DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
Old 4th December 2022
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,854
Default

Quote:
Originally Posted by Entropic View Post
... it seems provisioning isn't necessary for my em0 ethernet (and thus internet) to work.. right?
No. During boot, rc(8) executes netstart(8) which provisions NICs from hostname.if(5) files. Without a provisioning file, a NIC will not be provisioned automatically on boot. Otherwise, the admin must manually issue ifconfig(8) commands to configure network connections.

During installation, the install script asks the admin which physical NICs to provision and creates these hostname.if(5) files.
Quote:
If by "correct" you mean the hostname.tun0 shows up in an ls command...
I meant that the contents were confirmed correct. Use a pager such as less(1), an editor such as vi(1), or a cat(1) command to display the contents of the file and confirm it contains no mistakes.
Quote:
To re-ask: is my "appending" (see previous post) at the top of the hostname.tun0 file "correct".. Still waiting on a response to this if anyone can help..
Your asking me to explain terminology used by the author of an unassociated, third-party web page. I believe -- without any actual knowledge -- that the use of the word "append" is unintentional, and that the author meant to use the word "create". But for clarity, you should reach out to the author directly. I can see that the website supports comments, where you might be able to reach out and obtain needed clarity about their published content.
Quote:
Why for example, would a prompt for authentication be of concern here? You seem to relate it to netstart not being interactive, but as I demonstrated above, it seems netstart isn't involved or necessary for my internet connection (em0) to work.. yet alone for OpenVPN...
It absolutely is a concern. The netstart(8) utility is not intended to support interaction. The second line of your hostname.tun0 file executes a command which (as configured) prompts for interactive input. I can be wrong, of course, but I don't believe it should.
Quote:
What I have noticed since creating the hostname.tun0 file in /etc/openvpn is that when I start my OpenBSD system, it no longer goes straight through to the x-window login screen with the blowfish pic. Instead it prompts me beforehand, in terminal, for the user authentication and pw. I assume this is the openvpn daemon starting up at startup?
Probably. But I cannot tell you if your responses are captured by the program or not.
Quote:
Either way, when I enter the details (user and pass), and go through and login normally at the main login screen, a "ifconfig tun0" reveals "down" still for my openvpn connection, and thats in spite of having working internet otherwise.
How is em0 provisioned, if you do not have a hostname.em0 file in /etc?
Quote:
I tried $ pgreg -lf openvpn and it says pgreg is not known in ksh..
As noted, you had a typo. The pgrep(1) command is a process finder, named after the many "grep" utilities that parse regular expressions.
Reply With Quote
Old 4th December 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 71
Default

Quote:
Originally Posted by J65nko View Post
The shell cannot find 'pgreg' because that is not an existing program. Is a typo . It should be:
Code:
$ pgrep -lf openvpn
That's a helluva typo jggimi... Seems you're living up to your sig re: the noise>signal after all .-)

Ok, I've just loaded up the system where as usual it now prompts for the "Auth user name" and then "password" before proceeding to the main login screen Xterm window.

After typing
Code:
pgrep -lf openvpn
it returns me to the # prompt as if its done something, but its unclear what in the absence of any verbose output. An
Code:
ifconfig tun0
done afterwards reveals the usual "down" for the connection status so I guess we've just proven its not working from two different commands. Again the internet is working fine as confirmed by ping 1.1.1.1 responses. I've still got no response regarding the vi input and whether my method of 'appending' should be fine. I'm guessing by the changed startup pattern since editing/saving the hostname.tun0 file that its working fine as I'm now prompted for that Auth user name and PW after the network starts, but before the main BSD login window... So why isn't it connecting. I notice that if I enter any old user or pw at these prompts that it progresses without any error msg to the main login screen btw... That's a bit weird isn't it?

I feel like theres just some minor thing preventing this from all working and it might just be another matter of solving another typo.... Jasenko, judging by your sig you may have more than a good idea what the problem is given the various posts above... and jggimi, even if you're not directly familiar with OpenVPN surely you have some idea of whats going on (or wrong) here because you clearly known the standard function/locations of these hostname files, and if there's one thing I've learnt from my short time on OpenBSD its that everything tends to operate in a very simple and standardised way across many different programmes.... Why should OpenVPN be any different?... EDIT: It seems from your reply that my vi input to make the hostname.tun0 file is fine, but why do I get no obvious error or response on running
Code:
pgrep -lf openvpn
...

Last edited by Entropic; 4th December 2022 at 02:27 PM.
Reply With Quote
Old 4th December 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 71
Default

Quote:
Originally Posted by jggimi View Post
No. During boot, rc(8) executes netstart(8) which provisions NICs from hostname.if(5) files. Without a provisioning file, a NIC will not be provisioned automatically on boot. Otherwise, the admin must manually issue ifconfig(8) commands to configure network connections.
How many times do I have to say it: I've got full working internet (albeit without OpenVPN) without any hostnames.* files in /etc other than the hostname.tun0 that I created as part of the OpenVPN setup, and no action taken by me after startup other than plugging the ethernet cable in (its on DHCP if that makes any difference?). So if I have no "provisioning" file and yet I've got a working internet connection on em0 (ethernet) then doesn't this prove that the provisioning is'nt required, or is at least done with a file that's in a location other than /etc ??

Quote:
Your asking me to explain terminology used by the author of an unassociated, third-party web page. I believe -- without any actual knowledge -- that the use of the word "append" is unintentional, and that the author meant to use the word "create".
That's all I was after jggimi. Just your honest opinion of what it likely meant. It seems that 'append' is not a term being used to indicate a special placement of the proposed vi input within the hostname.tun0 file after all meaning my input is probably fine.. and thus we can rule that out...

Quote:
It absolutely is a concern. The netstart(8) utility is not intended to support interaction.
Doesn't this therefore suggest that the input I'm being prompted for is interacting with something other than netstart? What might that be? the openvpn daemon perhaps?

Quote:
The second line of your hostname.tun0 file executes a command which (as configured) prompts for interactive input. I can be wrong, of course, but I don't believe it should.Probably. But I cannot tell you if your responses are captured by the program or not.How is em0 provisioned, if you do not have a hostname.em0 file in /etc?
Well perhaps you can explain it to me noting my observation that (1) I have working internet from startup with no command line input (2) I have no hostname.* files other than hostname.tun0 in /etc. ... If I were to extrapolate your apparent concern over this 'provisioning' to a higher level explanation: are you basically suggesting that even with working internet, I need my ethernet (em0) provisioned before the openvpn programme will be able to use it? If so do you you have some quick tips on how to provision it. Knowing OpenBSD it's probably just a couple command line inputs like ifconfig inet autoconf, or as I've just learnt "dhcp" alone..

Quote:
As noted, you had a typo. The pgrep(1) command is a process finder, named after the many "grep" utilities that parse regular expressions.
Yeh, thanks for giving me this typo to begin with !!
Reply With Quote
Old 4th December 2022
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,854
Default

Only NICs that have a hostname.if(5) file will be provisioned on boot by the OS. The netstart(8) script scans for these files, and takes no action when it doesn't find them.

First: confirm your em0 network connection has been provisioned on your running system. Do this by issuing the command $ ifconfig em0, and review the output. If your em0 NIC has an IP address and netmask assigned, and an active status, the NIC has been provisioned. If you don't have an active em0 NIC, then issue $ ifconfig by itself and get a list of all your NICs. You'll have a loopback pseudo-NIC, all physical NICs, an IPSec encapsulation pseudo-NIC, and your non-working OpenVPN tunnel pseudo-NIC.

Second: If em0 has been provisioned, it had to have been provisioned somewhere. Either via netstart -- which you have told us does not have a provisioning file for em0 -- or by an rc.local(8) script, which you haven't mentioned and is therefore unlikely, or by manually entering ifconfig(8) provisioning commands some time after booting, which you haven't mentioned doing.

If you are manually entering a command like # ifconfig em0 inet autoconf after your system is already running, this would be after your OpenVPN connection has already failed to start.

If em0 has been provisioned with an IP address, and a) you do not have an /etc/hostname.em0 file, and b) you do not have an /etc/rc.local file, and c) you are not manually provisioning em0 ... then the only other remaining possibility is the openvpn client application is somehow doing the provisioning. Which is improbable, but not completely impossible. You can test this improbability by temporarily renaming the file to something netstart(8) will not act on, such as: # mv /etc/hostname.tun0 /etc/do.not.start.tun0 and reboot. If, on reboot, em0 is no longer provisioned you will know the improbable became possible. To rename the file back, you would use # mv /etc/do.not.start.tun0 /etc/hostname.tun0.
Reply With Quote
Old 5th December 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 71
Default

Quote:
Originally Posted by jggimi View Post
Only NICs that have a hostname.if(5) file will be provisioned on boot by the OS. The netstart(8) script scans for these files, and takes no action when it doesn't find them.

First: confirm your em0 network connection has been provisioned on your running system. Do this by issuing the command $ ifconfig em0, and review the output. If your em0 NIC has an IP address and netmask assigned, and an active status, the NIC has been provisioned. If you don't have an active em0 NIC, then issue $ ifconfig by itself and get a list of all your NICs. You'll have a loopback pseudo-NIC, all physical NICs, an IPSec encapsulation pseudo-NIC, and your non-working OpenVPN tunnel pseudo-NIC.
I've rechecked the /etc directory and there is indeed two files: hostname.em0 and hostname.tun0. On typing "more hostname.em0" its got "inet autoconf" as its sole line of code.

Without the ability to upload the script here (No explanations were given when I asked about how I'd browse to a file from within openBSD firefox to upload earlier in this thread), I can report the following following "ifconfig":

em0: flags=xxxxxx<UP, BROADCAST, RUNNING, SIMPLEX, MULTICAST, AUTOCONF4> mtu 1500
lladr: xxxxxxxxx
index 1 priority 0 llprio 3
groups: egress
media: ethernet autoselect (1000baseT full-duplex)
status: active
inet 192.168.xxx.x netmask broadcast 192.168.xxx.255

tun0: flags=xxxx <UP, POINTOPOINT, RUNNING, MULTICAST> mtu 1500
Index: 5 priority 0 llprio 3
groups: tun
status: down

pflog0: flags=141 <UP, RUNNING, PROMISC> mtu 33136.
index 6 priority 0 llprio 3
groups: pflog

There's a bunch of other interfaces in there such as iwn0 (WLAN - wireless), enc0 (active - whatever this is: Bluetooth?, lo0 (127.0.xxx - loopback?)
but I doubt these are relevant. I'm listing them in case they might be...

Quote:
Second: If em0 has been provisioned, it had to have been provisioned somewhere. Either via netstart -- which you have told us does not have a provisioning file for em0 -- or by an rc.local(8) script, which you haven't mentioned and is therefore unlikely, or by manually entering ifconfig(8) provisioning commands some time after booting, which you haven't mentioned doing.
Ok this is now clarified: netstart is provisioning the em0 ethernet NIC via hostname.em0 containing "inet autoconf" for its DHCP connection from the router.

Quote:
If you are manually entering a command like # ifconfig em0 inet autoconf after your system is already running, this would be after your OpenVPN connection has already failed to start.
Yes, this would from my understanding be the exact scenario I'm in right now with working internet on an active em0 interface, but "down" for the tun0 (OpenVPN) status..

Frankly I don't see how this really takes me any further. I'd already established in previous posts that my internet was working, and that its the OpenVPN thats not. This troubleshooting just done merely confirms what we already knew and doesn't do anything to resolve the lack of OpenVPN... Can anyone help here noting the very detailed posts earlier in this thread clearly explaining both system observations and actions taken to try and get OpenVPN working? i.e. openvpn has been installed successfully, my openvpn (.ovpn) files have been placed in /etc/openvpn where they should be, and hostname.tun0 has been edited with vi to include the appropriate
"up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/openbsd.ovpn" command which seems to be doing something because on startup I'm being prompted for an auth username and pw.. yet still openvpn (tun0) is reporting "down" on ifconfig checking.
Reply With Quote
Old 5th December 2022
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,854
Default

Quote:
Originally Posted by Entropic View Post
No explanations were given when I asked about how I'd browse to a file from within openBSD firefox to upload earlier in this thread....
I'm sorry, I thought I had explained that Firefox is protected from itself on OpenBSD. It is restricted to reading (and writing) from most directories on the OS. The user's $HOME/Download directory (which also called be referred to as "~/Download"), the /tmp directory, and Firefox provisioning and cache directoriess are pretty much all it can access, by default. You can copy files you want to upload with Firefox into /tmp or your ~/Download directory, or, you can reduce how Firefox is secured by increasing its access to directories. Guidance on reducing security can be found in /usr/local/share/doc/pkg-readmes/firefox, under the section "pledge(2) and unveil(2) Support".
Quote:
There's a bunch of other interfaces in there such as iwn0 (WLAN - wireless), enc0 (active - whatever this is: Bluetooth?, lo0 (127.0.xxx - loopback?)
Your lo(4) pseudo-NIC is used for loopback connections. The first (and usually only) loopback NIC, lo0, is created during boot by netstart(8). Your iwn(4) NIC is a physical WiFi, as you'd noted, and your enc(4) pseudo-NIC can be ignored, it is only utilized when using ipsec(4). It's used during packet filtering of IPSec encapsulated traffic.
Quote:
Frankly I don't see how this really takes me any further.
It clarifies communication between us, if nothing else. Now, you are left with a non-functional OpenVPN client system, and for that, I cannot help. You will have to wait for others on this forum, who to date have been silent on OpenVPN, or, you will have to reach out to the author of your guide, who has both comment tools on his web page as well a link at his site that provides an email address for more private contact or questions.
Reply With Quote
Old 5th December 2022
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,854
Default

Another typo - The $HOME/Download directory name should be Downloads.
Reply With Quote
Old 6th December 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 71
Default

Quote:
Originally Posted by jggimi View Post
I'm sorry, I thought I had explained that Firefox is protected from itself on OpenBSD. It is restricted to reading (and writing) from most directories on the OS. The user's $HOME/Download directory (which also called be referred to as "~/Download"), the /tmp directory, and Firefox provisioning and cache directoriess are pretty much all it can access, by default. You can copy files you want to upload with Firefox into /tmp or your ~/Download directory, or, you can reduce how Firefox is secured by increasing its access to directories. Guidance on reducing security can be found in /usr/local/share/doc/pkg-readmes/firefox, under the section "pledge(2) and unveil
This is useful - thankyou. So now if in future I want to submit some terminal output I'll type
Code:
script -a /tmp <filename.typescript>
and it will generate the terminal output as a readable file in the /tmp directory that FFox can access by default?

Quote:
It clarifies communication between us, if nothing else. Now, you are left with a non-functional OpenVPN client system, and for that, I cannot help. You will have to wait for others on this forum, who to date have been silent on OpenVPN, or, you will have to reach out to the author of your guide, who has both comment tools on his web page as well a link at his site that provides an email address for more private contact or questions.
It looks that way and so I'm waiting on a reply from that articles author having now sumarised the issue to him. In the meantime, to troubleshoot it myself, I've just used
Code:
cat sweden.ovpn
to compare the contents of my .ovpn file to what I've seen posted online by other users who have setup it up successfully. It looks similar, and its autogenerated by my VPN provider (ExpressVPN) so its probably sound code wise. the first line is
Code:
dev tun
but apparently thats fine even when the hostname file makes reference to it being a tun0 (I thought that might have been the discrepancy). One thing that is different is the line which must be specifying the VPN servers URL
Code:
remote switzerland-ca-version-2.expressnetw.com 1195
where the port looks different to the 443 (HTTPS) that I see specified in other users .ovpn files. Is it possible that pf doesn't like 1195 and its blocking it, whereas 443, being a more standard port, is allowed?
Reply With Quote
Old 6th December 2022
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,854
Default

Quote:
Originally Posted by Entropic View Post
This is useful - thankyou. So now if in future I want to submit some terminal output I'll type
Code:
script -a /tmp <filename.typescript>
and it will generate the terminal output as a readable file in the /tmp directory that FFox can access by default?
Yes. Keep in mind two things: 1. the script(1) output file will not be complete until you exit the subshell console session it creates for you, and 2. the output file will have control characters in it -- particularly carriage return characters. These and any backspaces can be removed for clarity with the col(1) utility, using a command such as $ col -b < input.file > output.file or $ cat input.file | col -b > output.file.
Quote:
Is it possible that pf doesn't like 1195 and its blocking it, whereas 443, being a more standard port, is allowed?
Not unless you've provisioned it. By default -- which I assume you are using -- PF blocks stateless traffic, blocks incoming X Terminal traffic, and blocks any network traffic by the user that builds packages from the Ports tree. See your /etc/pf.conf file for this default provisioning.

Last edited by jggimi; 6th December 2022 at 01:13 PM. Reason: typos
Reply With Quote
Old 13th December 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 71
Default

Beaten but not broken. I'm back after a week giving this all a break to come back with fresh eyes. I think it's time I got some typescript files up here so you can see exactly what I'm facing in getting this OpenVPN connection to my VPN provider (as client) sorted. There's a couple of things I need to sort out before I do so, however:
(1) How do I output a limited typescript file that won't include sensitive info like root passwords etc ?
(2) What's the command for checking for all running daemons. I'm sure I've seen the instruction somewhere but on re-checking the man pages for daemon I found no such instruction :/
Reply With Quote
Old 13th December 2022
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,854
Default

Quote:
Originally Posted by Entropic View Post
(1) How do I output a limited typescript file that won't include sensitive info like root passwords etc ?
After running col(1) to strip control characters, edit the resulting file to remove anything you want redacted before posting.
Quote:
(2) What's the command for checking for all running daemons.
There are two ways:
  1. If started through rc.conf(8) at boot, the rcctl(8) utility can show you running daemons with # rcctl ls started. There are a wide variety of options to the rcctl ls subcommand, please see the rcctl(8) man page for more information.
  2. The previously discussed -- recall my inadvertent typo for -- the pgrep(1) utility.
Reply With Quote
Old 14th December 2022
Entropic Entropic is offline
Fdisk Soldier
 
Join Date: Nov 2022
Posts: 71
Default

Quote:
Originally Posted by jggimi View Post
After running col(1) to strip control characters, edit the resulting file to remove anything you want redacted before posting.There are two ways:
Thanks, but when I try editing the .typescript file that I created using script -a /etc/scripts/blahblah.typescript using vi as follows:
Code:
 vi /etc/scripts/blahblah.typescript
I can't move the cursor to the section I want to redact (the ip address starting with 192). I tried navigating manually using the j and k keys (in command mode), but its stuck on the last page. Apparently the vi command to move the cursor to this part of the output is
Code:
/text
where 192 is entered instead of text. but this doesn't do anything! I can see the relevant text within vi as I scroll up and down using [CMD]SHIFT-PGUP[/CMD] to find IP ADDR: 192.168.x.x.. but if I use the officlally recommended command [CMD]/192[/CMD] it doesn't give me squat!


So what else can I use to "edit" this typescript file and redact the sensitive bits? I tried ed(1) already btw but its hopeless. It seems to have the same inane secret handshake methodologies for performing basic functions as vi, but unfortunately not the same specific shortcuts as vi's... and I'm just going nowhere with it, even with the man pages... So what else can I use to edit the file, and why is vi failing me?

Quote:
  1. If started through rc.conf(8) at boot, the rcctl(8) utility can show you running daemons with # rcctl ls started. There are a wide variety of options to the rcctl ls subcommand, please see the rcctl(8) man page for more information.
  2. The previously discussed -- recall my inadvertent typo for -- the pgrep(1) utility.
Ok great, using this I've now got a list of the running daemons and of course openvpn isn't one of them. Interesting side note: I found that by pressing the power button I can be taken back to the ttys screen showing the last part of the startup output before the main login window appears, and it clearly showed "Starting package daemons: openvpn(failed)"

Thinking that perhaps I messed up the openvpn installation at some point of my creating / deleting the config file I used
Code:
pkg_delete openvpn
to delete it before reinstalling after reboot using
Code:
pkg_add -vv openvpn
, where this time I've selected the [3] option "openvpn -embedtls" in case my previous installation of just "openvpn2.5.7" meant I was missing something necessary... Will this mbedtls version of openvpn work the same for this simple client connection purposes?
Reply With Quote
Old 14th December 2022
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,854
Default

Quote:
Originally Posted by Entropic View Post
So what else can I use to "edit" this typescript file and redact the sensitive bits?
I recommend installing one of the third-party editors, there are nearly 70 to choose from. One of these is nano, which I have never used but I understand from others that it is considered simple and intuitive.

OpenBSD comes with vi(1), mg(1), ed(1), and sed(1), and to be honest there's a learning curve for all of them.
Quote:
I found that by pressing the power button I can be taken back to the ttys screen showing the last part of the startup output before the main login window appears, and it clearly showed "Starting package daemons: openvpn(failed)"
You should be able to reach the console on amd64 with this three-finger salute: CTRL-ALT-F1, and return to your X11 session with CTRL-ALT-F5.

You may be able to find out why OpenVPN is failing to start, with: # rcctl -d start openvpn. The rc.d(8) man page describes the -d option:
Code:
     -d      Setting this option will print the function names as they are
             called and prevent the rc.subr(8) framework from redirecting
             stdout and stderr to /dev/null.  This is used to allow debugging
             of failed actions.
It was my prior guess that your interactive requirements are a cause, if not the root cause, for the daemon's failure.
Quote:
Will this mbedtls version of openvpn work the same for this simple client connection purposes?
I think its an option to the client, and not a different version of the client. But in answer, I don't know what services your vendor requires, and I have no OpenVPN experience to aid you with properly provisioning the client.

Last edited by jggimi; 14th December 2022 at 09:49 PM. Reason: clarity, typo
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenBSD Vlan setup Crypt OpenBSD Security 6 13th August 2020 01:25 AM
Your OpenBSD shell setup hanzer OpenBSD General 11 23rd October 2017 09:35 PM
OpenBSD Multiple VPN Setup Dr-D OpenBSD Security 10 7th April 2014 10:50 AM
OpenBSD VPN Setup Dr-D OpenBSD Security 2 4th April 2014 01:23 PM
how setup arpwatch for OpenBSD mfaridi OpenBSD Packages and Ports 1 11th December 2008 05:22 PM


All times are GMT. The time now is 11:44 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2023, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick