OpenBSD on DigitalOcean
> They are both sort of old at this point and with OpenBSD 6.6 out I ran into a bit of a snag. The default these days is to use a GPT partition table to enable EFI booting. This is generally pretty sane but it looks to me like the FreeBSD droplet doesn’t support this. After the installer rebooted the VM failed to boot, being unable to find the bootloader.
> Thankfully DigitalOcean has a recovery ISO that you can boot by simply switching to it and powering off and then on your Droplet.
dd miniroot over FreeBSD, reboot, lemonade!
e2k19 Hackathon Report: Stefan Sperling on GoT and wireless
OpenSSH Key Shielding
> On June 21, 2019, support for SSH key shielding was introduced into the OpenBSD tree, from which the OpenSSH releases are derived. SSH key shielding is a measure intended to protect private keys in RAM against attacks that abuse bugs in speculative execution that current CPUs exhibit. This functionality has been part of OpenSSH since the 8.1 release. SSH private keys are now being held in memory in a shielded form; keys are only unshielded when they are used and re‐shielded as soon as they are no longer in active use. When a key is shielded, it is encrypted in memory with AES‐256‐CTR; this is how it works:
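The excerpt cuts off before the mechanism, so here is an added, self-contained Go re-creation of the scheme (not OpenSSH's own C code): a 16 KiB random prekey is hashed with SHA-512, the digest is split into an AES-256 key and a CTR IV, and the serialized private key is encrypted with that. The point of the large prekey is that a speculative-execution side channel that recovers memory slowly or with occasional bit errors must get every one of the 16384 prekey bytes exactly right, which the last function demonstrates. The "private key" bytes are a constructed stand-in; OpenSSH also wipes the plaintext after shielding, which Go cannot guarantee and this example does not attempt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// Sizes taken from the OpenSSH design: a 16 KiB prekey, SHA-512 of which
// yields a 32-byte AES-256 key followed by a 16-byte CTR IV.
const (
	prekeyLen = 16 * 1024
	aesKeyLen = 32
	ivLen     = 16
)

// shieldedKey is what stays resident in RAM between uses: the prekey and the
// ciphertext. Recovering the key requires reading both, the prekey bit-exact.
type shieldedKey struct {
	prekey     []byte
	ciphertext []byte
}

// deriveKeyIV hashes the prekey. A single flipped prekey bit changes every
// digest bit with ~50% probability, so a noisy leak yields a useless key.
func deriveKeyIV(prekey []byte) (key, iv []byte) {
	sum := sha512.Sum512(prekey)
	return sum[:aesKeyLen], sum[aesKeyLen : aesKeyLen+ivLen]
}

// aesCTR applies AES-256-CTR. CTR is symmetric, so the same routine shields
// and unshields; keystream reuse is avoided because shield() draws a fresh
// random prekey (and hence a fresh key/IV) on every call.
func aesCTR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// shield encrypts the serialized private key under a freshly generated prekey.
func shield(private []byte) (*shieldedKey, error) {
	if len(private) == 0 {
		return nil, errors.New("empty private key")
	}
	prekey := make([]byte, prekeyLen)
	if _, err := rand.Read(prekey); err != nil {
		return nil, err
	}
	key, iv := deriveKeyIV(prekey)
	ct, err := aesCTR(key, iv, private)
	if err != nil {
		return nil, err
	}
	return &shieldedKey{prekey: prekey, ciphertext: ct}, nil
}

// unshield recovers the plaintext key; callers use it briefly and re-shield.
func unshield(s *shieldedKey) ([]byte, error) {
	key, iv := deriveKeyIV(s.prekey)
	return aesCTR(key, iv, s.ciphertext)
}

// unshieldWithLeakedPrekey models an attacker who leaked the prekey through a
// side channel but got one bit (bitIndex) wrong. The result is garbage.
func unshieldWithLeakedPrekey(s *shieldedKey, bitIndex int) ([]byte, error) {
	leaked := append([]byte(nil), s.prekey...)
	leaked[bitIndex/8] ^= 1 << (bitIndex % 8)
	key, iv := deriveKeyIV(leaked)
	return aesCTR(key, iv, s.ciphertext)
}

func main() {
	// Constructed stand-in for the serialized key OpenSSH would shield.
	private := []byte("constructed stand-in for a serialized ssh private key")
	s, err := shield(private)
	if err != nil {
		panic(err)
	}
	back, _ := unshield(s)
	fmt.Printf("exact prekey recovers key:        %v\n", bytes.Equal(back, private))
	noisy, _ := unshieldWithLeakedPrekey(s, 12345)
	fmt.Printf("one-bit prekey error recovers key: %v\n", bytes.Equal(noisy, private))
}
```

Running it prints `true` for the exact prekey and `false` for the leaked one; the only thing an attacker gains from a partially correct prekey is a wrong AES key.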
Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726)
> 1a/ we set the LD_LIBRARY_PATH environment variable to one single dot (the current working directory) and approximately ARG_MAX colons (the maximum number of bytes for the argument and environment list); as described in man ld.so:
> 1b/ we set the RLIMIT_DATA resource limit to ARG_MAX * sizeof(char *) (2MB on amd64, 1MB on i386); as described in man setrlimit:
Authentication vulnerabilities in OpenBSD
> We discovered an authentication-bypass vulnerability in OpenBSD’s authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.
OpenBSD in 2019
> I’ve used OpenBSD on and off since 2.1. More back then than in the last 10 years or so though, so I thought I’d try it again.
Some good, some bad.
OpenBSD on Google Compute Engine
> This tutorial outlines a simple way to get OpenBSD working on GCE, utilizing only OpenBSD to create the image and send up into gcloud.
U2F support in OpenSSH
Game of Trees
> Game of Trees is a work-in-progress version control system which attempts to be appealing to OpenBSD developers.
Game of Trees
> Game of Trees (Got) is a version control system which prioritizes ease of use and simplicity over flexibility. Got is still under development; it is being developed exclusively on OpenBSD and its target audience are OpenBSD developers.
> For two years I’ve been driving myself crazy trying to figure out the source of a driver problem on OpenBSD: interrupts never arrived for certain touchpad devices. A couple weeks ago, I put out a public plea asking for help in case any non-OpenBSD developers recognized the problem, but while debugging an unrelated issue over the weekend, I finally solved it. It’s been a long journey and it’s a technical tale, but here it is.
Diving deep into the AML.
OpenBSD ttyplot examples
> I said I will rewrite ttyplot examples to make them work on OpenBSD. Here they are, but a small notice before:
A couple of caveats; most of them want -current.
g2k19 Hackathon Report: Stefan Sperling on Access Points and Ghosts
> This AP was promptly attacked! But with OpenBSD on both AP and client, I now had a full view of the battle field and made our hackroom’s wifi immune to de-auth attacks. I don’t have enough brain juice to come up with a good heuristic for this, so users need to manually cast a de-auth attack immunity spell by setting the new ‘stayauth’ nwflag with ifconfig(8). Note that this flag needs to be set on clients as well as the AP, because a de-auth army will target them separately.
BPF and formal verification
> I spent the spring of 2015 researching the Berkeley packet filter (BPF) and its formal verification with my programming languages professor, Joe Gibbs Politz. The project took some unexpected turns and we learned a lot about Coq and applied formal verification in the process.
WireGuard on OpenBSD
> Earlier this week I imported a port for WireGuard into the OpenBSD ports tree. At the moment we have the userland daemon and the tools available. The in-kernel implementation is only available for Linux. At the time of writing there are packages available for -current.
OpenBSD 6.5 released
> We are pleased to announce the official release of OpenBSD 6.5. This is our 46th release.
Categorizing OpenBSD Bugs
> I went through two years of OpenBSD errata for the most recent four releases (6.1, 6.2, 6.3 and 6.4) and categorized each bug.
t2k19 Hackathon Report: Putting the hack(6) in hackathon, and other stories
> The difference in behavior between my system and the OpenBSD project’s package build machines resulted from that plague of ports developers, hidden dependencies.
Using an OpenBSD Router with AT&T U-Verse
> I upgraded to AT&T’s U-verse Gigabit internet service in 2017 and it came with an Arris BGW-210 as the WiFi AP and router. The BGW-210 is not a terrible device, but I already had my own Airport Extreme APs wired throughout my house and an OpenBSD router configured with various things, so I had no use for this device. It’s also a potentially-insecure device that I can’t upgrade or fully disable remote control over.
> Fully removing the BGW-210 is not possible as we’ll see later, but it is possible to remove it from the routing path. This is how I did it with OpenBSD.
rdist(1) – when Ansible is too much
> We didn’t have a requirement to go full configuration management with tools like Ansible or Salt Stack. And there wasn’t any interest in building additional logic on top of rsync or repositories. Enter rdist(1). rdist is a program to maintain identical copies of files over multiple hosts. It preserves the owner, group, mode, and mtime of files if possible and can update programs that are executing. The only tricky part with rdist(1) is that copying files and restarting services owned by a privileged user has to be done by root. Our solution to the problem was to wrap doas(1) around rdist(1).