OpenBSD

OpenBSD 7.6 - Python Crypto Library

OpenBSD 7.6 / LibreSSL 4.0.0 / cryptography 43.0.1

It seems that the cryptography library is broken, or at least not yet ready, for LibreSSL 4.0.0.

Problems adding Crypto

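# Reproduce the failure: a fresh poetry project that pulls in cryptography.
# Chained with && so a failed cd does not run the next command in the wrong directory
# (these are typed into an interactive root shell, so no "exit" on error).
cd /tmp \
  && poetry new test_crypto \
  && cd test_crypto/ \
  && poetry add cryptography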
root@host /bin# cd tmp

root@host /tmp# poetry new test_crypto

Created package test_crypto in test_crypto
root@host /tmp# cd test_crypto/

root@host /tmp/test_crypto# poetry add cryptography                                                                                                                                                  
Creating virtualenv test-crypto in /tmp/test_crypto/.venv
Using version ^43.0.1 for cryptography

Updating dependencies
Resolving dependencies... (0.2s)

Package operations: 3 installs, 0 updates, 0 removals

  - Installing pycparser (2.22)
  - Installing cffi (1.17.1)
  - Installing cryptography (43.0.1): Failed

  ChefBuildError

  Backend subprocess exited when trying to invoke build_wheel
  
  Running `maturin pep517 build-wheel -i /tmp/tmpm4f6kesa/.venv/bin/python --compatibility off`
  📦 Including license file "/tmp/tmpzw46sfn4/cryptography-43.0.1/LICENSE"
  📦 Including license file "/tmp/tmpzw46sfn4/cryptography-43.0.1/LICENSE.APACHE"
  📦 Including license file "/tmp/tmpzw46sfn4/cryptography-43.0.1/LICENSE.BSD"
  🍹 Building a mixed python/rust project
  🔗 Found pyo3 bindings with abi3 support for Python ≥ 3.7
  🐍 Not using a specific python interpreter
  📡 Using build options features, locked from pyproject.toml
     Compiling proc-macro2 v1.0.86
     Compiling target-lexicon v0.12.15
     Compiling unicode-ident v1.0.12
     Compiling pyo3-build-config v0.22.2
     Compiling quote v1.0.36
     Compiling cc v1.1.6
     Compiling syn v2.0.71
     Compiling vcpkg v0.2.15
     Compiling pkg-config v0.3.30
     Compiling once_cell v1.19.0
     Compiling openssl-sys v0.9.103
  error: failed to run custom build command for `openssl-sys v0.9.103`
  
  Caused by:
    process didn't exit successfully: `/tmp/tmpzw46sfn4/cryptography-43.0.1/src/rust/target/release/build/openssl-sys-b9cf452982f5d9f0/build-script-main` (exit status: 101)
    --- stdout
    cargo:rustc-check-cfg=cfg(osslconf, values("OPENSSL_NO_OCB", "OPENSSL_NO_SM4", "OPENSSL_NO_SEED", "OPENSSL_NO_CHACHA", "OPENSSL_NO_CAST", "OPENSSL_NO_IDEA", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_RC4", "OPENSSL_NO_BF", "OPENSSL_NO_PSK", "OPENSSL_NO_DEPRECATED_3_0", "OPENSSL_NO_SCRYPT", "OPENSSL_NO_SM3", "OPENSSL_NO_RMD160", "OPENSSL_NO_EC2M", "OPENSSL_NO_OCSP", "OPENSSL_NO_CMS", "OPENSSL_NO_COMP", "OPENSSL_NO_SOCK", "OPENSSL_NO_STDIO"))
    cargo:rustc-check-cfg=cfg(openssl)
    cargo:rustc-check-cfg=cfg(libressl)
    cargo:rustc-check-cfg=cfg(boringssl)
    cargo:rustc-check-cfg=cfg(libressl250)
    cargo:rustc-check-cfg=cfg(libressl251)
    cargo:rustc-check-cfg=cfg(libressl252)
    cargo:rustc-check-cfg=cfg(libressl261)
    cargo:rustc-check-cfg=cfg(libressl270)
    cargo:rustc-check-cfg=cfg(libressl271)
    cargo:rustc-check-cfg=cfg(libressl273)
    cargo:rustc-check-cfg=cfg(libressl280)
    cargo:rustc-check-cfg=cfg(libressl281)
    cargo:rustc-check-cfg=cfg(libressl291)
    cargo:rustc-check-cfg=cfg(libressl310)
    cargo:rustc-check-cfg=cfg(libressl321)
    cargo:rustc-check-cfg=cfg(libressl332)
    cargo:rustc-check-cfg=cfg(libressl340)
    cargo:rustc-check-cfg=cfg(libressl350)
    cargo:rustc-check-cfg=cfg(libressl360)
    cargo:rustc-check-cfg=cfg(libressl361)
    cargo:rustc-check-cfg=cfg(libressl370)
    cargo:rustc-check-cfg=cfg(libressl380)
    cargo:rustc-check-cfg=cfg(libressl381)
    cargo:rustc-check-cfg=cfg(libressl382)
    cargo:rustc-check-cfg=cfg(libressl390)
    cargo:rustc-check-cfg=cfg(libressl400)
    cargo:rustc-check-cfg=cfg(ossl101)
    cargo:rustc-check-cfg=cfg(ossl102)
    cargo:rustc-check-cfg=cfg(ossl102f)
    cargo:rustc-check-cfg=cfg(ossl102h)
    cargo:rustc-check-cfg=cfg(ossl110)
    cargo:rustc-check-cfg=cfg(ossl110f)
    cargo:rustc-check-cfg=cfg(ossl110g)
    cargo:rustc-check-cfg=cfg(ossl110h)
    cargo:rustc-check-cfg=cfg(ossl111)
    cargo:rustc-check-cfg=cfg(ossl111b)
    cargo:rustc-check-cfg=cfg(ossl111c)
    cargo:rustc-check-cfg=cfg(ossl111d)
    cargo:rustc-check-cfg=cfg(ossl300)
    cargo:rustc-check-cfg=cfg(ossl310)
    cargo:rustc-check-cfg=cfg(ossl320)
    cargo:rustc-check-cfg=cfg(ossl330)
    cargo:rerun-if-env-changed=X86_64_UNKNOWN_OPENBSD_OPENSSL_LIB_DIR
    X86_64_UNKNOWN_OPENBSD_OPENSSL_LIB_DIR unset
    cargo:rerun-if-env-changed=OPENSSL_LIB_DIR
    OPENSSL_LIB_DIR unset
    cargo:rerun-if-env-changed=X86_64_UNKNOWN_OPENBSD_OPENSSL_INCLUDE_DIR
    X86_64_UNKNOWN_OPENBSD_OPENSSL_INCLUDE_DIR unset
    cargo:rerun-if-env-changed=OPENSSL_INCLUDE_DIR
    OPENSSL_INCLUDE_DIR unset
    cargo:rerun-if-env-changed=X86_64_UNKNOWN_OPENBSD_OPENSSL_DIR
    X86_64_UNKNOWN_OPENBSD_OPENSSL_DIR unset
    cargo:rerun-if-env-changed=OPENSSL_DIR
    OPENSSL_DIR unset
    cargo:rerun-if-env-changed=OPENSSL_NO_PKG_CONFIG
    cargo:rerun-if-env-changed=PKG_CONFIG_x86_64-unknown-openbsd
    cargo:rerun-if-env-changed=PKG_CONFIG_x86_64_unknown_openbsd
    cargo:rerun-if-env-changed=HOST_PKG_CONFIG
    cargo:rerun-if-env-changed=PKG_CONFIG
    cargo:rerun-if-env-changed=OPENSSL_STATIC
    cargo:rerun-if-env-changed=OPENSSL_DYNAMIC
    cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC
    cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC
    cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-openbsd
    cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_openbsd
    cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH
    cargo:rerun-if-env-changed=PKG_CONFIG_PATH
    cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-openbsd
    cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_openbsd
    cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR
    cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR
    cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-openbsd
    cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_openbsd
    cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR
    cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR
    cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR
    cargo:rerun-if-env-changed=SYSROOT
    cargo:rerun-if-env-changed=OPENSSL_STATIC
    cargo:rerun-if-env-changed=OPENSSL_DYNAMIC
    cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC
    cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC
    cargo:rustc-link-lib=ssl
    cargo:rustc-link-lib=crypto
    cargo:rerun-if-env-changed=PKG_CONFIG_x86_64-unknown-openbsd
    cargo:rerun-if-env-changed=PKG_CONFIG_x86_64_unknown_openbsd
    cargo:rerun-if-env-changed=HOST_PKG_CONFIG
    cargo:rerun-if-env-changed=PKG_CONFIG
    cargo:rerun-if-env-changed=OPENSSL_STATIC
    cargo:rerun-if-env-changed=OPENSSL_DYNAMIC
    cargo:rerun-if-env-changed=PKG_CONFIG_ALL_STATIC
    cargo:rerun-if-env-changed=PKG_CONFIG_ALL_DYNAMIC
    cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64-unknown-openbsd
    cargo:rerun-if-env-changed=PKG_CONFIG_PATH_x86_64_unknown_openbsd
    cargo:rerun-if-env-changed=HOST_PKG_CONFIG_PATH
    cargo:rerun-if-env-changed=PKG_CONFIG_PATH
    cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64-unknown-openbsd
    cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR_x86_64_unknown_openbsd
    cargo:rerun-if-env-changed=HOST_PKG_CONFIG_LIBDIR
    cargo:rerun-if-env-changed=PKG_CONFIG_LIBDIR
    cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64-unknown-openbsd
    cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR_x86_64_unknown_openbsd
    cargo:rerun-if-env-changed=HOST_PKG_CONFIG_SYSROOT_DIR
    cargo:rerun-if-env-changed=PKG_CONFIG_SYSROOT_DIR
    cargo:rerun-if-changed=build/expando.c
    OPT_LEVEL = Some(3)
    TARGET = Some(x86_64-unknown-openbsd)
    OUT_DIR = Some(/tmp/tmpzw46sfn4/cryptography-43.0.1/src/rust/target/release/build/openssl-sys-69c53327ca178616/out)
    HOST = Some(x86_64-unknown-openbsd)
    cargo:rerun-if-env-changed=CC_x86_64-unknown-openbsd
    CC_x86_64-unknown-openbsd = None
    cargo:rerun-if-env-changed=CC_x86_64_unknown_openbsd
    CC_x86_64_unknown_openbsd = None
    cargo:rerun-if-env-changed=HOST_CC
    HOST_CC = None
    cargo:rerun-if-env-changed=CC
    CC = None
    cargo:rerun-if-env-changed=CC_ENABLE_DEBUG_OUTPUT
    RUSTC_WRAPPER = None
    cargo:rerun-if-env-changed=CRATE_CC_NO_DEFAULTS
    CRATE_CC_NO_DEFAULTS = None
    DEBUG = Some(false)
    cargo:rerun-if-env-changed=CFLAGS_x86_64-unknown-openbsd
    CFLAGS_x86_64-unknown-openbsd = None
    cargo:rerun-if-env-changed=CFLAGS_x86_64_unknown_openbsd
    CFLAGS_x86_64_unknown_openbsd = None
    cargo:rerun-if-env-changed=HOST_CFLAGS
    HOST_CFLAGS = None
    cargo:rerun-if-env-changed=CFLAGS
    CFLAGS = None
    cargo:rustc-cfg=osslconf="OPENSSL_NO_BUF_FREELISTS"
    cargo:rustc-cfg=osslconf="OPENSSL_NO_COMP"
    cargo:rustc-cfg=osslconf="OPENSSL_NO_EC2M"
    cargo:rustc-cfg=osslconf="OPENSSL_NO_ENGINE"
    cargo:rustc-cfg=osslconf="OPENSSL_NO_KRB5"
    cargo:rustc-cfg=osslconf="OPENSSL_NO_PSK"
    cargo:rustc-cfg=osslconf="OPENSSL_NO_SRP"
    cargo:rustc-cfg=osslconf="OPENSSL_NO_SSL3_METHOD"
    cargo:rustc-cfg=osslconf="OPENSSL_NO_SEED"
    cargo:rustc-cfg=osslconf="OPENSSL_NO_SCRYPT"
    cargo:conf=OPENSSL_NO_BUF_FREELISTS,OPENSSL_NO_COMP,OPENSSL_NO_EC2M,OPENSSL_NO_ENGINE,OPENSSL_NO_KRB5,OPENSSL_NO_PSK,OPENSSL_NO_SRP,OPENSSL_NO_SSL3_METHOD,OPENSSL_NO_SEED,OPENSSL_NO_SCRYPT
    cargo:rustc-cfg=openssl
    cargo:rustc-cfg=libressl
    cargo:rustc-cfg=libressl251
    cargo:rustc-cfg=libressl252
    cargo:rustc-cfg=libressl261
    cargo:rustc-cfg=libressl270
    cargo:rustc-cfg=libressl271
    cargo:rustc-cfg=libressl273
    cargo:rustc-cfg=libressl280
    cargo:rustc-cfg=libressl281
    cargo:rustc-cfg=libressl291
    cargo:rustc-cfg=libressl310
    cargo:rustc-cfg=libressl321
    cargo:rustc-cfg=libressl332
    cargo:rustc-cfg=libressl340
    cargo:rustc-cfg=libressl350
    cargo:rustc-cfg=libressl360
    cargo:rustc-cfg=libressl370
    cargo:rustc-cfg=libressl380
    cargo:rustc-cfg=libressl381
    cargo:rustc-cfg=libressl382
    cargo:rustc-cfg=libressl390
    cargo:rustc-cfg=libressl400
    cargo:libressl_version_number=4000000f
  
    --- stderr
    thread 'main' panicked at /root/.cargo/registry/src/index.crates.io-6f17d22bba15001f/openssl-sys-0.9.103/build/main.rs:420:5:
  
  
    This crate is only compatible with OpenSSL (version 1.0.1 through 1.1.1, or 3), or LibreSSL 2.5
    through 3.9.x, but a different version of OpenSSL was found. The build is now aborting
    due to this version mismatch.
  
  
    note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
  warning: build failed, waiting for other jobs to finish...
  💥 maturin failed
    Caused by: Failed to build a native library through cargo
    Caused by: Cargo build finished with "exit status: 101": `env -u CARGO PYO3_ENVIRONMENT_SIGNATURE="cpython-3.11-64bit" PYO3_PYTHON="/tmp/tmpm4f6kesa/.venv/bin/python" PYTHON_SYS_EXECUTABLE="/tmp/tmpm4f6kesa/.venv/bin/python" "cargo" "rustc" "--features" "pyo3/abi3-py37" "--message-format" "json-render-diagnostics" "--locked" "--manifest-path" "/tmp/tmpzw46sfn4/cryptography-43.0.1/src/rust/Cargo.toml" "--release" "--lib"`
  Error: command ['maturin', 'pep517', 'build-wheel', '-i', '/tmp/tmpm4f6kesa/.venv/bin/python', '--compatibility', 'off'] returned non-zero exit status 1
  

  at ~/.local/lib/python3.11/site-packages/poetry/installation/chef.py:164 in _prepare
      160│ 
      161│                 error = ChefBuildError("\n\n".join(message_parts))
      162│ 
      163│             if error is not None:
    → 164│                 raise error from None
      165│ 
      166│             return path
      167│ 
      168│     def _prepare_sdist(self, archive: Path, destination: Path | None = None) -> Path:

Note: This error originates from the build backend, and is likely not a problem with poetry but with cryptography (43.0.1) not supporting PEP 517 builds. You can verify this by running 'pip wheel --no-cache-dir --use-pep517 "cryptography (==43.0.1)"'.

root@host 1 /tmp/test_crypto#

Install LibreSSL 3.9.2

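# Build LibreSSL 3.9.2 from source: 3.9.x is the newest LibreSSL branch that
# openssl-sys 0.9.103 accepts (see the panic message in the build log above).
# The tarball is fetched over HTTPS but not verified here; compare it with the
# SHA256 and .asc files published in the same ftp.openbsd.org directory first.
# DESTDIR=/tmp/ stages the install under /tmp, which does not survive a reboot:
# if the cryptography wheel built later links this copy dynamically it may stop
# loading after a reboot -- confirm with ldd, or use a durable DESTDIR.
# Chained with && so a failed step does not run the following ones.
cd /root \
  && ftp https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.9.2.tar.gz \
  && tar xzf libressl-3.9.2.tar.gz \
  && cd libressl-3.9.2 \
  && ./configure \
  && make \
  && make install DESTDIR=/tmp/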
root@host /libressl-3.9.2# ./configure
checking build system type... x86_64-unknown-openbsd7.6
checking host system type... x86_64-unknown-openbsd7.6
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /usr/local/bin/gmkdir -p
checking for gawk... no
checking for mawk... no
checking for nawk... no

...

config.status: creating libssl.pc
config.status: creating libtls.pc
config.status: creating openssl.pc
config.status: executing depfiles commands
config.status: executing libtool commands
root@host /libressl-3.9.2#

root@host /libressl-3.9.2# make        
Making all in include
Making all in openssl
echo "generating opensslconf.h ..."
generating opensslconf.h ...
cp ../../include/arch/amd64/opensslconf.h opensslconf.h
make  all-am
Making all in crypto
echo "generating crypto_portable.sym ..."
generating crypto_portable.sym ...
cp ../crypto/crypto.sym crypto_portable.sym
chmod u+w crypto_portable.sym
make  all-am
  CPPAS    aes/libcrypto_la-aes-elf-x86_64.lo
  CPPAS    aes/libcrypto_la-bsaes-elf-x86_64.lo
  CPPAS    aes/libcrypto_la-vpaes-elf-x86_64.lo

...

  CC       netcat.o
  CC       socks.o
  CC       compat/socket.o
  CC       compat/base64.o
  CCLD     nc
ld: warning: netcat.c:470(netcat.o:(main)): warning: mktemp() possibly used unsafely; consider using mkstemp()
Making all in man
Making all in tests
  CC       empty.lo
  CCLD     libtest.la
root@host /libressl-3.9.2#


root@host /libressl-3.9.2# make install DESTDIR=/tmp/
Making install in include
Making install in openssl
make  install-am
 /usr/local/bin/gmkdir -p '/tmp//usr/local/include/openssl'
 /usr/bin/install -c -m 644 opensslconf.h aes.h asn1.h asn1t.h bio.h blowfish.h bn.h buffer.h camellia.h cast.h chacha.h cmac.h cms.h comp.h conf.h conf_api.h crypto.h ct.h curve25519.h des.h dh.h dsa.h dtls1.h ec.h ecdh.h ecdsa.h engine.h err.h evp.h hkdf.h hmac.h idea.h kdf.h lhash.h md4.h md5.h modes.h obj_mac.h objects.h ocsp.h '/tmp//usr/local/include/openssl'
 /usr/bin/install -c -m 644 opensslfeatures.h opensslv.h ossl_typ.h pem.h pem2.h pkcs12.h pkcs7.h poly1305.h posix_time.h rand.h rc2.h rc4.h ripemd.h rsa.h safestack.h sha.h sm3.h sm4.h srtp.h ssl.h ssl2.h ssl23.h ssl3.h stack.h tls1.h ts.h txt_db.h ui.h ui_compat.h whrlpool.h x509.h x509_vfy.h x509v3.h '/tmp//usr/local/include/openssl'
 /usr/local/bin/gmkdir -p '/tmp//usr/local/include'
 /usr/bin/install -c -m 644 tls.h '/tmp//usr/local/include'
Making install in crypto
make  install-am
 /usr/local/bin/gmkdir -p '/tmp//usr/local/lib'
 /bin/sh ../libtool   --mode=install /usr/bin/install -c   libcrypto.la '/tmp//usr/local/lib'
libtool: install: /usr/bin/install -c -m 644 .libs/libcrypto.so.53.0 /tmp//usr/local/lib/libcrypto.so.53.0
libtool: install: /usr/bin/install -c -m 644 .libs/libcrypto.lai /tmp//usr/local/lib/libcrypto.la
libtool: install: /usr/bin/install -c .libs/libcrypto.a /tmp//usr/local/lib/libcrypto.a

...

ln -sf "x509_verify.3" "/tmp//usr/local/share/man/man3/x509_verify_ctx_set_purpose.3"
Making install in tests
make  install-exec-hook
 /usr/local/bin/gmkdir -p '/tmp//usr/local/lib/pkgconfig'
 /usr/bin/install -c -m 644 libtls.pc libcrypto.pc libssl.pc openssl.pc '/tmp//usr/local/lib/pkgconfig'
root@host /libressl-3.9.2# 

Build Cryptography with LibreSSL 3.9.2

# Point openssl-sys at the LibreSSL 3.9.2 tree staged under /tmp (OPENSSL_DIR is
# one of the variables the build script above reports as "unset"); note that the
# transcript below resolves cryptography@43 to 43.0.0, not 43.0.1.
export OPENSSL_DIR="/tmp/usr/local/"; time poetry add cryptography@43
root@host /tmp/gugus# export OPENSSL_DIR="/tmp/usr/local/"; time poetry add cryptography@43 
Creating virtualenv gugus in /tmp/gugus/.venv

Updating dependencies
Resolving dependencies... (0.3s)

Package operations: 3 installs, 0 updates, 0 removals

  - Installing pycparser (2.22)
  - Installing cffi (1.17.1)
  - Installing cryptography (43.0.0)

Writing lock file
    1m40.77s real     2m31.68s user     0m15.74s system

root@host /tmp/gugus#

have phun!

OpenBSD 7.6

OpenBSD 7.6 released

The 57th Release of OpenBSD was announced. My Upgrade Script is available here.

Highlights

  • UDP parallel input has been enabled
  • pfctl(8) and systat(1) now display fragment reassembly statistics
  • dhcp6leased(8), a DHCPv6 client daemon for IPv6 PD has been added
  • and lot more

see the Post on Undeadly for more Details, or the OpenBSD Page

Script

# become root, then fetch the upgrade script plus ".helpers" (presumably sourced by it)
doas su -
cd /root
ftp https://blog.stoege.net/scripts/{.helpers,upgrade_to_76.sh}
# fetched over HTTPS only, no signature check: read both files before running them as root
chmod u+x upgrade_to_76.sh

Execute

do the Upgrade

SSH - Legacy Devices

Intro

Sometimes one has to access old and legacy devices. They may not support the current ciphers and key algorithms, so we have to modify the “.ssh/config” file or provide some additional CLI arguments.

If you have to do this regularly, you may want to extend the current parameters with the legacy ones like this:

Backup old config

you never know ;)

# /etc/ssh/ssh_config is the system-wide client config; keep the old one with an epoch suffix
mv -- /etc/ssh/ssh_config "/etc/ssh/ssh_config-$(date '+%s')"

Install Updated Version

you have to copy/paste as root

Knot

KNOT DNS

some information related to knot dns / knot-dnsutils. Tested with ‘knotd (Knot DNS), version 3.3.3’ running on OpenBSD 7.5.

Install Knot

# Knot DNS from packages (provides knotd and the knotc control tool used below)
pkg_add knot

Build Config

We configure this server as a “slave” which gets its config from a Primary Nameserver.

# /etc/knot/knot.conf 
# Secondary ("slave") server: every zone is transferred from the "primary"
# remote, authenticated with the TSIG key "mykey".

server:
    rundir: "/var/run/knot"
    user: _knot:_knot
    # presumably derives the transfer/notify ACLs from the remote + key
    # entries below, so no explicit acl section is needed -- confirm in the knot docs
    automatic-acl: on
    listen: [ xx.xx.xx.xx@53, xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx@53 ]

log:
  - target: syslog
    any: info

database:
    storage: "/var/db/knot"

key:
  - id: mykey
    algorithm: hmac-sha256
    # TSIG secret (placeholder, base64); must be identical on the primary.
    # It is a shared credential: keep this file readable by root/_knot only.
    secret: xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx=

remote:
  - id: primary
    address: [ xx.xx.xx.xx@53, xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx@53 ] # IP Address of Primary Nameserver
    key: mykey

template:
  # default
  - id: default
    storage: "/var/db/knot"
    file: "%s.zone"
    global-module: mod-stats
    semantic-checks: on

zone:

  # Slave Zones
  - domain: your-domain.ch
    master: primary
  - domain: your-other-domain.de
    master: primary
  - domain: your-last-domain.com
    master: primary

enable and start service

# start knot at boot, then (re)start it now with the config above
rcctl enable knot
rcctl restart knot

zone backup

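folder="/tmp/knot"
# knotd (running as _knot) writes the backup itself, so the directory must be
# owned by _knot.  Create it with a tight mode and stop if it already exists:
# /tmp is world-writable, and a pre-existing /tmp/knot would otherwise be
# chown'ed and filled without checking who made it.  A zone-backup may contain
# more than zone files (journal / KASP data, depending on knotc's defaults --
# confirm for your version), which is another reason to keep it private.
mkdir -m 700 -- "$folder" \
  && chown -R _knot -- "$folder" \
  && knotc zone-backup +backupdir "$folder"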

Build query File

# Turn the backed-up zone file into "NAME TYPE" query lines for kxdpgun:
# column 1 and 3 of each record, keep the listed types, unique and shuffled.
# (the "A$" alternative also matches SOA/AAAA lines -- same as before)
awk '{print $1,$3}' "${folder}/zonefiles/stoege.net.zone" \
  | grep -E "(NS|DS|A|AAAA|PTR|MX|SOA)$" \
  | sort -u -R > "${folder}/queries.txt"

StressTests (from a Debian Box)

# on the Debian client box: Knot's DNS utilities (kdig, khost; the page then uses kxdpgun)
apt install knot-dnsutils
cd /tmp
# pull the query list generated on the server above (address as used throughout this page)
scp root@45.32.159.233:/tmp/knot/queries.txt .

5k Queries

# ~5k queries at the default rate and (presumably) default port 53;
# the run below reports ~1000 pps for 5 s with 100% NOERROR replies
kxdpgun -i queries.txt 45.32.159.233
using interface ens18, XDP threads 1, UDP, native mode
thread#00: sent 5010, received 5010
total queries:     5010 (1002 pps)
total replies:     5010 (1002 pps) (100%)
average DNS reply size: 63 B
average Ethernet reply rate: 842459 bps (0.84 Mbps)
responded NOERROR:   5010
duration: 5 s

100k Queries

# -t 20: run for 20 s, -Q 5000: 5000 queries/s, -p 8853: non-default port
# (-b: see kxdpgun's own help for its meaning).  The run below got 0 replies,
# presumably because nothing listens on 8853 -- confirm with kdig -p 8853
time kxdpgun -t 20 -Q 5000 -i queries.txt -b 20 -p 8853 45.32.159.233
using interface ens18, XDP threads 1, UDP, native mode
thread#00: sent 100020, received 0
total queries:     100020 (5001 pps)
total replies:     0 (0 pps) (0%)
average DNS reply size: 0 B
average Ethernet reply rate: 24 bps (0.00 Mbps)
duration: 20 s

real	0m22.052s
user	0m0.092s
sys	0m0.183s

khost – Simple DNS lookup utility

# khost stoege.net
stoege.net. has IPv4 address 159.69.214.12
stoege.net. has IPv6 address 2a01:4f8:c0c:fff7::2
stoege.net. mail is handled by 10 ideo.noflow.ch.
# khost stoege.net -t SOA
stoege.net. start of authority is ns1.noflow.ch. hostmaster.noflow.ch. 2024052701 3600 900 1209600 1800

kdig – Advanced DNS lookup utility

# kdig stoege.net A    
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 57426
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; stoege.net.         		IN	A

;; ANSWER SECTION:
stoege.net.         	1800	IN	A	159.69.214.12

;; Received 44 B
;; Time 2024-07-10 19:27:20 CEST
;; From 108.61.10.10@53(UDP) in 1.4 ms

short answer

# kdig +short stoege.net AAAA
2a01:4f8:c0c:fff7::2

output in json

# kdig +json stoege.net AAAA
{
  "dateString": "2024-07-10T19:28:01+0200",
  "dateSeconds": 1720632481,
  "msgLength": 56,
  "ID": 27609,
  "QR": 1,
  "Opcode": 0,
  "AA": 0,
  "TC": 0,
  "RD": 1,
  "RA": 1,
  "AD": 0,
  "CD": 0,
  "RCODE": 0,
  "QDCOUNT": 1,
  "ANCOUNT": 1,
  "NSCOUNT": 0,
  "ARCOUNT": 0,
  "QNAME": "stoege.net.",
  "QTYPE": 28,
  "QTYPEname": "AAAA",
  "QCLASS": 1,
  "QCLASSname": "IN",
  "answerRRs": [
    {
      "NAME": "stoege.net.",
      "TYPE": 28,
      "TYPEname": "AAAA",
      "CLASS": 1,
      "CLASSname": "IN",
      "TTL": 1800,
      "rdataAAAA": "2a01:4f8:c0c:fff7::2",
      "RDLENGTH": 16,
      "RDATAHEX": "2A0104F80C0CFFF70000000000000002"
    }
  ]
}

Any Comments ?

sha256: 4034db839fb307e487b0188f378a9bc142ededf7de783788811c270f126f03f5

Mariadb

Install MariaDB on OpenBSD

Want to install and operate MariaDB on OpenBSD? Here are a few hints …

Install Package

# server and client packages (the transcript below shows the server pulling in the client as a dependency anyway)
pkg_add mariadb-server mariadb-client
root@puffy /tmp# pkg_add mariadb-server                                                                                                                                    
quirks-7.14 signed on 2024-06-15T18:27:56Z
mariadb-server-10.9.8p0v1:lzo2-2.10p2: ok
mariadb-server-10.9.8p0v1:snappy-1.1.10p1: ok
mariadb-server-10.9.8p0v1:mariadb-client-10.9.8v1: ok
mariadb-server-10.9.8p0v1:p5-FreezeThaw-0.5001p0: ok
mariadb-server-10.9.8p0v1:p5-MLDBM-2.05p0: ok
mariadb-server-10.9.8p0v1:p5-Net-Daemon-0.49: ok
mariadb-server-10.9.8p0v1:p5-PlRPC-0.2020p0: ok
mariadb-server-10.9.8p0v1:p5-Math-Base-Convert-0.11p0: ok
mariadb-server-10.9.8p0v1:p5-Clone-0.46: ok
mariadb-server-10.9.8p0v1:p5-Module-Runtime-0.016p0: ok
mariadb-server-10.9.8p0v1:p5-Params-Util-1.102: ok
mariadb-server-10.9.8p0v1:p5-SQL-Statement-1.414: ok
mariadb-server-10.9.8p0v1:p5-DBI-1.643p0: ok
mariadb-server-10.9.8p0v1:p5-DBD-MariaDB-1.23: ok
mariadb-server-10.9.8p0v1:libxml-2.12.7: ok
mariadb-server-10.9.8p0v1: ok
Running tags: ok
The following new rcscripts were installed: /etc/rc.d/mysqld
See rcctl(8) for details.
New and changed readme(s):
	/usr/local/share/doc/pkg-readmes/mariadb-server

add MariaDB Tests

https://mariadb.com/kb/en/mariadb-test-overview/

SSHChat

SSH Chat

how to run your own SSH Chat Server

Setup

# add go (build dependency)
pkg_add go

# add user 'sshchat' (interactive); the build below runs as this unprivileged user
adduser

# switch user
su - sshchat
# source tarball of the v1.10 tag from GitHub -- fetched over HTTPS, not signature-checked here
ftp https://github.com/shazow/ssh-chat/archive/v1.10.tar.gz
tar zxf v1.10.tar.gz
cd ssh-chat-1.10/
make build

# back to root
exit
# copying as root leaves a root-owned binary in /usr/local/bin, so the
# sshchat user cannot later modify what gets executed from there
cp /home/sshchat/ssh-chat-1.10/ssh-chat /usr/local/bin/

sshchat - ipfile

manage whitelisted IPs in a dedicated file

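# create folder
mkdir -p /etc/pf.d

# sample file: one address per line.  Written under a 077 umask so the file
# never exists with wider permissions than the chmod below sets (the original
# created it with the default umask first and tightened it afterwards).
( umask 077; printf '%s\n' "127.0.0.1" > /etc/pf.d/sshchat )

# set permission (kept so an already existing file is tightened as well)
chmod 600 /etc/pf.d/sshchat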

pf.conf

update pf.conf appropriately

Borgbackup

Prerequisite

  • you need a remote Borg Server (Unix/Linux Machine with Borg installed)
  • valid User and Key for SCP Transfer
  • SSH Key -> /backup/id_ed25519

Create Local Folder

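# /backup will hold the script (which embeds the passphrase) and the SSH key:
# create it root-only from the start instead of mkdir + chmod in a subshell
test -d /backup || mkdir -m 700 /backup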

Borg Backup Script

cat << 'EOF2' > /backup/borg.sh
#!/usr/bin/env bash

# BorgBackup Script, v1.0, 2024-04-09, by @stoege

# Remote server details (the functions below build borg's USER@HOST:REPO spec from these)
REMOTE_USER='borguser'
REMOTE_HOST='your.remote.borg.server'
REMOTE_REPO='mysamplerepo'

# Local directory to backup
LOCAL_DIR='/'

# Borg exclude patterns, each passed as "--exclude PATTERN"
declare -a EXCLUDE_DIRS=(
    '*/.cache/'
    '/tmp'
    '/restore'
)

# Passphrase for the repository key (run: pwgen 32 1).  It is stored in clear
# in this file, so the file must stay readable by root only; borg can also take
# it from BORG_PASSCOMMAND if you prefer a separate secret file.
BORG_PASSPHRASE='your-super-strong-password'
export BORG_PASSPHRASE

# Non-interactive SSH with the dedicated backup key
BORG_RSH='ssh -i /backup/id_ed25519'
export BORG_RSH


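# Function to perform full backup
#   Creates one archive named "<hostname>-<timestamp>" in the remote repo
#   from LOCAL_DIR, skipping every pattern in EXCLUDE_DIRS.
#   If "borg create" fails, the repository is assumed not to exist yet: it is
#   initialised (repokey-blake2, key protected by BORG_PASSPHRASE) and the
#   create is tried once more, so the very first run also produces an archive.
#   Globals:  REMOTE_USER, REMOTE_HOST, REMOTE_REPO, LOCAL_DIR, EXCLUDE_DIRS (read)
#   Returns:  exit status of the last borg command
perform_full_backup() {
    local repo="${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_REPO}"
    local dir
    local -a create_cmd exclude_opts=()

    # Keep the excludes in an array: the old space-joined string was
    # word-split and glob-expanded when used unquoted, so "*/.cache/" could
    # turn into real directory names before borg ever saw the pattern.
    for dir in "${EXCLUDE_DIRS[@]}"; do
        exclude_opts+=(--exclude "$dir")
    done

    # {hostname} and {now:...} are borg placeholders, expanded by borg itself
    create_cmd=(
        borg create
        --verbose
        --stats
        --progress
        --compression lz4
        "${repo}::{hostname}-{now:%Y-%m-%d_%H:%M:%S}"
        "$LOCAL_DIR"
        "${exclude_opts[@]}"
    )

    # Run BorgBackup command; on failure initialise the repo and retry once
    "${create_cmd[@]}" \
    || { borg init -e repokey-blake2 "$repo" && "${create_cmd[@]}"; }
}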

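# Function to perform restore
#   $1 - archive name (as printed by "list")
#   $2 - path inside the archive to extract; everything when empty
#   borg extract writes into the current directory, so the function changes
#   into /restore first and, like the original, stays there (no subshell).
#   Globals:  REMOTE_USER, REMOTE_HOST, REMOTE_REPO (read)
#   Returns:  non-zero if /restore cannot be created or entered, else borg's status
perform_restore() {
    local archive=$1
    local path=$2

    # Create Restore dir (no-op when present) and enter it; the old unchecked
    # "cd" would have extracted into whatever the caller's cwd happened to be
    mkdir -p /restore || return
    cd /restore || return

    # Run BorgBackup command to restore specific directory
    # (${path:+"$path"} passes the path only when one was given)
    borg extract \
        --verbose \
        --progress \
        "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_REPO}::${archive}" \
        ${path:+"$path"}
}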

# Function to list all backups
#   Prints every archive of the remote repository (borg list) to stdout.
#   Globals:  REMOTE_USER, REMOTE_HOST, REMOTE_REPO (read)
#   Returns:  borg's exit status
list_backups() {
    local repo="${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_REPO}"

    borg list "$repo"
}


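# Function to rotate backups
#   Prunes this host's archives by retention policy (keep 2 each of
#   hourly/daily/weekly/monthly).
#   The glob must match the "{hostname}-..." names written by
#   perform_full_backup.  Lower-case $hostname is never set in this script
#   (bash provides $HOSTNAME), so the old "${hostname}*" expanded to "*" and
#   pruned every host sharing the repository.  The short host name is used as
#   prefix, which matches whether borg's {hostname} is short or fully qualified.
#   Globals:  REMOTE_USER, REMOTE_HOST, REMOTE_REPO, HOSTNAME (read)
#   Returns:  borg's exit status
rotate_backups() {
    local host=${HOSTNAME:-$(hostname)}

    # Run BorgBackup command to prune archives based on retention policy
    borg prune \
        --verbose \
        --list \
        --glob-archives "${host%%.*}*" \
        --keep-hourly=2 \
        --keep-daily=2 \
        --keep-weekly=2 \
        --keep-monthly=2 \
        "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_REPO}"
}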

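# Install on Host
#   Copies this script into /backup and prints the crontab line that runs it
#   three times a day.  The directory is created mode 700 right away (the
#   script embeds BORG_PASSPHRASE).  When the script already lives in /backup
#   the copy is skipped instead of letting cp fail on copying a file onto itself.
#   Globals:  none (uses $0, the path this script was invoked as)
#   Returns:  status of the last command (cp or cat)
install_myself() {

  # Folder
  local f="/backup"

  # Create Directory (root-only from the start), copy File unless $0 already is that file
  [ -d "$f" ] || mkdir -m 700 -- "$f"
  [ "$0" -ef "${f}/${0##*/}" ] || cp -- "$0" "${f}/"

  # Inform User
  cat << EOF

# to install in Crontab:
crontab -e
5 6,12,18 * * * cd ${f}; $0 backup >> /var/log/borgbackup.log 2>&1

EOF

}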

# Help
#   Prints the usage line to stdout and terminates the script with status 1.
show_help() {
  printf '%s\n' "$0 [ backup | list | rotate | install | restore BACKUPNAME /etc ]"
  exit 1
}


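# Main script
echo "Starting BorgBackup..."

# Check if BorgBackup is installed
if ! command -v borg &> /dev/null; then
    echo "Error: BorgBackup is not installed. Please install BorgBackup."
    exit 1
fi

# Check if parameter is provided
if [ $# -eq 0 ]; then
  show_help
fi

# Perform action based on parameter.
# rv carries the status of the borg action itself: the old "$?" after esac
# only saw the arm's last command (the prune, not the backup) and the script
# then always exited 0, so cron could never tell a failed backup from a good one.
rv=0
case "$1" in
    "backup")
        echo "Performing full backup..."
        # prune only after a successful create: a failed backup must not
        # thin out the old archives while no fresh one exists
        if perform_full_backup; then
            rotate_backups || rv=$?
        else
            rv=$?
        fi
        ;;
    "restore")
        if [ $# -lt 3 ]; then
            echo "Error: Please specify a Backup Set and directory to restore."
            echo "$0 restore BACKUP_SET /FOLDER/TO/RESTORE"
            exit 1
        fi
        echo "Performing restore for directory '$3' on set '$2'"
        perform_restore "$2" "$3" || rv=$?
        ;;
    "list")
        echo "Listing all backups..."
        list_backups || rv=$?
        ;;
    "rotate")
        echo "Rotating backups..."
        rotate_backups || rv=$?
        ;;
    "install")
        echo "Install Scripts"
        install_myself || rv=$?
        ;;
    *)
        show_help
        ;;
esac

# Report the action's status
if [ "$rv" -eq 0 ]; then
    echo "Action completed successfully."
else
    echo "Action failed."
fi

# Finally done: exit with the action's status so cron / the log reflect failures
exit "$rv"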

EOF2
# the script embeds BORG_PASSPHRASE and is run by root's cron: owner-only access
chmod 700 /backup/borg.sh

Execute It

Create Backup

# creates a new archive and then prunes per the retention in rotate_backups
/backup/borg.sh backup

List Backup

# shows the archive names needed for "restore"
/backup/borg.sh list

Restore Folder

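# restore one path from the named archive into /restore (stray trailing quote removed)
/backup/borg.sh restore hostname-date /etc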

Any Comments ?

sha256: 3adc039f17d2b87ef48b8e9d200c53675b430603c048d4879aacb2dabb3ce37f

OpenBSD Bridge

Bridge Interfaces on APU

Let’s assume you have an APU2/3/4 and you want to bridge some of its interfaces, em0/em1/em2

Create Bridge, add Interfaces

# bridge0 spans the L3 interface vether0 and the three physical ports
cat << 'EOF' > /etc/hostname.bridge0
add vether0
add em0
add em1
add em2
up
EOF

Create Interfaces

# The physical members only need to be up; the address lives on vether0
for nic in em0 em1 em2; do
  printf 'up\n' >> "/etc/hostname.${nic}"
done

Create L3 Interface

# L3 side of the bridge: vether0 carries the addresses.
# inet6: -temporary disables temporary (privacy) addresses and -soii disables
# semantically opaque interface identifiers, so the address should stay the
# same across reboots -- fine for an infrastructure box, confirm it is what
# you want on a client (see ifconfig(8)).
cat << 'EOF' > /etc/hostname.vether0
inet  autoconf
inet6 autoconf -temporary -soii
up
EOF

Bring Up all together

# (re)run the network setup so the new hostname.* files take effect
sh /etc/netstart

or simply do a reload

OpenBSD 7.5

OpenBSD 7.5 finally released

The 56th Release of OpenBSD was announced. My Upgrade Script is available here.

Highlights

  • added support for various new hardware, numerous performance improvements and of course security enhancements.
  • IPv6 support in ppp(4)

see the Post on Undeadly for more Details, or the OpenBSD Page

Script

# become root, then fetch the upgrade script plus ".helpers" (presumably sourced by it)
doas su -
cd /root
ftp https://blog.stoege.net/scripts/{.helpers,upgrade_to_75.sh}
# fetched over HTTPS only, no signature check: read both files before running them as root
chmod u+x upgrade_to_75.sh

Execute

do the Upgrade

# runs the upgrade; the page expects a reboot afterwards (see below)
./upgrade_to_75.sh

after the reboot

Upgrade Packages

just run the Script again

PF Basics

Basic Ruleset

  • Full Connectivity v4/v6
  • allow SSH in from RFC1918
  • allow all outgoing
# Backup: keep the current ruleset next to the new one, suffixed with the epoch
cp -- /etc/pf.conf "/etc/pf.conf.bak-$(date '+%s')"

# Paste new Ruleset
# The delimiter is quoted ('EOF'), so nothing in the template is expanded by
# the shell: $lp / $lb are pf macros and reach /etc/pf.conf literally.
# Note: the "lb" macro is defined but no rule below uses it (only $lp).
cat << 'EOF' > /etc/pf.conf

#######################################################################################################################
#
# OpenBSD PF Template
#
#######################################################################################################################

########################
### DEFAULT SETTINGS ###
########################

set block-policy drop
set limit states 100000
set limit table-entries 1000000
set optimization normal
set ruleset-optimization none
set skip on { lo0 enc0  }
set syncookies adaptive (start 25%, end 12%)


########################
### MACROS           ###
########################

# log block
lb  = "log"

# log pass
lp  = "log"


########################
### NORMALIZATION    ###
########################

match inet  scrub (no-df max-mss 1380)
match inet6 scrub (max-mss 1360)


########################
### Block all / uRPF ###
########################

block     log
block in  log quick from urpf-failed label uRPF


############################
### DHCP & IPv6 Stuff    ###
############################

# Allow DHCP
pass      $lp quick inet  proto udp       from  any     port 68   to 255.255.255.255  port 67
pass      $lp quick inet  proto udp       from  any     port 68   to (self)           port 67
pass      $lp quick inet  proto udp       from  (self)  port 67   to any              port 68

# In
pass in   $lp quick inet6 proto ipv6-icmp all                           icmp6-type { unreach toobig neighbrsol neighbradv } keep state

# Out
pass out  $lp quick inet6 proto ipv6-icmp from (self)     to fe80::/10  icmp6-type { echoreq echorep neighbradv neighbrsol routeradv routersol } keep state
pass out  $lp quick inet6 proto ipv6-icmp from (self)     to ff02::/16  icmp6-type { echoreq echorep neighbradv neighbrsol routeradv routersol } keep state

# In
pass in   $lp quick inet6 proto ipv6-icmp from fe80::/10  to fe80::/10  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from fe80::/10  to ff02::/16  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from ff02::/16  to fe80::/10  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from ::         to ff02::/16  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state


############################
### MyTrust for Hosts    ###
############################

# Allow RFC1918
pass in   $lp quick inet  proto tcp   from { 10/8 172.16/12 192.168/16 }             to (self) port 22

# Allow all Out
pass out  $lp quick


#######################################################################################################################
# End
#######################################################################################################################
EOF

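# check & reload: the syntax check must read the same file that is then loaded.
# The old "pf.confad" made "pfctl -n" fail on a missing file, so the && never
# loaded the new ruleset at all.
pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf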

Any Comments ?

sha256: e41b3f0d6bbb5edf23921f2f8bdc7fc83b9ed8676d7e3e62b746af25aae2f30c