Re: Secure end points for Internet tunnel, the most secure hardware
> That is a kernel level issue, not an SOC level one.

Well, I have ordered a couple of Orange PI ONE. According to:
http://philip.xinqu.net/orangepi.html
it shall work on OpenBSD, at least without a video port.

Good features for my use case:
1) No video port means anyone not qualified enough cannot quickly boot and trojan it without a serial port.
2) This card is missing a WIFI, which is good IMHO to avoid wireless exploits.
3) Small boot ROM, no other BLOBs like in Raspberry PI, and its BROM cannot be reflashed silently by someone while I am absent from home.
4) Its CPU is free of Spectre issues.
5) Very cheap - a used one cost me about 500 rub = $6.66 - already tested and includes a heat sink and a case :)

The last question is how to deal with Nitrokey on OpenBSD, especially on the server side for keeping the private key of the daemon.

Anyone worked with Nitrokey on OpenBSD using ssh-pkcs11-helper?
https://support.nitrokey.com/t/can-nitrokey-pro2-be-used-in-openbsd-with-ssh-and-gpg/2347/3

> In generic: you don't need OpenSC to use gpg or ssh on *BSD. E.g.
> "ssh-pkcs11-helper first appeared in OpenBSD 4.7" which will make the
> connection to your token. Also gpg brings their own ssh/token agent in the
> package.

Will it work on an OpenBSD server for the SSHD daemon?
Re: Secure end points for Internet tunnel, the most secure hardware
On Tue, May 12, 2020 at 1:27 PM wrote:
>
> Aaron, thank you for your suggestion.
>
> For now I prefer to try to use the oldest suitable hardware I can find, not
> sure if it is a good idea.
>

YMMV. Don't fall into the sunk cost fallacy.

> Please someone let me know if the AllWinner SoC backdoor described at:
>
> https://www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_nasty_root_backdoor/
>
> can be exploited in OpenBSD?
>

That is a kernel level issue, not an SOC level one.

https://github.com/friendlyarm/h3_lichee/blob/master/linux-3.4/arch/arm/mach-sunxi/sunxi-debug.c

Anyone who suggested this be put in OpenBSD's kernel would likely receive a visit from Theo brandishing a flamethrower fuelled by Substance N to melt their PC, house, land, self.

> Is it a bad idea to run a small communication server on an AllWinner A20 board
> like a Cubietruck if it works with OpenBSD (it is not on the list though)?
> What about other compatible boards like AllWinner A10 Orange PI One?
>

If it isn't on the list, it either isn't supported or hasn't been tested. If you have the hardware on hand, it never hurts to try the latest snap and send a dmesg to the openbsd-arm mailing list so they can update their docs or get an idea of what's missing.

> I just want my DNS (local) and postfix, dovecot (Internet) and SSH (local
> and Internet) to work on it protected from hackers.

Running OpenBSD and spamd on your router and any non-internet facing services on other systems behind it, and not making silly decisions like password based root logins (or any login for that matter) and employing a default permit policy on your firewall are a good start. Anything else is service-specific.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
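Aaron's advice above (default deny on the firewall, spamd in front of SMTP, only LAN-side access to the non-public services, no password or root logins) written out as two configuration fragments. This is an added example, not from the thread or from the OpenBSD project; the `lan` interface name, the `<bruteforce>` table and the `admin` user are placeholders, `egress` is pf's built-in group for the default-route interface.

```conf
# /etc/pf.conf on the OpenBSD router (placeholder interface name)
lan = "em1"
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
table <bruteforce> persist

set skip on lo
block all                              # default deny instead of default permit
block in quick from urpf-failed        # drop packets with spoofed source addresses
block in quick from <bruteforce>       # addresses that tripped the SSH rate limit

# spamd(8) greylisting: unknown senders hit spamd, known-good ones reach the MTA
pass in on egress inet proto tcp from any to any port smtp \
    rdr-to 127.0.0.1 port spamd
pass in on egress inet proto tcp from <nospamd> to any port smtp
pass in on egress inet proto tcp from <spamd-white> to any port smtp

# SSH is the only other Internet-facing service; brute-forcers get tabled
pass in on egress inet proto tcp to (egress) port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# DNS and IMAP are reachable from the LAN side only
pass in on $lan inet proto { tcp udp } to ($lan) port domain
pass in on $lan inet proto tcp to ($lan) port imaps
pass out all

# /etc/ssh/sshd_config on the router and on every box reachable through it
PermitRootLogin no                     # no root logins at all
PasswordAuthentication no              # keys only, no password guessing
KbdInteractiveAuthentication no        # also closes the keyboard-interactive path
PubkeyAuthentication yes
AllowUsers admin                       # placeholder: the one account allowed in
```

Check both files before loading them with `pfctl -nf /etc/pf.conf` and `sshd -t`, so a typo cannot lock you out of a headless board.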
Fwd: Secure end points for Internet tunnel, the most secure hardware
Dear OpenBSD gurus,

Please suggest which one of the following types of CPU, and preferably the whole system too, is the most secure and backdoor free: ARM, PowerPC, SPARC64, SH-4, MIPS

Can you please suggest a specific model of board compatible with OpenBSD?

Forwarded message
11.05.2020, 09:14, i...@aulix.com:
> I need a secure dedicated textual SSH console connected to Internet at home -
> Console1
> and preferably a two ports router on another end of the Internet line to
> accept my SSH connections - Router1.
>
> What is the most secure hardware (which was sold in public shops) for
> Console1 and Router1?
>
> Can you offer anything better than a Cortex A7 board which is immune to Spectre
> like issues?
> What is the most secure Cortex A7 board on which OpenBSD can run? I guess it
> shall have as little BLOBs as possible - only a small Boot ROM like
> Beaglebone Black which unfortunately is not Cortex A7, but rather Cortex A8.
Re: Secure end points for Internet tunnel, the most secure hardware
> What about other compatible boards like AllWinner A10 Orange PI One?

Sorry for my mistake, Orange PI One is based on the Cortex A7 AllWinner H3.
Re: Secure end points for Internet tunnel, the most secure hardware
Aaron, thank you for your suggestion.

For now I prefer to try to use the oldest suitable hardware I can find, not sure if it is a good idea.

Please someone let me know if the AllWinner SoC backdoor described at:
https://www.theregister.co.uk/2016/05/09/allwinners_allloser_custom_kernel_has_a_nasty_root_backdoor/
can be exploited in OpenBSD?

Is it a bad idea to run a small communication server on an AllWinner A20 board like a Cubietruck if it works with OpenBSD (it is not on the list though)? What about other compatible boards like AllWinner A10 Orange PI One?

I just want my DNS (local) and postfix, dovecot (Internet) and SSH (local and Internet) to work on it protected from hackers.
Re: Secure end points for Internet tunnel, the most secure hardware
On Mon, May 11, 2020 at 5:16 PM wrote:
>
> Hi,

Hi!

>
> [SNIP]
>
> Can you offer anything better than a Cortex A7 board which is immune to Spectre?
> What is the most secure Cortex A7 board on which OpenBSD can run? I guess it
> shall have as little BLOBs as possible - only a small Boot ROM like
> Beaglebone Black which unfortunately is not Cortex A7, but rather Cortex A8.
>

The Pine A64 (US$15 for the 512MB version or US$21 for the 1GB plus version) and the Rock64 (US$24.95 for the 1GB version) both use a Cortex-A53 CPU that is immune to Spectre; can't speak to the blobbiness, though.

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Secure end points for Internet tunnel, the most secure hardware
Hi,

Please let me know, is it a good idea to use OpenBSD to connect to a remote LAN via SSH? Port forwarding is enough for me, though I can pass OpenVPN through an SSH forward too. SSH seems to me the most secure channel compared to other software, and it is easy to get it working.

I need a secure dedicated textual SSH console connected to Internet at home - Console1 - and preferably a two ports router on another end of the Internet line to accept my SSH connections - Router1.

What are the best methods to keep private keys in a safe place? I do not know anything better than devices like Nitrokey Pro, though some PCI card (secure java card) reader devices exist too.

Can OpenBSD use a USB dongle (not a flash drive) Nitrokey Pro 2 to store SSH private keys BOTH on the server side and on the client side? One first dongle on the client and another second dongle on the server - two dongles in total :)

What is the most secure hardware (which was sold in public shops) for Console1 and Router1?

Can you offer anything better than a Cortex A7 board which is immune to Spectre? What is the most secure Cortex A7 board on which OpenBSD can run? I guess it shall have as little BLOBs as possible - only a small Boot ROM like Beaglebone Black which unfortunately is not Cortex A7, but rather Cortex A8.