From jondrews at fastmail.com Wed Jun 2 06:03:23 2021
From: jondrews at fastmail.com (Jonathan Drews)
Date: Wed, 2 Jun 2021 04:03:23 -0600
Subject: [Semibug] OpenBSD - Authenticate boot into single user mode

Hi People:

I have an OpenBSD laptop. I was disturbed to find this:

I Forgot My Root Password
https://www.openbsd.org/faq/faq8.html

You boot into single user mode;
boot> boot -s

and now have root privileges and can change the root password!

My question is how do I prevent this? I thought of using a BIOS level password. That would suspend the boot process until you entered a password. However the thief could remove the CMOS battery and the BIOS would reset.

How can I require authentication on single user mode boot in OpenBSD?

Kind regards,

Jonathan

From josh at jggimi.net Wed Jun 2 07:02:09 2021
From: josh at jggimi.net (Josh Grosse)
Date: Wed, 2 Jun 2021 07:02:09 -0400
Subject: [Semibug] OpenBSD - Authenticate boot into single user mode

On Wed, Jun 02, 2021 at 04:03:23AM -0600, Jonathan Drews wrote:
> Hi People:
>
> I have an OpenBSD laptop. I was disturbed to find this:
>
> I Forgot My Root Password
> https://www.openbsd.org/faq/faq8.html
>
> You boot into single user mode;
> boot> boot -s
>
> and now have root privileges and can change the root password!
>
> My question is how do I prevent this? I thought of using a BIOS
> level password. That would suspend the boot process until you
> entered a password. However the thief could remove the CMOS battery
> and the BIOS would reset.
>
> How can I require authentication on single user mode boot in OpenBSD?
>
>
> Kind regards,
>
> Jonathan

A password protected boot alone does not prevent a wide variety of Evil Maid attacks, such as adding key loggers, or replicating data from disk drives. Physical security is outside the scope of software.
With that understanding, OpenBSD offers Full Disk Encryption ("FDE") through the softraid(4) driver's CRYPTO discipline, where the bootloader will require either a key disk or prompt for a passphrase in order to boot an encrypted drive. This FDE solution is available for the amd64, i386, and sparc64 architectures. This does not eliminate all Evil Maid attacks, but it does protect data-at-rest by encrypting all data but the bootloader, physical disklabel(5), and MBR or GPT.

On all architectures non-boot disk encryption is available at the filesystem level either through softraid(4) or via vnconfig(8).

From josh at jggimi.net Wed Jun 2 07:06:14 2021
From: josh at jggimi.net (Josh Grosse)
Date: Wed, 2 Jun 2021 07:06:14 -0400
Subject: [Semibug] OpenBSD - Authenticate boot into single user mode

I neglected to point to a discussion of Full Disk Encryption installation procedures in the OpenBSD FAQ. See the "Full Disk Encryption" section in:

http://www.openbsd.org/faq/faq14.html#softraid

From jondrews at fastmail.com Wed Jun 2 07:56:17 2021
From: jondrews at fastmail.com (Jonathan Drews)
Date: Wed, 2 Jun 2021 05:56:17 -0600
Subject: [Semibug] OpenBSD - Authenticate boot into single user mode

On Wed, Jun 02, 2021 at 06:30:01AM -0400, Bob Schubert wrote:
> See full disk encryption here:
> https://www.openbsd.org/faq/faq14.html#softraidFDE
>

Thanks very much guys. I will read up on this and try to implement it at some later time.

Kind regards,

Jonathan

From semibug15 at post.wayne47.com Wed Jun 2 15:53:04 2021
From: semibug15 at post.wayne47.com (Mike Wayne)
Date: Wed, 2 Jun 2021 15:53:04 -0400
Subject: [Semibug] OpenBSD - Authenticate boot into single user mode
Message-ID: <20210602195304.GC13083@post.wayne47.com>

On Wed, Jun 02, 2021 at 04:03:23AM -0600, Jonathan Drews wrote:
> Hi People:
>
> I have an OpenBSD laptop.
> I was disturbed to find this:
>
> I Forgot My Root Password
> https://www.openbsd.org/faq/faq8.html
>
> You boot into single user mode;
> boot> boot -s
>
> and now have root privileges and can change the root password!
>
> My question is how do I prevent this? I thought of using a BIOS
> level password. That would suspend the boot process until you
> entered a password. However the thief could remove the CMOS battery
> and the BIOS would reset.

This is sort of a religious issue. If you have physical access to the machine, you can find SOME way to read the disk. So "protecting" the system in single user mode is just silly since the reason you are doing this is likely that you are recovering a machine whose root password you do not know and all you are doing is making it more complicated for the user.

If the person doing the recovery is the original owner (the most common case), you are just making their life more difficult. If the person doing it is nefarious, they will eventually succeed anyway.

From acascianelli at icloud.com Wed Jun 2 16:28:17 2021
From: acascianelli at icloud.com (Anthony Cascianelli)
Date: Wed, 02 Jun 2021 20:28:17 -0000
Subject: [Semibug] OpenBSD - Authenticate boot into single user mode
References: <20210602195304.GC13083@post.wayne47.com>

It was mentioned earlier how pulling the battery off the laptop would clear any boot password set up. I thought most modern BIOS/UEFI passwords were in non-volatile memory and would persist even if the batteries were pulled.

On June 2, 2021 at 3:53 PM, Mike Wayne wrote:
> On Wed, Jun 02, 2021 at 04:03:23AM -0600, Jonathan Drews wrote:
>> Hi People:
>>
>> I have an OpenBSD laptop. I was disturbed to find this:
>>
>> I Forgot My Root Password
>> https://www.openbsd.org/faq/faq8.html
>>
>> You boot into single user mode;
>> boot> boot -s
>>
>> and now have root privileges and can change the root password!
>>
>> My question is how do I prevent this? I thought of using a BIOS level password.
>> That would suspend the boot process until you entered a password. However the thief could remove the CMOS battery and the BIOS would reset.
>
> This is sort of a religious issue. If you have physical access to the machine, you can find SOME way to read the disk. So "protecting" the system in single user mode is just silly since the reason you are doing this is likely that you are recovering a machine whose root password you do not know and all you are doing is making it more complicated for the user.
>
> If the person doing the recovery is the original owner (the most common case), you are just making their life more difficult. If the person doing it is nefarious, they will eventually succeed anyway.
>
> _______________________________________________
> Semibug mailing list
> Semibug at lists.nycbug.org
> http://lists.nycbug.org:8080/mailman/listinfo/semibug

From semi at schoeby.com Wed Jun 2 17:37:58 2021
From: semi at schoeby.com (Bob Schubert)
Date: Wed, 2 Jun 2021 17:37:58 -0400
Subject: [Semibug] OpenBSD - Authenticate boot into single user mode
References: <20210602195304.GC13083@post.wayne47.com>

On Wed, Jun 2, 2021, 4:46 PM Anthony Cascianelli wrote:
> It was mentioned earlier how pulling the battery off the laptop would
> clear any boot password set up. I thought most modern BIOS/UEFI passwords
> were in non-volatile memory and would persist even if the batteries were
> pulled.
>

As the bad actor, I would already have control of the hardware so I would just move the drive to another machine and have access.

I believe drive encryption mentioned is a pretty safe bet, for now, assuming the bad actor has physical access to the hardware.
From semi at schoeby.com Wed Jun 2 17:44:29 2021
From: semi at schoeby.com (Bob Schubert)
Date: Wed, 2 Jun 2021 17:44:29 -0400
Subject: [Semibug] OpenBSD - Authenticate boot into single user mode
References: <20210602195304.GC13083@post.wayne47.com>

Rather than physical access, it should read console access. That doesn't necessarily mean the same location I suppose these days (post 1990? Lol)

On Wed, Jun 2, 2021, 5:37 PM Bob Schubert wrote:
>
> On Wed, Jun 2, 2021, 4:46 PM Anthony Cascianelli wrote:
>
>> It was mentioned earlier how pulling the battery off the laptop would
>> clear any boot password set up. I thought most modern BIOS/UEFI passwords
>> were in non-volatile memory and would persist even if the batteries were
>> pulled.
>>
>
> As the bad actor, I would already have control of the hardware so I would
> just move the drive to another machine and have access.
>
> I believe drive encryption mentioned is a pretty safe bet, for now,
> assuming the bad actor has physical access to the hardware.
>

From jeff at nucleus.mi.org Tue Jun 29 09:02:38 2021
From: jeff at nucleus.mi.org (Jeffrey David Marraccini)
Date: Tue, 29 Jun 2021 09:02:38 -0400
Subject: [Semibug] FYI, Altair HQ is closed through October 2021
Message-ID: <819F9E2F-4FA5-47A3-9251-65ADC2AAADEF@nucleus.mi.org>

All,

I will not be able to host any meetings at Altair any time soon. We are working from home, and as I have left IT (no longer an in-person essential worker) I do not want to abuse their kindness, through October 2021.

I know the Delta COVID-19 variant and continued concerns about vaccination rates mean indoor meetings are still unlikely, but I wanted to let you know of this constraint on my side.

I am glad to host an outdoor meeting if useful while the weather is good. I have a sheltered porch that has a nice view and easy access to bathrooms, etc.
Also glad to help host a virtual meeting.

Thank you all and be safe,

Jeff

From jondrews at fastmail.com Tue Jun 29 10:30:13 2021
From: jondrews at fastmail.com (Jonathan Drews)
Date: Tue, 29 Jun 2021 08:30:13 -0600
Subject: [Semibug] Online Meetings

Hi All:

Given the announcement by Jeff that Altair is closed through October of this year, maybe we can have an online Jitsi meeting in July? It looks like what Michael Lucas said has come true:

"I would not be shocked if after this, various spaces stopped hosting guests indefinitely. :-("

I am desirous of online meetings because most user groups are devoted to Linux and not *BSD. I think Linux is fine; I just prefer OpenBSD for my desktop.

Kind Regards,

Jonathan

From mwlucas at michaelwlucas.com Tue Jun 29 11:00:45 2021
From: mwlucas at michaelwlucas.com (Michael W. Lucas)
Date: Tue, 29 Jun 2021 11:00:45 -0400
Subject: [Semibug] Online Meetings

FWIW, I hate being right.

I am down with online meetings. Unfortunately, I cannot coordinate them or gather speakers. (My wife is in health care and the plague is still kicking butt.)

I'd show up to meetings. I'd even chair meetings if wanted.

But someone else will need to step up to make the meeting happen, and get us speakers.

==ml

On Tue, Jun 29, 2021 at 08:30:13AM -0600, Jonathan Drews wrote:
> Hi All:
>
> Given the announcement by Jeff that Altair is closed through
> October of this year, maybe we can have an online Jitsi meeting in
> July? It looks like what Michael Lucas said has come true:
>
> "I would not be shocked if after this, various spaces stopped
> hosting guests indefinitely. :-("
>
> I am desirous of online meetings because most user groups are
> devoted to Linux and not *BSD. I think Linux is fine; I just prefer
> OpenBSD for my desktop.
>
> Kind Regards,
>
> Jonathan

--
Michael W. Lucas  https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder, Immortal Clay, PGP & GPG, Absolute FreeBSD, etc, etc, etc...
### New books: SNMP Mastery, the Networknomicon, Drinking Heavy Water ###

From jondrews at fastmail.com Tue Jun 29 14:54:00 2021
From: jondrews at fastmail.com (Jonathan Drews)
Date: Tue, 29 Jun 2021 12:54:00 -0600
Subject: [Semibug] Pledge and Jitsi on OpenBSD

Guys and Gals:

I have run into a big difficulty with using Jitsi on OpenBSD. When I attempt to share my desktop through Jitsi, then Firefox crashes. I get the following report in my dmesg output:

firefox[17370]: pledge "", syscall 289

I am sure this is due to pledge (man -s 2 pledge) and I have no way of fixing this. My only solution is to share the desktop from a Linux computer, in order to make a presentation. Any suggestions would be welcome. I am really hesitant to disable pledge. Other than the crash caused by sharing my desktop, Jitsi works fine on OpenBSD.

--
Kind regards,
Jonathan

From jondrews at fastmail.com Tue Jun 29 14:40:17 2021
From: jondrews at fastmail.com (Jonathan Drews)
Date: Tue, 29 Jun 2021 12:40:17 -0600
Subject: [Semibug] Online Meetings

On Tue, Jun 29, 2021 at 11:00:45AM -0400, Michael W. Lucas wrote:
>
> FWIW, I hate being right.
>
> I am down with online meetings. Unfortunately, I cannot coordinate
> them or gather speakers. (My wife is in health care and the plague is
> still kicking butt.)
>
> I'd show up to meetings. I'd even chair meetings if wanted.
>
> But someone else will need to step up to make the meeting happen, and
> get us speakers.
>

I propose that we hold the meeting on the date and time given in the Google calendar. Namely July 15th at 1900 hours.
I am trying to get speakers/presenters but no luck so far. I am an OpenBSD amateur but I could give a presentation on Korn Shell 93 in OpenBSD if no presenters can be found. Ksh93 probably isn't the most thrilling presentation but at least it's a fun shell to experiment with.

Kind regards,
Jonathan

> ==ml

From jondrews at fastmail.com Tue Jun 29 16:05:48 2021
From: jondrews at fastmail.com (Jonathan Drews)
Date: Tue, 29 Jun 2021 14:05:48 -0600
Subject: [Semibug] Pledge and Jitsi on OpenBSD

On Tue, Jun 29, 2021 at 12:54:00PM -0600, Jonathan Drews wrote:
> Guys and Gals:
>
> I have run into a big difficulty with using Jitsi on OpenBSD. When I
> attempt to share my desktop through Jitsi, then Firefox crashes. I get
> the following report in my dmesg output:
>
> firefox[17370]: pledge "", syscall 289

I have come up with a solution to this problem. I will email the Libreoffice *.odp presentation to the attendees before the Jitsi meeting. Late comers can fetch a copy off the Semi-BUG website. Jitsi's desktop sharing is less than optimal.

Kind regards,
Jonathan

From jondrews at fastmail.com Tue Jun 29 16:24:53 2021
From: jondrews at fastmail.com (Jonathan Drews)
Date: Tue, 29 Jun 2021 14:24:53 -0600
Subject: [Semibug] Good Tutorial on using Libreoffice *.odp

This is a good tutorial on how to use Libreoffice Impress (*.odp)

https://thefrugalcomputerguy.com/seriespg.php?ser=19

The Frugal Computer Guy website.

--
Kind regards,
Jonathan
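Returning to the pledge(2) message Jonathan quoted in the "Pledge and Jitsi on OpenBSD" thread (`firefox[17370]: pledge "", syscall 289`): the kernel logs one such line each time it kills a pledged process for a syscall its promises do not allow. The promise printed in quotes is the first promise that would have permitted the call; an empty string, as in the firefox line, means no pledge promise covers that syscall at all, so adding promises cannot fix it and the code path itself has to change. The script below is an added example, not code from the thread or from OpenBSD; it assumes only the message format visible above, and both the log lines (beyond the one quoted) and the `sys/syscall.h` excerpt are constructed here for illustration. It parses a dmesg/syslog stream, resolves syscall numbers against a copy of the header, and counts which programs are tripping pledge.

```python
"""Triage pledge(2) violation messages from an OpenBSD dmesg/syslog stream.

Added example (not from the Semibug thread). It assumes only the message
format visible in the thread: '<program>[<pid>]: pledge "<promise>", syscall <n>'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Format as it appears in the thread; a syslog/dmesg prefix before the
# program name is tolerated because we use re.search, not re.match.
PLEDGE_RE = re.compile(
    r'(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: pledge "(?P<promise>[^"]*)", syscall (?P<nr>\d+)'
)


@dataclass(frozen=True)
class PledgeViolation:
    program: str
    pid: int
    promise: str   # promise that would have permitted the call; "" if none
    syscall: int

    @property
    def covered_by_promise(self) -> bool:
        """False when the promise is empty: no pledge(2) promise allows this
        syscall, so re-pledging with a broader set cannot help."""
        return self.promise != ""


def parse_pledge_line(line: str) -> Optional[PledgeViolation]:
    """Return the violation in one log line, or None if the line is not one."""
    m = PLEDGE_RE.search(line)
    if m is None:
        return None
    return PledgeViolation(m["prog"], int(m["pid"]), m["promise"], int(m["nr"]))


def parse_syscall_header(text: str) -> Dict[int, str]:
    """Map syscall numbers to names from the text of /usr/include/sys/syscall.h
    (lines like '#define SYS_read 3'). Numbers are release-specific, so use the
    header of the kernel that logged the message, not some other box's copy."""
    table: Dict[int, str] = {}
    for m in re.finditer(r'^#define\s+SYS_(\w+)\s+(\d+)\s*$', text, re.MULTILINE):
        table[int(m.group(2))] = m.group(1)
    return table


def triage(lines: Iterable[str], syscalls: Dict[int, str]) -> List[dict]:
    """One triage record per violation, with the syscall name resolved where
    the header knows it (None otherwise, never a guess)."""
    records = []
    for line in lines:
        v = parse_pledge_line(line)
        if v is None:
            continue
        records.append({
            "program": v.program,
            "pid": v.pid,
            "syscall": v.syscall,
            "syscall_name": syscalls.get(v.syscall),
            "promise": v.promise,
            "covered_by_promise": v.covered_by_promise,
        })
    return records


def violations_per_program(lines: Iterable[str]) -> Counter:
    """Count violations by program: which binaries keep tripping pledge(2)."""
    c: Counter = Counter()
    for line in lines:
        v = parse_pledge_line(line)
        if v is not None:
            c[v.program] += 1
    return c


# Constructed sample input. The first line is the one quoted in the thread;
# the rest are made up here to show the non-empty-promise case, a syslog
# prefix, and an unrelated line that must be ignored.
SAMPLE_LOG = [
    'firefox[17370]: pledge "", syscall 289',
    'Jun 29 12:40:17 laptop /bsd: testprog[4242]: pledge "rpath", syscall 5',
    'Jun 29 12:40:18 laptop /bsd: firefox[17370]: pledge "", syscall 289',
    'Jun 29 12:41:00 laptop sshd[911]: Accepted publickey for jon from 192.0.2.10',
]

# Constructed excerpt in the shape of sys/syscall.h. It deliberately omits
# 289 so that number resolves to None rather than to an invented name.
SAMPLE_SYSCALL_H = """\
#define SYS_exit 1
#define SYS_fork 2
#define SYS_read 3
#define SYS_write 4
#define SYS_open 5
"""

if __name__ == "__main__":
    table = parse_syscall_header(SAMPLE_SYSCALL_H)
    for rec in triage(SAMPLE_LOG, table):
        print(rec)
    print(violations_per_program(SAMPLE_LOG))
```

On a real system feed it `dmesg` or `/var/log/messages` and the local `/usr/include/sys/syscall.h`; the record for the firefox line comes back with `covered_by_promise` False, which is the quick way to tell "this needs a promise added" apart from "this syscall is simply not pledgeable".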