DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 30th May 2017
amphibious
-Guest-
 
Posts: n/a
Default Single user modes appears to be a bit dangerous.

I was just able to recover my forgotten username and password credentials by using single user mode. What would stop an unauthorized employee who has physical access to my router from doing the same thing??? It was way too easy to do that. Does OpenBSD not protect against such a possible attack vector?
Reply With Quote
  #2   (View Single Post)  
Old 30th May 2017
PapaParrot's Avatar
PapaParrot PapaParrot is offline
parrot
 
Join Date: Jul 2015
Location: Durango, Mx.
Posts: 472
Default

It is pretty simple, so that is a good question.
I am not sure what others will say for answers, but where I used to work , the owner of the business had the router, and modems in a cabinet, that was locked,..
Quote:
What would stop an unauthorized employee who has physical access to my router from doing the same thing???
And I have seen the same kind of set up in other offices, they simply do not give physical access to unauthorized persons or employees.
Do you leave cash in you desk drawer, ? What would stop unauthorized persons from
just opening the drawer and taking the cash ? Most people keep things like that locked.

Similar, the "automated teller" machines for banks, they all have a computer inside,..obviously they do not give unauthorized people physical access to that.
How ever, if and when something goes wrong, a technician , that is authorized and
has the key, can open it up and make any repairs necessary.
__________________
My best friends are parrots
Reply With Quote
  #3   (View Single Post)  
Old 30th May 2017
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 628
Default

If somebody has physical access to hardware, by default there is nothing set up to protect data on most systems (Windows, Gnu/Linux, OpenBSD), except passwords by hashing function. Of course legitimate user can use encryption (Bitlocker, LUKS/dm-crypt, softraid-based crypto) to protect data, but it is not done by default.
Adversary can reinstall OS anyway, whether data is encrypted or not. Adversary with enough resources can also try "Evil maid" attack. As a measure against using malicious bootloader implanted by adversary one could use bootloader on separate, physically-secured memory such as pendrive in your pocket, but even this is not perfectly safe.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
  #4   (View Single Post)  
Old 30th May 2017
amphibious
-Guest-
 
Posts: n/a
Default

Quote:
Originally Posted by e1-531g View Post
If somebody has physical access to hardware, by default there is nothing set up to protect data on most systems (Windows, Gnu/Linux, OpenBSD), except passwords by hashing function. Of course legitimate user can use encryption (Bitlocker, LUKS/dm-crypt, softraid-based crypto) to protect data, but it is not done by default.
Adversary can reinstall OS anyway, whether data is encrypted or not. Adversary with enough resources can also try "Evil maid" attack. As a measure against using malicious bootloader implanted by adversary one could use bootloader on separate, physically-secured memory such as pendrive in your pocket, but even this is not perfectly safe.
I did take a look at the link for the evil maid attack, and I was aware that such techniques exist. As far as I can remember, OpenBSD (geli) encrypts the bootloader. Please correct me if I am wrong, making such an attack more difficult to conduct?

Furthermore, in regards to single usermode, is there a way to disable it? I have no need for such a feature, should I forget my password again, I'll just re-install.

Thank-you.
Reply With Quote
  #5   (View Single Post)  
Old 30th May 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

  1. You are confused regarding the bootloader. It cannot be encrypted, as the BIOS loads and executes it directly. But .. the bootloader does have the ability to load a kernel from an encrypted disk, using a passphrase and/or a separate keydisk. This is used with Full Disk Encryption ("FDE"). See softraid(4) and bioctl(8).
  2. You can eliminate the boot> prompt as a normal operation of the bootloader via boot.conf(5) setting, but that does not stop someone from holding down a Control key during boot to force its appearance.
Edited to add:


Full Disk Encryption is also in the FAQ: http://www.openbsd.org/faq/faq14.html#softraid
Reply With Quote
  #6   (View Single Post)  
Old 30th May 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

My laptop is configured with FDE that uses a passphrase for decryption. The bootloader prompts for the passphrase. Without the passphrase, the bootloader cannot find any kernels on the encrypted disk.

And without the passphrase, the encrypted disk is a large collection of ones and zeros.

The laptop contains personal information and I want that data protected in the event of a loss. As long as the laptop is shutdown when lost or stolen, my data is protected from theft.

My servers, both local and remote, do not use FDE. I want them to be able to reboot automatically, without any physical intervention.
Reply With Quote
  #7   (View Single Post)  
Old 31st May 2017
girarde girarde is offline
Fdisk Soldier
 
Join Date: Nov 2010
Location: NW FL
Posts: 75
Default

Quote:
Originally Posted by jggimi View Post
......My servers, both local and remote, do not use FDE. I want them to be able to reboot automatically, without any physical intervention.
And are, no doubt, not easily accessed by hoi polloi.
Reply With Quote
  #8   (View Single Post)  
Old 31st May 2017
jjstorm jjstorm is offline
Package Pilot
 
Join Date: Nov 2014
Location: Buenos Aires, AR
Posts: 144
Default

Quote:
Originally Posted by jggimi View Post
You are confused regarding the bootloader.
I meant to say boot partition
Reply With Quote
  #9   (View Single Post)  
Old 31st May 2017
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027
Default

I guess one could use the Bios Boot Selector to first boot a live CD or USB stick (which never leaves one's possession), and this could (optionally check and) restore the MBR and any other critical unencrypted sectors to what they should be. Then reboot. This assumes the BIOS itself is ok.
Reply With Quote
Old 31st May 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Quote:
Originally Posted by girarde View Post
And are, no doubt, not easily accessed by hoi polloi.
Good question. The local servers have the physical security of a locked home.

The remote server, however, is in the "cloud" and runs in a virtual machine provided by a remote service provider. This is worth discussing.

It is as vulnerable as any other guest VM running anywhere. I cannot control physical access, I cannot control access to data flowing through and in the VM. Adding FDE requires intervention for every reboot, and I perceive it would add little security benefit for me if I were to add it. In that environment it would only protect data at rest -- and that is vulnerable because the keys are in kernel memory.
Reply With Quote
Old 31st May 2017
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 628
Default

Quote:
Originally Posted by jggimi View Post
It is as vulnerable as any other guest VM running anywhere. I cannot control physical access, I cannot control access to data flowing through and in the VM. Adding FDE requires intervention for every reboot, and I perceive it would add little security benefit for me if I were to add it. In that environment it would only protect data at rest -- and that is vulnerable because the keys are in kernel memory.
It is also worth to note about possible side-channel leaks in remote or cloud scenario. Your guest VM can be on the same the same physical computer running other, malicious guest VM.
Example: https://www.cs.unc.edu/~reiter/papers/2012/CCS.pdf
Quote:
This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrated on a symmetric multiprocessing system virtualized using a modern VMM (Xen).[..]
This paper addresses these challenges and demonstrates the attack in a lab setting by extracting an ElGamal decryption key from a victim using the most recent version of the libgcrypt cryptographic library.
https://blog.cryptographyengineering...iming-attacks/
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
Old 31st May 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default

Indeed. While my virtual machine uses a different technology (KVM), risks of data exposure still exist. The server is an MTA and contains no private information.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
This is the most dangerous time for our planet - Stephen Hawking J65nko Off-Topic 10 23rd July 2017 11:17 AM
Open source licences: the GPL appears to be declining J65nko News 0 20th December 2011 08:10 AM
Single and Multi User Mode Logging chicago OpenBSD General 2 13th May 2011 06:51 PM
OpenBSD + BCM4312 [it appears that its BCM4315] marc OpenBSD Installation and Upgrading 22 14th March 2009 05:10 PM
The Internet is a dangerous place jggimi Off-Topic 20 22nd June 2008 04:42 AM


All times are GMT. The time now is 09:52 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick