hubertf's NetBSD Blog
Send interesting links to hubert at feyrer dot de!
[20070816] Network auto-detection scripts
Some time ago I had to redo the network auto-detection scripts on my laptop when the harddisk crashed and I had no backup. Here's an attempt at documenting things.

The picture: My laptop has an ethernet and a wireless card, tlp0 and ath0. Ethernet can be plugged in at times, and should have precedence over wireless -- this is mostly to prevent a wifi network bouncing up and down interrupting operating via the cable. Wireless can be configured in several ways, including no security, WEP or WPA.

The machine should try to find network when waking up from APM, when ethernet is plugged in, or when a wireless network is found (using whatever SSID).

The idea is to use wpa_supplicant(8) to detect wifi networks and mark the ath0 interface as "connected". NetBSD's ifwatchd(8) is used to detect if either ethernet or wifi is "connected" or disconnected when the machine's either running, or returning from sleep. A shell script then runs dhcp and does assorted setup and cleanup.

The main engine in this setup is ifwatchd(8), which basically handles all the work that's either induced by kicking wpa_supplicant(8) via APM, wpa_supplicant(8) finding a working wifi network, or by plugging in/out an ethernet cable.

The configuration:

  1. /etc/rc.conf:
    wpa_supplicant_flags="-B -iath0 -c/root/wpa.conf"
    ifwatchd_flags="-c /root/ifwatch-up -n /root/ifwatch-down tlp0 ath0" 

  2. WPA supplicant config: /root/wpa.conf

    Here's a sample config file for wpa_supplicant(8) that I use for University, home and another place. Note that the WPA in there is a bit more complex than in a home-setup with just a pre-shared key (PSK):

    % cat /root/wpa.conf
    # WPA-enabled network with identities 
    # (used at and
    # An unencrypted (open) network:
    # A WEP-encrypted network with pre-shared key:

  3. Watching interfaces: /root/ifwatch-updown

    ifwatchd(8) can't pass parameters, so I'm using two different scripts, and then look at $0 to see if we're going up or down:

    % ls -la /root/ifwatch-*
    lrwxr-xr-x  1 root  wheel   14 Mar 10 12:27 /root/ifwatch-down -> ifwatch-updown
    lrwxr-xr-x  1 root  wheel   14 Mar 10 12:27 /root/ifwatch-up -> ifwatch-updown
    -rwxr-xr-x  1 root  wheel  760 Aug 16 11:45 /root/ifwatch-updown
    Here is the script that handles ethernet and wifi networks going up and down:

    % cat /root/ifwatch-updown
    # See if network is going up or down, to be called via ifwatchd(8)
    # Copyright (c) 2007 Hubert Feyrer <>
    # All rights reserved.
    case $0 in
            case $1 in
                    # Disable wireless bouncing up and down if we're on wire
                    logger stopping wpa_supplicant
                    sh /etc/rc.d/wpa_supplicant stop
            pkill dhclient
            sh /etc/rc.d/network restart
            dhclient $1
            sh /etc/rc.d/ntpd restart
            case $1 in
                    # Re-enable wireless if we go off-wire
                    logger starting wpa_supplicant
                    sh /etc/rc.d/wpa_supplicant start
            pkill -x ssh
            sh /etc/rc.d/ntpd stop
            pkill dhclient
            sh /etc/rc.d/network stop
            route delete
            logger "$0 $@": unknown 
    logger "$0 $@" done.
    echo ^G >/dev/console

    A few comments:

    • As the comment says, if the ethernet interface (tlp) is found to be connected, wpa_supplicant(8) is stopped to prevent it from bouncing up and down and possibly disrupt things.
    • I stop the network at every time, to flush routes and everything. This mostly works, but not completely, thus I remove one route manually. Someone please fix "route flush"...
    • I use NTP, and to prevent ntpd(8) from spamming the logs when offline, I disable it when offline.
    • When network goes away, I kill my ssh sessions. I prefer this over dead sessions that I have to kill with ~.
    • The echo-command in the last line sends a beep with ^G to give a signal that network's up/down now.

  4. APM setup:

    During my experiments, wpa_supplicant(8) died during suspend/resume, I thus stop it before suspending, and start after resuming. This may also have positive effects on power consumption (if not it should probably be hooked in here). My machine uses APM, and I mostly use /usr/share/examples/apm/script, see that file for install instructions.

    Here's the diff that I use to handle wpa_supplicant - dhclient is restarted via ifwatchd:

    % diff -u /usr/share/examples/apm/script /etc/apm/battery
    --- /usr/share/examples/apm/script      2003-03-11 15:56:54.000000000 +0100
    +++ /etc/apm/battery    2007-03-10 12:57:21.000000000 +0100
    @@ -25,7 +25,7 @@
     # What my network card's recognized as:
     LOGGER='logger -t apm'
    @@ -43,8 +43,11 @@
            # In case some NFS mounts still exist - we don't want them to hang:
            umount -a    -t nfs
            umount -a -f -t nfs
    -       ifconfig $if down
    -       sh /etc/rc.d/dhclient stop
    +       sh /etc/rc.d/wpa_supplicant stop
    +       cd /usr/tmp ; make off
            $LOGGER 'Suspending done.'
    @@ -62,7 +65,9 @@
            $LOGGER 'Resuming...'
            noise $S/KDE_Startup.wav
    -       sh /etc/rc.d/dhclient start
    +       sh /etc/rc.d/wpa_supplicant start
            # mount /home
            # mount /data
            $LOGGER 'Resuming done.'

    The "make off" when shutting down the machine unmounts the cgf-encrypted data partition that I'm using for SSH and PGP keys. I manually mount it when I need it again.

With these four steps -- rc.conf, wpa.conf, ifwatch-script, and APM script -- things should be in place to auto-detect cable and wifi networks, and get things online.

The future -- more work on this would include adding ACPI/powerd(8) scripts, and putting all of this either into the default NetBSD install, or at least into NetBSD's /usr/share/examples.

[Tags: , , , , , , ]

[20070105] Article: Verschluesselte Dateisysteme fuer NetBSD
The December 2006 issue of UpTime, the magazine of the German Unix User Group (GUUG) has an article by Stefan Schumacher titled ``Verschlüsselte Dateisysteme für NetBSD'' (encrypted file systems with NetBSD).

The german-language article introduces two ways to implement encrypted file systems under NetBSD. CGD is a NetBSD-specific solution which works on the disk-block layer, the other one is CFS, which uses the NFS server interface and works under BSD, Linux and Solaris. Thus, CFS can be used in heterogenous networks and on changable media to exchange data.

[Tags: , , , ]

[20060823] CryptoGraphicFile (CGF), or how to keep sensitive data on your laptop (Updated)
OK, a friend of mine blogged the other day about setting up encrypted disk on FreeBSD, which reminded me of this thing I'm using on my laptop to carry sensitive things like SSH keys, my address database etc. which I've come up with I went to the USA for a few months last year.

After reading the CGD chapter of the NetBSD Guide I had a rough idea on how to do the whole thing on a disk partition, but I wanted to keep everything in a file so I would not have to re-partition my laptop. Ignoring the Guide's warning that cgd(4) on vnd(4) doesn't work (and proving it wrong, for me :-), I've used vnd(4) happily since for the task.

Below, I'll outline the tasks for

  1. setting up my "CryptoGraphicFile" (CGF) using cgd-in-vnd,
  2. what to do to use the data
  3. what to do to stash things away again

1) Setting up my CryptoGraphicFile (CGF)

  1. Decide on a place for the actual data and the amount of data you want to protect. "du -sm ~/.ssh ~/.gnupg" tells me that 10MB is plenty, and I'll use these values here.
         # base=$HOME/S
         # size=10 
    Also, the (decrypted) data will be mounted on /secure.

  2. The first step of creating a $size MB big file and making it accessible as vnd(4) device is pretty easy:
         # dd if=/dev/zero of=$base bs=1m count=$size
         10+0 records in
         10+0 records out
         10485760 bytes transferred in 0.479 secs (21890939 bytes/sec)
         # chmod go-rwx $base
         # vnconfig vnd0 $base
  3. Next we create a parameter file for cgd(4). We use AES encryption with 256 bit:
         # cgdconfig -g -V disklabel -o $base.cgd aes-cbc 256
    If this step fails with
         cgdconfig: could not calibrate pkcs5_pbkdf2
         cgdconfig: Failed to generate defaults for keygen 
    make sure that you have enough bits of entropy available for /dev/random. Just open up an xterm and run something like "ls -lR /" in it.

  4. Next, the disk can be configured and newfs'd. This is the step where the password for the CGF is set, and you'd better not forget this:
         # cgdconfig -V re-enter cgd0 /dev/vnd0a $base.cgd
         /dev/vnd0a's passphrase:
         re-enter device's passphrase:
         # newfs /dev/cgd0a
         /dev/cgd0a: 10.0MB (20480 sectors) block size 4096, fragment size 512
    	     using 4 cylinder groups of 2.50MB, 640 blks, 1184 inodes.
         super-block backups (for fsck_ffs -b #) at:
    	 32,  5152, 10272, 15392,
  5. Now the CGF can be mounted:
         # mount /dev/cgd0a /secure
         # df -h /secure
         Filesystem    Size      Used     Avail Capacity  Mounted on
         /dev/cgd0a    9.4M     512B      8.9M     0%    /secure
         # ls /secure
  6. Of course there's nothing on the newly created CGF. Let's undo things for the first-time configuration to finish our first step:
         # umount /secure
         # cgdconfig -u cgd0
         # vnconfig -u vnd0
    If you get a "Filesystem busy" in the first step, remember to "cd /". :)

We have created a filesystem inside a disk-file in $HOME/S in this step. The file is protected by a password which needs to be entered when used. Security of the data in that filesystem depends on this password alone, e.g. if this is on your laptop and the laptop's stolen, so make sure you use something non-trivial!

2) Using the encrypted data

After we have created a secure filesystem inside a file in $HOME/S now, we can configure it for using with the following steps:

     # base=$HOME/S
     # vnconfig vnd0 $base
     # cgdconfig -V none cgd0 /dev/vnd0a $base.cgd
     # fsck -p /dev/cgd0a
     # mount /dev/cgd0a /secure
The cgdconfig-command above will ask for the password. Be sure to enter the same one that you gave it during the steps above!

After these steps, /secure is accessible again, and will be so until you shutdown the system or unconfigure it as shown below.

Before repeating how to unconfigure the CGF, the disk should probably be populated with a few precious files. To still make the files accessible in a transparent way (when /secure is mounted!), symlinks can be used. E.g the following will put an especially precious SSH key onto this secure file:

     # mv ~feyrer/.ssh/important_key /secure
     # ln -s /secure/important_key ~feyrer/.ssh
With appropriate SSH configuration, I will be able to use that key only when /secure is mounted. If it's not: bad luck. (Of course this whole example is somewhat artificial as you could just trust your key to a proper passphrase as well, but well :).

Other examples I've used this with is are PGP keys, my private addres database, calendar and some other files I prefer to have near me when traveling.

3) What to do to stash things away again

To make things safe again, either shutdown the system, or run these steps:

     # umount /secure
     # cgdconfig -u cgd0
     # vnconfig -u vnd0
Of course the steps to configure/unconfigure the CGF can be put into shell scripts (which I've done; I should probably make a package out of this...) for easy automation.

One such place where the above commands can be very handy is when suspending a laptop via APM: Place them into /etc/apm/suspend, and you won't have to worry about your files when your laptop is in suspended state. When you need your secured files again, a script with the commands noted under 2) can be run.

I'm using this setup on my laptop, and I'm quite happy with things that way. Maybe you will be, too!

Update: Curt Sampson wrote me about a nice way to lock the machine in case someon un-suspends it: simply run xlock *on suspend*. When X is started in a way that it won't get back to the shell upon ctrl-alt-backspace, this won't allow access to any file in case the machine gets stolen.

One other precaution that could be taken is to use encrypted swap, to prevent sensitive data getting into swap, and a mallicious hacker getting it from there after taking the disk out of the machine. A good hint, from someone (name forgotten) on #NetBSD.

[Tags: , , , ]

[20051004] Big numbers 2: cgd-on-vnd results (not only) on Xen
Johnny Lam was wondering what the best cgd algorithm was to protect his Xen "user" domains from being read from the Xen "domain0" master domain. As such, he configured CGD to use various algorithms and measured their read and write speed in relation to filesystem block sizes. See his posting to port-xen for some interesting numbers on what algorithm to use or avoid.

[Tags: , ]

[20050510] NetBSD CGD Setup
Here is another page describing a very brief setup of NetBSD's cryptographic disk driver (cgd). Nice: Contains a list of other information, including this article, the NetBSD guide's CGD chapter and Roland Cowdeswell and John Ioannidis' original CGD paper.

[Tags: , , ]

Tags: , 2bsd, 34c3, 3com, 501c3, 64bit, acl, acls, acm, acorn, acpi, acpitz, adobe, adsense, advocacy, Advocacy, advogato, aes, afs, aiglx, aio, airport, alereon, alex, alix, alpha, altq, am64t, amazon, amd64, anatomy, ansible, apache, apm, apple, arkeia, arla, arm, art, Article, Articles, ascii, asiabsdcon, aslr, asterisk, asus, atf, ath, atheros, atmel, audio, audiocodes, autoconf, avocent, avr32, aws, axigen, azure, backup, balloon, banners, basename, bash, bc, beaglebone, benchmark, bigip, bind, blackmouse, bldgblog, blog, blogs, blosxom, bluetooth, board, bonjour, books, boot, boot-z, bootprops, bozohttpd, bs2000, bsd, bsdca, bsdcan, bsdcertification, bsdcg, bsdforen, bsdfreak, bsdmac, bsdmagazine, bsdnexus, bsdnow, bsdstats, bsdtalk, bsdtracker, bug,, busybox, buttons, bzip, c-jump, c99, cafepress, calendar, callweaver, camera, can, candy, capabilities, card, carp, cars, cauldron, ccc, ccd, cd, cddl, cdrom, cdrtools, cebit, centrino, cephes, cert, certification, cfs, cgd, cgf, checkpointing, china, christos, cisco, cloud, clt, cobalt, coccinelle, codian, colossus, common-criteria, community, compat, compiz, compsci, concept04, config, console, contest, copyright, core, cortina, coverity, cpu, cradlepoint, cray, crosscompile, crunchgen, cryptography, csh, cu, cuneiform, curses, curtain, cuwin, cvs, cvs-digest, cvsup, cygwin, daemon, daemonforums, daimer, danger, darwin, data, date, dd, debian, debugging, dell, desktop, devd, devfs, devotionalia, df, dfd_keeper, dhcp, dhcpcd, dhcpd, dhs, diezeit, digest, digests, dilbert, dirhash, disklabel, distcc, dmesg, Docs, Documentation, donations, draco, dracopkg, dragonflybsd, dreamcast, dri, driver, drivers, drm, dsl, dst, dtrace, dvb, ec2, eclipse, eeepc, eeepca, ehci, ehsm, eifel, elf, em64t, Embedded, embedded, emips, emulate, encoding, envsys, eol, espresso, etcupdate, etherip, euca2ools, eucalyptus, eurobsdcon, eurosys, Events, exascale, ext3, f5, facebook, falken, fan, faq, fatbinary, features, fefe, ffs, filesystem, fileysstem, firefox, firewire, fireworks, flag, flash, flashsucks, flickr, flyer, fmslabs, force10, fortunes, fosdem, fpga, freebsd, freedarwin, freescale, freex, freshbsd, friendlyAam, friendlyarm, fritzbox, froscamp, fsck, fss, fstat, ftp, ftpd, fujitsu, fun, fundraising, funds, funny, fuse, fusion, g4u, g5, galaxy, games, gcc, gdb, gentoo, geode, getty, gimstix, git, gnome, google, google-soc, googlecomputeengine, gpio, gpl, gprs, gracetech, gre, groff, groupwise, growfs, grub, gumstix, guug, gzip, hackathon, hackbench, hal, hanoi, happabsd, hardware, Hardware, haze, hdaudio, heat, heimdal, hf6to4, hfblog, hfs, history, hosting, hotplug, hp, hp700, hpcarm, hpcsh, hpux, html, httpd, hubertf, hurd, i18n, i386, i386pkg, ia64, ian, ibm, ids, ieee, ifwatchd, igd, iij, image, images, imx233, imx7, information, init, initrd, install, intel, interix, internet2, interview, interviews, io, ioccc, iostat, ipbt, ipfilter, ipmi, ipplug, ipsec, ipv6, irbsd, irc, irix, iscsi, isdn, iso, isp, itojun, jail, jails, japanese, java, javascript, jetson, jibbed, jihbed, jobs, jokes, journaling, kame, kauth, kde, kerberos, kergis, kernel, keyboardcolemak, kirkwood, kitt, kmod, kolab, kvm, kylin, l10n, landisk, laptop, laptops, law,, ldap, lehmanns, lenovo, lfs, libc, license, licensing, linkedin, links, linksys, linux, linuxtag, live-cd, lkm, localtime, locate.updatedb, logfile, logging, logo, logos, lom, lte, lvm, m68k, macmini, macppc, macromedia, magicmouse, mahesha, mail, makefs, malo, mame, manpages, marvell, matlab, maus, max3232, mbr95, mbuf, mca, mdns, mediant, mediapack, meetbsd, mercedesbenz, mercurial, mesh, meshcube, mfs, mhonarc, microkernel, microsoft, midi, mini2440, miniroot, minix, mips, mirbsd, missile, mit, mixer, mobile-ip, modula3, modules, money, mouse, mp3, mpls, mprotect, mtftp, mult, multics, multilib, multimedia, music, mysql, named, nas, nasa, nat, ncode, ncq, ndis, nec, nemo, neo1973, netbook, netboot, netbsd,, nethack, nethence, netksb, netstat, netwalker, networking, neutrino, nforce, nfs, nis, npf, npwr, nroff, nslu2, nspluginwrapper, ntfs-3f, ntp, nullfs, numa, nvi, nvidia, nycbsdcon, office, ofppc, ohloh, olimex, olinuxino, olpc, onetbsd, openat, openbgpd, openblocks, openbsd, opencrypto, opendarwin, opengrok, openmoko, openoffice, openpam, openrisk, opensolaris, openssl, or1k, oracle, oreilly, oscon, osf1, osjb, paas, packages, pad, pae, pam, pan, panasonic, parallels, pascal, patch, patents, pax, paypal, pc532, pc98, pcc, pci, pdf, pegasos, penguin, performance, pexpect, pf, pfsync, pgx32, php, pie, pike, pinderkent, pkg_install, pkg_select, pkgin, pkglint, pkgmanager, pkgsrc,, pkgsrcCon, pkgsrccon, Platforms, plathome, pleiades, pocketsan, podcast, pofacs, politics, polls, polybsd, portability, posix, postinstall, power3, powernow, powerpc, powerpf, pppoe, precedence, preemption, prep, presentations, prezi, Products, products, proplib, protectdrive, proxy, ps, ps3, psp, psrset, pthread, ptp, ptyfs, Publications, puffs, puredarwin, pxe, qemu, qnx, qos, qt, quality-management, quine, quote, quotes, r-project, ra5370, radio, radiotap, raid, raidframe, rants, raptor, raq, raspberrypi, rc.d, readahead, realtime, record, refuse, reiserfs, Release, releases, Releases, releng, reports, resize, restore, ricoh, rijndael, rip, riscos, rng, roadmap, robopkg, robot, robots, roff, rootserver, rotfl, rox, rs323, rs6k, rss, ruby, rump, rzip, sa, safenet, san, sata, savin, sbsd, scampi, scheduler, scheduling, schmonz, sco, screen, script, sdf, sdtemp, secmodel, security, Security, sed, segvguard, seil, sendmail, serial, serveraptor, sfu, sge, sgi, sgimips, sh, sha2, shark, sharp, shisa, shutdown, sidekick, size, slackware, slashdot, slides, slit, smbus, smp, sockstat, soekris, softdep, softlayer, software, solaris, sony, sound, source, source-changes, spanish, sparc, sparc64, spider, spreadshirt, spz, squid, ssh, sshfs, ssp, statistics, stereostream, stickers, storage, stty, studybsd, subfile, sudbury, sudo, summit, sun, sun2, sun3, sunfire, sunpci, support, sus, suse, sushi, susv3, svn, swcrypto, symlinks, sysbench, sysctl, sysinst, sysjail, syslog, syspkg, systat, systrace, sysupdate, t-shirt, tabs, talks, tanenbaum, tape, tcp, tcp/ip, tcpdrop, tcpmux, tcsh, teamasa, tegra, teredo, termcap, terminfo, testdrive, testing, tetris, tex, TeXlive, thecus, theopengroup, thin-client, thinkgeek, thorpej, threads, time, time_t, timecounters, tip, tk1, tme, tmp, tmpfs, tnf, toaster, todo, toolchain, top, torvalds, toshiba, touchpanel, training, translation, tso, tty, ttyrec, tulip, tun, tuning, uboot, ucom, udf, ufs, ukfs, ums, unetbootin, unicos, unix, updating, upnp, uptime, usb, usenix, useradd, userconf, userfriendly, usermode, usl, utc, utf8, uucp, uvc, uvm, valgrind, vax, vcfe, vcr, veriexec, vesa, video, videos, virtex, virtualization, vm, vmware, vnd, vobb, voip, voltalinux, vpn, vpnc, vulab, w-zero3, wallpaper, wapbl, wargames, wasabi, webcam, webfwlog, wedges, wgt624v3, wiki, willcom, wimax, window, windows, winmodem, wireless, wizd, wlan, wordle, wpa, wscons, wstablet, X,, x11, x2apic, xbox, xcast, xen, Xen, xfree, xfs, xgalaxy, xilinx, xkcd, xlockmore, xmms, xmp, xorg, xscale, youos, youtube, zaurus, zdump, zfs, zlib

'nuff. Grab the RSS-feed, index, or go back to my regular NetBSD page

Disclaimer: All opinion expressed here is purely my own. No responsibility is taken for anything.

Access count: 35494782
Copyright (c) Hubert Feyrer