whether $user_ip is set */
+char startcommand[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2] = "";
+char endcommand[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2] = "";

FILE *pidfp;
int pidfd = -1;
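Review bot: `startcommand` and `endcommand` are declared with the size `PATH_MAX - PF_ANCHOR_NAME_SIZE - 2`, which is copied from `rulesetname` (where the anchor name and a separator have to fit alongside it) but has no meaning for a command path; declare them `char startcommand[PATH_MAX]` so a long but valid path is not refused at parse time. Because both are arrays, any `startcommand != NULL` test elsewhere in the patch is always true, so the empty-string initialiser here is the only real "not configured" marker and callers must check `startcommand[0]` instead.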
@@ -411,6 +414,19 @@
sizeof(tablename)) >= sizeof(tablename))
goto parse_error;
}
+ if (strcasecmp(pair[0], "start") == 0) {
+ if (!pair[1][0] || strlcpy(startcommand, pair[1],
+ sizeof(startcommand)) >= sizeof(startcommand))
+ goto parse_error;
+ syslog(LOG_INFO, "start: %s", startcommand);
+ }
+
+ if (strcasecmp(pair[0], "end") == 0) {
+ if (!pair[1][0] || strlcpy(endcommand, pair[1],
+ sizeof(endcommand)) >= sizeof(endcommand))
+ goto parse_error;
+ syslog(LOG_INFO, "end: %s", endcommand);
+ }
} while (!feof(f) && !ferror(f));
fclose(f);
return (0);
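Review bot: the new `start`/`end` keys accept any non-empty string as the program to run, and that program is later executed by a privileged authpf, so validate the value here rather than trusting it: require an absolute path and `goto parse_error` when `stat()` shows it is not a regular, root-owned file or is writable by group or others (authpf.conf lives under /etc/authpf, but nothing stops the value from naming a user-writable script). Also, `syslog(LOG_INFO, "start: %s", startcommand)` and its `end:` twin log on every parse, i.e. on every login; drop them or lower them to LOG_DEBUG.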
@@ -821,11 +837,23 @@
goto error;
}

+ if (startcommand != NULL) {
+ if (exec_callback(0) != 0) {
+ goto error;
+ }
+ }
+
gettimeofday(, NULL);
syslog(LOG_INFO, "allowing %s, user %s", ipsrc, luser);
} else {
remove_stale_rulesets();

+ if (endcommand != NULL) {
+ if (exec_callback(1) != 0) {
+ goto error;
+ }
+ }
+
gettimeofday(, NULL);
syslog(LOG_INFO, "removed %s, user %s - duration %d seconds",
ipsrc, luser, (int)(Tend.tv_sec - Tstart.tv_sec));
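Review bot: `if (startcommand != NULL)` and `if (endcommand != NULL)` compare the address of a global array with NULL and are therefore always true (gcc warns about this), so `exec_callback()` is entered on every login and logout even when no hook is configured; test `startcommand[0] != '\0'` instead. In the logout branch a failing end hook jumps to `error` before the "removed %s, user %s" line, so the removal that `remove_stale_rulesets()` already performed is never logged; log first and treat a hook failure as a warning there, since the user's rules are gone either way. Separately, the context lines `gettimeofday(, NULL)` have lost their `&Tstart`/`&Tend` arguments in this copy, so the diff will not apply as quoted.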
@@ -952,3 +980,78 @@
syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
exit(ret);
}
+
+/*
+ * execute an external program on start and or end of session
+ */
+static int
+exec_callback(int end)
+{
+ pid_t pid;
+ gid_t gid;
+ int s;
+ char prog[PATH_MAX - PF_ANCHOR_NAME_SIZE - 2];
+ char *pargv[5] = {"/bin/ls", "luser", "ip", "pid", NULL};
+
+ if (end == 0) {
+ if (startcommand != NULL) {
+ strlcpy(prog, startcommand, sizeof(startcommand));
+ } else {
+ goto done;
+ }
+ }
+
+ if (end == 1) {
+ if (endcommand != NULL) {
+ strlcpy(prog, endcommand, sizeof(endcommand));
+ } else {
+ goto done;
+ }
+ }
+
+ pargv[0] = prog;
+ pargv[1] = luser;
+ pargv[2] = ipsrc;
+ if (asprintf([3], "%ld", (long)getpid()) == -1)
+ goto no_mem;
+
+ switch (pid = fork()) {
+ case -1:
+ syslog(LOG_ERR, "fork failed");
+ goto error;
+ case 0:
+ /* revoke group privs before exec */
+ gid = getgid();
+ if (setregid(gid, gid) == -1) {
+ err(1, "setregid");
+ }
+
+ execvp(prog, pargv);
+ syslog(LOG_INFO, "exec of %s %s %s %s", prog, pargv[1],
+ pargv[2], pargv[3]);
+ warn("exec of %s %s %s %s [] failed", prog, pargv[1],
+ pargv[2], pargv[3]);
+ _exit(1);
+ }
+
+ /* parent */
+ waitpid(pid, , 0);
+ if (s != 0) {
+ syslog(LOG_ERR, "%s exited abnormally", prog);
+ goto error;
+ }
+done:
+ return (0);
+
+no_mem:
+ if (errno == ENOMEM)
+ syslog(LOG_ERR, "calloc failed");
+ syslog(LOG_ERR, "NO MEM");
+ return (-1);
+
+error:
+ free(pargv[3]);
+ syslog(LOG_ERR, "ERROR RETURNING -1");
+ return (-1);
+}
+
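Review bot: `exec_callback()` runs the hook with authpf's privileges and file descriptors: the child calls only `setregid(gid, gid)`, never `setuid()`/`setresuid()` to the logged-in user's real uid, and it inherits every open descriptor including `dev` (the pf device) and the pid file, so the hook can do anything authpf can. Before `execvp()`, close or `FD_CLOEXEC` the inherited descriptors, drop to the user's uid and gid (or keep root deliberately and say so in the commit message), pass an empty environment, and use `execv()` with the absolute path from authpf.conf rather than a PATH search. Smaller points: `pargv[3]` from `asprintf()` is freed on `error` but leaks through `done:` on success; `waitpid()`'s return value is unchecked and `s` is tested raw (`if (s != 0)`) instead of with `WIFEXITED(s)`/`WEXITSTATUS(s)`, so a hook killed by a signal is reported as "exited abnormally" with no signal information; `strlcpy(prog, startcommand, sizeof(startcommand))` should pass `sizeof(prog)`; `err(1, "setregid")` in the child should log and `_exit()` so the parent's stdio buffers are not flushed a second time; the `startcommand != NULL` checks are always true for arrays; and the leftover `"/bin/ls"` placeholder in the `pargv` initialiser, the `syslog(LOG_INFO, "exec of ...")` that is reached only after `execvp()` failed yet does not say so, and the "calloc failed" text under `no_mem` should be cleaned up. As quoted, `asprintf([3], ...)` and `waitpid(pid, , 0)` are missing their `&pargv[3]` and `&s` arguments, so the patch does not compile in this form.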

PS: I have used this for a little pocket money ISP for three years now
alongside a custom sqlite db for authentication on the web; scraping
zeroed users in pf is the way to go, with a cron job.


On 10/06/2015 07:43 AM, C. L. Martinez wrote:

On Mon, Oct 5, 2015 at 1:26 PM, laudarch <lauda...@host.sk> wrote:

I made a custom implementation and a diff to authpf, will share that
later just in case anyone wants it.

I hope this helps you, it's pretty simple:
http://bastienceriani.fr/?p=70



Thanks laudarch ... Very close to what I am searching... I will try your config.




Re: Captive portal with OpenBSD as a hostap

2015-10-05 Thread laudarch

I made a custom implementation and a diff to authpf, will share that
later just in case anyone wants it.

I hope this helps you, it's pretty simple:
http://bastienceriani.fr/?p=70

On 2015-10-05 11:18, C.L. Martinez wrote:

Hi all,

I have installed an OpenBSD VM to work as a hostap for tablets and
smartphones (Android and iOS).

All of it is working ok: pf, hostapd and the dhcpd server. All tablets and
smartphones that I have tested work ok, connect and surf the Internet.

But now I am thinking of using some type of auth (user/pass over an
SSL/TLS channel) instead of using wpa/wpa2 keys.

Some time ago this project existed: Chillispot
(http://www.chillispot.org/), but it seems discontinued.

Does anyone know of any project/software to accomplish this? I would
like to keep it as simple as I can.

Thanks.




Re: Authpf not working with ssh -fN session

2015-08-16 Thread laudarch

authpf is not a shell

On 2015-08-16 19:13, Tom Van Looy wrote:

Hi

I'm using authpf to secure an NFS server (authpf required before mount).
This works when I use it interactively, but not when I try to background
the SSH session (ports stay closed).

I want to use this in a shell script. Something like this:

ssh -fN nas_u...@puffy.home.ctors.net
SSH_SESSION=$!
sudo mount -t nfs puffy.home.ctors.net:/home/nas ~/nas
# copy files ...
sudo umount ~/nas
kill $SSH_SESSION

The SSH command is in the ps output and in netstat on both sides (client
and server) but the mount won't work (timeout) because the firewall is not
changed by authpf.

I compared ssh -vvv output from the regular ssh session with the background
ssh and see that they are identical until "Authenticated to
puffy.home.ctors.net". After that line I see that the regular session
prints stuff about ignoring env ... and the background one prints
"forking to background". When the sessions are closed they both print that
data was transferred (send/receive) etc.

Is this something that can work and if so, what am I doing wrong or how do
I debug this any further? I'm stuck. :-)

Thanks,

Tom Van Looy