From george at ceetonetechnology.com Mon Apr 6 11:22:13 2015
From: george at ceetonetechnology.com (George Rosamond)
Date: Mon, 06 Apr 2015 11:22:13 -0400
Subject: [talk] NYC*BUG: April 8 Christos Z on Blacklistd
Message-ID: <5522A4A5.3070103@ceetonetechnology.com>

Lots of upcoming meetings planned and set.

Blacklistd, Christos Zoulas
18:45, Stone Creek Bar & Lounge
140 E 27th St

Abstract

Today's systems expose multiple network daemons and are constantly attacked by a fleet of zombie bots or determined attackers. Scanning logs to determine if an attack is in place in order to modify a firewall to block an attack is an ad-hoc, inelegant solution. Blacklistd is a daemon and a library interface that attempts to correct this problem.

Speaker Bio

Christos' first experience with Unix was in 1983 while studying at Cornell. He currently maintains a few Unix programs (file, tcsh, libedit, rdist6) and he contributes to many others. He is a board member of the NetBSD Foundation and a recipient of the Usenix Lifetime Achievement Award for contributions to the Unix operating system. His day job is in Finance.

*****

Other Upcoming

May 6 - Bitrig, John C Vernaleo
June 3 - FreeBSD's NUMA, John Baldwin
BSDCan, June 12-13, Ottawa, Canada
July 1 - Staying in sync with the Precision Time Protocol, Steven Kreuzer
Aug 5 - What's New with OpenBSD, Brian Callahan

From george at ceetonetechnology.com Mon Apr 6 11:28:54 2015
From: george at ceetonetechnology.com (George Rosamond)
Date: Mon, 06 Apr 2015 11:28:54 -0400
Subject: [talk] Ingo's mandoc meeting
Message-ID: <5522A636.40200@ceetonetechnology.com>

We are really fortunate to have OpenBSD developer Ingo Schwarze coming through NYC for a couple of days in June, and he's going to speak about mandoc.

We will probably have two nights with him. June 18, the Thursday, will be his meeting, and Friday, the 19th, will be a loose social event.

However, we need a good meeting space for the June 18 meeting.
Our current location, Stone Creek, is booked. If you have any ideas/leads let admin@ know. Ideally the space does NOT require RSVPs.

g

From george at ceetonetechnology.com Tue Apr 7 11:51:28 2015
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 07 Apr 2015 11:51:28 -0400
Subject: [talk] OPNsense Added to NYC*BUG Mirrors
Message-ID: <5523FD00.2020504@ceetonetechnology.com>

The New York City *BSD User Group (NYC*BUG) is proud to announce mirror hosting for the OPNsense project. NYC*BUG is the first community hosted mirror for OPNsense.

NYC*BUG maintains a mirror for a variety of BSD-related projects at http://mirrors.nycbug.org.

From mark.saad at ymail.com Wed Apr 8 10:54:01 2015
From: mark.saad at ymail.com (Mark Saad)
Date: Wed, 08 Apr 2015 10:54:01 -0400
Subject: [talk] Need ideas for a replacement SAS controller
Message-ID: <55254109.7000203@ymail.com>

Hi Talk
  I am looking for a SAS RAID card to swap in, in place of a dead Areca ARC-1680IX-24 PCIe x8 SAS RAID card. The issue here is this card is attached to 20 disks in a 4U Supermicro chassis. I want to switch to an LSI MegaRAID but I can't find any with 20 ports. The closest I found was this gem, LSI MegaRAID SAS 9280-16i4e. It has 16 internal ports and 4 external. Anyone have any recommendations? This is for a FreeBSD 10.1 ZFS box. I don't need RAID, just SAS to drive the 3G SAS disks.

-- 
Mark Saad | msaad at ymail.com

From george at ceetonetechnology.com Wed Apr 8 14:30:22 2015
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 08 Apr 2015 14:30:22 -0400
Subject: [talk] NYC*BUG Tonight: Christos Z on Blacklistd
Message-ID: <552573BE.4040306@ceetonetechnology.com>

Wednesday, April 8

Blacklistd, Christos Zoulas
18:45, Stone Creek Bar & Lounge backroom: 140 E 27th St

Abstract

Today's systems expose multiple network daemons and are constantly attacked by a fleet of zombie bots or determined attackers.
Scanning logs to determine if an attack is in place in order to modify a firewall to block an attack is an ad-hoc, inelegant solution. Blacklistd is a daemon and a library interface that attempts to correct this problem.

Speaker Bio

Christos' first experience with Unix was in 1983 while studying at Cornell. He currently maintains a few Unix programs (file, tcsh, libedit, rdist6) and he contributes to many others. He is a board member of the NetBSD Foundation and a recipient of the Usenix Lifetime Achievement Award for contributions to the Unix operating system. His day job is in Finance.

From mspitzer at gmail.com Fri Apr 10 17:50:09 2015
From: mspitzer at gmail.com (Marc Spitzer)
Date: Fri, 10 Apr 2015 17:50:09 -0400
Subject: [talk] very handy gmake trick
Message-ID:

the core is:

If you're using GNU make and you need help debugging a makefile then there's a single line you should add. And it's so useful that you should add it to every makefile you create. It's:

    print-%: ; @echo $*=$($*)

It allows you to quickly get the value of any makefile variable. For example, suppose you want to know the value of a variable called SOURCE_FILES. You'd just type:

    make print-SOURCE_FILES

If you are using GNU make 3.82 or above it's not even necessary to modify the makefile itself. Just do

    make --eval='print-%: ; @echo $*=$($*)' print-SOURCE_FILES

to get the value of SOURCE_FILES. It 'adds' the line above to the makefile by evaluating it. (Single quotes matter here: inside double quotes the shell would expand $* and $($*) itself before make ever saw them.) The --eval parameter is a handy way of adding to an existing makefile without modifying it.

And a bit more at the below link

http://blog.jgc.org/2015/04/the-one-line-you-should-add-to-every.html

File under stupid, but handy, unix tricks

Marc

-- 
Freedom is nothing but a chance to be better. --Albert Camus
The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries. -- Winston Churchill
Do the arithmetic or be doomed to talk nonsense.
--John McCarthy

From george at ceetonetechnology.com Sat Apr 11 20:42:15 2015
From: george at ceetonetechnology.com (George Rosamond)
Date: Sat, 11 Apr 2015 20:42:15 -0400
Subject: [talk] blacklistd slides
Message-ID: <5529BF67.20901@ceetonetechnology.com>

Posted:

http://www.nycbug.org/index.cgi?action=event&do=view&id=10358

IMHO, more people should be playing with it...

g

From jpb at jimby.name Sun Apr 12 13:58:57 2015
From: jpb at jimby.name (Jim B.)
Date: Sun, 12 Apr 2015 13:58:57 -0400
Subject: [talk] USB Wireless Recommendations
In-Reply-To: <20150322021911.GB85280@jimby.name>
References: <20150322021911.GB85280@jimby.name>
Message-ID: <20150412175857.GB47407@jimby.name>

* Jim B. [2015-03-21 22:20]:
> 
> Hello gang,
> 
> I'm looking for recommendations for reliable USB wireless
> adapters that work with FreeBSD. I've bought several
> that don't work (apparently no driver support) and before
> I shell out more cash I figured someone on this list
> will know.
> 
> 
> Any advice much appreciated!
> 
> Jim B.
> 

So, I ended up searching for the specific chipset (RT5370) that is known to work with FreeBSD. Amazon URL for this item was
http://www.amazon.com/gp/product/B00ABD4AXO/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1

Dru and I both placed orders at the same time for the same item.

Hers arrived first, and didn't work.

Mine arrived and did work. The packaging was very, very similar, but when I closely examined the back of the package for both they were different.

One specifically says "Chipset Ralink", the other does not.

See the attached image. Since mine did work and I need more of them, I placed another order for a larger quantity and sent a note to the seller (JM Electronics) stating that I needed the "Chipset Ralink" version. I also included the same image.

We will see what happens. Hope they follow my request.

Cheers,
Jim B.
[Attachment scrubbed from the archive: AmazonOrder2.png, image/png, 188800 bytes]

From jpb at jimby.name Sun Apr 12 14:42:23 2015
From: jpb at jimby.name (Jim B.)
Date: Sun, 12 Apr 2015 14:42:23 -0400
Subject: [talk] USB Wireless Recommendations
In-Reply-To: <20150412175857.GB47407@jimby.name>
References: <20150322021911.GB85280@jimby.name> <20150412175857.GB47407@jimby.name>
Message-ID: <20150412184223.GA47536@jimby.name>

* Jim B. [2015-04-12 13:59]:
> * Jim B. [2015-03-21 22:20]:
> > 
> > Hello gang,
> > 
> > I'm looking for recommendations for reliable USB wireless
> > adapters that work with FreeBSD. I've bought several
> > that don't work (apparently no driver support) and before
> > I shell out more cash I figured someone on this list
> > will know.
> > 
> > 
> > Any advice much appreciated!
> > 
> > Jim B.
> > 
> 
> 
> So, I ended up searching for the specific chipset (RT5370) that
> is known to work with FreeBSD. Amazon URL for this item was
> http://www.amazon.com/gp/product/B00ABD4AXO/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1
> 
> Dru and I both placed orders at the same time for the same item.
> 
> Hers arrived first, and didn't work.
> 
> Mine arrived and did work. The packaging was very, very similar, but
> when I closely examined the back of the package for both they were different.
> 
> One specifically says "Chipset Ralink", the other does not.
> 
> See the attached image. Since mine did work and I need more of them,
> I placed another order for a larger quantity and sent a note to the
> seller (JM Electronics) stating that I needed the "Chipset Ralink"
> version. I also included the same image.
> 
> We will see what happens. Hope they follow my request.
> 
> 
> Cheers,
> Jim B.
> 

In case anyone is interested, here are the usbconfig dumps for both:

This one does not work:

[jpb at pcbsd-6404 ~]$ usbconfig -u 0 -a 2 dump_device_desc
ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (160mA)

  bLength = 0x0012
  bDescriptorType = 0x0001
  bcdUSB = 0x0201
  bDeviceClass = 0x0000
  bDeviceSubClass = 0x0000
  bDeviceProtocol = 0x0000
  bMaxPacketSize0 = 0x0040
  idVendor = 0x148f
  idProduct = 0x7601
  bcdDevice = 0x0000
  iManufacturer = 0x0001
  iProduct = 0x0002
  iSerialNumber = 0x0003
  bNumConfigurations = 0x0001

This one does work:

[jpb at pcbsd-6404 ~]$ usbconfig -u 0 -a 2 dump_device_desc
ugen0.2: <802.11 n WLAN Ralink> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (450mA)

  bLength = 0x0012
  bDescriptorType = 0x0001
  bcdUSB = 0x0200
  bDeviceClass = 0x0000
  bDeviceSubClass = 0x0000
  bDeviceProtocol = 0x0000
  bMaxPacketSize0 = 0x0040
  idVendor = 0x148f
  idProduct = 0x5370
  bcdDevice = 0x0101
  iManufacturer = 0x0001
  iProduct = 0x0002 <802.11 n WLAN>
  iSerialNumber = 0x0003 <1.0>
  bNumConfigurations = 0x0001

$ uname -a
FreeBSD pcbsd-6404 10.1-RELEASE-p17 FreeBSD 10.1-RELEASE-p17 #0: Wed Feb 25 19:37:57 UTC 2015 root at amd64-builder.pcbsd.org:/usr/obj/usr/src/sys/GENERIC amd64

Cheers,
Jim B.

From scottro at nyc.rr.com Sun Apr 12 16:28:35 2015
From: scottro at nyc.rr.com (Scott Robbins)
Date: Sun, 12 Apr 2015 16:28:35 -0400
Subject: [talk] USB Wireless Recommendations
In-Reply-To: <20150412184223.GA47536@jimby.name>
References: <20150322021911.GB85280@jimby.name> <20150412175857.GB47407@jimby.name> <20150412184223.GA47536@jimby.name>
Message-ID: <20150412202835.GA30417@scott1.scottro.net>

On Sun, Apr 12, 2015 at 02:42:23PM -0400, Jim B. wrote:
> * Jim B. [2015-04-12 13:59]:
> > * Jim B. [2015-03-21 22:20]:
> > > 
> > > Hello gang,
> > > 
> > > I'm looking for recommendations for reliable USB wireless
> > > adapters that work with FreeBSD.
> > > I've bought several
> > > that don't work (apparently no driver support) and before
> > > I shell out more cash I figured someone on this list
> > > will know.

http://www.newegg.com/Product/Product.aspx?Item=N82E16833315091

works perfectly for me on FreeBSD-10.1, but doesn't work with FreeBSD-9.x. The one caveat is that I have to add a line accepting the license to /boot/loader.conf

legal.realtek.license_ack=1

-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

From scottro at nyc.rr.com Sun Apr 12 16:55:57 2015
From: scottro at nyc.rr.com (Scott Robbins)
Date: Sun, 12 Apr 2015 16:55:57 -0400
Subject: [talk] USB Wireless Recommendations
In-Reply-To: <20150412202835.GA30417@scott1.scottro.net>
References: <20150322021911.GB85280@jimby.name> <20150412175857.GB47407@jimby.name> <20150412184223.GA47536@jimby.name> <20150412202835.GA30417@scott1.scottro.net>
Message-ID: <20150412205557.GA6519@scott1.scottro.net>

On Sun, Apr 12, 2015 at 04:28:35PM -0400, Scott Robbins wrote:
> On Sun, Apr 12, 2015 at 02:42:23PM -0400, Jim B. wrote:
> > * Jim B. [2015-04-12 13:59]:
> > > * Jim B. [2015-03-21 22:20]:
> > > > 
> > > > Hello gang,
> > > > 
> > > > I'm looking for recommendations for reliable USB wireless
> > > > adapters that work with FreeBSD. I've bought several
> > > > that don't work (apparently no driver support) and before
> > > > I shell out more cash I figured someone on this list
> > > > will know.
> 
> http://www.newegg.com/Product/Product.aspx?Item=N82E16833315091
> works perfectly for me on FreeBSD-10.1, but doesn't work with FreeBSD-9.x.
> The one caveat is that I have to add a line accepting the license to
> /boot/loader.conf
> 
> legal.realtek.license_ack=1

And I see I gave that info back in March...sorry.
-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

From george at ceetonetechnology.com Sun Apr 12 18:32:51 2015
From: george at ceetonetechnology.com (George Rosamond)
Date: Sun, 12 Apr 2015 18:32:51 -0400
Subject: [talk] USB Wireless Recommendations
In-Reply-To: <20150412184223.GA47536@jimby.name>
References: <20150322021911.GB85280@jimby.name> <20150412175857.GB47407@jimby.name> <20150412184223.GA47536@jimby.name>
Message-ID: <552AF293.7020802@ceetonetechnology.com>

Jim B.:
> * Jim B. [2015-04-12 13:59]:
>> * Jim B. [2015-03-21 22:20]:
>>>
>>> Hello gang,
>>>
>>> I'm looking for recommendations for reliable USB wireless
>>> adapters that work with FreeBSD. I've bought several
>>> that don't work (apparently no driver support) and before
>>> I shell out more cash I figured someone on this list
>>> will know.
>>>
>>>
>>> Any advice much appreciated!
>>>
>>> Jim B.
>>>
>>
>>
>> So, I ended up searching for the specific chipset (RT5370) that
>> is known to work with FreeBSD. Amazon URL for this item was
>> http://www.amazon.com/gp/product/B00ABD4AXO/ref=oh_aui_detailpage_o01_s00?ie=UTF8&psc=1
>>
>> Dru and I both placed orders at the same time for the same item.
>>
>> Hers arrived first, and didn't work.
>>
>> Mine arrived and did work. The packaging was very, very similar, but
>> when I closely examined the back of the package for both they were different.
>>
>> One specifically says "Chipset Ralink", the other does not.
>>
>> See the attached image. Since mine did work and I need more of them,
>> I placed another order for a larger quantity and sent a note to the
>> seller (JM Electronics) stating that I needed the "Chipset Ralink"
>> version. I also included the same image.
>>
>> We will see what happens. Hope they follow my request.
>>
>>
>> Cheers,
>> Jim B.
>>
>
>
> In case anyone is interested, here are the usbconfig dumps for both:
>
> This one does not work:
>
>
> [jpb at pcbsd-6404 ~]$ usbconfig -u 0 -a 2 dump_device_desc
> ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (160mA)
>
>   bLength = 0x0012
>   bDescriptorType = 0x0001
>   bcdUSB = 0x0201
>   bDeviceClass = 0x0000
>   bDeviceSubClass = 0x0000
>   bDeviceProtocol = 0x0000
>   bMaxPacketSize0 = 0x0040
>   idVendor = 0x148f
>   idProduct = 0x7601
>   bcdDevice = 0x0000
>   iManufacturer = 0x0001
>   iProduct = 0x0002
>   iSerialNumber = 0x0003
>   bNumConfigurations = 0x0001
>
>
> This one does work:
>
>
> [jpb at pcbsd-6404 ~]$ usbconfig -u 0 -a 2 dump_device_desc
> ugen0.2: <802.11 n WLAN Ralink> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (450mA)
>
>   bLength = 0x0012
>   bDescriptorType = 0x0001
>   bcdUSB = 0x0200
>   bDeviceClass = 0x0000
>   bDeviceSubClass = 0x0000
>   bDeviceProtocol = 0x0000
>   bMaxPacketSize0 = 0x0040
>   idVendor = 0x148f
>   idProduct = 0x5370
>   bcdDevice = 0x0101
>   iManufacturer = 0x0001
>   iProduct = 0x0002 <802.11 n WLAN>
>   iSerialNumber = 0x0003 <1.0>
>   bNumConfigurations = 0x0001
>
>
> $ uname -a
> FreeBSD pcbsd-6404 10.1-RELEASE-p17 FreeBSD 10.1-RELEASE-p17 #0: Wed Feb 25 19:37:57 UTC 2015 root at amd64-builder.pcbsd.org:/usr/obj/usr/src/sys/GENERIC amd64

So it said "Ralink" and the vendor ids are both 0x148f... which comes up as Plant Equipment, which I assume is a subcon manufacturer for Ralink?

But again, same vendor ID...

If I see you in June, I'll bring you a run(4) or two... it's the Tenda w311m1 with rt5390.

g

From jpb at jimby.name Mon Apr 13 06:59:50 2015
From: jpb at jimby.name (Jim B.)
Date: Mon, 13 Apr 2015 06:59:50 -0400
Subject: [talk] USB Wireless Recommendations
In-Reply-To: <552AF293.7020802@ceetonetechnology.com>
References: <20150322021911.GB85280@jimby.name> <20150412175857.GB47407@jimby.name> <20150412184223.GA47536@jimby.name> <552AF293.7020802@ceetonetechnology.com>
Message-ID: <20150413105950.GA49558@jimby.name>

* George Rosamond [2015-04-12 18:34]:
> Jim B.:
> > * Jim B. [2015-04-12 13:59]:
> >> * Jim B. [2015-03-21 22:20]:
> >>>
> > [jpb at pcbsd-6404 ~]$ usbconfig -u 0 -a 2 dump_device_desc
> > ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (160mA)
> > 
> >   bLength = 0x0012
> >   bDescriptorType = 0x0001
> >   bcdUSB = 0x0201
> >   bDeviceClass = 0x0000
> >   bDeviceSubClass = 0x0000
> >   bDeviceProtocol = 0x0000
> >   bMaxPacketSize0 = 0x0040
> >   idVendor = 0x148f
> >   idProduct = 0x7601
> >   bcdDevice = 0x0000
> >   iManufacturer = 0x0001
> >   iProduct = 0x0002
> >   iSerialNumber = 0x0003
> >   bNumConfigurations = 0x0001
> > 
> > 
> 
> So it said "Ralink" and the vendor ids are both 0x148f... which comes up
> as Plant Equipment, which I assume is a subcon manufacturer for Ralink?
> 
> But again, same vendor ID...

So I looked it up on linux-usb.org and while the idVendor is Ralink, the idProduct field comes up as MT7601U, which is apparently a Mediatek chipset.

Still could not get it to work.

> 
> If I see you in June, I'll bring you a run(4) or two... it's the Tenda
> w311m1 with rt5390.

awesome! looking forward to seeing you.

> 
> g
> 
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk

From mcevoy.pat at gmail.com Mon Apr 13 08:35:51 2015
From: mcevoy.pat at gmail.com (Patrick McEvoy)
Date: Mon, 13 Apr 2015 08:35:51 -0400
Subject: [talk] blacklistd
Message-ID: <552BB827.3020506@gmail.com>

Hey Folks,
Blacklistd video posted. Enjoy.
P

https://youtu.be/0UKCAsezF3Q

From george at ceetonetechnology.com Mon Apr 13 09:17:14 2015
From: george at ceetonetechnology.com (George Rosamond)
Date: Mon, 13 Apr 2015 09:17:14 -0400
Subject: [talk] USB Wireless Recommendations
In-Reply-To: <20150413105950.GA49558@jimby.name>
References: <20150322021911.GB85280@jimby.name> <20150412175857.GB47407@jimby.name> <20150412184223.GA47536@jimby.name> <552AF293.7020802@ceetonetechnology.com> <20150413105950.GA49558@jimby.name>
Message-ID: <552BC1DA.9080905@ceetonetechnology.com>

Jim B.:
> * George Rosamond [2015-04-12 18:34]:
>> Jim B.:
>>> * Jim B. [2015-04-12 13:59]:
>>>> * Jim B. [2015-03-21 22:20]:
>>>>>
>
>
>>> [jpb at pcbsd-6404 ~]$ usbconfig -u 0 -a 2 dump_device_desc
>>> ugen0.2: at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (160mA)
>>>
>>>   bLength = 0x0012
>>>   bDescriptorType = 0x0001
>>>   bcdUSB = 0x0201
>>>   bDeviceClass = 0x0000
>>>   bDeviceSubClass = 0x0000
>>>   bDeviceProtocol = 0x0000
>>>   bMaxPacketSize0 = 0x0040
>>>   idVendor = 0x148f
>>>   idProduct = 0x7601
>>>   bcdDevice = 0x0000
>>>   iManufacturer = 0x0001
>>>   iProduct = 0x0002
>>>   iSerialNumber = 0x0003
>>>   bNumConfigurations = 0x0001
>>>
>>>
>
>
>>
>> So it said "Ralink" and the vendor ids are both 0x148f... which comes up
>> as Plant Equipment, which I assume is a subcon manufacturer for Ralink?
>>
>> But again, same vendor ID...
>
> So I looked it up on linux-usb.org and while the idVendor is
> Ralink, the idProduct field comes up as MT7601U, which is
> apparently a Mediatek chipset.
>
> Still could not get it to work.
>
>>
>> If I see you in June, I'll bring you a run(4) or two... it's the Tenda
>> w311m1 with rt5390.
>
> awesome! looking forward to seeing you.

FWIW, I'm using run(4) on OpenBSD, not FreeBSD, but it appeared to be fine on FreeBSD. If there are other decent ones without firmware, I'd be interested to know about it.
I do have one labeled "802.11n" with this output:

<802.11n NIC Realtek> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (500mA)

Doesn't come up in either OpenBSD or FreeBSD... but it looks like an RTL8188-

g

From george at ceetonetechnology.com Thu Apr 16 09:25:34 2015
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 16 Apr 2015 09:25:34 -0400
Subject: [talk] NYC*BUG Announcements
Message-ID: <552FB84E.1010004@ceetonetechnology.com>

A few things to note.

First, NYC*BUG hosts a lot of resources for the broader *BSD community, but we tend to not publicize it widely.

A few days ago, we set up a mailing list for a new BUG in Poland. It's the "Subcarpathian BSD Users Group" (Podkarpacka grupa użytkowników BSD) based in southeast Poland.

http://lists.nycbug.org/mailman/listinfo/sbug

****

We have a great list of upcoming meetings set for the next few months.

May 6 - "Bitrig" John C. Vernaleo
June 3 - "FreeBSD's NUMA" John Baldwin
->June 12-13, BSDCan, Ottawa, Canada
June 18 - "mandoc: from scratch to the standard BSD documentation toolkit in 6 years" Ingo Schwarze
June 19 - social event with Ingo (location TBA)
July 1 - "Staying in sync with the Precision Time Protocol" Steven Kreuzer
August 5 - "What's New with OpenBSD" Brian Callahan
->October 1-2, EuroBSDCon, Stockholm, Sweden

Rumor has it, another vBSDCon is being planned for the fall in Virginia.

****

All the NYC*BUG meetings are at Stone Creek, except for the special June 18th meeting with Ingo Schwarze on mandoc. Let us know if you have any good leads. A place without RSVPs and with food/drinks is ideal.

The September meeting is looking like it will feature a veteran of the Bell Labs/Bellcore days, whose work continued into Plan 9. It's a meeting we're extremely excited for. NYC*BUG has always emphasized the larger Unix thread that we see the *BSDs as a fundamental part of.

****

The video for Christos' Blacklistd meeting is posted at https://youtu.be/0UKCAsezF3Q. Huge thanks Patrick M.
From pete at nomadlogic.org Fri Apr 17 12:41:30 2015
From: pete at nomadlogic.org (Pete Wright)
Date: Fri, 17 Apr 2015 09:41:30 -0700
Subject: [talk] NYC*BUG Announcements
In-Reply-To: <552FB84E.1010004@ceetonetechnology.com>
References: <552FB84E.1010004@ceetonetechnology.com>
Message-ID: <553137BA.8050409@nomadlogic.org>

On 04/16/15 06:25, George Rosamond wrote:
> 
> June 3 - "FreeBSD's NUMA" John Baldwin
> 

oh shit this is huge! i can't wait to watch the video of this talk. do we know if there are any docs available on this topic already? NUMA is something of a black-art on linux so I am keen to see where FreeBSD is in terms of its implementation...also I have gear to test this on...

cheers,
-pete

-- 
Pete Wright
pete at nomadlogic.org
twitter => @nomadlogicLA

From ike at blackskyresearch.net Sun Apr 19 13:29:53 2015
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Sun, 19 Apr 2015 13:29:53 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
Message-ID: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com>

Hi All,

So I thought folks here may have words on a topic which has hit this list in years past: VPN choices.

Choices are great, but now I'm trying to choose one. :)

Until recently I've been able to escape the complexity altogether, but now I have need to roll out and manage roving VPN connectivity, and I'm in a quandary with which tech to start with- and would love to hear any experiences or tid-bits on each.

THE CHOICES, AS I SEE IT
--

PPTP - off the table, deader than dead.

L2TP/IPsec - Contender
+ easy/reliable cert-based client integration (mostly Macs for my world)
+ well worn (many platforms, many years now)
- IPsec traffic hassles from clients in restrictive/unreliable networks
- These days I shy away from the muddled state of IPsec (1)
- Troubleshooting issues: difficult, complex and opaque in tooling.
OpenVPN - Contender
+ Robust reliability on restrictive/unreliable networks
+ Clear cert-based client integration on many platforms
- Needs third party software for most user applications
- less well worn (some sharp edges here and there for users)
+ and -, SSL based crypto transport - OpenSSL base, (2)

ENDLESS QUESTIONS
---

What's it like for users these days?
What's it like for administrators these days?
Multi-factor auth?
Key management?
What networking 'gotchas' are folks dealing with?
Anyone rockin' IPv6 inside/outside their tunnels (I'll be trying...)?
What crypto concerns do folks here have?

Even anecdotes about life with commercial products at either end are informative, although I'm obviously interested in open tech.

Best,
.ike

--
Footnotes:

1) IPsec is awesome, but let's face it, also muddled. It's not unreasonable that some major flaw could be discovered which exposes a fundamental flaw or even intentional backdoor in coming years:
http://www.mail-archive.com/cryptography at metzdowd.com/msg12325.html
For the time being, IPsec holds strong with no known weaknesses- but even the fact that it was backported from IPv6 bits makes it even more complicated to keep track of...

2) LibreSSL, BoringSSL, and good ol' OpenSSL- a discussion deserving its own thread :)
http://www.libressl.org/
http://article.gmane.org/gmane.os.openbsd.tech/37174
https://boringssl.googlesource.com/boringssl/
https://www.openssl.org/

From justin at shiningsilence.com Sun Apr 19 18:14:14 2015
From: justin at shiningsilence.com (Justin Sherrill)
Date: Sun, 19 Apr 2015 18:14:14 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com>
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com>
Message-ID:

On Sun, Apr 19, 2015 at 1:29 PM, Isaac (.ike) Levy wrote:
> THE CHOICES, AS I SEE IT

I have the same dilemma at work; we've used SSTP for some Windows machines, but that's it.
I have used OpenVPN with a Mac client, as a test. The default client isn't something I'd want to give to non-technical users, but I haven't gone past that to any sort of deployment.

So, this isn't a helpful answer; it's a "me too".

From scottro at nyc.rr.com Sun Apr 19 18:51:36 2015
From: scottro at nyc.rr.com (Scott Robbins)
Date: Sun, 19 Apr 2015 18:51:36 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To:
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com>
Message-ID: <20150419225136.GA8977@scott1.scottro.net>

On Sun, Apr 19, 2015 at 06:14:14PM -0400, Justin Sherrill wrote:
> On Sun, Apr 19, 2015 at 1:29 PM, Isaac (.ike) Levy
> wrote:
> > THE CHOICES, AS I SEE IT
> 
> I have the same dilemma at work; we've used SSTP for some Windows
> machines, but that's it. I have used OpenVPN with a Mac client, as a
> test. The default client isn't something I'd want to give to
> non-technical users, but I haven't gone past that to any sort of
> deployment.

We've used openvpn at work. I haven't worked with setting up clients, only co-workers, who are technical. However, I think that it's fairly easy for Windows users as well--I believe there is one central cert, then a key for the individual, then a configuration file. (I'm looking at what I have to connect to our VPN.)
-- 
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

From ike at blackskyresearch.net Sun Apr 19 18:52:36 2015
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Sun, 19 Apr 2015 18:52:36 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To:
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com>
Message-ID: <1429483982-6250594.47700049.ft3JMqaFu017555@rs149.luxsci.com>

On 04/19/15 18:14, Justin Sherrill wrote:
> On Sun, Apr 19, 2015 at 1:29 PM, Isaac (.ike) Levy
> wrote:
>> THE CHOICES, AS I SEE IT
>
> I have the same dilemma at work; we've used SSTP for some Windows
> machines, but that's it. I have used OpenVPN with a Mac client, as a
> test. The default client isn't something I'd want to give to
> non-technical users, but I haven't gone past that to any sort of
> deployment.

Which client exactly are you using on that Mac?

For OpenVPN Mac client use, I was evaluating Viscosity,
https://www.sparklabs.com/viscosity/

Not awful, but I need to try to actually live with it for a bit and see...

>
> So, this isn't a helpful answer; it's a "me too".

Seems like a lot of us are in the same boat, I've had several other off-list replies so far today with people expressing similar needs. Hrmph...

Best,
.ike

From spork at bway.net Sun Apr 19 19:02:13 2015
From: spork at bway.net (Charles Sprickman)
Date: Sun, 19 Apr 2015 19:02:13 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To:
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com>
Message-ID:

On Apr 19, 2015, at 6:14 PM, Justin Sherrill wrote:

> On Sun, Apr 19, 2015 at 1:29 PM, Isaac (.ike) Levy
> wrote:
>> THE CHOICES, AS I SEE IT
>
> I have the same dilemma at work; we've used SSTP for some Windows
> machines, but that's it. I have used OpenVPN with a Mac client, as a
> test.
> The default client isn't something I'd want to give to
> non-technical users, but I haven't gone past that to any sort of
> deployment.
>
> So, this isn't a helpful answer; it's a "me too".

"Me too". :)

I steered away from IPSEC since it seems like something that's very easy for a poorly-managed hotel wifi service or similar to break, but maybe the "L2TP" part does away with that (no GRE needed?).

OpenVPN has mostly served me well - at the very least it's pretty easy to have it listen on TCP 443 and be able to reach it from all but the most draconian public wifi hotspots. And if you're scared of OpenSSL, FreeBSD at least offers the opportunity to use PolarSSL in the port.

The downside is the really big one for the non-tech users or users with their own devices - it's not built-in to anything, so they have to grab a client. I've had little experience on the windows side, but on OS-X, I use Viscosity and Tunnelblick. Viscosity is a paid ($10?) app that's somewhat slick, Tunnelblick is free. Sadly, I find them both equally spotty at times. Both tend to sometimes leave the network config in an odd state after abrupt disconnects, which means your end users need to know when to turn their wifi on/off or plug/unplug their ethernet cable to regain their normal internet connection.

OpenVPN also has that sort of TrueCrypt "who makes this and why?" aspect to it, and I cannot think of a single commercial networking/security firm that includes OpenVPN alongside other VPN options.

On the plus side, if you run pfsense as the server, the certificate management and the openvpn client config exporter are pretty nice. You can fetch a ready-made zip for either tunnelblick or viscosity from the pfsense GUI.
Charles

From christos at zoulas.com Sun Apr 19 19:25:49 2015
From: christos at zoulas.com (Christos Zoulas)
Date: Sun, 19 Apr 2015 19:25:49 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com> from "Isaac (.ike) Levy" (Apr 19, 1:29pm)
Message-ID: <20150419232549.26A7E17FDAA@rebar.astron.com>

On Apr 19, 1:29pm, ike at blackskyresearch.net ("Isaac (.ike) Levy") wrote:
-- Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec

| Hi All,
| 
| So I thought folks here may have words on a topic which has hit this
| list in years past: VPN choices.

I am using L2TP/IPSEC on NetBSD using racoon, xl2tpd from pkgsrc. It works just fine with my mac and iphone. I've put some instructions on how to do it here:

https://wiki.netbsd.org/tutorials/how_to_create_an_l2tp_ipsec_tunnel_between_an_android_or_iphone_or_ios_device_to_netbsd/

christos

From ike at blackskyresearch.net Sun Apr 19 19:33:37 2015
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Sun, 19 Apr 2015 19:33:37 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To:
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com>
Message-ID: <1429486442-241637.80218533.ft3JNXbD4014922@rs149.luxsci.com>

On 04/19/15 19:02, Charles Sprickman wrote:
> On Apr 19, 2015, at 6:14 PM, Justin Sherrill
> wrote:
>
>> On Sun, Apr 19, 2015 at 1:29 PM, Isaac (.ike) Levy
>> wrote:
>>> THE CHOICES, AS I SEE IT
>>
>> I have the same dilemma at work; we've used SSTP for some Windows
>> machines, but that's it. I have used OpenVPN with a Mac client, as
>> a test. The default client isn't something I'd want to give to
>> non-technical users, but I haven't gone past that to any sort of
>> deployment.
>>
>> So, this isn't a helpful answer; it's a "me too".
>
> "Me too". :)

Awwww man...

>
> I steered away from IPSEC since it seems like something that's very
> easy for a poorly-managed hotel wifi service or similar to break, but
> maybe the "L2TP" part does away with that (no GRE needed?).

Well, not really- it basically makes things a bit more complicated even. The L2TP part rides on top of IPSec, so all the IPSec tunnel/connection problems exist, just like they always have. The L2TP part adds another layer of complexity for the actual networking tunnel.

This particular aspect of L2TP makes me want to go toward OpenVPN right out the gate.

>
> OpenVPN has mostly served me well - at the very least it's pretty
> easy to have it listen on TCP 443 and be able to reach it from all
> but the most draconian public wifi hotspots.

Yep, same experience here...

> And if you're scared of
> OpenSSL, FreeBSD at least offers the opportunity to use PolarSSL in
> the port.

Interesting. Is this it: https://tls.mbed.org/ "mbed TLS (formerly known as PolarSSL)"

But my target audience are Macs, so this appears moot. Wah.

> The downside is the really big one for the non-tech users or users
> with their own devices - it's not built-in to anything, so they have
> to grab a client.

Hrm... In practice, since I'll be generating/distributing cert material and configs to load, distributing the software isn't that hard either.

> I've had little experience on the windows side,
> but on OS-X, I use Viscosity and Tunnelblick. Viscosity is a paid
> ($10?) app that's somewhat slick, Tunnelblick is free. Sadly, I find
> them both equally spotty at times.

I find them roughly the same in use experience, do you know any really compelling real-world features that make Viscosity worth the $10?

Since Viscosity requires a licence, that actually adds one more barrier to deploy across my group- one more unique thing to distribute to users...

> Both tend to sometimes leave the
> network config in an odd state after abrupt disconnects, which means
> your end users need to know when to turn their wifi on/off or
> plug/unplug their ethernet cable to regain their normal internet
> connection.

Understood, and in my experience on Macs, the same is true with the L2TP/IPSec setup.

>
> OpenVPN also has that sort of TrueCrypt "who makes this and why?"
> aspect to it, and I cannot think of a single commercial
> networking/security firm that includes OpenVPN alongside other VPN
> options.

Now this topic I'd *love* to hear more about, seeing as this issue really is at the heart of why to use VPNs in the first place... Charles (or all), have you seen any good discussions or analysis of this online, or do you have thoughts on it?

>
> On the plus side, if you run pfsense as the server, the certificate
> management and the openvpn client config exporter are pretty nice.
> You can fetch a ready-made zip for either tunnelblick or viscosity
> from the pfsense GUI.

Yeah- at least one thing has changed for the better in the last decade: automation in config is now the norm, not the exception- across the board.

Best,
.ike

From ike at blackskyresearch.net Sun Apr 19 19:39:50 2015
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Sun, 19 Apr 2015 19:39:50 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <20150419232549.26A7E17FDAA@rebar.astron.com>
References: <20150419232549.26A7E17FDAA@rebar.astron.com>
Message-ID: <1429486803-5385969.97285.ft3JNdojJ018225@rs149.luxsci.com>

On 04/19/15 19:25, Christos Zoulas wrote:
> On Apr 19, 1:29pm, ike at blackskyresearch.net ("Isaac (.ike) Levy") wrote:
> -- Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
>
> | Hi All,
> |
> | So I thought folks here may have words on a topic which has hit this
> | list in years past: VPN choices.
>
> I am using L2TP/IPSEC on NetBSD using racoon, xl2tpd from pkgsrc. It works
> just fine with my mac and iphone.
>
> I've put some instructions on how to do it here:
>
> https://wiki.netbsd.org/tutorials/how_to_create_an_l2tp_ipsec_tunnel_between_an_android_or_iphone_or_ios_device_to_netbsd/

Cool write-up, thanks!

Christos, I don't mean to put you on the spot, but I figure you're a great person to thoughtfully comment on the relative security of IPSec itself these days?

Problems like these worry me,
http://www.mail-archive.com/cryptography at metzdowd.com/msg12325.html

To me, IPSec seems ripe for a very serious design flaw to come to light in coming years- and at the least, all the fuss surrounding it- and its relative complexity- bothers me more.

I'm curious to hear your thoughts here?

Best,
.ike

From mirimir at riseup.net Sun Apr 19 20:15:42 2015
From: mirimir at riseup.net (Mirimir)
Date: Sun, 19 Apr 2015 18:15:42 -0600
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com>
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com>
Message-ID: <5534452E.4070502@riseup.net>

On 04/19/2015 11:29 AM, Isaac (.ike) Levy wrote:
> Hi All,
>
> So I thought folks here may have words on a topic which has hit this
> list in years past: VPN choices.

For roving VPN connectivity, OpenVPN would be easy, and would require less user support than IPSec. Clients are available for all common operating systems, and generally no user customization is needed. For Linux servers, there's a prebuilt Access Server.[0] And there's a server in pfSense that's very easy to set up. The most complicated aspect is user management. Both the OpenVPN Access Server and pfSense server can manage clients locally.
With plain packages, you're on your own.[1]

[0] http://openvpn.net/index.php/access-server/download-openvpn-as-sw.html
[1] http://openvpn.net/index.php/open-source/documentation/howto.html

From christos at zoulas.com Sun Apr 19 20:42:09 2015
From: christos at zoulas.com (Christos Zoulas)
Date: Sun, 19 Apr 2015 20:42:09 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <1429486803-5385969.97285.ft3JNdojJ018225@rs149.luxsci.com> from "Isaac (.ike) Levy" (Apr 19, 7:39pm)
Message-ID: <20150420004209.4D1CE17FDAA@rebar.astron.com>

On Apr 19, 7:39pm, ike at blackskyresearch.net ("Isaac (.ike) Levy") wrote:
-- Subject: Re: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec

| Christos, I don't mean to put you on the spot, but I figure you're a
| great person to thoughtfully comment on the relative security of IPSec
| itself these days?
|
| Problems like these worry me,
| http://www.mail-archive.com/cryptography at metzdowd.com/msg12325.html

I've read this article and I agree with all its points. While I agree, I don't see many alternatives out there -- you mentioned most of them (and nobody has published an exploit that I know of).

| To me, IPSec seems ripe for a very serious design flaw to come to
| light in coming years- and at the least, all the fuss surrounding it-
| and its relative complexity- bothers me more.

What makes things worse is that the "roadwarrior" configuration everyone uses utilizes a common shared secret (which makes things easier to abuse and to break since now you only have to find the username and password) and also needs a wildcard match since we don't know a-priori the address of the client endpoint. This is explained here (ENABLE_WILDCARD_MATCH explanation about shared secret problems):

http://www.daemon-systems.org/man/racoon.conf.5.html

I would not feel comfortable deploying that configuration to customer connections (unless I only had one customer), but this is what I use for home (where I am the only customer). Others don't seem to mind, and sell such tunnels for a few bucks a month... It is the ease of stealing one's credentials from those tunnels that compelled me to deploy my own.

I think that the OpenVPN solution is easier to deploy. I chose to use IPSEC+L2TP mostly because I wanted to have a kernel supported, standards compliant tunnel solution on NetBSD working.

christos

From nikolai at fetissov.org Mon Apr 20 13:49:23 2015
From: nikolai at fetissov.org (Nikolai Fetissov)
Date: Mon, 20 Apr 2015 13:49:23 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com>
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com>
Message-ID: <8CB4103A-827C-4F1E-86BD-8E608711B7EF@fetissov.org>

Ike,

Definitely go with OpenVPN for roaming users. It's just way easier than anything else. Clients for all relevant platforms are free (use tunnelblick on Mac: https://code.google.com/p/tunnelblick/), there's even a free iPhone app. You would need to manage the certs and crls, but that comes required with any of your contenders. OpenVPN at least gives you a nice set of tools to do this with easyrsa. Use default UDP transport. It's way faster than doing the same over TCP.

I have the server side running on open with chroot and privsep, and custom krb5 auth, which I'm too lazy to clean up and submit as a package.

Cheers,
--
Nikolai

> On Apr 19, 2015, at 1:29 PM, Isaac (.ike) Levy wrote:
>
> Hi All,
>
> So I thought folks here may have words on a topic which has hit this
> list in years past: VPN choices.
>
> Choices are great, but now I'm trying to choose one. :)
>
> Until recently I've been able to escape the complexity altogether, but
> now I have need to roll out and manage roving VPN connectivity, and I'm
> in a quandary with which tech to start with- and would love to hear any
> experiences or tid-bits on each.
>
> THE CHOICES, AS I SEE IT
> --
>
> PPTP - off the table, deader than dead.
>
> L2TP/IPsec - Contender
> + easy/reliable cert-based client integration (mostly Macs for my world)
> + well worn (many platforms, many years now)
> - IPsec traffic hassles from clients in restrictive/unreliable networks
> - These days I shy away from the muddled state of IPsec (1)
> - Troubleshooting issues: difficult, complex and opaque in tooling.
>
> OpenVPN - Contender
> + Robust reliability on restrictive/unreliable networks
> + Clear cert-based client integration on many platforms
> - Needs third party software for most user applications
> - less well worn (some sharp edges here and there for users)
> + and -, SSL based crypto transport
> - OpenSSL base, (2)
>
>
> ENDLESS QUESTIONS
> ---
> What's it like for users these days?
> What's it like for administrators these days?
> Multi-factor auth? Key management?
> What networking 'gotchas' are folks dealing with?
> Anyone rockin' IPv6 inside/outside their tunnels (I'll be trying...)?
> What crypto concerns do folks here have?
>
> Even anecdotes about life with commercial products at either end are
> informative, although I'm obviously interested in open tech.
>
> Best,
> .ike
>
>
>
> --
> Footnotes:
> 1) IPsec is awesome, but let's face it, also muddled. It's not
> unreasonable that some major flaw could be discovered which exposes a
> fundamental flaw or even intentional backdoor in coming years:
> http://www.mail-archive.com/cryptography at metzdowd.com/msg12325.html
> For the time being, IPsec holds strong with no known weaknesses- but
> even the fact that it was backported from IPv6 bits makes it even more
> complicated to keep track of...
>
> 2) LibreSSL, BoringSSL, and good ol' OpenSSL- a discussion deserving
> its own thread :)
> http://www.libressl.org/
> http://article.gmane.org/gmane.os.openbsd.tech/37174
> https://boringssl.googlesource.com/boringssl/
> https://www.openssl.org/

From ski at skicentral.tv Mon Apr 20 18:20:00 2015
From: ski at skicentral.tv (Darryl Wisneski)
Date: Mon, 20 Apr 2015 18:20:00 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <1429486442-241637.80218533.ft3JNXbD4014922@rs149.luxsci.com>
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com> <1429486442-241637.80218533.ft3JNXbD4014922@rs149.luxsci.com>
Message-ID: <20150420222000.GJ3453@commwebworks.com>

On Sun, Apr 19, 2015 at 07:33:37PM -0400, Isaac (.ike) Levy wrote:
> On 04/19/15 19:02, Charles Sprickman wrote:
> >
> > OpenVPN has mostly served me well - at the very least it's pretty
> > easy to have it listen on TCP 443 and be able to reach it from all
> > but the most draconian public wifi hotspots.
>
> Yep, same experience here...
>
> But my target audience are Macs, so this appears moot. Wah.
>
> > The downside is the really big one for the non-tech users or users
> > with their own devices - it's not built-in to anything, so they have
> > to grab a client.
>
> Hrm... In practice, since I'll be generating/distributing cert material
> and configs to load, distributing the software isn't that hard either.
>
> > I've had little experience on the windows side,
> > but on OS-X, I use Viscosity and Tunnelblick. Viscosity is a paid
> > ($10?) app that's somewhat slick, Tunnelblick is free. Sadly, I find
> > them both equally spotty at times.
>
> I find them roughly the same in use experience, do you know any really
> compelling real-world features that make Viscosity worth the $10?
>
> Since Viscosity requires a licence, that actually adds one more barrier
> to deploy across my group- one more unique thing to distribute to users...
>
> > Both tend to sometimes leave the
> > network config in an odd state after abrupt disconnects, which means
> > your end users need to know when to turn their wifi on/off or
> > plug/unplug their ethernet cable to regain their normal internet
> > connection.
>
> Understood, and in my experience on Macs, the same is true with the
> L2TP/IPSec setup.

Viscosity worked a lot better than tunnelblick at zero-configuration magic and roadwarrioring; it required a lot less rebooting as viscosity got confused less. Having flat DNS (no private DNS) helped too, and not pushing DNS to the client, but that is really bad for sane security minds. If you can keep the VPN setup to a single tunnel you will have greater stability.

The openvpn windows client worked well enough in the little time devoted to supporting it.

We had a script that bundled the client and cert together and the user could one-time download it.

> >
> >
> > OpenVPN also has that sort of TrueCrypt "who makes this and why?"
> > aspect to it, and I cannot think of a single commercial
> > networking/security firm that includes OpenVPN alongside other VPN
> > options.
>

I considered it to be a feature that ios and android users couldn't get a tun interface easily. It appears that has changed.

-dkw

From ike at blackskyresearch.net Mon Apr 20 20:16:27 2015
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Mon, 20 Apr 2015 20:16:27 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <20150420004209.4D1CE17FDAA@rebar.astron.com>
References: <20150420004209.4D1CE17FDAA@rebar.astron.com>
Message-ID: <1429575422-537109.124287698.ft3L0GSaj003575@rs149.luxsci.com>

Thanks for this thoughtful response Christos,

On 04/19/15 20:42, Christos Zoulas wrote:
> On Apr 19, 7:39pm, ike at blackskyresearch.net ("Isaac (.ike) Levy") wrote:
> -- Subject: Re: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
>
> | Christos, I don't mean to put you on the spot, but I figure you're a
> | great person to thoughtfully comment on the relative security of IPSec
> | itself these days?
> |
> | Problems like these worry me,
> | http://www.mail-archive.com/cryptography at metzdowd.com/msg12325.html
>
> I've read this article and I agree with all its points. While I agree,
> I don't see many alternatives out there -- you mentioned most of them
> (and nobody has published an exploit that I know of).

And we all sigh a big, loud, collective sigh. I think we can pretty much all agree, VPN tech is an area in computing which desperately needs some attention. Scrutiny and thoughtful cleanup to the applied bits, at the very least.

>
> | To me, IPSec seems ripe for a very serious design flaw to come to
> | light in coming years- and at the least, all the fuss surrounding it-
> | and its relative complexity- bothers me more.
>
> What makes things worse is that the "roadwarrior" configuration
> everyone uses utilizes a common shared secret (which makes things
> easier to abuse and to break since now you only have to find the
> username and password) and also needs a wildcard match since we
> don't know a-priori the address of the client endpoint. This is
> explained here

Yep, it bothers me.
Even with a multi-factor auth hw token or something to offset the common shared secret, the bar is still low. (This reminds me of the earliest weaknesses in PPTP years ago- all about weak auth...)

> (ENABLE_WILDCARD_MATCH explanation about shared
> secret problems):
>
> I would not feel comfortable deploying that configuration to customer
> connections (unless I only had one customer), but this is what I use
> for home (where I am the only customer). Others don't seem to mind,
> and sell such tunnels for a few bucks a month... It is the ease of
> stealing one's credentials from those tunnels that compelled me
> to deploy my own.

understood.

>
> I think that the OpenVPN solution is easier to deploy.

Yes indeed, by an order of magnitude in complexity. I just sat and did a side-by-side comparison of OpenVPN and L2TP/IPSec today: L2TP/IPSEC was seriously a great deal more complex, including un-fun gotchas like having to pull a gateway(ish) IP from outside the distributable range. Bits like the shared secret were not very transparent to troubleshoot, (took me some time to figure out I fat fingered a character). I fat-fingered some OpenVPN bits too, and even the log messages made it quick and simple to replace.

The OpenVPN bits were so much simpler in fact, that I went whole hog and had enough time to set up the comparison using signed client certificates- pretty hot IMHO. Even the netblocks and routing were cleaner to sew into a dev network.

> I chose to
> use IPSEC+L2TP mostly because I wanted to have a kernel supported,
> standards compliant tunnel solution on NetBSD working.

Well, so yeah- there's the rub. OpenVPN still bothers me on several levels- from ssl/tls, to the mere fact that the nice GUI clients for users are 3rd party things. Hrmph.

We'll be deciding our path tomorrow, I'll follow up here if any more fun notes come out of it.

Best,
.ike

>
> christos
>

From ike at blackskyresearch.net Mon Apr 20 22:44:24 2015
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Mon, 20 Apr 2015 22:44:24 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <20150420222000.GJ3453@commwebworks.com>
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com> <1429486442-241637.80218533.ft3JNXbD4014922@rs149.luxsci.com> <20150420222000.GJ3453@commwebworks.com>
Message-ID: <1429584302-1543485.21050149.ft3L2iO6X017456@rs149.luxsci.com>

Thanks Darryl,

On 04/20/15 18:20, Darryl Wisneski wrote:
>>
>> Understood, and in my experience on Macs, the same is true with the
>> L2TP/IPSec setup.
>
> Viscosity worked a lot better than tunnelblick at zero-configuration
> magic and roadwarrioring; it required a lot less rebooting as viscosity
> got confused less. Having flat DNS (no private DNS) helped too, and not
> pushing DNS to the client, but that is really bad for sane security minds.
> If you can keep the VPN setup to a single tunnel you will have greater
> stability.
>
> The openvpn windows client worked well enough in the little time devoted
> to supporting it.

That's extremely good info to know, I know this need is inevitable down the road...

>
> We had a script that bundled the client and cert together and the user
> could one-time download it.

Cool- that's roughly how I was hacking around with it today. I'm really impressed how transparent and clear the OpenVPN bits are.

>
>>
>>>
>>> OpenVPN also has that sort of TrueCrypt "who makes this and why?"
>>> aspect to it, and I cannot think of a single commercial
>>> networking/security firm that includes OpenVPN alongside other VPN
>>> options.
>>
> I considered it to be a feature that ios and android users couldn't get
> a tun interface easily. It appears that has changed.

I certainly share your sentiment there.

>
> -dkw

Excellent report and notes, I really appreciate it!

Best,
.ike

From ike at blackskyresearch.net Mon Apr 20 23:41:42 2015
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Mon, 20 Apr 2015 23:41:42 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <8CB4103A-827C-4F1E-86BD-8E608711B7EF@fetissov.org>
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com> <8CB4103A-827C-4F1E-86BD-8E608711B7EF@fetissov.org>
Message-ID: <1429587725-5151396.27767656.ft3L3fgQc008587@rs149.luxsci.com>

On 04/20/15 13:49, Nikolai Fetissov wrote:
> Ike,
>
> Definitely go with OpenVPN for roaming users. It's just way easier
> than anything else. Clients for all relevant platforms are free (use
> tunnelblick on Mac: https://code.google.com/p/tunnelblick/), there's
> even a free iPhone app. You would need to manage the certs and crls,
> but that comes required with any of your contenders. OpenVPN at least
> gives you a nice set of tools to do this with easyrsa. Use default
> UDP transport. It's way faster than doing the same over TCP.

Ah, but one slick trick I learned from a fine Op today: running an additional server on port 443/TCP is extremely useful for the road warrior thing...

But yeah- they reported severe degradation on lousy networks, e.g. may as well be trying to pummel ssh tunnels with less management pain...

>
> I have the server side running on open with chroot and privsep, and
> custom krb5 auth, which I'm too lazy to clean up and submit as a
> package.
>
> Cheers,
> --
> Nikolai

Ha- I'd love to hear your krb notes sometime, (though that begs my next question coming to list)....
Best,
.ike

From ike at blackskyresearch.net Mon Apr 20 23:50:04 2015
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Mon, 20 Apr 2015 23:50:04 -0400
Subject: [talk] [nycbug-talk] Reducing password fatigue on OpenBSD (or any BSD)
In-Reply-To: <20131111183411.GA3643@vm.eradman.com>
References: <20131110014127.GA18293@vm.eradman.com> <20131111183411.GA3643@vm.eradman.com>
Message-ID: <1429588262-2144806.07833206.ft3L3o4T0017441@rs149.luxsci.com>

Raising this thread,

On 11/11/13 13:34, Eric Radman wrote:
> On Mon, Nov 11, 2013 at 12:19:34PM -0500, Raul Cuza wrote:
>> On Sat, Nov 9, 2013 at 8:41 PM, Eric Radman wrote:
>>>
>>> Are there any well-respected practices for keying off of data stored on
>>> a USB stick? How might one collapse two of these steps in a reasonably
>>> secure way?
>>
>> It seems like any automation between the volume decryption and getting
>> s*$+ done would leave you vulnerable in some way. It is not like a
>> unique code can be generated on the output of one step that can be
>> part of the input of the next step.
>
> I agree, but isn't this basically what single sign-on systems do?
>
>> What about something like the Yubi key? It means you have to have a
>> USB port (which you do not seem to be opposed to) and you don't have
>> to type your passphrase(s) over and over. See
>> http://geekyschmidt.com/2010/12/27/yubikey-and-my-desire-to-beat-the-feds-to-hspd12-compliance
>> for a post about it.
>
> Thanks, this is exactly what I was looking for. also suggested
> this on IRC. YubiKey is brilliant because generating one-time keys can
> be used as a replacement for passwords OR as an inexpensive way to set
> up two-factor authentication.
> (http://undeadly.org/cgi?action=article&sid=20130616112437)
>
> Eric

Just started playing with a Yubikey. Didn't really understand the thing at first.

And then it hit me: this is the cheap, easily introspectable, hardware auth token I've been dying for for like a decade...

- No batteries (like RSA keys)
- No special software API (it shows up as a USB keyboard)

I'm not sure I grok the U2F spec versions, but the OTP versions are outright the coolest little thing I've seen in a while...

--

First thought, has anyone done/seen/hacked-up anything to use Yubikeys as a RADIUS auth server? I mean, everything but the keys themselves, would be FOSS... (I'm not talking about their cloud service, I'm talking about using their open libs to hook PAM and make FreeRADIUS run...)

https://developers.yubico.com/yubico-pam/YubiKey_and_FreeRADIUS_via_PAM.html

Has anyone done any of this?

(In light of my post yesterday on VPNs, this Yubikey has me totally captivated.)

Best,
.ike

From sjt.kar at gmail.com Tue Apr 21 00:58:56 2015
From: sjt.kar at gmail.com (Sujit K M)
Date: Tue, 21 Apr 2015 10:28:56 +0530
Subject: [talk] [nycbug-talk] Reducing password fatigue on OpenBSD (or any BSD)
In-Reply-To: <1429588262-2144806.07833206.ft3L3o4T0017441@rs149.luxsci.com>
References: <20131110014127.GA18293@vm.eradman.com> <20131111183411.GA3643@vm.eradman.com> <1429588262-2144806.07833206.ft3L3o4T0017441@rs149.luxsci.com>
Message-ID:

> Just started playing with a Yubikey. Didn't really understand the thing
> at first.

Even simpler
http://docs.oracle.com/cd/E21764_01/apirefs.1111/e13952/taskhelp/security/ConfigureKeystoresAndSSL.html

I had made changes during my professional experience to actually allow only people with enough permissions to make build(java), basically system admins. If a system admin leaves the company, you can revoke the permission.

From spork at bway.net Tue Apr 21 00:59:48 2015
From: spork at bway.net (Charles Sprickman)
Date: Tue, 21 Apr 2015 00:59:48 -0400
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <1429587725-5151396.27767656.ft3L3fgQc008587@rs149.luxsci.com>
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com> <8CB4103A-827C-4F1E-86BD-8E608711B7EF@fetissov.org> <1429587725-5151396.27767656.ft3L3fgQc008587@rs149.luxsci.com>
Message-ID: <6716B602-C6F1-4EFB-80BA-3E80F6B3FAFC@bway.net>

On Apr 20, 2015, at 11:41 PM, Isaac (.ike) Levy wrote:
> On 04/20/15 13:49, Nikolai Fetissov wrote:
>> Ike,
>>
>> Definitely go with OpenVPN for roaming users. It's just way easier
>> than anything else. Clients for all relevant platforms are free (use
>> tunnelblick on Mac: https://code.google.com/p/tunnelblick/), there's
>> even a free iPhone app. You would need to manage the certs and crls,
>> but that comes required with any of your contenders. OpenVPN at least
>> gives you a nice set of tools to do this with easyrsa. Use default
>> UDP transport. It's way faster than doing the same over TCP.
>
> Ah, but one slick trick I learned from a fine Op today: running an
> additional server on port 443/TCP is extremely useful for the road
> warrior thing...
>
> But yeah- they reported severe degradation on lousy networks, e.g. may
> as well be trying to pummel ssh tunnels with less management pain...

I'm late to the "work at starbucks" party (actually here in the hinterlands, it's usually Panera Bread), but recently I've been doing that sort of thing to try to get rid of some of the distractions/boredom of working on the couch. I've been trying to ramp up my wifi knowledge for various projects, and what I'm realizing as I sample various free wifi options is that it's really evolved - a decade ago, I'd be bitching about a whole cafe sharing a measly T1. Now I'm bitching about the latency, jitter and loss on that first hop (wireless).
Fun fact - with the right number of devices with marginal connections, you can render a single AP basically useless. I'm going to blame all the smartphones. Too many people assume wifi is simple or that the laws of physics don't apply because THE INTERNET or something.

Ah, my point, don't necessarily blame the VPN, it's just amplifying the crappiness, which any tunnel will do.

My best free tip is that if your users are cable subscribers and are therefore able to use the Comcast/TWC/Cablevision public APs for free, that's often a great option when the cafe, hotel, or whatever other wifi is acting up - pull up the provider's map, and get near a window facing the closest AP. Those things seem to be uncongested in general. I just did this today - the Panera wifi had an RSSI of -50db, which is great, but meaningless. Packet loss was around 15% and I'm trying to type in iterm+tmux ssh sessions over a TCP openvpn connection - painful. Flipped to a comcast node and it was like I was the only one on it.

C

>>
>> I have the server side running on open with chroot and privsep, and
>> custom krb5 auth, which I'm too lazy to clean up and submit as a
>> package.
>>
>> Cheers,
>> --
>> Nikolai
>
> Ha- I'd love to hear your krb notes sometime, (though that begs my next
> question coming to list)....
>
> Best,
> .ike

From sjt.kar at gmail.com Tue Apr 21 01:48:07 2015
From: sjt.kar at gmail.com (Sujit K M)
Date: Tue, 21 Apr 2015 11:18:07 +0530
Subject: [talk] VPNs: Choosing between OpenVPN and L2TP/IPsec
In-Reply-To: <1429587725-5151396.27767656.ft3L3fgQc008587@rs149.luxsci.com>
References: <1429464602-9478219.6178615.ft3JHTrBG009644@rs149.luxsci.com> <8CB4103A-827C-4F1E-86BD-8E608711B7EF@fetissov.org> <1429587725-5151396.27767656.ft3L3fgQc008587@rs149.luxsci.com>
Message-ID:

Hi Ike

On Tue, Apr 21, 2015 at 9:11 AM, Isaac (.ike) Levy wrote:
> On 04/20/15 13:49, Nikolai Fetissov wrote:
>> Ike,
>>
>> Definitely go with OpenVPN for roaming users. It's just way easier
>> than anything else. Clients for all relevant platforms are free (use
>> tunnelblick on Mac: https://code.google.com/p/tunnelblick/), there's
>> even a free iPhone app. You would need to manage the certs and crls,
>> but that comes required with any of your contenders. OpenVPN at least
>> gives you a nice set of tools to do this with easyrsa. Use default
>> UDP transport. It's way faster than doing the same over TCP.
>
> Ah, but one slick trick I learned from a fine Op today: running an
> additional server on port 443/TCP is extremely useful for the road
> warrior thing...

I find tunnelblick to be very bad in slow networks. Ideally you should have a list of other performance/power/support rather than just specific issues. Might throw up more questions.

--
--
Sujit K M
blog(http://kmsujit.blogspot.com/)

From njt at ayvali.org Tue Apr 21 02:38:52 2015
From: njt at ayvali.org (N.J. Thomas)
Date: Tue, 21 Apr 2015 02:38:52 -0400
Subject: [talk] 2FA on BSD (was Re: Reducing password fatigue on OpenBSD (or any BSD))
In-Reply-To: <1429588262-2144806.07833206.ft3L3o4T0017441@rs149.luxsci.com>
References: <20131110014127.GA18293@vm.eradman.com> <20131111183411.GA3643@vm.eradman.com> <1429588262-2144806.07833206.ft3L3o4T0017441@rs149.luxsci.com>
Message-ID: <20150421063852.GB88836@zaph.org>

* Isaac (.ike) Levy [2015-04-20 23:50:04-0400]:
> Just started playing with a Yubikey. Didn't really understand the
> thing at first.
>
> And then it hit me: this is the cheap, easily introspectable, hardware
> auth token I've been dying for for like a decade...

On a slightly tangential note, I started playing with Google Authenticator recently:

https://github.com/google/google-authenticator/

It's worked very well so far:

- there are iPhone/Android apps for it
- there is a port on FreeBSD to build a PAM module out of the box (security/pam_google_authenticator)
- it only took me a few minutes to get my FreeBSD servers running it (basically building the port and adding a single line to /etc/pam.d/sshd)
- in addition to TOTP (time based one time passwords) it also gives you some single use OTPs (is that redundant?) that you print and put in your wallet or wherever to use if your phone is not available
- it works with LastPass as well

The nice thing about Google Authenticator is that apart from the smartphone app, there is no physical token to carry around. Whether or not that makes it less secure, I'm not entirely sure.

The TOTP Wikipedia page mentions that printed codes and email resets (which LastPass allows) is a weakness which allows for additional exploitable vectors, so be aware of that if you are using it.
Thomas

From sjt.kar at gmail.com Tue Apr 21 07:44:34 2015
From: sjt.kar at gmail.com (Sujit K M)
Date: Tue, 21 Apr 2015 17:14:34 +0530
Subject: [talk] 2FA on BSD (was Re: Reducing password fatigue on OpenBSD (or any BSD))
In-Reply-To: <20150421063852.GB88836@zaph.org>
References: <20131110014127.GA18293@vm.eradman.com> <20131111183411.GA3643@vm.eradman.com> <1429588262-2144806.07833206.ft3L3o4T0017441@rs149.luxsci.com> <20150421063852.GB88836@zaph.org>

> On a slightly tangential note, I started playing with Google
> Authenticator recently:
>
> https://github.com/google/google-authenticator/
>
> It's worked very well so far:

But how does it plug in to other tools? Would it run over SSH and do
authentication on top of it?

From mikel.king at gmail.com Tue Apr 21 09:16:27 2015
From: mikel.king at gmail.com (Mikel King)
Date: Tue, 21 Apr 2015 09:16:27 -0400
Subject: [talk] 2FA on BSD (was Re: Reducing password fatigue on OpenBSD (or any BSD))
References: <20131110014127.GA18293@vm.eradman.com> <20131111183411.GA3643@vm.eradman.com> <1429588262-2144806.07833206.ft3L3o4T0017441@rs149.luxsci.com> <20150421063852.GB88836@zaph.org>

Sujit,

I wrote a how-to about Duo's free solution. They have some really good docs
and support as well. More importantly they have an active app for your
mobile device.

http://jafdip.com/securing-freebsd-2fa-two-factor-authentication/

Cheers,
m

On Tue, Apr 21, 2015 at 7:44 AM, Sujit K M wrote:
> > On a slightly tangential note, I started playing with Google
> > Authenticator recently:
> >
> > https://github.com/google/google-authenticator/
> >
> > It's worked very well so far:
>
> But how does it plug in to other tools? Would it run over SSH and do
> authentication on top of it?
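The verification codes discussed in this thread (Google Authenticator's TOTP codes, the printed single-use backup codes, and the RFC 4226 HOTP tokens that otptool-style setups consume) all rest on the same small algorithm. The following Python is an added example written for this archive, not code from the google-authenticator project, from Duo, or from any poster: it implements HOTP (RFC 4226) and TOTP (RFC 6238), decodes the base32 secret the phone app is given (and re-expresses it in base16, the other common key encoding), and shows the two checks a server-side PAM-style verifier needs, a small clock-skew window with replay rejection and single-use scratch codes. The shared secret is the RFC 6238 test vector; the scratch codes are constructed values.

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) verification with a skew window,
replay protection and single-use backup codes.

Added example for the NYC*BUG 2FA thread, not code from the
google-authenticator project.  The shared secret is the RFC 6238 test
vector ("12345678901234567890"); the scratch codes below are constructed."""
import base64
import hashlib
import hmac
import struct

# The phone app is given the secret as unpadded base32; some OTP tools want
# the same key in base16.  This is the RFC 6238 test secret in base32.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(s: str) -> bytes:
    """Decode an unpadded, possibly space-grouped base32 secret to key bytes."""
    s = s.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def secret_as_hex(s: str) -> str:
    """The same secret re-encoded as base16 for tools that expect hex keys."""
    return decode_base32_secret(s).hex()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' of the MAC, reduced to the requested digit count."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    elapsed since the Unix epoch."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server-side check as a PAM module performs it: accept +/- `window`
    steps of clock skew, compare in constant time, and never accept a time
    step at or below one already used (a captured code cannot be replayed)."""

    def __init__(self, key: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.key, self.window, self.step, self.digits = key, window, step, digits
        self.last_step = -1  # highest time step consumed by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate_step = base + delta
            if candidate_step <= self.last_step:
                continue  # replay of an already spent step
            expected = hotp(self.key, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate_step
                return True
        return False


class ScratchCodes:
    """The printed single-use backup codes: kept only as SHA-256 digests and
    deleted on first successful use, so a leaked list is not reusable."""

    def __init__(self, codes):
        self._digests = [hashlib.sha256(c.encode()).digest() for c in codes]

    def consume(self, code: str) -> bool:
        d = hashlib.sha256(code.encode()).digest()
        for i, stored in enumerate(self._digests):
            if hmac.compare_digest(stored, d):
                del self._digests[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self._digests)


if __name__ == "__main__":
    key = decode_base32_secret(SECRET_B32)
    print("secret as base16:", secret_as_hex(SECRET_B32))
    print("TOTP at t=59:", totp(key, 59))  # RFC 6238 vector: 287082
    v = TotpVerifier(key)
    print("first use accepted:", v.verify(totp(key, 59), 59))
    print("replay rejected:", not v.verify(totp(key, 59), 59))
    backup = ScratchCodes(["12345678", "87654321"])  # constructed codes
    print("scratch code accepted once:", backup.consume("12345678"),
          "then rejected:", not backup.consume("12345678"))
```

The `window` of one step is the usual compromise: a phone a few seconds off still logs in, but the code is only ever good for about 90 seconds and, because `last_step` advances, only once. The scratch codes are hashed rather than stored in the clear for the same reason the thread flags printed codes as a weakness: whoever reads the server-side file should not obtain a working second factor.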
From njt at ayvali.org Tue Apr 21 10:55:29 2015
From: njt at ayvali.org (N.J. Thomas)
Date: Tue, 21 Apr 2015 10:55:29 -0400
Subject: [talk] 2FA on BSD (was Re: Reducing password fatigue on OpenBSD (or any BSD))
References: <20131110014127.GA18293@vm.eradman.com> <20131111183411.GA3643@vm.eradman.com> <1429588262-2144806.07833206.ft3L3o4T0017441@rs149.luxsci.com> <20150421063852.GB88836@zaph.org>
Message-ID: <20150421145529.GB94154@zaph.org>

* Sujit K M [2015-04-21 17:14:34+0530]:
> > On a slightly tangential note, I started playing with Google
> > Authenticator recently:
> >
> > https://github.com/google/google-authenticator/
> >
> > It's worked very well so far:
>
> But how does it plug in to other tools? Would it run over SSH and do
> authentication on top of it?

For ssh, it's a PAM module. If you ssh in using a key, then it's
bypassed. But if you ssh in and a password is needed to authenticate, it
will ask for the verification code on top of that. Observe:

    $ ssh example.org
    Password for user at example.org: [enter password here]
    Verification code: [enter TOTP here]
    Last login: Fri Apr 3 02:12:48 2015 from example.edu
    FreeBSD 10.1-RELEASE-p6 (GENERIC) #0: Tue Feb 24 19:00:21 UTC 2015

    Welcome to FreeBSD!
    [...]

The only difference from a normal ssh session is the addition of that
verification code prompt.

hth,
Thomas

From eksffa at freebsdbrasil.com.br Tue Apr 21 11:18:08 2015
From: eksffa at freebsdbrasil.com.br (Patrick Tracanelli)
Date: Tue, 21 Apr 2015 12:18:08 -0300
Subject: [talk] 2FA on BSD (was Re: Reducing password fatigue on OpenBSD (or any BSD))
In-Reply-To: <20150421063852.GB88836@zaph.org>
References: <20131110014127.GA18293@vm.eradman.com> <20131111183411.GA3643@vm.eradman.com> <1429588262-2144806.07833206.ft3L3o4T0017441@rs149.luxsci.com> <20150421063852.GB88836@zaph.org>
Message-ID: <0F56EE69-3697-4070-8611-E0651567955A@freebsdbrasil.com.br>

> On 21/04/2015, at 03:38, N.J. Thomas wrote:
>
> * Isaac (.ike) Levy [2015-04-20 23:50:04-0400]:
>> Just started playing with a Yubikey. Didn't really understand the
>> thing at first.
>>
>> And then it hit me: this is the cheap, easily introspectable, hardware
>> auth token I've been dying for for like a decade...
>
> On a slightly tangential note, I started playing with Google
> Authenticator recently:
>
> https://github.com/google/google-authenticator/
>
> It's worked very well so far:
>
> - there are iPhone/Android apps for it
>
> - there is a port on FreeBSD to build a PAM module out of the box
> (security/pam_google_authenticator)
>
> - it only took me a few minutes to get my FreeBSD servers running it
> (basically building the port and adding a single line to
> /etc/pam.d/sshd)
>
> - in addition to TOTP (time based one time passwords) it also
> gives you some single use OTPs (is that redundant?) that you print
> and put in your wallet or wherever to use if your phone is not
> available
>
> - it works with LastPass as well
>
> The nice thing about Google Authenticator is that apart from the
> smartphone app, there is no physical token to carry around. Whether or
> not that makes it less secure, I'm not entirely sure. The TOTP Wikipedia
> page mentions that printed codes and email resets (which LastPass
> allows) is a weakness which allows for additional exploitable vectors,
> so be aware of that if you are using it.

Well other than Google Authenticator I would also point to the great
Archie Cobbs' mod-authn-otp[1] for Apache and oathtoken[2] app for
iPhone. The first one as the name suggests is for protecting web server
realms with 2FA other than Digest/Basic/Etc auth mechanisms, and the
iPhone app is the companion token. The iPhone app is open source as well
and it can be fully integrated with Google Authenticator, (I mean, by
manually adding a new config and using a converted base16 secret).
I use this app to concentrate all my 2FA credentials, Google, Dropbox,
SSH access, Apache Auth and banking token which is also RFC-4226
compliant.

But the cool thing is otptool that comes with the Apache module. It's a
command line utility one can use to test, generate and verify OTP/HOTP
access, probably it was written primarily for automation and debugging
but it's easy enough to integrate it with Radius and OpenVPN as well. I
have used it to add 2FA to OpenVPN and to PPPoE authentication based on
FreeBSD+MPD authenticating from a FreeRADIUS system.

I have tried a Samba setup to replace the reusable password with the OTP
value and it works as well. It's not a 2-FA strategy since the first
authentication method is fully replaced by the OTP pass, however it's a
very nice security possibility as well, forcing users to have their
token in hand to actually find out what's the current required
time-based credentials to log in their Windows workstations.

I found out otptool can also be wrapped around OS X's dscl and therefore
Apple's OD with a simple shell script, which will also allow for an OTP
based auth on OS X based networks authenticating on OD.

So in the end I found out otptool[3] to be more valuable than Google
Authenticator's PAM module or Apache module for the flexibility it adds.
You can pretty much integrate 2FA in virtually anything this way, using
just extendable auth mechanisms, scripting or by some minor code hacking
or wrapping.

Just for fun, I have also slightly modified the iPhone app and added
user-defined passphrase for the AES cryptography (oath token already
uses it, but it's not user defined) and added some Geolocation features.
The app won't show the OTP password if user-passphrase is not entered,
if the app won't have GPS/location access or if the device is located a
few miles away from the authorized geolocation radius, so adding a
simple Geolocation Authorized/Denied test on the app will somehow add a
third authentication factor mechanism.
It's a 3FA protection tested before the 2FA code is shown.

It's a lot of fun to have all those pieces of good open source (BSD
licensed) software available.

Best,
Patrick Tracanelli

[1] https://code.google.com/p/mod-authn-otp/
[2] https://code.google.com/p/oathtoken/
[3] https://code.google.com/p/mod-authn-otp/wiki/OTPTool
[4] http://www.proapps.com.br//images/proapps/screen/2fa/app2.png

From george at ceetonetechnology.com Tue Apr 21 21:53:49 2015
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 21 Apr 2015 21:53:49 -0400
Subject: [talk] some notes on flashrd
Message-ID: <5536FF2D.8000700@ceetonetechnology.com>

flashrd (www.nmedia.net/flashrd) has been around a long long time. It
is a lightweight build system for embedded OpenBSD for flash media. It
was created and is maintained by Chris Cappuccio, among others.

The current image at images/20150320 doesn't boot due to PIE settings,
but I can provide an image if anyone's interested until it's resolved. I
also have a build script that isn't quite elegant shell (yet), but it
does simplify configuring a build. Importantly, the build machine must
match the platform, so to build i386, you need an i386 box, unless
you're using a virtualized build system.

Lots of funky features, such as switching between read-only and
read-write modes, the use of vnodes, etc.

I started hacking on it last week. There's a certain simplicity that is
nice. I imagine that if FreeBSD's Crochet was limited to one board, the
two build systems would have a lot in common.

My build is only using bsd*.tgz and etc*.tgz files. Adding a swap file
is vital to do anything interesting with a Soekris of course.

What's truly impressive is that I pulled out two ancient Soekris 4801s
with that potent 266MHz CPU and 128M of RAM, and it works fine.

Remote upgrades and fallback to the previous configuration if any
problems is simple and straightforward.

There are regular DMA errors when booting off old CF cards.
I'm having issues forcing PIO mode and disabling DMA, as the changes to
the kernel don't seem to stick from UKC. Any input appreciated.

    boot> boot -c

wd* flags changed to 0x0ffc and 0x0ff0, but neither sticks after a
reboot.

Anyways, worth checking out as a solution for small systems.

g

From george at ceetonetechnology.com Tue Apr 21 23:00:46 2015
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 21 Apr 2015 23:00:46 -0400
Subject: [talk] some notes on flashrd
In-Reply-To: <5536FF2D.8000700@ceetonetechnology.com>
References: <5536FF2D.8000700@ceetonetechnology.com>
Message-ID: <55370EDE.4020306@ceetonetechnology.com>

George Rosamond:
> flashrd (www.nmedia.net/flashrd) has been around a long long time. It
> is a light weight build system for embedded OpenBSD for flash media. It
> was created and is maintained by Chris Cappuccio, among others.
>
> The current image at images/20150320 doesn't boot due to PIE settings,
> but I can provide an image if anyone's interested until it's resolved. I
> also have a build script that isn't quite elegant shell (yet), but it
> does simplify configuring a build. Importantly, the build machine must
> match the platform, so to build i386, you need an i386 box, unless
> you're using a virtualized build system.
>
> Lots of funky features, such as switching between read-only and
> read-write modes, the use of vnodes, etc.
>
> I started hacking on it last week. There's a certain simplicity that is
> nice. I imagine that if FreeBSD's Crochet was limited to one board, the
> two build systems would have a lot in common.
>
> My build is only using bsd*.tgz and etc*.tgz files. Adding a swap file
> is vital to do anything interesting with a Soekris of course.
>
> What's truly impressive is that I pulled out two ancient Soekris 4801s
> with that potent 266mhz CPU and 128M of RAM, and it works fine.
>
> Remote upgrades and fallback to the previous configuration if any
> problems is simple and straight-forward.
>
> There are regular DMA errors when booting off old CF cards. I'm having
> an issues forcing PIO mode and disabling DMA, as the changes to the
> kernel don't seem to stick from UKC. Any input appreciated.
>
> boot> boot -c
>
> wd* flags changed to 0x0ffc and 0x0ff0, but neither sticks after a reboot.
>

Duh, my bad... been a while since I changed kernel parameters with
config(8)...

www.openbsd.org/faq/faq5.html#config

> Anyways, worth checking out as a solution for small systems.

g

From gnn at neville-neil.com Tue Apr 21 21:24:07 2015
From: gnn at neville-neil.com (George Neville-Neil)
Date: Tue, 21 Apr 2015 21:24:07 -0400
Subject: [talk] 2FA on BSD (was Re: Reducing password fatigue on OpenBSD (or any BSD))
References: <20131110014127.GA18293@vm.eradman.com> <20131111183411.GA3643@vm.eradman.com> <1429588262-2144806.07833206.ft3L3o4T0017441@rs149.luxsci.com> <20150421063852.GB88836@zaph.org>
Message-ID: <96CEA9F0-4353-40F5-A41A-8AB07CEEB711@neville-neil.com>

And they support FreeBSD quite well. I've been using Duo for several
years now.

Best,
George

On 21 Apr 2015, at 9:16, Mikel King wrote:
> Sujit,
>
> I wrote a how-to about Duo's free solution. They have some really good docs
> and support as well. More importantly they have an active app for your
> mobile device.
>
> http://jafdip.com/securing-freebsd-2fa-two-factor-authentication/
>
> Cheers,
> m
>
> On Tue, Apr 21, 2015 at 7:44 AM, Sujit K M wrote:
>
>>> On a slightly tangential note, I started playing with Google
>>> Authenticator recently:
>>>
>>> https://github.com/google/google-authenticator/
>>>
>>> It's worked very well so far:
>>
>> But how does it plug in to other tools? Would it run over SSH and do
>> authentication on top of it?

From zippy1981 at gmail.com Fri Apr 24 13:26:43 2015
From: zippy1981 at gmail.com (Justin Dearing)
Date: Fri, 24 Apr 2015 13:26:43 -0400
Subject: [talk] Is anyone doing GIS stuff in FreeBSD with Python 3?

Hey all,

I've been working on some Geospatial web apps written in python 3.4 with
flask. Deploying them to Centos has proven problematic due to the GDAL
libraries being old. The FreeBSD ports collection has up to date ports
for the stuff I need.

Before I go building a FreeBSD box, I was wondering if there were any
caveats I should worry about on FreeBSD from someone who does GIS stuff
with Python in FreeBSD, and knows the pain of projections being renamed
and the gdal exception handler not working in python.

Justin

From ike at blackskyresearch.net Thu Apr 30 11:16:31 2015
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Thu, 30 Apr 2015 15:16:31 +0000
Subject: [talk] I can't tell if this is a joke, or for real.
Message-ID: <201504301516.t3UFGVTO000342@rs101.luxsci.com>

Hi All,

Warning: this post will waste your time.
(No code, tech, or engineering discourse- just another bloody movement).

Buzzing around me today,

http://notcp.io

I thought it was a clever and cynical April fools joke, but some folks
appear to be taking this seriously. I hope you chortle your way through
this, should you choose to read even a line or two.

Best,
.ike

From pete at nomadlogic.org Thu Apr 30 13:00:24 2015
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 30 Apr 2015 10:00:24 -0700
Subject: [talk] I can't tell if this is a joke, or for real.
In-Reply-To: <201504301516.t3UFGVTO000342@rs101.luxsci.com>
References: <201504301516.t3UFGVTO000342@rs101.luxsci.com>
Message-ID: <55425FA8.8020104@nomadlogic.org>

On 04/30/15 08:16, Isaac (.ike) Levy wrote:
>
> Hi All,
>
> Warning: this post will waste your time.
> (No code, tech, or engineering discourse- just another bloody movement).
>
> Buzzing around me today,
>
> http://notcp.io
>
> I thought it was a clever and cynical April fools joke, but some folks
> appear to be taking this seriously. I hope you chortle your way through
> this, should you choose to read even a line or two.
>

heh - pretty funny although a little too close to home for me - dealing
with a lot of "devops" people lately where the answer is "docker!" to a
question no-one asked.

kinda bummed they didn't mention sctp which is clearly more artisanal
than the corporate google QUIC protocol. missed opportunity to actually
educate people...

-pete

--
Pete Wright
pete at nomadlogic.org
twitter => @nomadlogicLA

From edlinuxguru at gmail.com Thu Apr 30 13:20:56 2015
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Thu, 30 Apr 2015 13:20:56 -0400
Subject: [talk] I can't tell if this is a joke, or for real.
In-Reply-To: <55425FA8.8020104@nomadlogic.org>
References: <201504301516.t3UFGVTO000342@rs101.luxsci.com> <55425FA8.8020104@nomadlogic.org>

I have a similar even broader rant: Everything is the HTTP protocol. You
have HTTP based sub-technologies like web-sockets and ajax. People trying
to make what was originally a stateless post/reply protocol into
something else. Corporate firewalls control what ports are "safe" and
"unsafe"; 80 and 443 are considered "safe". Getting any other port open
is a lot of hoopla.

Google's are so large they can innovate and deliver a clearly better
implementation like https://developers.google.com/speed/spdy/ for modern
needs.

But for the rest of us, trying to convince someone that TCP is not the
answer is off the mark.
You have to start by convincing the world that "Not everything is http",
which from my experience is nearly a mission impossible proposition.

On Thu, Apr 30, 2015 at 1:00 PM, Pete Wright wrote:
>
> On 04/30/15 08:16, Isaac (.ike) Levy wrote:
> >
> > Hi All,
> >
> > Warning: this post will waste your time.
> > (No code, tech, or engineering discourse- just another bloody movement).
> >
> > Buzzing around me today,
> >
> > http://notcp.io
> >
> > I thought it was a clever and cynical April fools joke, but some folks
> > appear to be taking this seriously. I hope you chortle your way through
> > this, should you choose to read even a line or two.
> >
>
> heh - pretty funny although a little too close to home for me - dealing
> with a lot of "devops" people lately where the answer is "docker!" to a
> question no-one asked.
>
> kinda bummed they didn't mention sctp which is clearly more artisanal
> than the corporate google QUIC protocol. missed opportunity to actually
> educate people...
>
> -pete
>
> --
> Pete Wright
> pete at nomadlogic.org
> twitter => @nomadlogicLA

From njt at ayvali.org Thu Apr 30 14:33:14 2015
From: njt at ayvali.org (N.J. Thomas)
Date: Thu, 30 Apr 2015 14:33:14 -0400
Subject: [talk] I can't tell if this is a joke, or for real.
In-Reply-To: <55425FA8.8020104@nomadlogic.org>
References: <201504301516.t3UFGVTO000342@rs101.luxsci.com> <55425FA8.8020104@nomadlogic.org>
Message-ID: <20150430183314.GK19747@zaph.org>

* Pete Wright [2015-04-30 10:00:24-0700]:
> dealing with a lot of "devops" people lately where the answer is
> "docker!" to a question no-one asked.

I'm so glad I'm not the only one dealing with this.
=-/

Thomas

From pete at nomadlogic.org Thu Apr 30 16:41:26 2015
From: pete at nomadlogic.org (Pete Wright)
Date: Thu, 30 Apr 2015 13:41:26 -0700
Subject: [talk] I can't tell if this is a joke, or for real.
References: <201504301516.t3UFGVTO000342@rs101.luxsci.com> <55425FA8.8020104@nomadlogic.org>
Message-ID: <55429376.6000600@nomadlogic.org>

On 04/30/15 10:20, Edward Capriolo wrote:
> I have a similar even broader rant: Everything is the HTTP protocol. You
> have HTTP based sub-technologies like web-sockets and ajax. People
> trying to make what was originally a stateless post/reply protocol into
> something else. Corporate firewalls control what ports are "safe" and
> "unsafe" 80 and 443 are considered "safe". Getting any other port open
> is a lot of hoopla.
>
> Google's are so large they can innovate and deliver a clearly better
> implementation like https://developers.google.com/speed/spdy/ for modern
> needs.
> But for the rest of us trying convince someone that TCP is not the
> answer is off the mark. You have to start by convincing the world that
> "Not everything is http", which from my experience is nearly a mission
> impossible proposition.

to bring this back to *BSD:

http://queue.acm.org/detail.cfm?id=2716278

basically lamenting the fact that http/2.0 is spdy and why that's a bad
thing.

-pete

--
Pete Wright
pete at nomadlogic.org
twitter => @nomadlogicLA

From slynch2112 at me.com Thu Apr 30 17:04:55 2015
From: slynch2112 at me.com (Siobhan Lynch)
Date: Thu, 30 Apr 2015 17:04:55 -0400
Subject: [talk] I can't tell if this is a joke, or for real.
In-Reply-To: <55429376.6000600@nomadlogic.org>
References: <201504301516.t3UFGVTO000342@rs101.luxsci.com> <55425FA8.8020104@nomadlogic.org> <55429376.6000600@nomadlogic.org>
Message-ID: <090C93D7-606D-459B-8D3E-70DACAD0AE48@me.com>

> On Apr 30, 2015, at 4:41 PM, Pete Wright wrote:
>
> to bring this back to *BSD:
>
> http://queue.acm.org/detail.cfm?id=2716278
>
> basically lamenting the fact that http/2.0 is spdy and what that's a bad
> thing.
>
> -pete

Oh my, this may not be an April Fools Joke, but it's clearly technical
satire... and actually good satire at that.

I keep telling clients these days that buzzwords generally are just new
words for old technology, some of us worked with building private
"clouds" years ago... The difference is that Amazon and others are
letting us do it on their hardware now, sometimes saving cost, sometimes
saving time, but it gives up the idea of hardware control when needed.
It's still not one size fits all.

And to make it BSD relevant, I got my one client to switch to FreeBSD
VMs at Amazon recently... because of my past experience with speed
increase over linux regarding java.

-Trish

>
> --
> Pete Wright
> pete at nomadlogic.org
> twitter => @nomadlogicLA

From mark.saad at ymail.com Thu Apr 30 18:38:16 2015
From: mark.saad at ymail.com (Mark Saad)
Date: Thu, 30 Apr 2015 18:38:16 -0400
Subject: [talk] I can't tell if this is a joke, or for real.
In-Reply-To: <55429376.6000600@nomadlogic.org>
References: <201504301516.t3UFGVTO000342@rs101.luxsci.com> <55425FA8.8020104@nomadlogic.org> <55429376.6000600@nomadlogic.org>
Message-ID: <432D73AE-87AB-442E-8B3E-6D1CFC5D511C@ymail.com>

> On Apr 30, 2015, at 4:41 PM, Pete Wright wrote:
>
>> On 04/30/15 10:20, Edward Capriolo wrote:
>> I have a similar even broader rant: Everything is the HTTP protocol. You
>> have HTTP based sub-technologies like web-sockets and ajax. People
>> trying to make what was originally a stateless post/reply protocol into
>> something else. Corporate firewalls control what ports are "safe" and
>> "unsafe" 80 and 443 are considered "safe". Getting any other port open
>> is a lot of hoopla.
>>

+1 Ed

>> Google's are so large they can innovate and deliver a clearly better
>> implementation like https://developers.google.com/speed/spdy/ for modern
>> needs.
>> But for the rest of us trying convince someone that TCP is not the
>> answer is off the mark. You have to start by convincing the world that
>> "Not everything is http", which from my experience is nearly a mission
>> impossible proposition.
>
> to bring this back to *BSD:
>
> http://queue.acm.org/detail.cfm?id=2716278
>
> basically lamenting the fact that http/2.0 is spdy and what that's a bad
> thing.
>
> -pete
>
> --
> Pete Wright
> pete at nomadlogic.org
> twitter => @nomadlogicLA
>

Let's just say for a second tcp is evil and so is udp. What do "you"
propose "we" replace it with? For some boundaries this new protocol
lives on top of ip. Now let's say "you" go to cook something up with
gnn's pcs, what do you target, the kitchen sink, one lightweight
container or do you make 100 things for each issue, for instance the
streaming video protocol over ip, the Remote Desktop protocol over ip
etc etc etc. Next say "you" cook up the perfect solution, how do you
even test it?

So afaict this isn't a post about anything sensible. It's tech link
bait, we all read this now what?
Wait for it ...... .... ..... ..

A month goes by .....

[OP] Solution, in my new docker images I have an Ubuntu setup, to send
node requests to each other via a node app that sets up a server to
......... ..... A few hundred lines of tech mumbo jumbo .. And then
after you have that you get node over netbeui over udp for inter node
stuff.

;)

---
Mark Saad | mark.saad at ymail.com