@daemonhorn
daemonhorn / FreeBSD-Dell_7550.md
Last active October 16, 2023 22:24
FreeBSD on Dell Precision 7550 Laptop

Overview

These are my notes from configuring a functional FreeBSD 13/14 (started with 13.1-RELEASE and moved to the stable/14 branch) on my Dell Precision 7550 laptop with a Dell Thunderbolt 3 Dock.

What works out of the box

  1. Installing from the 14-BETA5 release memstick image worked great with UEFI (Secure Boot disabled) and the storage controller set to AHCI (NOT Intel RAID) in BIOS/UEFI setup so the NVMe drives are visible.
  2. The Intel iwlwifi card works with no issues as long as I don't try to change the regulatory domain from the defaults. WPA2 authentication worked as I expected; WPA3 is not there yet in the FreeBSD 802.11 stack.
iwlwifi0@pci0:0:20:3:	class=0x028000 rev=0x00 hdr=0x00 vendor=0x8086 device=0x06f0 subvendor=0x8086 subdevice=0x4070
    vendor     = 'Intel Corporation'
    device     = 'Comet Lake PCH CNVi WiFi'
@daemonhorn
daemonhorn / Windows_FIDO2_Yubikey_SoloKey_Hello_ssh.md
Last active May 19, 2024 11:48
Setting up Yubikey/Solokey(v2)/Windows Hello for OpenSSH via PIV or FIDO authentication on Windows

Overview

This guide covers using both the PIV smartcard and FIDO2 features of your YubiKey, SoloKey (v2), and Windows Hello for SSH authentication in a secure and portable manner. FIDO2 support works with YubiKey, SoloKey (v2), and Windows Hello (biometric: face, biometric: fingerprint, secure element/PIN) with OpenSSH as a relatively new feature that requires updated client and server versions. PIV support has been available through PKCS#11 in the OpenSSH codebase for many years and is considered the more stable and ubiquitous solution when a suitable PKCS#11 library is available for your platform.

Windows Yubikey for ssh via PIV

The example below assumes that you already have a PIV key generated in the YubiKey slot you want to use. If you need to generate a new one, read the excellent documentation here: https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html and https://support.yubico.com/hc/en-us/articles/360021606180-Using-YubiKey-PIV-with-Windows-native-SSH-client

  • This explains basic con
@daemonhorn
daemonhorn / freebsd_yubikey_authentication.md
Last active May 29, 2024 18:03
Setting up yubikey/solo2 for piv, fido, and gpg on FreeBSD (Firefox, Chromium, PAM, SSH, and GnuPG)

Overview

How to configure FreeBSD and the applicable applications to work with a YubiKey for authentication. This serves as my work-in-progress documentation of the configuration knobs needed to make this work properly.

  • FreeBSD ssh with piv smartcard slot on Yubikey (pkcs11 via libykcs11.so)
  • FreeBSD ssh with fido support on Yubikey
  • FreeBSD Firefox/Chromium with fido + webauthn support on Yubikey
  • FreeBSD local console and gdm authentication using pam on Yubikey
  • FreeBSD official YubiKey tools

Latest Tested FreeBSD versions

  • FreeBSD 13.2 Testing (Aug 2023)
  • FreeBSD stable/13 Testing (Aug 2023) with OpenSSH_9.3p2
@daemonhorn
daemonhorn / patch-prefixconf.c
Last active January 2, 2023 15:24
PfSense patch to wide-dhcp6 client to support IA_NA on IA_PD interface. This is a temporary workaround for FIOS IPv6 router.
--- prefixconf.c.orig 2017-02-28 19:06:15.000000000 +0000
+++ prefixconf.c 2022-02-13 19:16:41.144605000 +0000
@@ -201,20 +201,6 @@
if (sp->prefix.vltime != 0 && spcreate) {
for (pif = TAILQ_FIRST(iac_pd->pifc_head); pif;
pif = TAILQ_NEXT(pif, link)) {
- /*
- * The requesting router MUST NOT assign any delegated
- * prefixes or subnets from the delegated prefix(es) to
- * the link through which it received the DHCP message
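Review bot: the visible part of this hunk deletes, unconditionally, the comment explaining that the requesting router MUST NOT assign delegated prefixes to the link the DHCP message arrived on (the hunk header shows 14 lines removed, so the enforcing code goes with it). Since the description calls this a temporary workaround for one ISP router, consider gating the removed check behind a configuration option instead of deleting it, and leave a comment noting the deliberate deviation so the behaviour is not silently lost on the next upstream merge.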
@daemonhorn
daemonhorn / .tcshrc
Created January 2, 2021 16:48
tmux and powerline configs
# $FreeBSD: releng/12.0/share/skel/dot.cshrc 337497 2018-08-08 19:24:20Z asomers $
#
# .cshrc - csh resource script, read at beginning of execution by each shell
#
# see also csh(1), environ(7).
# more examples available at /usr/share/examples/csh/
#
alias h history 25
alias j jobs -l
@daemonhorn
daemonhorn / country.sh
Created January 2, 2021 16:30
Country block ipfw script
#!/bin/sh
# See ipdeny.com for listings of possible country codes
# Read the ipfw man page for details on ipfw rulesets (ipfw set)
# This is just an example shell script for downloading, and blocking country specific ip address ranges
# Please customize for actual needs as required.
# Command line error checking
# Quote "$1" so an empty or missing argument is handled correctly instead of producing a test(1) syntax error
[ -z "$1" ] && printf "Error: Please enter valid country code from ipdeny.com\n Example: %s cn 10\nThis will block all China addresses on ruleset 10\n" "$(basename "$0")" && exit 1
@daemonhorn
daemonhorn / rc.firewall
Created December 31, 2020 18:02
rc.firewall with added ipv6 features - freebsd
#!/bin/sh -
# Copyright (c) 1996 Poul-Henning Kamp
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
@daemonhorn
daemonhorn / yubikey_putty_wincrypt_readme.txt
Last active March 19, 2020 06:36
Yubikey with Putty WinCrypt (PIV) for SSH
Notes:
0) WinCryptSSHAgent - https://github.com/buptczq/WinCryptSSHAgent
* Supports every Windows client interface needed for most applications (pageant/auth_sock/securecrt)
* This interface just selects "all" certificates that it believes are applicable
* At auth time, pin will be requested from windows wincrypt api as needed
* Notifications when PIV certificates are being used (even with downstream ssh agent passthrough if enabled, nice!)
1) Putty Wincrypt - https://github.com/ufrisk/puttywincrypt
* Supports RSA 1024/2048 Keys generated by Yubikey manager
* Will support Yubikey with both USB and NFC interface (with appropriate NFC reader)