Re: Samba on obsd

2020-03-25 Thread David Sastre
Depending on your requirements, e.g. Windows machines in your setup, you
can also try
https://www.freeipa.org
I would use Fedora, not CentOS.
It is an umbrella project for LDAP, Kerberos, DNS, NTP and some added
functionality on top you might or might not need/use.
It can also establish trust relationships with existing AD forests.
Worth checking out.
Regarding support for OpenBSD clients, I haven't tried, but you could hook
up direct LDAP access, for example.


On Wed, Mar 25, 2020 at 7:48 AM kasak wrote:

>
> 25.03.2020 02:06, Lars Bonnesen writes:
> > Hi. I am having a project on setting up Samba to work as a replacement
> for
> > MS AD.
> >
> > I would prefer to do it on OpenBSD, but how is the implementation of
> Samba
> > on OpenBSD? Is it enhanced in a way that will cause any known problems
> that
> > would not be on say... CentOS?
> >
> > Regards, Lars.
>
> samba ad is not working on OpenBSD because ffs has no ea support.
>
> centos is a bad choice too, because of the permanently outdated version of samba.
>
> You should try arch linux or freebsd for this project, both of them have
> nearly the latest version of samba.
>
>


problems setting up PORTS_PRIVSEP

2020-03-25 Thread Moises Simon
Hi misc,

I'm trying to set the ports system to use PORTS_PRIVSEP
according to bsd.port.mk(5) and
https://www.openbsd.org/faq/ports/ports.html#PortsConfig

but I'm getting the following error:

sirius$ make fetch
mkdir /usr/obj/ports: Permission denied at
/usr/ports/infrastructure/bin/portlock line 53.  *** Error 255 in
/usr/ports/mystuff/x11/dmenu (/usr/ports/infrastructure/mk/bsd.port.mk:2557
'fetch': @lock=dmenu-4.9; export _LOCKS_HELD="...

even after doing make fix-permissions. I'm not seeing something.

cat /etc/mk.conf
SUDO=doas
CLEANDEPENDS=Yes
PORTS_PRIVSEP=Yes
WRKOBJDIR=/usr/obj/ports
DISTDIR=/usr/ports/distfiles
PACKAGE_REPOSITORY=/usr/ports/packages

cat /etc/doas.conf
permit nopass msv cmd touch
permit nopass setenv { TRUSTED_PKG_PATH TERM } msv cmd pkg_add
permit nopass setenv { TERM } msv cmd pkg_delete

permit keepenv nopass msv as _pbuild
permit keepenv nopass msv as _pfetch

permit msv as root
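The "Permission denied" above comes from the ports infrastructure trying to create a directory under WRKOBJDIR that the privsep users cannot write. A read-only diagnostic for that class of problem, as an added example (not code from the post, the FAQ or the ports tree): it reads the directory settings from an mk.conf and reports, for each one, whether the directory exists and whether the privsep user that has to write there can do so. The mapping of directories to users (WRKOBJDIR and PACKAGE_REPOSITORY written by _pbuild, DISTDIR by _pfetch) is this example's assumption; confirm it against bsd.port.mk(5) on your release. AS_USER, mkconf_value, dir_writable_as and check_privsep_dirs are names invented here.

```shell
#!/bin/sh
# Added example, not part of the original post or of the ports tree.
# Checks that the PORTS_PRIVSEP directories named in an mk.conf exist and
# are writable by the privsep user assumed to need them (see the lead-in).
#
# AS_USER is the command used to run a check as another user. "doas -u"
# matches the doas.conf in the message (msv may run anything as _pbuild
# and _pfetch); the test overrides it with a stub so it runs anywhere.
AS_USER=${AS_USER:-"doas -u"}

# mkconf_value FILE VAR: print the value of the last "VAR=value" line in
# FILE. The make assignment forms =, ?=, += and := are all accepted.
mkconf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[?+:]\{0,1\}=[[:space:]]*//p" "$1" | tail -n 1
}

# dir_writable_as DIR USER: succeed only if DIR exists and USER can write
# it. The write test itself runs as USER through AS_USER, so a missing doas
# rule shows up the same way a wrong owner does.
dir_writable_as() {
    [ -d "$1" ] || return 1
    $AS_USER "$2" test -w "$1"
}

# check_privsep_dirs MKCONF: print one "VAR DIR STATUS" line per setting.
# STATUS is one of: ok, unset, missing, not-writable-as-USER.
# Returns 0 when every directory is ok, 1 otherwise.
check_privsep_dirs() {
    conf=$1; bad=0
    # assumed directory -> user mapping (verify against bsd.port.mk(5))
    for pair in WRKOBJDIR:_pbuild PACKAGE_REPOSITORY:_pbuild DISTDIR:_pfetch; do
        var=${pair%%:*}; user=${pair#*:}
        dir=$(mkconf_value "$conf" "$var")
        if [ -z "$dir" ]; then
            echo "$var - unset"; bad=1
        elif [ ! -d "$dir" ]; then
            echo "$var $dir missing"; bad=1
        elif dir_writable_as "$dir" "$user"; then
            echo "$var $dir ok"
        else
            echo "$var $dir not-writable-as-$user"; bad=1
        fi
    done
    return $bad
}

# Stand-alone use: sh privsep-check.sh /etc/mk.conf
if [ "${1:-}" ]; then
    check_privsep_dirs "$1"
fi
```

For the mk.conf in the message, a non-existent /usr/obj/ports is reported as "WRKOBJDIR /usr/obj/ports missing" before anything else is attempted; once the reported directories exist with the ownership the FAQ's make fix-permissions step gives them, the script prints "ok" for all three and make fetch can be retried.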



Re: Samba on obsd

2020-03-25 Thread Lars Bonnesen
It seems that Debian is also recommended as an AD replacement.


On Wed, Mar 25, 2020 at 12:13 PM David Sastre wrote:

> Depending on your requirements, e.g. Windows machines in your setup, you
> can also try
> https://www.freeipa.org
> I would use Fedora, not CentOS.
> It is an umbrella project for LDAP, Kerberos, DNS, NTP and some added
> functionality on top you might or might not need/use.
> It can also establish trust relationships with existing AD forests.
> Worth checking out.
> Regarding support for OpenBSD clients, I haven't tried, but you could hook
> up direct LDAP access, for example.
>
>
> On Wed, Mar 25, 2020 at 7:48 AM kasak wrote:
>
>>
>> 25.03.2020 02:06, Lars Bonnesen writes:
>> > Hi. I am having a project on setting up Samba to work as a replacement
>> for
>> > MS AD.
>> >
>> > I would prefer to do it on OpenBSD, but how is the implementation of
>> Samba
>> > on OpenBSD? Is it enhanced in a way that will cause any known problems
>> that
>> > would not be on say... CentOS?
>> >
>> > Regards, Lars.
>>
>> samba ad is not working on OpenBSD because ffs has no ea support.
>>
>> centos is a bad choice too, because of the permanently outdated version of
>> samba.
>>
>> You should try arch linux or freebsd for this project, both of them have
>> nearly the latest version of samba.
>>
>>


Re: Samba on obsd

2020-03-25 Thread Luke A. Call
On 03-25 12:42, Lars Bonnesen wrote:
> It seems that Debian is also recommended as an AD replacement.

And in my experience with packaging tools internals, policies,
standards support, etc (which was not with anything related to AD),
far superior to other Linux distros.  Ask me off-list if you want 
any details on that.
-Luke  (http://lukecall.net)
 



MITM ?

2020-03-25 Thread Cord
Hi,
some months ago I sent some emails to misc (search my email on Google) because 
I believed my obsd laptop had been hacked.
Then I bought a new laptop because my suspicion was that some firmware or the 
BIOS had some infected code.
Then I took the new laptop and went to two wifi points (on two different days 
and at two different wifi spots) to install OpenBSD. I installed a basic system 
and Firefox, and after that I came back home.
At home I tried to complete the installation by adding other packages. After one 
hour between pkg_add and watching videos on YouTube my laptop froze. The 
freeze happened in the middle of a pkg_add.
After that I forced a reboot and completed the installation. Then I started to 
watch a video on YouTube. Then, 15 or 20 minutes after the boot, the system 
froze again. Again a forced reboot. And again, while watching a YouTube 
video, after around 10-20 minutes another freeze. In total there were 3 freezes, one 
during pkg_add and two while watching a YouTube video.
At the fourth boot, I left the system disconnected from the wifi to verify if 
it was a hardware problem. After 15 minutes I connected to the wifi but 
without doing anything. Then after another 10 minutes I opened YouTube, but the 
system was pretty stable. Those freezes happened maybe 10 days ago, but I 
haven't had other freezes.
Now the "signs" of the previous hacking have appeared again on the new laptop, 
so most probably the laptop has been hacked again.

What is your opinion?
Could it be a MITM from my router and a kernel 0day in the TCP/IP stack 
implementation?
Could pkg_add have been MITMed?
Is the encryption algorithm (AES_128_GCM) behind HTTPS really secure?
Can some code be injected into an encrypted stream?

Thank you.
Cord.





Re: MITM ?

2020-03-25 Thread Chris Bennett
On Wed, Mar 25, 2020 at 07:17:59PM +, Cord wrote:

Go buy an ethernet cable. No WiFi.
Use someone's phone hotspot.
Use a fixed PKG_PATH instead of /etc/installurl

Read a LOT of man pages and misc@ tech@ ports@ bugs@

Maybe even tell us which version of VAX your laptop runs on?
Is it OpenBSD version 4.9?

I'm annoyed that our hotel room is sharing electrical circuit with the
room next to it and the power keeps tripping the circuit breaker.

I feel better now.

> Hi,
> some months ago I sent some emails to misc (search my email on Google) 
> because I believed my obsd laptop had been hacked.
> Then I bought a new laptop because my suspicion was that some firmware or 
> the BIOS had some infected code.
> Then I took the new laptop and went to two wifi points (on two different 
> days and at two different wifi spots) to install OpenBSD. I installed a basic 
> system and Firefox, and after that I came back home.
> At home I tried to complete the installation by adding other packages. After one 
> hour between pkg_add and watching videos on YouTube my laptop froze. The 
> freeze happened in the middle of a pkg_add.
> After that I forced a reboot and completed the installation. Then I started 
> to watch a video on YouTube. Then, 15 or 20 minutes after the boot, the 
> system froze again. Again a forced reboot. And again, while watching a 
> YouTube video, after around 10-20 minutes another freeze. In total there were 3 
> freezes, one during pkg_add and two while watching a YouTube video.
> At the fourth boot, I left the system disconnected from the wifi to verify if 
> it was a hardware problem. After 15 minutes I connected to the wifi but 
> without doing anything. Then after another 10 minutes I opened YouTube, but the 
> system was pretty stable. Those freezes happened maybe 10 days ago, but I 
> haven't had other freezes.
> Now the "signs" of the previous hacking have appeared again on the new laptop, 
> so most probably the laptop has been hacked again.
> 
> What is your opinion?
> Could it be a MITM from my router and a kernel 0day in the TCP/IP stack 
> implementation?
> Could pkg_add have been MITMed?
> Is the encryption algorithm (AES_128_GCM) behind HTTPS really secure?
> Can some code be injected into an encrypted stream?
> 
> Thank you.
> Cord.
> 
> 
> 



Re: MITM ?

2020-03-25 Thread Joe Davis
> > What is your opinion?
> > Could it be a MITM from my router and a kernel 0day in the TCP/IP stack 
> > implementation?
> > Could pkg_add have been MITMed?
> > Is the encryption algorithm (AES_128_GCM) behind HTTPS really secure?
> > Can some code be injected into an encrypted stream?

An internet connection might not suit your use case. Have you considered
a self imposed air-gap?



Managing multiple OpenBSD systems with a single base install

2020-03-25 Thread Demi M. Obenour
I am working on an OpenBSD-based QubesOS TemplateVM, and have run
into a few problems.

In QubesOS, all volumes of a TemplateVM are persistent.  AppVMs based
on a TemplateVM use a (copy of) the TemplateVM’s root partition,
but have their own private partition, which is set to zero when the
VM first boots up.  Finally, DispVMs have no persistent storage at all.

This leads to a few difficulties.  First, I found that I need to mount
various directories from the persistent volume (which I mounted at
/mnt/rw) over the root volumes (mounted at / and /usr in my case).
Linux AppVMs use bind mounts for that purpose, but OpenBSD doesn’t
have bind mounts, so I use NFS over loopback.  Since that is slow,
I symlinked /home to /mnt/rw/home.  Furthermore, when an AppVM first
starts up, /mnt/rw will not be mountable, as the underlying storage
will consist entirely of zeroes.  I wrote a C program that uses
disklabel(5) ioctls to handle this.  However, this breaks sysupgrade(8),
since /home is symlinked to /mnt/rw/home, which doesn’t exist until
/etc/rc.securelevel runs.  I fixed this by monkeypatching sysupgrade(8)
to download into /var/_sysupgrade instead, but that is an ugly hack.

The other problem is that I do not know of a reliable way to make
the boot process fail if my /etc/rc.securelevel fails.  This is
security-critical, as it does tasks like deleting SSH keys from
/etc/ssh so that they will be regenerated after /mnt/rw/export/etc/ssh
has been mounted over /etc/ssh.  If this fails, there is a chance that
two AppVMs could share the same SSH host keys, which would be bad.
Furthermore, if mounting /mnt/rw fails, I would much prefer to drop
into a single-user shell than to try to continue.  This is a trivial
patch to /etc/rc, but patching /etc/rc is strongly discouraged in
afterboot(8).

Are the solutions I came up with the best possible, or are there
better ones that I missed?  Any help will be greatly appreciated.

Sincerely,

Demi
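The shared-host-key case in the message is the kind of failure that is worth making detectable rather than relying on every earlier boot step having succeeded. As an added example (not code from the post, not OpenBSD's /etc/rc and nothing QubesOS ships), the following guard records a checksum manifest of the TemplateVM's host keys when the template is sealed, and at AppVM boot, after /mnt/rw/export/etc/ssh has been mounted over /etc/ssh, compares the live keys against that manifest: any key that is still byte-identical to the template's is removed, so the normal regeneration of missing host keys at boot produces a fresh one, and the guard exits non-zero so its caller (an rc.securelevel fragment, for instance) can refuse to continue. The variable names SSHDIR and TEMPLATE_MANIFEST, the manifest path and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenBSD's /etc/rc.
# Detects an AppVM booting with the TemplateVM's SSH host keys.
#
# Usage (assumed layout):
#   sh hostkey-guard.sh record   # run once in the template before sealing
#   sh hostkey-guard.sh check    # run at boot after /etc/ssh has been mounted
SSHDIR=${SSHDIR:-/etc/ssh}
TEMPLATE_MANIFEST=${TEMPLATE_MANIFEST:-/etc/ssh-template-keys.sum}

# key_sum FILE: print "crc:size" for FILE. cksum(1) is enough here because
# the question is byte-identity with a known file, not collision resistance.
key_sum() {
    cksum "$1" | awk '{print $1 ":" $2}'
}

# record_template_keys SSHDIR MANIFEST: write one "sum name" line per
# private host key found in SSHDIR (the template's keys).
record_template_keys() {
    dir=$1; manifest=$2
    : > "$manifest"
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        printf '%s %s\n' "$(key_sum "$key")" "$(basename "$key")" >> "$manifest"
    done
}

# find_shared_keys SSHDIR MANIFEST: print the names of live keys in SSHDIR
# that are identical to the template's. A missing manifest means nothing
# was recorded, so nothing can be reported.
find_shared_keys() {
    dir=$1; manifest=$2
    [ -f "$manifest" ] || return 0
    while read -r sum name; do
        key="$dir/$name"
        [ -f "$key" ] || continue
        [ "$(key_sum "$key")" = "$sum" ] && echo "$name"
    done < "$manifest"
    return 0
}

# purge_shared_keys SSHDIR MANIFEST: remove every shared key and its .pub
# file. Returns 0 when no key was shared, 1 when keys had to be removed.
purge_shared_keys() {
    dir=$1; manifest=$2; found=0
    for name in $(find_shared_keys "$dir" "$manifest"); do
        rm -f "$dir/$name" "$dir/$name.pub"
        found=1
    done
    return $found
}

case ${1:-} in
record) record_template_keys "$SSHDIR" "$TEMPLATE_MANIFEST" ;;
check)
    if ! purge_shared_keys "$SSHDIR" "$TEMPLATE_MANIFEST"; then
        echo "host keys identical to the template's were removed; refusing to continue" >&2
        exit 1
    fi ;;
esac
```

The check is deliberately independent of whether the mount or the earlier key deletion succeeded: it looks only at what is in /etc/ssh at the moment it runs, which is the property the message actually cares about.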


