TOTP apps, and WebAuthn recommended devices?

2023-03-23 Thread Greg Troxel
2FA is increasingly required, which is fine, but I wonder about
strategies for coping as a NetBSD user.

One thing is TOTP.  There are Android apps from f-droid (which suits me
but not everyone), and there is vaultwarden which should allow bitwarden
to do TOTP.  I wonder if there are good TOTP programs in pkgsrc and what
people recommend.


The other thing is WebAuthn which is apparently the new U2F.  I'd like
to get some security keys for this, probably 3 (carry, non-carried
backup, offsite cold storage) for long-term availability.  What devices
are recommended, meeting:

  allow enrolling in a bunch of different sites (dozenish, not 1000s)

  work on NetBSD with firefox (netbsd 9 amd64 at the moment)

  work on Android with free software only, preferably with NFC

  work on GNU/Linux and macOS

  available from a vendor that I've heard of

I am not super concerned about state-level supply chain attacks, but
since I know some of you are Wicked Paranoid as we say in Boston, bonus
points if I can walk into Walmart/Target and pay cash :-)

It looks like the Yubikey 5 might fit the bill.


Re: TOTP apps, and WebAuthn recommended devices?

2023-03-23 Thread Martin Husemann
On Thu, Mar 23, 2023 at 09:51:17AM -0400, Greg Troxel wrote:
> It looks like the Yubikey 5 might fit the bill.

I am totally happy with my Yubikey and its usage in NetBSD and Firefox
(but I use 10_BETA and -current, though that probably only makes a difference
for the ssh usage).

I am regularly using WebAuthN with firefox for various sites and it
works perfectly.

I am also using it for Github (to log into the webpage) but also for
ecdsa-sk ssh keys (ssh agent pops up and asks me to insert and tap the
key whenever that ssh key is used for the first time).

For TOTP there are various python and ruby based solutions
in pkgsrc/security (and it's trivial).
I use a few homegrown scripts (few lines) around pyotp, like:

import pyotp
print(pyotp.TOTP('MYSECRET').now())

where MYSECRET was the code the web page gave me when registering.

Martin


Re: TOTP apps, and WebAuthn recommended devices?

2023-03-23 Thread David Brownlee
On Thu, 23 Mar 2023 at 13:51, Greg Troxel wrote:
>
> 2FA is increasingly required, which is fine, but I wonder about
> strategies for coping as a NetBSD user.
>
> One thing is TOTP.  There are Android apps from f-droid (which suits me
> but not everyone), and there is vaultwarden which should allow bitwarden
> to do TOTP.  I wonder if there are good TOTP programs in pkgsrc and what
> people recommend.

I have to just chime in from the "moderate security level" as a happy
Bitwarden TOTP user. I switched everything from the dumpster fire
which is Google Authenticator to just plain Bitwarden a while back and
being able to paste into a TOTP form directly in Firefox on NetBSD
without having to switch to a phone was a real pleasure. (I'm forking
out a whole $10/year to use TOTP on Bitwarden servers - though I keep
planning to set up vaultwarden :)

> The other thing is WebAuthn which is apparently the new U2F.

Also very curious about this - I bought a YubiKey 5C back... before
Boris Johnson had the opportunity to break any self-isolation laws,
but never ended up setting it up.

David


Re: TOTP apps, and WebAuthn recommended devices?

2023-03-23 Thread Stephen Borrill

On Thu, 23 Mar 2023, Greg Troxel wrote:

> 2FA is increasingly required, which is fine, but I wonder about
> strategies for coping as a NetBSD user.
>
> One thing is TOTP.  There are Android apps from f-droid (which suits me
> but not everyone), and there is vaultwarden which should allow bitwarden
> to do TOTP.  I wonder if there are good TOTP programs in pkgsrc and what
> people recommend.

security/oath-toolkit works well for me

--
Stephen



Re: Running NetBSD as qemu guest on laptop, camouflaging as host

2023-03-23 Thread Mayuresh
On Thu, Mar 23, 2023 at 11:31:00AM +0530, Mayuresh wrote:
> I am using qemu with "-vga vmware".

Retracted that. With this the mouse wasn't visible. Now not giving any vga
option, which means it's '-vga std'

> Yes, the vesa mode setting at boot time works for me.
> 
> But I'd actually like to start x11, which also works. But I just can't
> rotate the screen to make it vertical.

The same idea worked for me by choosing the highest resolution at boot
time, which gives me a high resolution X11. My window manager (ratpoison)
allows me to pad pixels on the sides. So I get exactly the size I need by
padding.

Now the only problem left is a bit of noise when playing videos. I am not sure
when it started, as it was playing smoothly a day ago. I also upgraded
from 9.3 to -current. Not sure if that mattered.

-- 
Mayuresh


Re: Running NetBSD as qemu guest on laptop, camouflaging as host

2023-03-23 Thread Mayuresh
On Thu, Mar 23, 2023 at 08:59:21PM +0530, Mayuresh wrote:
> The same idea worked for me by choosing the highest resolution at boot
> time, which gives me a high resolution X11. My window manager (ratpoison)
> allows me to pad pixels on the sides. So I get exactly the size I need by
> padding.
> 
> Now the only problem left is a bit of noise when playing videos. I am not sure
> when it started, as it was playing smoothly a day ago. I also upgraded
> from 9.3 to -current. Not sure if that mattered.

It appears that the above two points are related. If I pad spaces at the
window manager level the audio quality suffers! If I concede some screen
space and reduce the amount of padding the sound quality is better again.

Is there some way at the xorg server level to "crop" the display size?

I am using native xorg and I am on -current 10.99.2.

(xrandr based new mode creation or rotation etc aren't working, as shared
before)

-- 
Mayuresh


Re: TOTP apps, and WebAuthn recommended devices?

2023-03-23 Thread Martin Neitzel
> I wonder if there are good TOTP programs in pkgsrc and what
> people recommend.

I'm a happy user of "oath-toolkit", too.

I wrapped that into a small shell script which lets me easily select
any of the few TOTP secrets I have collected so far.  It also tracks
the token changes on the full and half minute.

Have fun, Martin

#!/bin/sh

case "$1" in
-h*)    secret=YOUR ;;
-z*)    secret=SECRETS ;;
-m*)    secret=GO_HERE ;;
?*)     secret=$1 ;;
"")     echo "usage: $0 [ -h | -z | -m |  ]"
        exit 1
        ;;
esac

# https://www.youtube.com/watch?v=Q3mgapAcVdU
# we gotta get out of this place,  but cleanly:
trap "exit 0" INT

while true; do
    t=`date +%S`
    date +"%T,  current & next token (changes on seconds :00 and :30):"
    # -w1 prints the current token plus the next one; -b says the secret is base32
    oathtool --totp -w1 -b "$secret"
    # gotcha!  SOMETIMES, $t may come in as 08 or 09 which would be
    # illegal octal numbers -- we need to nuke a leading "0":
    sleep $(( 1 + 30 - (${t#0} % 30) ))
done

# and if it's the last thing we ever do...
# 2FA -- 2 Factor Audio, here's the 2nd factor:
# https://www.youtube.com/watch?v=lsuQO77n9SE


Re: TOTP apps, and WebAuthn recommended devices?

2023-03-23 Thread Dave B
On Thu, Mar 23, 2023 at 03:23:40PM +, Stephen Borrill wrote:
> On Thu, 23 Mar 2023, Greg Troxel wrote:
> > 2FA is increasingly required, which is fine, but I wonder about
> > strategies for coping as a NetBSD user.
> > 
> > One thing is TOTP.  There are Android apps from f-droid (which suits me
> > but not everyone), and there is vaultwarden which should allow bitwarden
> > to do TOTP.  I wonder if there are good TOTP programs in pkgsrc and what
> > people recommend.
> 
> security/oath-toolkit works well for me
...

For TOTP (and HOTP <- is this commonly/ever used, btw?), I
found oath-toolkit/oathtool very helpful as well.  I've been
using it for a couple years.

Recently, I also discovered "susam/mintotp" on github; and
it's been very useful too, in a situation helping others
where the laptop in use was running the mainstream,
proprietary OS (rather than NetBSD).  Slightly "off
question", maybe, but I mention it because the mintotp.py
implementation seems minimal & elegant (less than 1KB of
python code--and depends on, IIRC, only stock python libs:
so it simply worked with the proprietary OS's Python version
from its online app store).

The mintotp repo also has almost 2 orders of magnitude more
documentation than code--and yet even that was a manageable
quantity.  Something about this made me happy...

I was able to look over mintotp.py and be fairly confident
that it wasn't revealing the OTP shared secret (or other
information) to a third party.[*]  The simplicity of the
implementation may mean that it will run easily on a smart-
phone's Python too, although I haven't tried.  And of course
it runs on stock pkgsrc Python under NetBSD; although
mintotp itself isn't packaged.

Best, -D

[*] I'm not a code auditing expert by any means, however; so
take that with a grain of salt.  And obviously, it isn't of
as much value if one is already running in a proprietary OS.
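As an added example (not code from any poster here, nor from pyotp, oathtool or mintotp), the whole of what those tools compute, HOTP (RFC 4226) and TOTP (RFC 6238) with only the Python standard library, plus the verifier-side check that corresponds to oathtool's -w1 window and a decoder for the base32 secret a site shows at enrolment. The names hotp, totp, decode_base32 and verify_totp are this example's own; the test secret is the RFC's published one and is used only for the self-check.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); constructed
# here only for the self-check, never a fixed secret in real use.
RFC_TEST_SECRET = b"12345678901234567890"

def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step); this
    is what pyotp.TOTP(...).now() and 'oathtool --totp' print."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)

def decode_base32(shown):
    """Turn the base32 string a site shows at enrolment (the 'MYSECRET' in
    the pyotp one-liner, the -b argument to oathtool) into key bytes.
    Sites often drop the padding and insert spaces, so normalise first."""
    s = shown.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def verify_totp(secret, code, at, window=1, step=30, digits=6):
    """Verifier side of a -w1 style window: accept the current step and
    `window` steps either side, compared in constant time.  Returns the
    matching step so a server can store it and refuse a later submission
    for the same or an earlier step (the replay rule of RFC 6238 sect. 5.2)."""
    now_step = at // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, now_step + k, digits), code):
            return now_step + k
    return None

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))
    print("TOTP at T=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))
```

The values the self-check prints are the RFC test vectors (755224 and 94287082), which is the quickest way to confirm a TOTP tool is computing the standard function before trusting it with a real enrolment secret.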