2018-09-25

Running pkgsrc on OpenBSD

After a discussion somewhere on teh webs, I decided to dig into the state of PHP 7.1 and PHP 7.2 on OpenBSD. The short version is "we're working on it" (in OpenBSD ports) but there's no ETA. However, being keen on NetBSD's pkgsrc distribution, I knew that they had been cooking up newer versions in their software tree. So I decided to kick the tires.

Pkgsrc is roughly NetBSD's equivalent of the OpenBSD/FreeBSD "Ports" repository; however, significant effort has gone into making it portable. It works in one way or another on the other BSDs, Linux, OS X and even more esoteric platforms like Haiku and Illumos.

Initially, bootstrapping pkgsrc on OpenBSD 6.3-STABLE didn't work. Buried deep in my inbox from the pkgsrc mailing list in April, I found a hint from Sevan Janiyan about some patches that are needed to make it work. The patch below deals with LibreSSL 2.7, which added OpenSSL 1.1-style HMAC_CTX_new()/HMAC_CTX_free(), so libarchive's compatibility shim must be skipped on that version. The other wrinkle is that OpenBSD ships both the clang and gcc compilers in the base distribution on modern hardware, which is why the bootstrap below is told explicitly which compiler to use.

Anyhow, on with the show.

First, check out the pkgsrc repository. You can do it with cvs:

env CVS_RSH=ssh cvs -d anoncvs@anoncvs.NetBSD.org:/cvsroot checkout -P pkgsrc

It's going to churn for a few minutes while it downloads all the files.

When it's done downloading, you can move it to /usr (/usr/pkgsrc) if you want, but I usually just leave the pkgsrc tree in my home directory. Change into the pkgsrc directory:
cd pkgsrc

Make a file called pkgsrc.patch with the following contents:

--- archivers/libarchive/files/libarchive/archive_openssl_hmac_private.h
1 Aug 2017 22:21:17 -0000       1.1.1.2
+++ archivers/libarchive/files/libarchive/archive_openssl_hmac_private.h
5 Apr 2018 20:50:09 -0000
@@ -28,7 +28,8 @@
 #include
 #include

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
+    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
 #include /* malloc, free */
 #include /* memset */
 static inline HMAC_CTX *HMAC_CTX_new(void)
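Review bot: the `#include` lines in this hunk have lost their header names (the angle-bracketed filenames were stripped when the patch was pasted), so `patch -p0` will not find matching context and the hunk will not apply cleanly; restore `<stdlib.h>` on the `/* malloc, free */` line and `<string.h>` on the `/* memset */` line (the two OpenSSL headers at the top of the context need their names back too, though they are not recoverable from what is shown here), and rejoin the `---`/`+++` file headers with the revision and date fragments that wrapped onto the following lines, or drop that trailing text, since patch only needs the file path. The change itself is right: LibreSSL 2.7.0 (`0x2070000fL`) provides its own HMAC_CTX_new()/HMAC_CTX_free(), so leaving the shim enabled there would redefine them, while older LibreSSL and pre-1.1.0 OpenSSL still get the fallback.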

Apply the patch:
patch -p0 < pkgsrc.patch

cd bootstrap

A "privileged" install requires root (via doas or su) and stores everything under /usr/pkg:
doas ./bootstrap --compiler clang

-- OR --

If you wish to bootstrap "unprivileged" without root, the binary packages will be installed in the "pkg" directory under your home dir:
./bootstrap --unprivileged --compiler clang

Then go have a coffee or something. It takes a while.

If it finishes without a screen full of errors, you're almost all the way there:


You'll need to edit your .profile (or .bashrc if you roll that way) to add the pkg/bin directory to your path. In a privileged install, add /usr/pkg/bin and /usr/pkg/sbin to your path. In an unprivileged install, add ~/pkg/bin and ~/pkg/sbin instead.

Adding these paths to the end of the PATH line in the default .profile should work for a privileged pkgsrc install:

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:/usr/pkg/bin:/usr/pkg/sbin

You need that in your path because pkgsrc requires NetBSD's "bmake" in the pkgsrc tree, and bmake is compiled as part of the bootstrap. You can log out and log back in, or just run this command to get bmake into the path of your current shell:

PATH=$PATH:/usr/pkg/bin:/usr/pkg/sbin
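The bootstrap and PATH steps above, wrapped in one script as an added example (this is not from the original post or from pkgsrc itself). It assumes an existing checkout in $PKGSRCDIR (default ~/pkgsrc) containing the pkgsrc.patch file from above, OpenBSD's patch(1) with its -C check mode, and doas for the privileged mode; the script name pkgsrc-bootstrap.sh and the helper function names are my own. Beyond the steps in the text, it refuses to run the bootstrap if the patch would not apply cleanly, verifies that bmake actually landed under the expected prefix, and appends the pkg directories to PATH only when they are not already there, so re-running it (or re-sourcing a .profile built the same way) never grows PATH with duplicates.

```shell
#!/bin/sh
# Added example, not part of the original post or of pkgsrc.
# Usage: sh pkgsrc-bootstrap.sh run [privileged|unprivileged]
# Assumes: OpenBSD patch(1) (-C = check only), doas for privileged mode,
# and a pkgsrc checkout with pkgsrc.patch in $PKGSRCDIR (default ~/pkgsrc).
set -eu

# Where a pkgsrc install lands for the given mode.
pkg_prefix() {
    case "$1" in
        privileged)   echo /usr/pkg ;;
        unprivileged) echo "$HOME/pkg" ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Print $2 (a PATH value) with $1/bin and $1/sbin appended, skipping any
# component that is already present, so the result is stable if applied twice.
with_pkg_path() {
    prefix=$1; path=$2
    for dir in "$prefix/bin" "$prefix/sbin"; do
        case ":$path:" in
            *":$dir:"*) ;;                # already in PATH, leave it alone
            *) path="$path:$dir" ;;
        esac
    done
    echo "$path"
}

# True if a bootstrap produced a usable bmake under prefix $1.
bootstrap_ok() {
    [ -x "$1/bin/bmake" ]
}

# The real procedure; only runs when the script is invoked with "run".
main() {
    mode=${2:-privileged}
    prefix=$(pkg_prefix "$mode")
    cd "${PKGSRCDIR:-$HOME/pkgsrc}"

    # Check first, apply second: set -e aborts here if the hunk would be rejected.
    patch -C -p0 < pkgsrc.patch
    patch -p0 < pkgsrc.patch

    cd bootstrap
    if [ "$mode" = privileged ]; then
        doas ./bootstrap --compiler clang
    else
        ./bootstrap --unprivileged --compiler clang
    fi
    cd ..

    bootstrap_ok "$prefix" || {
        echo "bootstrap finished but $prefix/bin/bmake is missing" >&2
        exit 1
    }
    PATH=$(with_pkg_path "$prefix" "$PATH"); export PATH
    echo "pkgsrc bootstrapped under $prefix; bmake is $(command -v bmake)"
}

if [ "${1:-}" = run ]; then
    main "$@"
fi
```

For a permanent setup, put the output of with_pkg_path (or simply the two directories, as in the .profile line above) in your shell's startup file; the script only fixes PATH for the shell that ran it.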

Let's try building something. It works a lot like ports. It will recursively build any dependencies or libraries that are needed, and install them into the pkg directory before building the application you're trying to compile. I'll start with the latest version of PHP in pkgsrc, PHP 7.2, since that's how this whole journey started. I'm using doas since I did a privileged install.

cd pkgsrc/lang/php72
doas bmake

It compiled.



I'm going to run doas bmake install without running bmake test because pkgsrc isn't the boss of me.



And it all works.

2018-07-12

Wi-Fi on OpenBSD just got a lot easier

... if you're running the latest OpenBSD-CURRENT snapshot, at any rate...

Last night, Reyk Floeter posted this teaser, hinting that phessler@'s work on this feature was inching toward completion.

And it's already in snapshots dated July 12, 2018 and newer. Some mirrors haven't gotten this snapshot yet, as of the time of publication. What this means is that you can load up all of your frequently-used wireless networks into your wifi adapter's /etc/hostname.if file, and it will attempt to auto-join them in the order they're listed. It'll be interesting to see if the installer for OpenBSD 6.4 uses this syntax if you set up a wireless network during the install process.

I like the simplicity of this, versus the complexity of configuring wpa_supplicant, NetworkManager, NetCtl and similar tools. I suspect if you've got only wpa-enabled networks in the list, it should be resistant to most evil twin attacks such as Karma, but I haven't tried that yet.

Documentation of this feature doesn't seem to be covered in the hostname.if or individual wireless driver man pages yet, but the above photo was obvious enough for me to create a working example configuration file for my daily-driver laptop running -CURRENT (on which I'm writing this article).
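As an added example (not the author's configuration file, and not the photo referenced above), this is the join syntax as it shipped in OpenBSD 6.4's hostname.if(5) and ifconfig(8), written for a hypothetical iwm0 with made-up network names and keys:

```conf
# /etc/hostname.iwm0 (example; interface name, SSIDs and keys are constructed)
join home wpakey correct-horse-battery-staple
join office wpakey another-long-passphrase
join coffeeshop
dhcp
```

The two WPA entries require the AP to complete the four-way handshake with the stored passphrase, which a rogue AP that does not know the key cannot do. The open "coffeeshop" entry has no such check: any AP in range advertising that SSID will be joined once none of the WPA networks is available, so open networks belong at the end of the list, or not in it at all on a machine you care about. Keep the file root-owned and mode 0640, as hostname.if(5) recommends, since the passphrases are stored in cleartext.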

It looks like a lot of other good things are coming out of the g2k18 hackathon, including advances on unveil, a simple way to control filesystem-level access on a per-process basis, which Bob Beck presented at BSDCan 2018.

2018-04-23

PHP/MySQL Articles updated for OpenBSD 6.3

No surprises, the existing instructions from OpenBSD 6.1 worked flawlessly for both the httpd and nginx web servers. I just made sure everything still works and updated some version numbers. Once again, I did all of the testing using OpenBSD's built-in vmm hypervisor on my personal laptop, and it did remind me of a few recent changes in vmm's network configuration that I had forgotten about.

2018-04-02

OpenBSD 6.3 Early Release!

OpenBSD 6.3 was slated for release on April 15th, but it's already showing up on mirrors this morning. It looks like the full package tree is available only for the most popular platforms at the moment, but the install sets for all supported architectures are live on the two mirrors I use most frequently (sonic and ftp5). I haven't checked the rest of the mirrors. Elsewhere on the Internet, I saw a number of core developers confirm the release is underway almost two weeks ahead of schedule.

I'm looking forward to using the improved install script ("Please Listen Carefully as Our Menu Options Have Recently Changed") and taking advantage of some iterative improvements to the VMM hypervisor, such as snapshots and the ability to attach ISO images to VMs.


2018-02-07

Bad idea? Let's put a Windows 2000 server on the Internet.

Today, I decided to install Windows 2000 Advanced Server onto my Dell Latitude D610. The laptop itself is a workhorse, if a bit dated. Mostly, I was just curious what would happen if I left it out on the Internet without any service packs or firewall rules* and I live-tweeted it as I did my research.

Here's my twitter thread with just a few additional notes added. pcap and IDS alerts are at the end:







Alright, so my ISP is giving me some firewall rules of their own, probably to stop the spread of EternalBlue exploit bots and WannaCry ransomware. Honestly, I appreciate it, but it's not helping me get pwned.





With that, here are the links to those:
Sanitized pcap (gzip): http://stuff.h-i-r.net/win2k.pcap.gz
Sanitized IDS log: http://stuff.h-i-r.net/win2k-ids-alerts.txt

2018-01-21

Recovering passwords from a Casio graphing calculator

I bought this Casio CFX-9800G calculator in 1995. It's been through everything with me, even, apparently, my college electronics courses (per the "ELEC 120 Progs" thing I found on it):


I bought it because it was about 2/3 the price of the competing TI-81 calculator that was "required" for whatever math class I'd found myself sucked into that semester (I think statistics) and because it was the first calculator I'd ever seen with a color display, even if it was only 3 colors (Orange, green and blue). My math teachers hated anything that wasn't Texas Instruments, because they'd received formal training and supplies from TI. Of course, this extra annoyance was a bit of a pride point for me, and the one kid with his HP 48G.

Now, it sits on my desk at home for calculations that exceed the easy capacity of bc(1) and xcalc. Poking through the program menu, I ran into a few games and helper scripts I've written over the years. Some were password-protected.

It was about this time that I recalled buying the data cable and software. Somehow, I still had the CD on a spindle of old commercial software (among gems like Need For Speed SE, MechWarrior II, and CheckPoint Firewall-1 4.0) and my cable stash is organized enough that it was easy to find in the bucket labeled "Strange proprietary serial cables". One problem: Windows 10 doesn't like 25-year-old Casio software. Rebooting my OpenBSD netbook into Windows 7 Starter Edition (ugh) did the trick, though. Add a USB/Serial dongle, and we're off!

I connect the cable, put the Casio software into "receive" mode, then do a data dump from the calculator itself. Things are looking up! Unfortunately, I can only see that these programs exist on the calculator, I can't do much with them aside from delete them from the archive.


I open the file in Notepad++ for giggles, and I'm pleasantly surprised. This whole catalog is ASCII. And I also found a password I haven't used since the late 90s.