Slashdot Mirror


OpenBSD Interview: Strengths, Tradeoffs And Plans

Duke of URL writes: "Boardwatch interviewed OpenBSD contributor Louis Bertrand. It's an excellent article about OpenBSD's niche and mission. They discussed the continued code audit, OpenSSH, and future version plans, including SMP development, ports rework, and continued integration of IPv6. Journalist Jeffrey Carl does a good job of pointing out OpenBSD's strengths and tradeoffs."

161 comments

  1. personality conflicts by Anonymous Coward · · Score: 1

    FreeBSD is in very deep trouble. And while FreeBSD is beset with its own internal strife, it is not the only BSD to be affected by this cancer.

    I read all of the T. Deraadt email thread when I first looked at OpenBSD, and my initial impression was that Theo had a real baaaaadddd attitude. I do know for a fact that a lot of the NetBSD folks were upset to see him leave and fork off his own version of the OS, and to lose him as a developer. But in reading his email he obviously has a problem with taking any criticism, and had no problem with jumping down someone's throat with a flamethrower and foul language. Denial, it's not just a river in Egypt...

    Not that I wouldn't use the OpenBSD or any operating system that met my technical needs, whatever the personality of the people involved. I've dealt with enough bad attitudes from commercial OS vendors in all my years in the industry to be able to deal with it if I had to. It just seems that BSD has an extra heaping helping of bad attitudes that make commercial vendors look like pikers.

    If you *really* read that email thread you would see the attitude loud and clear. "We do not think that it helps anything for you to tell someone he's a fu*khead when he's posting a message trying to help with the OS development." "FU*K YOU, *I* want control of the source and if you don't like it I'll fork my own off!"

    That's my impression of it. Theo sounded like an immature little upset kid to me. The development of any of the O.S. OS's is a group effort, and having one person think they have all the answers and have to be the one in control is dead wrong. So Theo now *has* control of his own fork of BSD, and lost the ability to maintain many of the various platform ports because he has no developers. Thus, the OpenBSD page says that for a VAX port, for instance, "support can be easily ported over from NetBSD". Why all these problems are so prevalent under FreeBSD/OpenBSD/NetBSD remains something of a mystery. These systems seem to be self selective in their attraction to weirdos and big egos.

    The split had nothing to do with the quality of his coding work but everything to do with his very nasty attitude towards people... and NOT just the people of NetBSD Core, but other people who were just civilians trying to help out, or looking for help. No wonder BSD is losing.

    1. Re:personality conflicts by NovaX · · Score: 1

      Well, if you weren't taking a spin on things in an effort to attack BSD as a whole, you might not have posted anonymously. In fact, as I recall from reading the archives, Theo did have some right to be angry. His temper is known quite well, and after the recent 'NetBSD blocking OpenBSD mail' junk a month or so ago, it's pretty obvious he hasn't changed.

      Now, Theo asked for months for core membership again, and waited after being told over and over again everything would be sorted out shortly. You also must remember he didn't apologize not only out of hubris, but because the person in question spammed him. This was unknown when he was removed from core, and came to light afterwards. Theo should have been allowed to continue on core, or at least should not have been left hanging. If you DID read the archive, then you'd see that (it seems) only one member had a grudge against Theo enough to screw around with him. His attitude was a problem, but no one denies Theo is a marvelous hacker.

      NetBSD folks wanted him to stay, and wanted the political bullshit to end, and repeatedly chimed in that while Theo needed to calm down, his contributions were more than enough to warrant tolerance. They wanted him back! And many wanted the code he developed over the 3 month leave, which Theo kept to himself. This was out of pride, and surely as an incentive to get things back together. When OpenBSD was released, this code was out for the NetBSD folks to grab and use. BSD allows pollination, and really this is a great benefit.

      So, the guy Theo flamed was an ass, and by going under the BSDL Theo did not restrict his code. He forked because he cofounded NetBSD, and his passion/ego was great enough he had to be in the top ranks. And heck, his ego is deserved after all.

      Theo has less control than Linus of his fork of NetBSD, because no one makes him some god. Now that is immature. And Linus has said the GNU model basically forces this (read OpenSources, appendix). His ego is from brats telling him how leet he is. Linus deserves a lot of what came about, but his hack of UNIX is a far cry from staying in form. Of course, he switches this as saying the other forms must have been archaic, which generally seems more of an excuse than anything else.

      I won't even bother with the VAX bit because that's just so dumb on your part...

      The split happened due to Theo's relationship with a core member, due to his attitude. No one has ever said otherwise, and Theo has a well deserved reputation. Personally, I respect Theo and Jordan Hubbard, among other developers on their core team, far more than Linux developers. That's due to their design models, their skill, and their passion. I think people accept Linux's faults like they do Microsoft's, i.e. for the latter, 'it's ok to reboot at least once a day.' Of course, I think Microsoft gets too much flame for bs made up by people who know jackshit.. but I'm sure Linux gets the same. Heck.. I may be one of them.

      All in all, take everything anyone says with a grain of salt. And BSD isn't losing, or else no one would ever talk about it. Media is up. Who ever said we must live in a single OS (and OS design) world? Personally, the more ideas that come into the world, the better. The better usually bubblesort themselves to the top. The best doesn't always win, but one better than the old does.

      --

      "Open Source?" - Press any key to continue
    2. Re:personality conflicts by edhall · · Score: 2

      You posted this same article four times. Yet no matter how many times you say "FreeBSD is in very deep trouble," you say absolutely nothing to support that claim. In fact, the FreeBSD team seems in better shape than it has been in ages, and their latest release, 4.0, shows it. The NetBSD and OpenBSD groups both show more life and vigor than they have in a long time.

      It's all a bit like a dog who keeps returning to sniff his own vomit--both your SPAM-posting and this obsessive need you, like some others, seem to have to keep revisiting the whole Theo flame-fest. The whole incident is long in the past, but you just have to keep coming back to sniff at it. (Alas, this same behavior is shared by some of the BSD folks--including some of the participants--but fortunately many of them have been able to turn their differences into a positive force, creating useful technical distinctions and not just meaningless personal ones.)

      I suspect that your real motivation is contained in your need to see BSD as somehow "losing." Losing what? This is free software. OpenBSD, FreeBSD, and NetBSD aren't companies who must maintain market-share or go under--nor is Linux, for that matter. They aren't sports teams or rock bands. They don't need to cannibalize each other's user base to survive. They are all developed by teams that are actually quite a bit more stable and harmonious than most commercial software development teams (where the average developer lasts a bit over a year). They really don't need cheering sections, especially ones composed of gossips nattering away like old ladies over personalities.

      -Ed
    3. Re:personality conflicts by edhall · · Score: 2

      BSDI is an interesting case, given that they've just had a little encounter with the Open-Source freight train. Although I know it rankles many BSDI fans to hear it, I'm sure that more than one customer has been asking themselves why they should pay thousands of dollars for BSD/OS (or whatever BSDI is calling it these days) when they can get FreeBSD/NetBSD/OpenBSD for free? Well, they are now beginning the process of merging their system with FreeBSD and changing their business model to something more along the lines of a Red Hat. But even then, the fortunes and misfortunes of BSDI are only peripherally related to the success of BSD in general.

      The general trends are positive ones. Not only is there the BSDI/FreeBSD latchup, but sharing among the three free BSD's has been increasing, and although it might be a little while before it's reflected in marketing surveys, interest in BSD is on the rise (in part because of the Linux explosion, and in part because of the success of BSD users such as Yahoo!).

      Things might be grim in your little neck of the woods. But they look pretty bright in mine.

      -Ed
  2. I Don't Use Canadian Software by Anonymous Coward · · Score: 1

    I only use good ol' American software like Linux. Yeah, yeah, I know Linus was from Finland, but he's one of us now. Also, Alan Cox is a Brit and they want to be us so damn bad you can almost count him as an American too.

  3. Re:OpenBSD goes overboard by Anonymous Coward · · Score: 1

    By default, any other Unix out there cannot even connect to an OpenBSD box, b/c ssh isn't standard. FTP? HA! This is lack of functionality.

    OpenBSD used to have telnetd and ftpd enabled by default. There is no security problem with that since the daemons have been audited. However, with the integration of OpenSSH, OpenBSD errs on the side of caution. There have been no known remote exploits for OpenBSD in the last few years. As administrator, enabling ftpd is rather easy, if that service is required. There is no real necessity for telnetd any longer.

    On the other hand, a friend just told me how his Linux machine got rooted in seconds after he started his ftpd. Maybe having a cable modem can be a problem.

    Additionally, ssh is a standard and already very popular. In the future, I expect to see the number of ssh users grow even more. OpenSSH being free will help achieve that.

    OpenBSD is right on the point where security is considered.

  4. Re:OpenBSD goes overboard by Anonymous Coward · · Score: 1

    Given the number of Linux hacks posted to Bugtraq and floating around, I disagree. Ironically, in some ways, it's not paranoid enough, but that's another matter and one more affiliated with religion than rationale.

    For the normal, competent user who has used BSD systems in the past, such as SunOS, and even a decently competent linux user who reads man pages, does a little research, and doesn't mind spending time (unlike you), OpenBSD is fun to work with. And you can do real work on it without worrying about reading bugtraq every evening.

    I don't know where you get off saying it's completely unworkable. SQL? Available without a single hitch. Netscape? Ditto. Samba? There. Drivers? There. USB? There. SCSI support? There. Linux emulation? There. POSIX compliance? Integrated soon. SSH? There and free.

    What the *hell* isn't there that you really use as a "normal" user?

    If OpenBSD goes overboard, what is underboard? Linux? FreeBSD? CERT is lame and even they have posted holes in the past year for both platforms. I CANNOT do work if I don't believe my data's integrity hasn't been compromised or remote user can scuttle my machine. If I want something usable for a normal user and insecure, I'd buy Windows.

  5. Re:It's UNICODE by whoop · · Score: 1

    W3C, what do they know bout the 'Web? Microsoft is the one that's innovatin' here.

    Speaking of which, you seen that commercial MS is running with Bill talking about how they will always "innovate?" Guess they are just now starting the anti-DOJ PR campaign.

  6. Re:This article really doesn't touch on strengths. by Brian+Feldman · · Score: 1
    It shouldn't be beta in OpenBSD, since it's production in FreeBSD. I only say "should" because SoftUpdates was developed first and reached production level first on BSD/OS, and it definitely does have some deep changes necessary to the UFS and VFS code for integration.

    --
    Brian Fundakowski Feldman
  7. Re:OpenBSD should be more recognized by Brian+Feldman · · Score: 1
    What do you mean, "FreeBSD is in deep trouble"? Any time you have more than 200 people working on something, you'll have some conflict. There's no huge divisive war in FreeBSD, even if there are sometimes conflicts between a few people here and there.

    --
    Brian Fundakowski Feldman
  8. Re:Bah by pb · · Score: 1

    Well, I've seen some of the e-mails that were tossed around when OpenBSD split, and some of the server logs...

    You're right about the "script kiddies don't write their own material" part, in the strict definition of one, Theo knows enough to write his own tools if he has to.

    But he *acts* like a script kiddie, which I guess was my point. Also, OpenBSD would be a good target user base. Hey, at least we'd get some script kiddies with real sysadmin skills, right? Future BOFH's of the world, unite!
    ---
    pb Reply or e-mail; don't vaguely moderate.
  9. Re:Ugh... by pb · · Score: 1

    Oh yeah, I know how it happens, but I don't know why they do it. But these are technical sites, people! They should know enough not to do this, or at least clean up after a bad authoring tool.

    (My text editor never uses a non-standard character set, therefore it's a great authoring tool! ;)

    I've seen this the most with Office--the latest version of Office only outputs good HTML for the latest version of IE for the latest version of Windows--sometimes.

    (no, of course they aren't tied together, Microsoft would *never* do that, they just make up standards that no one has heard of before--the Microsoft Standards. Fun fun fun...)
    ---
    pb Reply or e-mail; don't vaguely moderate.
  10. Re:Bah by pb · · Score: 1

    Well, make your own decisions. The information is easy enough to find, and Theo's e-mail is damning enough.

    However, this is what I was talking about before -- I finally found the reference. It's sad how information can die out, on the net.
    ---
    pb Reply or e-mail; don't vaguely moderate.
  11. Re:Bah by pb · · Score: 1

    Yep, it's good to have the OS creator set an example for the users. Then if you want to be that profile, you can use that OS, right?

    Bill Gates -- rich capitalist demigod
    Linus Torvalds -- kernel hacker and all around nice guy
    Theo de Raadt -- K-K00l 5kR1p7 k1DD1e!!1!

    OpenBSD: the choice of the next generation of Slashdot users. *sigh*
    ---
    pb Reply or e-mail; don't vaguely moderate.
  12. Re:Open BSD is our choice by C.Lee · · Score: 1

    >Personally I think the whole OpenBSD thing is nice, but overrated.
    >Will someone please tell me what OpenBSD can do that Linux/FreeBSD
    >cannot? I'm assuming a Unix user is smarter than the average Windows
    >lover, so I don't want to hear 'out of the box'. The only way I see
    >OpenBSD securer than other OS's is that it FORCES you to be secure,
    >whether it applies to your setup or not, which I consider a
    >limitation, not a feature.

    You're right. Not to put it down but OpenBSD is exactly what you said it is. The only real advantage it had was because of the US crypto laws and that's going to change pretty soon. Take a look at the direction Redhat 6.2 is heading in for instance. The other BSD and Linux dists will be taking similar steps as well.

  13. Re:Why hasn't someone done a secure linux? by kwalker · · Score: 1

    Well, mainly because most people don't think of securing Linux. They think of other things (speed, stability, performance, support, toys, etc). However, there are a couple of different projects aiming at security on Linux...

    The first I can think of is Kaos Linux. It's a volunteer-run distro (I don't think they've made a release yet) that is aiming to be the OpenBSD of Linux distros. I used to have the URL but I've been up WAY too long for my brain to be able to pull up that kind of information.

    The other is the Bastille Linux Project (May not be the OFFICIAL name, but you should be able to find it) which is just a patch to harden up some things in Red Hat Linux. They've actually reached 1.0 I believe.

    If you want more information, go to Freshmeat.net and browse the console/os section of the appindex. It should have something that grabs ya.

    --
    Improvise, adapt, and overcome.
  14. Be careful about hardware and software support by embobo · · Score: 1

    With Linux nowadays most hardware and (good) software is supported. OpenBSD has considerably less hw and sw support.

    Before trying to install OpenBSD you should verify that your hardware is supported. For example, the CMD640 PCI IDE controller is not. The CMD640 is common in many older Dell boxes (e.g., the $100 133MHz Pentiums you can find by the boatload at Boeing Surplus). It has a nasty bug where simultaneous access to both channels causes severe data corruption. A generic PCI IDE driver will work mostly but will not prevent this problem.

    Do not assume that just because a piece of software works on many Unix-style systems it will work on OpenBSD. Even sw that works on FreeBSD may not work on OpenBSD. Two examples that bit me are:

    • The latest postgresql. Each OS has its own odd way of implementing atomic test and set lock. There must be a specific postgresql interface to this written for each OS. There is (could be was) none for OpenBSD.
    • Apache::Session::SysVSemaphoreLocker does not work on OpenBSD. I believe OpenBSD SysV semaphores are broken. mod_ssl used to have a problem with this but Engelschall has worked around it.

    If your hw/sw is supported by OpenBSD, then you should seriously consider using it.

    1. Re:Be careful about hardware and software support by Skapare · · Score: 1

      I've always wanted to know ... did the people who designed the CMD640 actually lose their jobs as they should have, or was the whole company a loser?

      --
      now we need to go OSS in diesel cars
    2. Re:Be careful about hardware and software support by chriscappuccio · · Score: 1

      The cmd 0640 has been supported since OpenBSD 2.6
      Even with a work-around for its stupid bug!!

  15. Re:My experiences with OpenBSD by mikpos · · Score: 1

    The difference is that you're lying: Microsoft never says that. Cite evidence.

  16. Re:Why hasn't someone done a secure linux? by flashboy · · Score: 1

    Someone has:
    http://www.trustix.net/

    flashboy

    --
    -- Stay beautiful.
  17. It's Not UNICODE by Yath · · Score: 1
    >Seeing these characters myself, I extracted the codes and looked them up. The code I get where I expected the ASCII symmetrical apostrophe is actually the UNICODE right apostrophe.

    What you extracted was character #146, a reserved character in ISO 8859-1 (the default character set for HTML). In Microsoft's character set, #146 is the right apostrophe.

    >It's sad, but in some ways, Microsoft is actually LEADING technology. In this case it is the adoption of UNICODE international character set. I wish the Unix/BSD/Linux community would get their act together and get these things working.

    Bzzt. Try again. This is the unicode entity for a right single quote: ’

    Browsers on Linux display it just fine, but they DON'T display Microsoft's proprietary replacement. The "Unix camp" is quite up to date in this regard. The problem is, as stated before, ignorant webmasters - who don't know that Microsoft's proprietary extensions are a Bad Thing, and worse still, don't understand that the proper character to use for an apostrophe is.. an apostrophe, character #39.

    Reference: The Windows Character Set

    --
    I always mod up spelling trolls.
  18. Openbsd and ipf is a pleasure to use by Empty+Sands · · Score: 1

    Personally I've found ipf and openbsd to be much easier to understand and maintain than ipfwadm or ipchains. With new firewall tools in 2.4 I'm glad I made the investment and switched. My suggestion if you want to use ipf, is definitely read the ipf howto.

  19. Re:OpenBSD should be more recognized by elflord · · Score: 1
    Yet another smug little Debian weenie with the "if they only had used Debian GNU-Linux, they wouldn't have been cracked". Yeah, but OpenBSD's superior security has more to it than just disabling daemons. Sure, Debian doesn't run every daemon under the sun by default, but it's still Linux, and does not have the same quality control process as BSD. There is a definite tradeoff here -- in Linux, you get more features, and less well-checked code, because the developers are adding more code all the time as opposed to fixing the code they've already got.

  20. Re:shutup. by elflord · · Score: 1
    Well speaking for myself, I am aware that OpenBSD's better security is part of a trade off -- namely, they don't add features to their OS nearly as quickly as they could if they didn't spend so much time proof-reading their code. There is a definite tradeoff -- features versus security. Linux supports much more hardware than OpenBSD, and is much more user-friendly. But OpenBSD is much more solid from a security standpoint.

    Sure, the "next exploit is waiting to be discovered", and nothing is 100% secure, but it just so happens that it's going to get discovered much faster on Linux or NT than it is on OpenBSD. And the less often exploits are discovered, the less chance that someone will break in.

  21. Re:OpenBSD should be more recognized by elflord · · Score: 1
    >Linux can be made secure with some work.

    Of course it can -- it's OpenSource. Go audit the kernel and get back to us when you're done. There is more to OpenBSD's security than turning off inetd and turning on sshd.

  22. Re:Open BSD is our choice by elflord · · Score: 1
    Depends on your defn of secure. You can make Linux "secure" and OpenBSD "SECURE". You're right -- for many things Linux's ease of use outweighs OpenBSD's security. But if security is your first priority, and you only want to run a few daemons ( rather than a multi-purpose server with 101 daemons going ) then OpenBSD is a great choice.

  23. Re:Ah richard stallman by elflord · · Score: 1
    >Mr. Socialism himself. Spread the wealth, everyone is the same, no one can be better than the rest. The rich must give their money to the poor. He should love communist china.

    I'm not clear what "communist China" ( really more like "state capitalist" ) has to do with "spread the wealth", "everyone is the same" and "no one can be better than the rest". China has entrepreneurs, and inequitable distribution of wealth ( more so than the US ).

    You've just demonstrated that you know jack-shit minus epsilon about "communist" China.

    HAND

  24. Re:My experiences with OpenBSD by elflord · · Score: 1
    OpenBSD's hardware support is admittedly not as good as Linux's.

    HAND,

  25. Re:ROFL. by elflord · · Score: 1

    Your posts are a riot.
    Cheers,

  26. Su/wheel in Linux (Re:OpenBSD goes overboard) by Yenya · · Score: 1
    In all PAM-ified systems (such as RedHat and others) you can add a check for a wheel group by just adding the following line to /etc/pam.d/su:

    auth       required     pam_wheel.so

    Welcome to the flexible and configurable world of UNIX.
    --
    -Yenya
    While Linux is larger than Emacs, at least Linux has the excuse that it has to be. --Linus
  27. Re:wasn't proftp an ugly security nightmare, too? by mattc · · Score: 1
    Yes. I think Debian also made similar remarks.

    But it is the most flexible and easy to use ftpd. I use it on my home machine but would never use it on a production server (for security reasons).

    Too bad there isn't a secure AND flexible ftpd!

  28. Re:OpenBSD should be more recognized by um...+Lucas · · Score: 1

    I too would really like to start using OpenBSD... It just seems like a concept I'm ready for... But aside from installing the MacOS, Windows 95, 98, NT Workstation 4, NT Server 4, OpenLinux and Redhat Linux, I'm just not sure if I've the actual know-how to pull off an OpenBSD install... Can anyone share their experiences with me/us?

    Is it a really technical process, or is it like the others where you just plop in a CD, choose some options, set some settings, sit back and babysit and voila! you've got an almost working machine? Somehow I doubt it's like that, though.

  29. It's UNICODE by Skapare · · Score: 1

    Seeing these characters myself, I extracted the codes and looked them up. The code I get where I expected the ASCII symmetrical apostrophe is actually the UNICODE right apostrophe.

    It's sad, but in some ways, Microsoft is actually LEADING technology. In this case it is the adoption of UNICODE international character set. I wish the Unix/BSD/Linux community would get their act together and get these things working.

    --
    now we need to go OSS in diesel cars
    1. Re:It's UNICODE by Skapare · · Score: 1

      Since the code was a TWO BYTE code, and the browser displayed it as ONE question mark, then the browser knew how to convert UTF-8 encoding into a raw numeric code. It just didn't have a glyph to render it with, so it substituted the question mark.

      That may NOT be the standard, but it is also the case that many standards groups are spending (wasting?) too much time with making things like XML more complicated than they need to be, and not keeping all aspects of standards up to date (like officially supporting UTF-8 encoded UNICODE, which is trivial to implement in validators ... for those who use such things).

      It is already common for standards to be extended and the extensions to be accepted. Netscape added animation to GIF, and while there were some purists crying foul, others just got on with making things better, leaving standards groups to eat their dust. I extended GIF to support true-color images and browsers support that, too (Netscape, Explorer, and Opera, that I have tested). People did bitch and whine about it because it wasn't described in the standard for GIF, but it did work, it did not conflict with the literal standard, and it was the only way to get true-color into web pages until PNG came along (which admittedly was slowed due to browser makers dragging their feet).

      So I suspect as soon as you have full UNICODE support in X windows and/or the font server, with proper fonts, it will work fine (despite what some useless validator says).

      --
      now we need to go OSS in diesel cars
    2. Re:It's UNICODE by Rob_u · · Score: 1

      Which is all well and good, but SGML (and hence HTML) doesn't use a Unicode character set. It uses 7-bit ASCII. When you send pages with those sorts of characters through something like the W3C's HTML validation program, they show up as errors.

    3. Re:It's UNICODE by Recall · · Score: 1

      Um, not quite. Unless otherwise labeled, HTML is assumed to be ISO8859-1. All these pages using the Windows character encoding wouldn't bother me so much if they were shipped with a proper content encoding label.

      And for what it is worth, SGML is character encoding neutral. The default SGML declaration sets things up for 7-bit ASCII but it is trivial to use SGML with any encoding you darn well please. The SGML declaration for HTML does exactly this to include the top half of ISO8859-1.

    4. Re:It's UNICODE by spitzak · · Score: 2
      Uh, no, the character is not Unicode.

      The byte produced by MicroSoft word is actually in the range 0x80-0x9F. The real Unicode character would be greater than 0xFF. The official Unicode spec says these are the "C1 control characters". MicroSoft has actually invented non-standard meanings for these bytes, since it was much easier than supporting UTF-8 to get these symbols into their 8-bit programs.

      However I would not be too hard on MicroSoft, because:

      This "C1 reserved area" is an ancient back-compatibility hack to avoid accidentally producing control characters on systems that strip off the high bit. We should not be making stupid standards just for back compatibility with obsolete equipment!

      MicroSoft has used these values to encode typographic symbols that real people really, really, want!. They did not use them for more obscure letters. This encoding serves far more people than almost any of the Unicode pages.

      NetScape and Unix still stink when handling UTF-8. They just display question marks. At least MSoft displays a square box, and it even correctly displays all codes that are in the 0-0xff range or are in the Symbols character set.

      I very much recommend that the Linux/Unix/Unicode world swallow their pride and adopt the MicroSoft assignments for the characters in the range 0x80-0x9F as part of the Unicode standard, and that everybody (X and the console) fix their fonts to display these characters as soon as possible!!!

      I would complain though about MicroSoft's "smart" quotes. It changes apostrophe into a single-close quote character. This is wrong, they should leave it an apostrophe. This breaks all search engines and keywording of files! The text ``this isn't quoted'' should display as ?this isn't quoted' on NetScape, not ?this isn?t quoted?.
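      The byte-level situation that comments 17 and 29.4 describe, as an added Python example that is not part of the thread: character #146 sits in the 0x80-0x9F range, which is a C1 control code under ISO-8859-1 but the right single quote under Windows-1252, so its presence in a page labelled ISO-8859-1 is detectable and repairable. The sample bytes and all function names are constructed here.

```python
# Added example (not from the thread): find Windows-1252 "smart quote" bytes
# in text labelled ISO-8859-1, decode them with the right table, and emit
# portable HTML or plain ASCII apostrophes.
from html.entities import codepoint2name

C1_LOW, C1_HIGH = 0x80, 0x9F  # "C1 control characters" in ISO-8859-1 / Unicode

# Constructed sample of what a Word-authored page looks like on the wire.
# 0x92 is character #146 from the thread (cp1252 right single quote);
# 0x93/0x94 are the matching left/right double quotes.
SAMPLE = b"It isn\x92t quoted \x93well\x94"


def c1_positions(raw: bytes) -> list:
    """Byte offsets whose value lies in 0x80-0x9F.

    A page that claims ISO-8859-1 should never contain these: in that
    charset they are unprintable control codes, so their presence is the
    tell-tale sign of a Windows-1252 document served with the wrong label."""
    return [i for i, b in enumerate(raw) if C1_LOW <= b <= C1_HIGH]


def decode_as_cp1252(raw: bytes) -> str:
    """Decode with the Windows-1252 table so byte 0x92 becomes U+2019.

    cp1252 leaves 0x81, 0x8D, 0x8F, 0x90 and 0x9D undefined; errors="replace"
    maps those to U+FFFD instead of raising."""
    return raw.decode("cp1252", errors="replace")


def c1_report(raw: bytes) -> list:
    """(offset, byte, Unicode code point, HTML entity) for every C1 byte.

    Named HTML 4 entities (e.g. &rsquo;) are used where one exists,
    otherwise a numeric character reference."""
    report = []
    for i in c1_positions(raw):
        cp = ord(decode_as_cp1252(raw[i:i + 1]))
        name = codepoint2name.get(cp)
        entity = f"&{name};" if name else f"&#{cp};"
        report.append((i, raw[i], cp, entity))
    return report


def to_portable_html(raw: bytes) -> str:
    """Decode as cp1252 and write every non-ASCII character as a numeric
    character reference, which renders correctly whatever charset the
    server advertises (the fix for the validator errors in comment 29.2)."""
    text = decode_as_cp1252(raw)
    return text.encode("ascii", errors="xmlcharrefreplace").decode("ascii")


def plain_apostrophes(text: str) -> str:
    """Undo Word's "smart" apostrophe: U+2019 back to character #39, so
    search engines and keyword tools match the word again."""
    return text.replace("\u2019", "'")


if __name__ == "__main__":
    for off, byte, cp, ent in c1_report(SAMPLE):
        print(f"offset {off}: byte 0x{byte:02X} -> U+{cp:04X} ({ent})")
    print(to_portable_html(SAMPLE))
    print(plain_apostrophes(decode_as_cp1252(SAMPLE)))
```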

  30. Re:Open BSD is our choice by Skapare · · Score: 1

    A reasonably knowledgeable person can download the latest version of the source for the services you actually do run, and install them, in hours, not weeks.

    I'm not trying to demerit OpenBSD, because I believe OpenBSD is a great system, and should be seriously considered, especially for firewall points. But if there is some reason that would weigh in favor of some other operating system, such as familiarity (I am far more familiar with Linux, especially Slackware, than I am of OpenBSD), then you might still choose something other than OpenBSD, and you can still make it be secure with reasonable effort. If you're a business, just hire someone who knows what they are doing, not someone who has to piddle around the newsgroups for the next couple months to learn how to recognize a security clue.

    --
    now we need to go OSS in diesel cars
  31. Re:ipfilter by Darren Reed by JunkMale · · Score: 1

    If the main reason you use OpenBSD is because of ipf, why don't you use one of the other operating systems on which ipf runs? There must be other reasons specific to OpenBSD to attract you to it.

  32. Re:jail() by blasphemi · · Score: 1

    jail is in FreeBSD-4.0 Release and 4 Stable and in FreeBSD-5 current (no doubt).

    Details.. :)

  33. Re:OpenBSD goes overboard by blackc · · Score: 1

    Quoting OpenBSD man su:

    If group 0 (normally ``wheel'') has users listed then only those users can su to ``root''.

    So, if you want GNUish behavior, just remove root from that group. And everybody will be allowed to su. The reason it's the way it is -- 'secure by default'.

  34. Linux Security? ( oxymoron) by keepper · · Score: 1
    Am I the only one that finds the following a bit disturbing?
    And then they wonder why I wouldn't trust any linux distribution in any critical environment

    HEH
    Why GNU su does not support the wheel group (by Richard Stallman)
    • Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)
    • However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

      I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

  35. Re:OpenBSD goes overboard by Lazaru5 · · Score: 1

    Just letting you know that the whole "must be in the wheel group to su to root" is a BSDism, and is not limited to OpenBSD. Any BSD based OS (Early SunOS, Ultrix, etc) uses the wheel group to prevent non admins from becoming root. If Linux is your only Unix experience, then you're forgiven. :)

    Anyway, the wheel thing is a poor example of how OpenBSD is overly paranoid. Is it really that much trouble to vi /etc/group? Also, if you're not overly paranoid, then you're not good at security. They go hand in hand.

    --
    My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
  36. Choice by JatTDB · · Score: 1

    It's all about choice...which is (in my opinion, at least) a big part of what open source is all about. OS A has something you want? Use it. OS B pisses you off? Don't use it. Kinda like OS C but you feel it could be done a little better? Modify it.

    As far as the "problem" you had with your user account, you probably could have guessed that a proactively secure OS would not put a user account into an su-enabled group by default, and you could have placed that user in the proper group before going a few steps further and getting all pissy about it.

    Just remember kids, nobody's forcing you to use one OS or the other, and that's the damn point.

    --
    "That's Tron. He fights for the Users."
  37. Re:SU by JatTDB · · Score: 1

    Damn right...su functionality is definitely one place where I want my system to act like a heavy-handed hateful dictator from hell.

    There's a reason the root account is referred to as the SUPERUSER....he is supposed to have unwarranted power over other users.

    I can't think of many situations where having su capability from any user would have any advantage over the proper method except perhaps a little convenience. And we're unix people...since when did we give a damn about convenience?

    --
    "That's Tron. He fights for the Users."
  38. Re:This article really doesn't touch on strengths. by NightParrot · · Score: 1
    Now, now. You're bagging on the install but you're only really talking about one part of it. disklabel is harrowing, particularly for those used to DOS/linux-style fdisk. Once you're past disklabel, the install is like settling into a big pile of fluffy pillows.

    Okay, there are one or two other tiny things, such as that just before the very first prompt, you get the spurious non-error:

    sh: /etc/rc: No such file or directory

    which you probably won't know isn't a problem unless you have INSTALL.i386 right in front of you and are following along.

    So that's how installation should be done, at least until you're used to it: print out INSTALL.i386 and log26.txt and if something looks weird, don't panic until you've read them both.
  39. Don't blame the user for a flawed system by FutileRedemption · · Score: 1

    Blaming the user for a flawed system is silly.

    If it isn't secure out of the box, it's flawed.

    It's a flawed concept to launch all kinds of stupid daemons as installation default.

    It's idiotic to expect users to fiddle with a number of strange configuration files if they REALLY want the thing to be secure.

    AND EVEN IF YOU CHANGE ALL THIS, you still get cracked due to bad software with silly design (bind, imap, sendmail, etc.).

    Not so with OpenBSD, as it seems.

    If just one very good bastard can take you out, your system is not worth much (think of credit card information).

    The agonizing thing is that SuSE, RedHat et al are exceptionally clueless when it comes to security.

  40. wasn't proftp an ugly security nightmare, too? by FutileRedemption · · Score: 1

    I seem to remember a number of SuSE security reports until they finally simply advised to uninstall the thing...

  41. Re:OpenBSD should be more recognized by Foogle · · Score: 1
    As much as I like Linux, OpenBSD really is better suited to the job of a firewall/NAT box. The setup for that functionality is pretty darn simple, and unlike most Linux distros, you don't have to go out of your way to lock-down an OpenBSD machine, when security is an issue. Really, I think the only word to describe OpenBSD is jizzmatic

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  42. Re:OpenBSD should be more recognized by Foogle · · Score: 1
    No, I like OpenBSD. Enough to make me... uh, well you know.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  43. Re:This article really doesn't touch on strengths. by gael · · Score: 1

    Well, at least with FreeBSD there is a 'softupdates' kernel option which makes ufs way faster than ext2 on linux... But there are copyright restrictions so they can't include it in the stock kernel.

    Maybe this is on OpenBSD.

  44. Re:OpenBSD goes overboard by Zurk · · Score: 1

    simple. turn off all services in inetd.conf ( or kill inetd ), turn on firewalling in your kernel and execute ipchains to deny all ports input. now try and hack a machine such as this one. you can *never* break a box like this no matter what distro you use or how many buffer overflows are in it. and its more secure than obsd default anyway. happy?

  45. Re:its not asinine by Zurk · · Score: 1

    two celerons = $100
    one abit BP6 = $125
    SMP = priceless (or $225)

    any questions ?

  46. Re:Listen Up Non-Believers !!! by Zurk · · Score: 1

    secure by default is worthless IMHO. a clueless admin can easily botch a secure by default system. much better to let the user learn the hard way even if its more painful. i personally spend at least a full day securing my linux boxen with ipchains, portsentry, sentinel, nmap etc after installation. its a good thing too - you learn a lot.

  47. Re:its not asinine by Zurk · · Score: 1

    i don't hate it. it has its places..and i hate people carping about how secure it is out of the box when *nothing* is secure unless you actually look at it with a magnifying glass. i don't like the pace of development (too slow) and the lack of drivers. other than that it's just unix.

  48. SU by Skratch · · Score: 1

    OpenBSD does it the correct way and requires a user to be in the group "wheel" in order to su to root. It's Linux that is backwards on this, and I personally think it's a much more secure model than the Linux way. It may not seem like it to most, but Linux is actually the oddball when it comes to a lot of things, like IP Masquerading; the rest of the world calls it IP NAT (Network Address Translation). There are quite a few examples like this that kind of make me not appreciate Linux as much, since it doesn't educate people correctly on the 'Unix way' of doing things.

    Don't get me wrong though, I almost exclusively run Linux myself.

    -- My neighbors dog has a four inch clit.
    1. Re:SU by psmith · · Score: 2
      From the su manpage in GNU shellutils:
      This program does not support a "wheel group" that restricts who can su to super-user accounts, because that can help fascist system administrators hold unwarranted power over other users.

      Myself, I tend to be one of the aforementioned fascists, so in the past I've installed a version of su that's wheel group-aware.

      Now, you can enable 'wheel group only' behavior with PAM.

    2. Re:SU by nuggz · · Score: 2

      Wheel group only: this isn't a major issue, you could
      1. patch it
      2. use the OpenBSD su, or other similar su
      3. chmod o-x /bin/su ; chgrp wheel /bin/su

      Option 3 is what I use for /dev/dsp on my linux box, works pretty nicely.

      There IS more than one way to do it.
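Added example, not code from the thread, OpenBSD or GNU shellutils: a small Python model of the su policies argued over in posts 33 and 48, contrasting the BSD wheel rule quoted from the OpenBSD man page ("if group 0 has users listed, only those can su to root") with GNU su's no-check behaviour and with nuggz's option 3 of restricting the binary itself. The /etc/group excerpts and the su mode bits are constructed for illustration.

```python
"""Toy model of the su-to-root policies discussed in this thread (added example)."""
from typing import Dict, List

# Constructed /etc/group excerpts (illustrative, not copied from any real system).
GROUP_FILE_WITH_WHEEL_MEMBERS = """\
wheel:*:0:root,alice
daemon:*:1:daemon
users:*:100:alice,bob,carol
"""

GROUP_FILE_EMPTY_WHEEL = """\
wheel:*:0:
users:*:100:alice,bob,carol
"""


def parse_group_file(text: str) -> Dict[str, dict]:
    """Parse 'name:password:gid:member,member' lines into {name: {gid, members}}."""
    groups: Dict[str, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def bsd_su_allowed(user: str, groups: Dict[str, dict]) -> bool:
    """BSD rule quoted in post 33: if group 0 (normally 'wheel') lists any users,
    only those users may su to root; if it lists nobody, anyone may try.
    (Primary-group membership from /etc/passwd is ignored here for brevity.)"""
    gid0 = [g for g in groups.values() if g["gid"] == 0]
    members: List[str] = gid0[0]["members"] if gid0 else []
    if not members:
        return True  # empty wheel: only the root password stands in the way
    return user in members


def gnu_su_allowed(user: str, groups: Dict[str, dict]) -> bool:
    """GNU shellutils su as quoted in post 48: no wheel check at all."""
    return True


def su_executable_by(user: str, groups: Dict[str, dict], mode: int, owner_group: str) -> bool:
    """Option 3 from post 48 ('chmod o-x /bin/su ; chgrp wheel /bin/su'):
    can this user execute the su binary at all, given its mode bits and group?
    The owner (root) is assumed always able to run it."""
    if user == "root":
        return True
    if user in groups.get(owner_group, {"members": []})["members"]:
        return bool(mode & 0o010)  # group execute bit
    return bool(mode & 0o001)      # other execute bit


def compare_policies(user: str, group_text: str) -> Dict[str, bool]:
    """Verdict of each policy for one user. The su modes are constructed typical
    values: 04755 root:root as shipped, 04754 root:wheel after option 3."""
    groups = parse_group_file(group_text)
    return {
        "bsd_wheel_rule": bsd_su_allowed(user, groups),
        "gnu_no_check": gnu_su_allowed(user, groups),
        "stock_binary": su_executable_by(user, groups, 0o4755, "root"),
        "restricted_binary": su_executable_by(user, groups, 0o4754, "wheel"),
    }


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, compare_policies(who, GROUP_FILE_WITH_WHEEL_MEMBERS))
    print("bob, empty wheel:", compare_policies("bob", GROUP_FILE_EMPTY_WHEEL))
```

On Linux, chgrp on a setuid executable clears the setuid bit, so for option 3 run chgrp before chmod and confirm with ls -l that the s bit is still present afterwards.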

  49. Didn't quite cut it for me... by Skratch · · Score: 1

    It's sad to say, but OpenBSD just didn't work for me. It's an awesome OS, and I wish I had a reason to use it, but when I set it up as a Firewall/NAT box, the ftp proxy simply didn't work. Not only does the ftp proxy not work for me, but apparently it doesn't work for a lot of people, no one knows why either, it just arbitrarily decides if it wants to work on your system or not. Not only that, but I installed Webmin, a sweetass web based administration tool onto my OpenBSD box just to see what it was like on OpenBSD, and you wanna know what it's like? Two words: KERNEL PANIC. Webmin (v .77) actually kernel panicked my OpenBSD box. I was able to reproduce it over and over.

    Needless to say, I installed RedHat on it and haven't had a problem since, FTP proxy and all that good shit works fine, and no kernel panics. It's a shame though, OpenBSD seems like a much better designed OS, and it's easy as shit to use and learn....

    -- My neighbors dog has a four inch clit.
    1. Re:Didn't quite cut it for me... by jbarnett · · Score: 1

      I don't think most people think "have to have a firewall", most people have a couple personal computers (see college) running off one Internet connection (see cable modem/dsl) and set up NAT or a proxy to serve all the machines through one connection. See they are going the 1 IP address, 3 college buddies that want Internet access, "might as well" put up a strong firewall, just for "extra" security. Just having a firewall doesn't ensure security, but having a firewall as "bonus" security can work out well. Plus some people just like to learn how to do it because they are bored, curious or find it interesting.

      If set up properly and configured properly it can add extra security to your network and might save your ass if you misconfigure or have a buggy daemon/wrapper on your system. I view firewalls as "just in case" security. It does piss me off though when people just have nothing but a firewall and claim to be completely secure, it takes more than a firewall to lock down a network, but a properly set up firewall can't hurt.

      --

      "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
    2. Re:Didn't quite cut it for me... by Karn · · Score: 1

      I find it amusing that so many people think that firewalling is the answer.
      It's like people are totally oblivious to the fact that they have services running that they don't need and they know nothing about Wrappers. Firewalling is good for corporations who want to ensure their mission-critical data is as safe as possible. Personally, the only data I really need off my HD is my bookmarks and maybe a few files.
      Script kiddies will not get past a system that has all unused services off, and Wrappers set up. Ok, so there are some people who can actually spot a vulnerability and MAYBE get around the wrapper, but the chances of that happening are about as good as yours are to get struck by lightning.
      And why would someone who is NOT a script kiddie waste time on your box? That whole 'have to have a firewall' issue is somewhat egotistical.

      Or am I just trolling? :)

      Why do I keep typing pythong?
    3. Re:Didn't quite cut it for me... by Karn · · Score: 1

      Agreed. No, a firewall doesn't hurt at all. If you don't know anything about services, etc, how can you know anything about correctly configuring a firewall? I am fully aware of the 1 connection, multi user scene, for I used to have IPMASQ setup so my girlfriend could surf while I played.

      I think, based on personal experience, that firewalling your home machine is a bit too much, UNLESS you have mission critical stuff on your box and you don't backup. If you're already setting something up and you decide 'while setting up masq..' then cool. I just think it's funny when people act like before OpenBSD there was no way in hell they could sleep at night b/c they are worried about getting rooted. I just think it would be HIGHLY unlikely that someone that has taken all the precautions to secure their box would get cracked. If you have a firewall, better yet. THe bottom line, however, is if they person wanting your box is good enough to get around wrappers and knows of exploits that aren't documented, firewall or no, they can probably have your box.

      Public Enemy #1: Script Kiddies
      Easily defeated by patching KNOWN vulnerabilies, wrappers, etc.

      Why do I keep typing pythong?
  50. Re:What about Bastille Linux? by WillAffleck · · Score: 1

    Now, don't go losing your head over that ...

    I'm sure both OpenBSD and Bastille Linux are both good, but no sense getting locked up over the relative merits of both. Security is all well and good, but we need our daily bread, lest we hunger for cake.

    --
    Will in Seattle
  51. Re:OpenBSD should be more recognized by Mut · · Score: 1

    Hi.

    I too would really like to start using OpenBSD... It just seems like a concept I'm ready for... But aside from installing the MacOS, Windows 95, 98, NT Workstation 4, NT Server 4, OpenLinux and Redhat Linux, I'm just not sure if I've the actual know-how to pull off an OpenBSD install... Can anyone share their experiences with me/us?

    I switched my boxes to OpenBSD 2.6 a couple of months back; it was surprisingly easy. You may actually have more experience in relevant areas than I had - my background was in NT admin, though I use various flavours of UNIX (as an ordinary user) a lot at work.

    I have a couple of suggestions, though: first, read the FAQ on the OpenBSD site thoroughly beforehand. Several times, for preference - it really does help. Second, try an install or two in VMware first if you can - the install routine can be a bit unfriendly the first time, but is efficient once you've got used to it. (Some things are also organised differently from Linux, so it's good to get used to that in advance as well.)

    (As to how much work is needed once it's installed - that depends on what you want to do with it. Several bits of server are integrated and ready to go - Apache, OpenSSH and Sendmail, for instance - but if you're looking to use it as a workstation, you'll need to add quite a few apps. That's generally easy if they've been ported, though - the ports and packages system works well, but is a bit limited compared to what's on offer for Linux or FreeBSD.)

    Cheers,

    Mat.

  52. Re:Why hasn't someone done a secure linux? by nitehorse · · Score: 1

    LOL- you hit it right on the head with your last comment; Linux-Mandrake has security settings. I'm amazed you don't know about it. : )

    I'm not sure that it's definitely a "secure" linux but it has configurable security options, which is definitely a step above the rest of the distros; maybe you should grab a copy of Mandrake 7.0. Or maybe you meant something totally different and I'm just stupid.

    -Chris

  53. Listen Up Non-Believers !!! by theSpartan · · Score: 1

    Much as I love Linux, let me get right to the point. For all you people spouting off the same old argument (I can just turn off the services and install ssh and poof! OpenBSD) you have NO IDEA what this is really about. Do any of you even really know what a buffer overrun or an audit really is? Didn't think so. Just install OpenBSD and learn a few things

    --
    ...used to be a library...now it's just a mind-cemetery
  54. Re:My experiences with OpenBSD by pkj · · Score: 1
    AC writes: When installing anything and run into problems, you check the lists for relevant info. NE2000 cards come up again and again on the mailing list as having problems. If you would have looked instead of asking, it would have taken you 5 minutes of *glancing* at the archives to realize this. You lost several days of work due to your inability to do this, not bad drivers. Yes, NE2000 cards suck in general. I'm aware of the lack of standards. I'm aware that there are a lot of sucko cards in particular. I'm using cards with the RealTek chipset which is known to be one of the best out there.

    WRT to the mailing lists, I did an exhaustive search before I posted my first message. I always search before posting. There was nothing in the openbsd list archives indicating problems similar to mine. If there were, I missed them. I tend to think this is not the case, as most people learn pretty quickly that they have posted a FAQ to a mailing list.

    If you saw a lot of messages recently, chances are they were actually written by me or in response to me. ;-)

    How do you lose several days debugging and swapping hardware? You swap the hardware (10 minutes max) and move on.

    The problem was that the cards were listed as supported, that they were recognized, and that for the most part they did work. Connections to most sites were *flawless.* The problem was that there was a bizarre interaction between the driver and the TCP stack that was only triggered under very unique (but always replicable) conditions.

    With 20/20 hindsight, yeah, I *could* have found the problem with a 10 minute hardware swap. But we *all* know how good our hindsight is...

    -p.

  55. Re:You missed the main point of OpenBSD by Knitebane · · Score: 1

    You are trolling.

    If you would actually read the exploit you'd realize that the problem existed in ALL versions of SSH as well as OpenSSH.

    Indeed, there are no fixes for the standard SSH client, but the OpenSSH client put out by OpenBSD has been patched.

    --
    "...history will look upon the act of depriving a whole nation of arms, as the blackest." --Gandhi
  56. Re:OpenBSD goes overboard by Cuthalion · · Score: 1

    I think that limiting yourself to non-SMP because SMP hardware is more expensive is asinine

    I think it's reasonable to not spend a large amount of time solving and debugging a difficult problem that exists only on hardware that most of the users of your product can't even afford. Now that SMP motherboards ('hardware') are lower in price (BP6 anyone?) they are considering reevaluating that stance.

    It's not like they have unlimited resources to implement everything, you know.

    I would also be content with an answer "SMP adds a LOT more complexity, and we don't feel it CAN be as solid as a single processor" (and even if that's not the reason stated, I am positive that that influenced their decisions.)

    --
    Trees can't go dancing
    So do them a big favor
    Pretend dancing stinks!
  57. Re:OpenBSD should be more recognized by LiNT_ · · Score: 1
    btw a good book on using OpenBSD for this stuff is Configuring Linux and OpenBSD Firewalls, it's like $35

    I'm going to have to disagree with you on this one. While I do think the book is decent overall, I found Linux Firewalls by Robert Ziegler goes into much more detail on what exactly needs to be let in and out to get a working firewall. Even for OpenBSD I think this book will help people more in the long run. All the information in "Building Linux and OpenBSD Firewalls" as it pertains to OpenBSD is readily available in the OpenBSD FAQ and the IPFilter how-to.

    Of course, I'd also recommend O'Reilly's Building Internet Firewalls as an excellent resource for those looking into building a firewall. Yeah, yeah, it's a little out of date but the majority of the material still stands today.

    LiNT

  58. Re:OpenBSD should be more recognized by LiNT_ · · Score: 1
    I suppose I'll share my two bits here.

    I'm pretty new to OpenBSD myself. So far, I think it's the greatest OS ever.

    My advice to new users would be under ideal conditions, use a separate computer and a full hard disk. Don't try dual booting or you'll end up kicking yourself in the end. On your first install, leave out X. See how things run and get used to the OS, then install X. Start off by completely reading through the FAQ and the install walkthrough for your architecture. Finally, once you've got it installed don't forget to check man afterboot.

    ahhh, I still remember my first install. I kept thinking I did something wrong because it went by so fast. 10 minutes in and out.

    LiNT

  59. Re:Bah by uSuRa · · Score: 1
    OpenBSD is a nice OS, I even use it now. I even can be found on the OpenBSD donations page. (I wonder how long that will be up)

    The whole OpenSSH saga is sad. Unfortunately the only response I got from the OpenSSH/OpenBSD crew on my rebuttal/offer at org-vs-com was a changed index page at openssh.com.

    But you need two to Tango as the saying goes ..

    Exit! Stage Left!

  60. Re:OpenBSD goes overboard by bssea · · Score: 1

    Um.. it's easier to take a secure machine and make it insecure than to do the opposite. With OpenBSD, I have the choice which services to turn on and I have the choice of how much or little security I want.

    The difference isn't in the choice, both OSs have that choice. It's the fact that I *know* OpenBSD is more secure than Linux, given the same amount of services are activated, because of the auditing done by the OBSD group.

  61. What about Bastille Linux? by MrEfficient · · Score: 1
    I believe that OpenBSD is probably the most secure free OS out there, but how does a redhat system after running Bastille Linux compare with it? I would think OpenBSD would be much more secure due to the code auditing, but Bastille Linux would seem to give you a very secure system yet retain all of the flexibility and usability of Linux.

    --
    Check out AbiWord.
  62. Re:OpenBSD goes overboard by kkenn · · Score: 1

    > Straight off, I get the message that this user is not in the appropriate group to su to root.

    This has been the default behaviour in BSD-derived UNIXes since the 80s. For example, under FreeBSD:

    bash-2.03$ su

    su: you are not in the correct group to su root.

    You have to be in the 'wheel' group to su to root. I think some versions of Linux don't do it this way (i.e. joe random luser can su to root if he knows the password), but that's hardly a reason to blame OpenBSD for it.

    I'm sure OpenBSD's installation lets you specify the groups you want your user account to be in, so this could have easily been overcome if you knew the basics of administering a BSD-derived UNIX.

  63. Re:My experiences with OpenBSD by AntiBasic · · Score: 1
    The entire BSD unfriendliness is merely a lie propagated by the Linux zealots. It is very similar to the way the AT&T type UNIX vendors claimed that AT&T style kernels configured themselves. It is more like they forged blindly ahead then begged for forgiveness when something went inevitably wrong. Many crossovers here...

    This sort of elitism is one of the reasons they have so few users (compared to linux), IMO

    This kind of ignorance could only come from an Anonymous coward on slashdot. Time to dispel this sophistry as well. Voices from the Open Source Revolution Learn why those nasty Net/2 lawsuits crippled BSD from reaching the masses!

  64. Re:Ugh... by Freedent · · Score: 1
    I note that you're posting as an AC, so you're probably not going to read the reply, but did you actually *read* the email thread posted on DeRaadt's homepage?

    http://zeus.theos.com/deraadt/coremail.html

    Theo's got a "bad attitude", but from the looks of the email on that page, no worse than any of the other NetBSD founders. At least DeRaadt seems to give an honest opinion, instead of playing politics.

    --sarcasm alert--
    And, OH, MY, GOD! Someone in a linux/BSD forum who's rude and unfriendly to people who are flooding them. Who the fuck would think they've got the right to be rude, or curse via electronic communications.

    Obviously you've never been to #linux on DALnet or EFnet.

  65. Re:Secure Mandrake install by muwahaha · · Score: 1

    I set up Mandrake with the 'paranoid' security option. Afterward, I was unable to log in except as root, because root was the only one who could read any files on the system! I fixed this with the command

    find / -type d | xargs chmod a+rx

    ...but did I open any security holes in the process?

    Alex.
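Added example, not from the post or from Mandrake: a Python model of what that find/xargs command changes, run over a constructed snapshot of directory modes, so the answer to "did I open anything?" can be read off as the list of directories that gain world read or search permission. The paths and modes are illustrative of a typical layout, not Mandrake's actual 'paranoid' settings.

```python
"""Model of 'find / -type d | xargs chmod a+rx' over a directory snapshot (added example)."""
import stat
from typing import Dict, List, Tuple

# Constructed snapshot (path -> mode) of a few directories before the command ran.
BEFORE: Dict[str, int] = {
    "/": 0o755,
    "/usr": 0o755,
    "/etc": 0o755,
    "/tmp": 0o1777,
    "/root": 0o700,            # root's home: private
    "/home/alex": 0o700,       # a user home: private
    "/etc/ssl/private": 0o710,  # key material: group-traversable only
    "/var/spool/cron": 0o700,
}

OTHER_RX = stat.S_IROTH | stat.S_IXOTH


def apply_a_plus_rx(mode: int) -> int:
    """chmod a+rx: set read and search for user, group and other; keep every other bit
    (sticky/setgid bits and write bits are untouched, which is what chmod does)."""
    return mode | stat.S_IRUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IXGRP | OTHER_RX


def newly_world_accessible(before: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Directories whose 'other' read/search bits change, as (path, old, new) octal strings.
    Gaining search (x) on a private directory lets any local user traverse into it and open
    whatever files inside are themselves world-readable; gaining read (r) lets them list it.
    Only directories were touched (-type d), so the files' own modes are unchanged."""
    changed = []
    for path, mode in sorted(before.items()):
        after = apply_a_plus_rx(mode)
        if (mode & OTHER_RX) != (after & OTHER_RX):
            changed.append((path, oct(mode), oct(after)))
    return changed


def revert_commands(before: Dict[str, int]) -> List[str]:
    """chmod commands that put the original modes back on the directories that changed
    (a constructed helper for the illustration, not a recommendation about specific paths)."""
    return [f"chmod {oct(mode)[2:]} {path}"
            for path, mode in sorted(before.items())
            if (mode & OTHER_RX) != OTHER_RX]


if __name__ == "__main__":
    for path, old, new in newly_world_accessible(BEFORE):
        print(f"{path}: {old} -> {new}")
    print("\n".join(revert_commands(BEFORE)))
```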

  66. I must say by KaosDG · · Score: 1

    I can see a lot of people don't understand what OpenBSD is about here...

    It's not about not leaving in.fingerd open to the world, or not allowing root telnets.
    It's also about the developers scrutinizing the code that is in the OS to make sure things like buffer overruns, race conditions and symlink vulnerabilities don't happen.

    We can all turn off port access, run Intrusion detections, and stay up watching /var/log/messages until our eyes bleed, but if (per se) your beloved intrusion detector barfs when it has to read in more than sizeof(int) characters, you're toast. that's what OpenBSD is taking care of.
    Their code audits are making sure the *real* crackers aren't getting in. Not some script kiddie running the latest 'sploit against your box.

    btw... I was a linux zealot until I tried OpenBSD. I still run linux, but behind my OpenBSD firewalls.

    --
    "Fuzzy Wuzzy was a bear, Fuzzy Wuzzy had no hair... Fuzzy Wuzzy wasn't fuzzy was he?"
  67. BIND _NOT_ the only choice by Technik~ · · Score: 1

    Just nitpicking, but BIND isn't the only game in town: TinyDNS by D.J. Bernstein, the author of qmail, is much better if you take the time to figure it out.

    It is complemented by DNSCache, for (obviously) caching, and others tools.

    All have small footprints, are highly efficient, and were designed to be secure.


    - Technik

    1. Re:BIND _NOT_ the only choice by Mullen · · Score: 2

      Ya, that is the one I was talking about. I just could not remember the name. Shame on me since I am such a qmail fan.

      --
      Linux O Muerte!
    2. Re:BIND _NOT_ the only choice by Mullen · · Score: 2

      I forgot to add in all of this, D.J. Bernstein's explanations of how things work are some of the best. Just check out the qmail documentation and the TinyDNS FAQ's on how things work. It's just nice to see someone make good quality software and documentation.

      --
      Linux O Muerte!
  68. Re:shutup. by mikefe · · Score: 1
    Sure, the "next exploit is waiting to be discovered", and nothing is 100% secure, but it just so happens that it's going to get discovered much faster on Linux or NT than it is on OpenBSD. And the less often exploits are discovered, the less chance that someone will break in.

    The whole idea of the audits is to find the hole before it is found, thus making fewer holes to exploit.

    I haven't used openBSD, but I will eventually. I have used linux since kernel 2.0.35. Everyone always laments about the newbies and their redhat/mandrake/etc distros and all the daemons available to crack into.

    I think this article might start more people (hopefully the distro makers) on this very good habit.

    Mike

    --
    There: Something at a specific location.
    Their: Owned by someone.
    Please make sure your english compiles.
  69. Re:OpenBSD should be more recognized by mikefe · · Score: 1
    OpenBSD plants the seed in everyone's head that their box is ultra secure and you have nothing to worry about. Then system administrators have a blind outlook that their box is so secure and that they can sloppily leave unnecessary services open. OpenBSD developers are only human and can make mistakes and overlook certain aspects. So it's foolish to think the way u think. I have an OpenBSD and i still take time to "secure the system" cause u can never be sure. Nonetheless i applaud OpenBSD for being the first vendor and currently the only vendor for auditing their software.

    The thing is, according to the article, and from other posts, there aren't any exploits to close in the initial install config.

    I haven't used openBSD, so I can't tell for sure. Kinda like "IANAL". ;)

    --
    There: Something at a specific location.
    Their: Owned by someone.
    Please make sure your english compiles.
  70. Re:OpenBSD should be more recognized by mikefe · · Score: 1

    True, very true.

    I haven't used anything besides linux in the *nix os area, but I can see why this happens.

    Linux is saying "we're better than microsoft".

    FreeBSD says "We're faster than Linux".

    NetBSD says "We'll run on your watch, and your toaster and...".

    OpenBSD says "We're almost uncrackable and better than FreeBSD, so we're better than linux too!".

    This is just like music. Everyone has their preference, and some like almost all of them.

    Let's look at it this way. We're basically all Unix. So, we should unite against Microsoft! Ok, now I got that out of my system.

    BSD, Linux, Solaris, etc, became so solid because their developers concentrated on the quality/features/stability of the project. Be it a kernel, server daemon or utility.

    I think if we look at similar, but separate projects, such as the xBSDs and linux, we can see something we should be doing and learn. "Can't we all just get along?" Even if the sayer (Rodney King, of LA, California) of the quote isn't the best example, it applies in this case.

    I think linux will eventually have a dist much like OpenBSD, with its auditing and all. Probably Debian.

    Mike

    --
    There: Something at a specific location.
    Their: Owned by someone.
    Please make sure your english compiles.
  71. Re:NetBSD vs. OpenBSD for firewall/NAT box? by mikefe · · Score: 1

    I'd like to know. What does ipfilter in "stateful" mode do that ipchains doesn't?

    --
    There: Something at a specific location.
    Their: Owned by someone.
    Please make sure your english compiles.
  72. Re:You missed the main point of OpenBSD by Anony+Mouse · · Score: 1

    To each his/her own. :)

    -- Anony Mouse

    --
    # echo 'SboPshAeaM@rSicPocAheMt.SnePt' | sed -e 's/[SPAM]//g'
  73. ipfilter by Darren Reed by tmu · · Score: 1

    The main reason that we use OpenBSD for firewalls is the presence of ipfilter. the stateful inspection of ipfilter makes it easier to configure secure firewalls and is the only way of configuring securely in certain kinds of conditions (windows, for example, treats an incoming packet with SYN+ACK as a SYN and cheerfully opens the connection, so unless you have state on your firewall, you won't catch that the connection doesn't already exist).

    ipfilter doesn't work on modern linuxes because of the lack of support of the bpf (berkeley packet filter) hack.

    1. Re:ipfilter by Darren Reed by tmu · · Score: 1

      ipfilter doesn't run on modern versions of linux (there are some patches to get it to compile under libc5 i think, but no glibc at all, eg).

      so the next question becomes what variant of BSD do you want to run. if you're running a general purpose server or workstation, FreeBSD seems appropriate: full featured, well configured and basically solid. But if you're running ipfilter, you don't care about what *does* run on the box, you care about what *doesn't*.

      OpenBSD has been thoroughly audited by some very paranoid people for a long time. that makes me feel much better about my firewalls.
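Added example, not code from the thread, ipfilter or ipchains: a toy Python model that answers post 71's question ("what does stateful ipfilter do that ipchains doesn't?") using post 73's own case. A stateless rule set that admits inbound packets with ACK set passes an unsolicited SYN+ACK, while a 'keep state' filter that remembers outbound SYNs drops it. Packets, addresses (RFC 5737 documentation ranges) and ports are constructed.

```python
"""Toy stateless vs stateful packet filter, illustrating post 73 (added example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    direction: str = "in"  # "in": arriving from outside; "out": leaving the protected LAN


FlowKey = Tuple[str, int, str, int]  # (inside_ip, inside_port, outside_ip, outside_port)


def stateless_allow(p: Packet) -> bool:
    """Stateless rule set in the common ipchains idiom (post 44's 'deny all input'
    plus the usual exception for replies):
      - allow everything outbound
      - inbound: allow only packets with ACK set, drop bare SYN
    It has no memory, so a forged 'reply' carrying SYN+ACK looks exactly like a real one."""
    if p.direction == "out":
        return True
    return p.ack


class StatefulFilter:
    """Minimal 'keep state' filter in the spirit of ipfilter: remember each outbound
    connection attempt and admit inbound packets only for flows the inside started."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()

    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            if p.syn and not p.ack:
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        # inbound: the inside host is the destination, so look the tuple up reversed
        return (p.dst, p.dport, p.src, p.sport) in self.flows


def run_scenario(events: List[Packet]) -> List[Tuple[bool, bool]]:
    """(stateless verdict, stateful verdict) for each packet, in arrival order."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in events]


# Constructed traffic; addresses come from the RFC 5737 documentation ranges.
INSIDE, WEB, OUTSIDER = "192.0.2.10", "198.51.100.5", "203.0.113.7"
SCENARIO = [
    Packet(INSIDE, 40000, WEB, 80, syn=True, direction="out"),  # inside host opens a connection
    Packet(WEB, 80, INSIDE, 40000, syn=True, ack=True),          # the genuine SYN+ACK reply
    Packet(OUTSIDER, 5555, INSIDE, 1025, syn=True, ack=True),   # unsolicited SYN+ACK: no such flow
    Packet(OUTSIDER, 5555, INSIDE, 1025, syn=True),             # bare SYN: both filters drop it
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SCENARIO, run_scenario(SCENARIO)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"stateless={'pass' if stateless else 'drop'} "
              f"stateful={'pass' if stateful else 'drop'}")
```

The third packet is the case tmu describes: only the filter that remembers the inside host never sent a SYN to 203.0.113.7 can tell that the "reply" belongs to no connection.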

  74. Re:Bah by tmu · · Score: 1

    All great developers have crappy personalities. djb (Daniel Bernstein, of qmail fame) is high on the list of "the usual buttheads". The problem is that he is always right. Wietse Venema is a jerk lots of the time. Even Linus (who is positively easy going compared to djb) can be pretty acerbic and short with people.

    Who cares? Choosing your OS or MTA by the personality of the developer is just backwards. Evaluate the code, evaluate the features. People who are on a mission are obnoxious but do good work (except for the kooks). The rest of us should just learn to live with that.

  75. Re:Yo by retep · · Score: 1

    Manual pages just aren't enough. The Linux HOWTO's are a great resource. Even with a well written man page and other documentation it's still easy to get lost. A HOWTO OTOH can provide good step-by-step info for a beginner. The HOWTO's aren't supplementary anymore, they are *standard* documentation.

  76. Re:Yo by retep · · Score: 1

    Only when "standard" means often outdated, scattered across a thousand websites, and lacking real detail on anything but the common case.

    You must be talking about different HOWTO's. I'm thinking of the Linux Documentation Project HOWTOs, and only them.

    In the meantime I've installed and used both OpenBSD and many different Linux installations. I prefer the Linux HOWTO system to mailing list archives. For starters HOWTOs are standard and come with the installation. The OpenBSD FAQ isn't good enough, plenty of stuff is missing such as a HOWTO-style intro on setting up networking. (firewalls, nat etc.)

  77. Re:You missed the main point of OpenBSD by emir · · Score: 1

    sendmail is not the default smtpd for Debian, you can basically change your smtpd in 2-3 seconds with dselect's/apt's help.

    --
    -- http://electronicintifada.net --
  78. Re:Ugh... by TrickyRick · · Score: 1

    Why was this moderated down to -1? I believe it is true and it is more on topic than the posts about the apostrophe question mark thing. It makes me regret letting my moderator points expire last weekend when I see this kind of moderation. I guess rather than post this I should email it to CmdrTaco but maybe somebody who cares will see it before it is moderated down.

  79. Re:Ugh... by fsck · · Score: 1

    As far as your questions on the mangled characters on some pages, they come from people authoring their web pages with Microsoft programs, such as FrontProstitute. I asked about this in the Microsoft Loses article a few days ago and got some responses.

    http://slashdot.org/comments.pl?sid=00/04/03/1644221&cid=416

    Check out all the hardware tech sites, they have perverted character sets too, and this problem is only going to get worse as more retards make web pages with ever popular Microsoft authoring tools.

    --

    Lars - ...I could always phone Linus when I had a problem.
  80. Re:OpenBSD goes overboard by The+Madpostal+Worker · · Score: 1

    I'm pretty sure there is a PAM module to take care of that for other distros too.. pam_su or pam_wheel maybe.

    --

    /*
    *Not a Sermon, Just a Thought
    */
  81. Re:Bah by jallen02 · · Score: 1

    I'm just going to do a generic response to everyone's posts I've seen. To the guy who thinks everyone is an asshole: I care about next to no one for believing the same thing. I've been burned by a lot of things. I unfortunately have to disagree since I've met some truly great people in my life.

    Theo has an opportunity to do more and possibly better things while maintaining his philosophy but his personality stands in the way some? I don't know, this is speculation. I think somewhere in that statement there is some truth however.

    Now, did I ANYWHERE say that I do not use OpenBSD for something silly and philosophical such as the leader of the project is a bit nuts? No I did not, in fact I think the operating system is very good for what it's designed for. I was making a comment about him. I too can give a SHIT about him but I think that it could be hurting an operating system I happen to like. And yeah BillG is prolly a nice fellow but I don't use Windows based on his personality just like I don't use OpenBSD for Theo's personality. That is a bit silly, but to be so naive as to not think that the way the main and most influential members of the project act is going to affect the operating system, you're wrong. So in the words of a poster here I would MUCH rather him pretend to be a nice guy and let OpenBSD grow and flourish in ways I think he's holding the OS and the code base they have developed back. Again these are my extremely subjective and untried and most likely always untried theories, but again I am saying this with a little more than a puff of smoke from my ass, I know several of the guys from NetBSD, who correspond with FreeBSD and OpenBSD folks.. So be a little more thoughtful and less assumptive thanks and sorry for any spelling errors

    Jeremy

  82. Re:Bah by jallen02 · · Score: 1

    A good point. Mr. de Raadt seems a bit radical, and I have read and heard from many people who develop for NetBSD that he is a grade A Prick.

  83. Re:OpenBSD should be more recognized by trott · · Score: 1
    It's very easy. In most cases:
    1. Boot off of CD.
    2. Answer the usual types of questions you answer when doing a Linux or FreeBSD install from CD.
    3. Reboot.

    I've been running OpenBSD on my HTTP/SMTP server for about a year and a half. Securing the machine and (this is the really important part) keeping it secure have been very easy. It's nice to not have to spend all my time reading advisories and applying patches.

  84. Re:Bah by jbarnett · · Score: 1

    I heard Bill Gates was a really nice guy in person, maybe we should all use Windows95 for high profile web sites. I met Steve Jobs once, he was really polite, so I switched all my web servers/databases over to MacOS 6.5!

    Who really cares?!? de Raadt seems to care a lot about code quality, security and a "job well done", just because he lacks social skills or doesn't obey social norms doesn't mean he is a bad person.

    This is offtopic, but I think everyone in the world is a prick. But there are 2 types of people in this world, the assholes that let you know they are assholes, and then there are assholes that try to hide the fact they are assholes. Honesty or social acceptance through lies? Which is the worst of the two evils?

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  85. Re:OpenBSD should be more recognized by jbarnett · · Score: 1


    Forgot about `ed` : ) `vi` is really full featured now that I think about it.

    What is 'PEDANTIC'? is that some sort of flame?

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  86. Re:OpenBSD should be more recognized by jbarnett · · Score: 1

    Was...just released a BSOD exploit on bugtraq. The BSOD is run with admin privileges to get the main memory dump to print out, by exploiting bsod.exe with a buffer overflow you can insert random ASM codes that are run with admin privileges/access. The code will have to fork before the memory dump and it can only run as long as it takes for the memory dump to the screen, at that time the machine is locked/frozen (not on purpose) and no more code can be executed till a reboot.

    If you can fork off fast enough and wipe the mbr before the bsod is done dumping core, this exploit could have dangerous effects.

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  87. Re:OpenBSD should be more recognized by jbarnett · · Score: 1

    I got 2.6 a while ago, setup my bios (i386) to boot from CD-ROM, put the CD-ROM in, booted, it booted from CD-ROM, it asked me how to setup the hard drive (really simple, "kinda" like Linux fdisk), setup the hard drive, selected what packages were to be installed, setup hostname, etc. Done, it worked.

    If you can do a Linux install you can do an OpenBSD install without any docs. They include a cd-"cover" pull out that explains all the steps of the setup, but rarely would it be used.

    If you can install Linux you can install OpenBSD. After it is booted it sends you an email telling you to do a couple things to configure the system and the man page 'afterboot' explains other things that need to be done (setup mail, if this is going to be a mail server, and gives you "leads" on how to do it).

    By far, OpenBSD has the best man pages of ANY Unix out there. There isn't a lot of documentation, I will admit, but the documents on it are VERY well written and current. Quality not quantity, should be OpenBSD's motto for their docs.

    I thought that OpenBSD was going to be a really hard system to work with, because 'easy-to-use == insecure (see: Windows)', but really OpenBSD is _clean_, if you do it right, it will work, no questions asked, it won't core dump any of the default programs, a daemon won't suddenly "disappear". Set it up, config it, secure it, re-check it, leave it in the server room for 6 months at a time without worry.

    The other thing that I notice is that OpenBSD feels like "real" Unix. Once in awhile when I am hacking on it via the console (don't have X installed on it (it does come with X though, just didn't install it)) I feel and think "WOW! this must have been what it felt like for the "original" (read old school) Unix hackers seen, touched, tasted, this is what it was probably like 20 years around when real men edited everything through `vi` and not some nice pretty GUI widget tool. They had `vi` and `man` and didn't bitch or moan about the complexity of it, but did it for the love of it and seen past all of it and became one with their machine, and understood the system and just didn't point and click pretty widgets" or sometimes I get into the "power trip" mode and become more aware of security issues.

    I used OpenBSD as servers, haven't tried them as desktops, use Linux for my workstation/desktop/personal computer, KDE is really nice, and Linux has a lot of typical "user" programs. I won't recommend OpenBSD as a desktop/personal computer to my mom, but I would recommend it to anyone that either wants a secure server that is _clean_ or someone that wants to learn about security or learn how the old school Unix geeks did it (hint `vi` was their editor, the only documents they had were in `man`, Perl/shell scripting wasn't considered real programming (for the record I am NOT a real programmer :(

    I like it, it has its place. They say OpenBSD is a niche market, it is hard to believe that "security" and doing things the Right Way, to get the best possible stable code, is considered a niche market. Just because something works, doesn't mean that it is Right. If something works, it can go faster, stay up longer, be more secure. Nothing is perfect, some claim otherwise (see: Microsoft), but no matter how good something is, it can be better. I get the impression that the OpenBSD group is really doing it for the love of their OS, they are doing it because they enjoy doing it, they do it because it is the Right Way to do it. (I am not part of the OpenBSD development team, and these MAY not be their reasons for working on OpenBSD, this is just my personal impression of them, I could be wrong)

    I highly respect all the OpenBSD development members and their OS is extremely put together in a _clean_ and _secure_ fashion, my hat is off to them!

    (note: I am not on the OpenBSD team, and the only thing I get from OpenBSD is a secure system. I am not FUDing Linux, {Net|Free}BSD or other Unii, they all have their place, right now it is OpenBSD's turn to be in the "spot light" (see: slashdotted :)

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  88. Re:OpenBSD goes overboard by jbarnett · · Score: 1

    On Linux (and other System V Unii) you can make a "fake" wheel group without any real hacking. In "/etc/group", make the group wheel, put all users in this group that are allowed to su into root. (`vi /etc/group`) After you have done that, change the group on `/bin/su` (or `/usr/sbin/su`) to group 'wheel' (`chgrp wheel /usr/sbin/su`). Then change the permission on the `su` command to 4750 (`chmod 4750 /usr/sbin/su`) and users that don't belong to the wheel group will get a permission denied error. There are probably ways around this, and I don't think it is as secure as the *BSD `su` command, but it can be somewhat useful at times.

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
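A way to check the "fake wheel group" lockdown described in the post above, and to see why mode 4750 makes the difference. This is an added example, not code from the thread; `check_su()` inspects a real binary's mode and group owner, `who_can_run()` models the execute check for mode 4750 versus the default 4755, and the path list and user names are assumptions.

```python
# Added example (not from the thread): audit the chgrp/chmod lockdown of su
# and model which users the resulting mode bits let through.
import grp
import os
import stat
import tempfile

SU_CANDIDATES = ("/bin/su", "/usr/bin/su", "/usr/sbin/su")  # assumed locations


def check_su(path, wheel_group="wheel"):
    """Describe whether `path` matches the lockdown: setuid, group owner
    `wheel_group`, mode exactly 4750 (no execute bit for 'others')."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    try:
        group_name = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group_name = str(st.st_gid)
    return {
        "mode": oct(mode),
        "owner_root": st.st_uid == 0,
        "setuid": bool(mode & stat.S_ISUID),
        "others_exec": bool(mode & stat.S_IXOTH),
        "group": group_name,
        "group_ok": group_name == wheel_group,
        "mode_ok": mode == 0o4750,
    }


def who_can_run(mode, owner, group, group_members, user, user_groups=()):
    """Model the execute check for `user` on a file with the given mode,
    owner and group.  `group_members` is the member list from /etc/group;
    `user_groups` is the user's own group list (primary group etc.)."""
    if user == owner:
        return bool(mode & stat.S_IXUSR)
    if user in group_members or group in user_groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def demo_on_tempfile():
    """Apply mode 4750 to a scratch file we own (chgrp to wheel needs root,
    so the group check is expected to fail here) and return the verdict."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o4750)
        return check_su(path)
    finally:
        os.unlink(path)


def audit_installed_su(wheel_group="wheel"):
    """Run check_su() over the usual su locations that exist on this host."""
    return {p: check_su(p, wheel_group) for p in SU_CANDIDATES if os.path.exists(p)}


if __name__ == "__main__":
    wheel = {"alice"}  # constructed /etc/group membership
    for mode in (0o4755, 0o4750):
        print(oct(mode), "bob can run su:", who_can_run(mode, "root", "wheel", wheel, "bob"),
              "| alice:", who_can_run(mode, "root", "wheel", wheel, "alice"))
    for path, verdict in audit_installed_su().items():
        print(path, verdict)
```

With the default 4755 every user can execute su and is stopped only by the password prompt; with 4750 a user outside the wheel group never reaches su at all, which is also why, as a later post in this thread notes, there is no failed-attempt log entry for them.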
  89. Re:OpenBSD goes overboard by jbarnett · · Score: 1

    True SMP on OpenBSD is like a niche market inside a niche market! I really respect the OpenBSD group, and they seem to have their hands full with code auditing, kernel hacking, OpenSSH, driver support, checking/verifying default programs' security/stability. Now they want to take on SMP support!?! : ) I think we should all donate some jolt cola/coffee to their cause : )

    I would understand and still respect them if they didn't take on SMP support. I will keep using OpenBSD regardless if it supports SMP or not.

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  90. Re:This article really doesn't touch on strengths. by jbarnett · · Score: 1


    2) The filesystem sucks raw ass. Even mounted noatime and.. whatever else the other mount option is to make things faster.. :P .. it's slow as hell

    True, its FS performance isn't in the "Top 10", but they do this for a reason. The OS has a "security first" policy, which means performance might have to come in second, or fourth... : )

    IIRC the main reason they do it is to prevent data corruption. IIRC it writes all data ASAP, where other OSes tend to write it when the hard drive is not busy (keeps it in RAM). If you write the data ASAP, if it crashes 99.9% of the time all data will have been flushed to disk unlike other OSes. If the data is still in RAM when your system crashes, there is a chance that it will not be recoverable.

    It doesn't make it the fastest FS in the west, but it should hopefully save you some headaches when the power goes out.

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  91. Re:Bah by Dahan · · Score: 1
    and now NetBSD folks get all pissy when OpenBSD people integrate their code. Get a clue. You should be happy that people use your code in accordance with the license you release it under.

    Well, I'm certainly not pissy that OpenBSD has integrated my code (although it is a bit annoying that they credit Allen Briggs, when he wrote none of the code. I mean the first line of the thing even says it's copyright David Huang... Allen was the NetBSD/mac68k portmaster, and certainly answered a lot of my questions and was very helpful in general though.)

    Anyways, I think it's great that people are using my code, and I haven't seen any other NetBSD folks complain that OpenBSD is taking NetBSD code. I do see some grumbling when OpenBSD takes NetBSD code and makes out like it's some new feature of theirs, but that's human nature. They're not against OpenBSD taking the code, they just want some credit for it. NetBSD folks don't like Theo for a reason... while I've never met him in person, based on email conversations with him and watching him on the NetBSD mailing lists (before he was banned), he's rude and quite abrasive. To be fair, some NetBSD folks can be too, but Theo seems like that all the time :)

  92. Re:NetBSD vs. OpenBSD for firewall/NAT box? by Dahan · · Score: 1
    Well, I'm probably biased since I'm a NetBSD user and have contributed some code to NetBSD, but I don't think there's that much difference in security between NetBSD and OpenBSD. NetBSD folks read the OpenBSD commit logs (and vice versa), so if OpenBSD makes any security fixes, NetBSD'll pull 'em in too. I'd say if NetBSD is working for you, stick with it. That said, I think if you switched to OpenBSD, you'd like it just fine too (assuming you like NetBSD :)... the two are really quite similar.

    Also, perhaps you already know this, but ipfilter in NetBSD is the same ipfilter that's in OpenBSD... it's not like you'd be getting anything different if you switched (not sure why you think it's not that good either; seems great to me :)

    I'm using a 386/33 with 8MB of RAM, cheap NE2000 compatible, and a 4 port 16650 card running NAT and routing for two ISDN connections (to separate places) (the other 2 ports are mostly unused... occasional modem dialin). It was also routing my wireless network (Aviator2.4), but then I upgraded the other end to Windoze 2000 and now NetBSD's driver doesn't want to talk to the Windows driver :( So I got an NT 4 box handling the wireless now... Anyways, the 386 has been doing NAT/routing for a few years and it works great :)

  93. 3C509 cards by ArchieBunker · · Score: 1

    I use two of those cards in my P75 firewall with OpenBSD 2.6. Never had a problem with them being recognized or supported. Considering the box came used from onsale.com it's been Uber stable for months.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  94. Re:OpenBSD goes overboard by toppk · · Score: 1

    There is no way around this, this is just as secure as the bsd way, except that you don't get logged attempts to run su (cause the user cannot run su if they aren't in wheel).

  95. Re:This article really doesn't touch on strengths. by xXIshmaelXx · · Score: 1

    > 2) The filesystem sucks raw ass. Even mounted noatime and.. whatever else the other mount option is to make things faster.. :P .. it's slow as hell.

    Did you recompile kernel and enable soft-updates?
    This can greatly improve filesystem speed on the *BSD's.

  96. Re:OpenBSD should be more recognized by pe1rxq · · Score: 1

    You forget that NT has 'security through increased down time' which makes it very secure!

    --
    Secure messaging: http://quickmsg.vreeken.net/
  97. RMS is a crackhead! by Frank+T.+Lofaro+Jr. · · Score: 1
    Good God! What is he smoking? Let's just make su give ANYONE a root shell without asking for a password. We do need some order here!

    Posting as AC since I don't want to lose karma over this. I know how some people here get when someone flames their poster boy or believes in any kind of control.

    P.S. No I don't support the MPAA or the DVDCCA or the NSA or the KKK or anything else of that nature. So if you are going to call me a Nazi go screw yourself.

    --
    Just because it CAN be done, doesn't mean it should!
  98. Re:OpenBSD should be more recognized by AjR · · Score: 1

    Why do all these Linux/*BSD arguments make me think of the Monty Python film "Life of Brian"?

    Judean Peoples Front/ Popular Judean Front..

    Explanation for the humour impaired - the above "skit" pointed out mankind's singular biggest failing.

    Take 'x' small groups with a roughly similar agenda. Pit them against one large group with a polar opposite agenda. (x >= 3).

    Together the 'x' groups have a similar size to the larger group (and for this argument, we could include the commercial *Nixes).

    Watch as the 'x' groups bash each other without ever uniting to promote their common agenda.

    Linux/*BSD doesn't need a Microsoft to wipe it out - these pathetic arguments will do it for them. The OpenBSD trolls shout "Security", the Linux Trolls shout "Popularity", the FreeBSD trolls shout "True Unix" while the NetBSD trolls shout "Availability of platforms" without ever getting together to declare as one voice...

    Open Source - Security by Visibility


    Surely the true point of Open Source is to allow and nurture a degree of deviation.

    A Linux user who has no problem with the *BSD's - Every product has a natural place, evolution in action.

    --
    ...Upgrade now to Schrodinger's Dog...
  99. jail() by Spoing · · Score: 1

    FreeBSD 4.0 has a nifty security feature called jail(). Does OpenBSD have this feature too?

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  100. Re:OpenBSD should be more recognized by kernelistic · · Score: 1

    If FreeBSD only supports x86, what's my AlphaStation running?

  101. Re:OpenBSD should be more recognized by Pr0n+K1ng · · Score: 1

    Oh man, you are so l33t! I too have been considering making the switch to one of the *BSD's, but haven't quite made up my mind yet. Linux used to be l33t, but as you said, it is becoming way too mainstream for my tastes. Which of the *BSD's do you think is better? Which one is used less? I think I'll go with the one that is used less, that way there is less support, and I won't have to listen to all the newbie complaints of "how do I do this?"

    Pr0n K1ng

    Soon to be downloading pr0n off of my new Free/Open/Net BSD box.

    --

    Oh well, back to downloading pr0n...

    Pr0n K1ng

  102. OpenBSD's future by schnell · · Score: 1

    One of my main goals in writing the article was to bring OpenBSD's work to light. After talking to Jordan Hubbard about FreeBSD, it's clear that their goal is to "eat OpenBSD's lunch" and move FreeBSD ahead in security reputation. However, I think that all comes down to a question of philosophy: "is security worth sacrificing features?"

    My job at Boardwatch is to cover all free *nixes, but I'll admit that I prefer *BSD over Linux (for a variety of personal reasons). Which *BSD do I use for my personal servers? FreeBSD. But I see OpenBSD as being valuable for a number of reasons which return to the difference of philosophies.

    I think that it boils down to this: OpenBSD is willing to miss out on the "latest and greatest" for various apps in order to maintain security. This is a very justifiable choice. Since, however, much of the user base I support demands the "latest and greatest," I use FreeBSD (but NetBSD on my Mac machines ... I hope to switch to Darwin soon). I'll admit that I'm willing to sacrifice some level of security for new features (and hope that reading bugtraq will fill in the holes), but that's also because the users I support on my personal boxes don't demand absolute security (e.g., CinemArcade or SchnellNet).

    So, I guess the moral of the story is: is security your number one concern? If so, then you are far better off with OpenBSD. If not, then Linux or Free/NetBSD is where you want to be. I'd be very happy to hear what others think about this, as well as comments on the article itself (or ideas for future people/projects to interview).

    --
    "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
  103. RMS is just wrong on this one by Ars-Fartsica · · Score: 1

    The basic premise of security is that some rights simply must be made exclusive and unavailable to certain users. I find his justification laughable. Every now and then RMS goes right off the deep end. This is one of those cases.

  104. Re:OpenBSD goes overboard by Karn · · Score: 1

    There is no real necessity for telnetd any longer.
    Unfortunately some of us administer older boxes that don't come with ssh. Until these machines go away, there is still a need for telnet.

    On the other hand, a friend just told me how his Linux machine got rooted in seconds after he started his ftpd. Maybe having a cable modem can be a problem.
    Yeah, Redhat is SO insecure that when you start its ftp server, it TELLS people that it's up and it's vulnerable. Yeah. I don't think it's his distro's fault, I'd say it was his ignorance of networking and his OS.

    I'll be the first to tell someone that Linux, and any other Unixes for that matter, are not for the faint-of-heart. It's not ready for the desktop. It's a multi-user OS and by running the system you should be aware of what could/does happen.

    I guess most of the web gets hacked daily, for a large % of servers are running Linux and Apache. So many anon. ftp servers on Linux.. I'm surprised any sites that run a web server other than OpenBSD are up at all! Hehe. I just find it hard to believe that so many people posting security stuff here know more about sites such as Sourceforge, who are CRAZY enough to run Linux, and anon. ftp. They will probably be hacked any minute. :)

    I prefer Linux over OpenBSD b/c it's the most usable OS. Personally I like the support Linux has, and the positive momentum it has. While OpenBSD ppl are looking for non-existent buffer overflows, Linux developers are adding support for current hardware. Since I can't write device drivers, they do that, and since securing a box is trivial, I do that.
    I like the fact that my video card works, the sound works, and it runs the most current programs natively (IE No Emulation). Linux is moving forward, and at a very fast rate. BTW, it's so unbelievably easy to disable all services and add sshd.

    --


    Why do I keep typing pythong?
  105. Re:OpenBSD goes overboard by Karn · · Score: 1

    Ok, you want to know?
    Step 1: Run ntsysv and remove asterisks from all unnecessary services (sendmail, nfs, samba, portmapper, etc)
    Step 2: Comment out all services in inetd.conf
    Step 3: Download and install sshd.
    Step 4: Add sshd to inetd.conf
    Step 5: Add ALL: ALL to hosts.deny
    Step 6: Install Psionic portsentry and Logcheck.
    Step 7: Setup ipchains to disallow incoming connections to low ports.

    Only SSHD is running, same as OBSD, and firewalling is setup. This setup is BETTER than the default OBSD, for this system will TELL YOU when you're getting probed/attacked, if they get past the firewall that is.
    Since this setup is for Linux, I get security AND all get to use all my favorite hardware (TNT2, onboard audio for my K7M, etc).

    As you can see, this setup is for people who know a little about what they are doing. I guess if you know nothing about security, OBSD is for you.

    --


    Why do I keep typing pythong?
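An audit of the two file edits in the seven-step recipe above (steps 2, 4 and 5: inetd.conf with everything but ssh commented out, and a catch-all "ALL: ALL" in hosts.deny). This is an added example, not code from the thread; the file contents are constructed samples in the classic inetd.conf and hosts_access(5) formats, and the service name `ssh` in the allow list is an assumption.

```python
# Added example (not from the thread): check an inetd.conf and a hosts.deny
# against the hardening steps posted above.  File contents are constructed.
INETD_CONF_SAMPLE = """\
# /etc/inetd.conf (constructed sample)
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
ssh      stream  tcp  nowait  root    /usr/sbin/tcpd  sshd -i
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

HOSTS_DENY_SAMPLE = """\
# /etc/hosts.deny (constructed sample): step 5 of the recipe
ALL: ALL
"""

HOSTS_DENY_WEAK = """\
# constructed: only one daemon is denied, so this is NOT a catch-all
in.telnetd: ALL
"""


def active_inetd_services(text):
    """Service names from non-comment, non-blank inetd.conf lines
    (the first field of each entry)."""
    services = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        services.append(line.split()[0])
    return services


def hosts_deny_is_catchall(text):
    """True if hosts.deny has an 'ALL: ALL' rule.  hosts_access(5) lines are
    'daemon_list : client_list [ : shell_command ]'; '#' starts a comment."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2 and fields[0].upper() == "ALL" and fields[1].upper() == "ALL":
            return True
    return False


def audit(inetd_text, hosts_deny_text, allowed=("ssh",)):
    """Report services still enabled beyond `allowed`, and whether the
    hosts.deny catch-all is in place.  Note that hosts.deny only covers
    services that go through tcpd (or link libwrap), so a service listed
    without the wrapper is unaffected by it."""
    leftover = [s for s in active_inetd_services(inetd_text) if s not in allowed]
    return {
        "unexpected_services": leftover,
        "hosts_deny_catchall": hosts_deny_is_catchall(hosts_deny_text),
    }


if __name__ == "__main__":
    print(audit(INETD_CONF_SAMPLE, HOSTS_DENY_SAMPLE))   # finger is still on
    print(audit(INETD_CONF_SAMPLE, HOSTS_DENY_WEAK))     # and no catch-all
```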
  106. Re:You missed the main point of OpenBSD by Karn · · Score: 1

    Yeah, no shit. I have OpenSSH (patched) on my RedHat box at work. Just wanted to point out one vulnerability with OpenBSD. Some people think OBSD is perfect. It just has less vulnerabilities than an unpatched RedHat distro. Keyword *patched*.
    And actually it really wasn't a troll, nitwit.

    --


    Why do I keep typing pythong?
  107. Re:OpenBSD goes overboard by Karn · · Score: 1

    There are less RedHat vulnerability notices on Bugtraq than just about any *nix out there.
    By default, any other Unix out there cannot even connect to an OpenBSD box, b/c ssh isn't standard. FTP? HA! This is lack of functionality.
    Securing a box is NOT a difficult task. If you think it is, then you should use Windows or MacOS exclusively, and Unix has too much power/flexibility for you. I am glad they created a free implementation of SSH, but I can install that on Linux too.

    At least in Linux i have the choice to make it Ultra-anal (yes,anal) secure. I don't like the idea of not having a choice (OpenBSD) in the matter.

    --


    Why do I keep typing pythong?
  108. Re:OpenBSD's initiatives by Karn · · Score: 1

    Oh, so do the script kiddies write their own buffer overflows or something?
    Have one of your boxes ever been hacked?
    Do you know how wrappers work? Do you know how spoofing works? JUST disabling unneeded services will totally cut off any potential exploits for those services (finger, etc). Wrapping telnet will keep anyone from getting a login prompt.
    What's left? Basically nothing a script kiddie can use. You obviously know nothing about security, and you probably believe in every conspiracy theory you hear.
    Scripts are very noisy, and are easily spotted. The only people I worry about are the ones who don't use scripts, and I'm sure they have bigger fish to fry than my home machine running Linux.

    And yes, I know what spoofing IP's entails.
    So, how many successful scripts have you run against wrappered, unexploitable services? I bet you are basing what you said on stuff you have heard/read, and not on personal experience.

    --


    Why do I keep typing pythong?
  109. Re:You missed the main point of OpenBSD by Karn · · Score: 1

    And exactly how big of a problem is Linux's source code, or any of RedHat 6.X's services source? Obviously not as bad as some of you make it out to be. How many times a week do you hear of people's boxes being rooted b/c somebody read Linux's source code, found a hole, and exploited a machine? Not everyone is as eleet as you and reads source code and finds buffer overflows in services(sarcasm) nightly.

    This attitude reminds me of people who are afraid to fly b/c they don't want to crash... The chances of you actually being in a crash is almost nil. We will always have paranoid people though, who will not fly, and we will always have lamers speaking of incidents that they have only heard about.

    Services like sendmail and apache have been around for a LONG time, and many vulnerabilities have been discovered, and fixed. If you are paranoid, use the oldest version that doesn't have known vulnerabilities. They (OS service developers) don't brag about formal 'line-by-line' audits of their software, but just because they don't have 'audits' doesn't mean that they lag behind on security. What mail service comes with OpenBSD? Surely they write their own, b/c Sendmail doesn't have 'security audits' of their code.

    I can see the OpenBSD argument coming from an experienced admin who can't keep crackers off his system, but it's coming from (mostly) people who use Unix as a hobby or for fun. Would an experienced admin who has had a box broken into (who will actually admit it) say something? I use Linux at work and take security very seriously. I can assure you, security is a MAJOR concern, but is not a problem.

    I am a unix admin, and I can assure you that RedHat, Wrappers, and a few other tools do just fine 99% of the time (Yes, I hear you anals saying BUT..). I have yet to encounter the other 1%. If I had top secret data on my servers, I probably would be more paranoid about the other 1%, but I don't.

    If you think OpenBSD has no vulnerabilities, you should go to
    http://www.securityfocus.com/vdb/bottom.html?vid=1006

    Or am I just trolling?

    --


    Why do I keep typing pythong?
  110. Re:You missed the main point of OpenBSD by Karn · · Score: 1

    First of all, relax. There's no need to be so defensive. Nobody's saying that your favorite OS sucks! :) A compliment for OpenBSD is not (necessarily) a criticism of Linux.
    I just think that people are way too paranoid. Patch your box and disable unneeded services. If you're using a Unix box to begin with, surely this isn't a lot to ask. This is more than enough to keep script kiddies at bay. If you are worried about ppl who aren't script kiddies breaking into your box, you should ask yourself, "Why would this person take the time to break into MY box?" I can assure you, if it's patched and you have unnecessary services running, if they can even get in, it'll be hell to do it. IIRC the Linux PPC challenge was the contest for someone to break into a LinuxPPC box (IIRC). 1.) MANY people had a big incentive (a new computer) to break in, and it took a very LONG time, and this is with constant bombardment! 2.) They had telnet running (no sshd). 3.) They gave out the root password. Now, I ask you WHY does the average user need more security than that! And the only way the guy got in was some CGI crap. For the average user, web server = unnecessary service.

    So, umm, this sounds like words of support for OpenBSD, because that's what OpenBSD does by default (do any Linux distributions take this approach?). It would be *a lot* of trouble to go around downgrading all of the critical network daemons on a Linux distribution to get it
    Actually, I was referring to using tried and true versions of software, as in a latest-1 version of a distro. It's not a lot of work to install RH 6.1 instead of 6.1+X.
    No matter which route you take there are tradeoffs. If you choose OpenBSD, you're choosing security over better hardware support, and basically having a more up-to-date OS.


    My posts aren't pro-Linux or anti-OpenBSD. They're anti-paranoia. :)

    --


    Why do I keep typing pythong?
  111. Re:You missed the main point of OpenBSD by Karn · · Score: 1

    Actually, this thread was about security for the 'average' user.

    Well, if you get off on having your home machine secure enough, in your own opinion, to have top secret data on it then I'm very happy for you.
    Top secret data HAS to be secure, b/c by nature top secret data will want to be had.. I don't think people are going to spend weeks trying to break into my box, especially when I can reload the thing in an hour or so...

    --


    Why do I keep typing pythong?
  112. Re:OpenBSD goes overboard by cheshire_cqx · · Score: 1

    You make some useful observations but then wander off. Linux works well as a server, and also works well as a workstation. OpenBSD (and perhaps the whole *BSD family, to a degree) are more focused on networking and server roles ("The Power to Serve," remember?).

    I use FreeBSD as a workstation and server at home, but would look at OpenBSD as a gateway or firewall box if I connect my office to the internet. I wouldn't care a whit about video cards, sound cards, and running the most current programs "natively." Nor would I want fast-paced change (probably introducing new security issues or "interesting" interactions). I would want a simple, robust, and well tested setup.

    So, if I've said it once, I've said it once: TRTFTRJ (or, The Right Tool for the Right Job).

    This is not to say you can't do this with Linux, but that's not an argument against OpenBSD! Also, what keeps you from compiling sshd on your "old boxes" if you administrate them??

    Geoff

  113. Re:SSH (was OpenBSD goes overboard) by cheshire_cqx · · Score: 1
    By default, any other Unix out there cannot even connect to an OpenBSD box, b/c ssh isn't standard.

    This simply isn't true. SSH is a widely used and well known service which is a far better choice for remote access for most systems than telnetd or (gasp) rshd and friends.

    There are even free Java clients available (google for MindTerm), so any system with a VM can log into a box running sshd.

    My own system at home is FreeBSD, and the only service I run for remote access is OpenSSH. Nevertheless, I manage to connect just fine.

    Geoff

  114. Re:OpenBSD on the desktop by LizardKing · · Score: 2

    I have a dual boot machine with OpenBSD on the first drive and Linux on the second. This reflects our server setup - a combination of Linux database servers and OpenBSD webservers. As the connection to our ISP is awful and I'm only blessed with one development machine, I do all programming and testing on the one machine.

    I've found OpenBSD to be an excellent alternative to Linux. The install is quick - just follow the instructions carefully the first time - and the man pages are very good.

    As a reflection of OpenBSD's stripped down philosophy all I have installed above and beyond the core OS is:

    NEdit (statically linked against Lesstif)
    Gimp (development version and required libs)
    Blackbox window manager
    Netscape (the BSDI version - seems far more stable than on any other platform I've used it on)


    Chris Wareham

  115. Character set issue explained by Zombie · · Score: 2
    The encoding of the document isn't specified, so it's the default ISO-Latin-1. The quotation mark used throughout the document, however, is encoded as character code 146. According to this page on Latin-1 and Unicode in HTML, the 128-159 range is invalid. M$'s codepage 1252, however, embraces and extends the standard.

    Excerpt:

    All the CP1252 characters are also available in Unicode. For example the CP1252 character 146 that you mentioned (RIGHT SINGLE QUOTATION MARK) has the Unicode number 8217, therefore you should use this number in order to conform to the HTML standard. Modern HTML browsers like Netscape 4.0 understand Unicode, and will automatically convert the Unicode character ’ back into the character 146 on MS-Windows machines, and into the appropriate character on other systems.

    The funny thing is that this page actually renders properly on my Netscape for OS/2, the #1 victim of the embrace&extend strategy...
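
The byte-level behaviour described in the comment above, as an added example (editorial, not part of the original post or the quoted page): byte 146 (0x92) decoded as ISO-8859-1 lands in the C1 control range, decoded as CP1252 it is U+2019, and the portable fix is the numeric character reference. The sample text is constructed for the example.

```python
import html

# Constructed sample: the article's bytes as a mislabelled page delivers them.
# 0x93/0x94 are CP1252 curly double quotes; 0x92 (decimal 146) is the curly
# apostrophe the parent comment is about.
RAW = b"OpenBSD is \x93the right tool for the right job.\x94 It isn\x92t slow."


def decode_as_latin1(data):
    """Decode the way a browser does when no charset is declared (ISO-8859-1).
    Bytes 0x80-0x9F map to C1 control characters, not printable glyphs,
    which is why non-Windows platforms render them as '?'."""
    return data.decode("iso-8859-1")


def decode_as_cp1252(data):
    """Decode with Microsoft's superset of Latin-1: 0x92 becomes U+2019."""
    return data.decode("cp1252")


def c1_controls(text):
    """Code points in the invalid 128-159 range left behind by a Latin-1 decode."""
    return [ord(ch) for ch in text if 0x80 <= ord(ch) <= 0x9F]


def to_html_ncr(text):
    """Replace every non-ASCII character with a decimal numeric character
    reference such as &#8217;, which is valid whatever charset the page
    declares (or fails to declare)."""
    return "".join(ch if ord(ch) < 0x80 else "&#%d;" % ord(ch) for ch in text)


def repair(data):
    """Reinterpret the bytes as CP1252 and emit standards-conformant HTML."""
    return to_html_ncr(decode_as_cp1252(data))


def roundtrip_ok(data):
    """True if a Unicode-aware browser unescaping the repaired HTML sees the
    same text the author saw on a Windows box."""
    return html.unescape(repair(data)) == decode_as_cp1252(data)


if __name__ == "__main__":
    print(c1_controls(decode_as_latin1(RAW)))   # [147, 148, 146]
    print(repair(b"isn\x92t"))                  # isn&#8217;t
```

The repair works only because CP1252 is a strict superset of the printable part of Latin-1; a page that genuinely used the C1 controls would be mangled by it, so this should be applied to documents known to come from Windows tooling rather than blindly.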

  116. Re:security IS important if you're on the public n by Mullen · · Score: 2

    I hate to give you crap on this, as a sysadmin, I feel your pain, but....


    after about 2 yrs being on the net (public email/web/cgi/ssh/sql services being run), I was broken into 3 times. each time it cost me a lot of effort and pain. plus downtime. and even lost files ;-( ;-(


    It just sounds like you're using the wrong software. Linux is not the most Secure OS out of the box, but if you work with it, it can be very secure.

    One problem I notice is that people use the same crappy bug ridden buffer overflow software all the time. I am still amazed that anyone runs sendmail, wu-ftpd or bind (Well, bind is the only choice in DNS). How many exploits are there for just these three packages? Sendmail is the worst of all time.

    What people need to do is black list bad software. Get X amount of security problems in previous versions, use different software. I won't touch sendmail since it has such a poor history of security. So what do I use? qmail! Same story for wu-ftpd. I use proftpd (Yes, they had an overflow in a beta, but it was only for writeable directories) since it is pretty secure. And for bind? Well, I am waiting for the author of qmail to finish up his DNSd package so I can use that. Until then, I keep an eye open on the mailing lists for the next bind exploit.

    --
    Linux O Muerte!
  117. Re:Bah by Mullen · · Score: 2

    Wow!

    What a bunch of children! I have always heard of the NetBSD breakup as being pretty petty, but this posting is quite clear on one thing. They need to grow up.

    I think this is why Linux is so hot. Just about everyone in the kernel development is pretty damn cool. Linus is a real 'net personality. In fact, I saw a long interview with him and his wife on Finnish TV and was quite impressed with how nice and down to earth he and his wife are. Alan Cox and the other major contributors also seem very nice. I have had email conversations with some of them and they seem to be down to earth people (Ya, I know it's email, everyone sounds like that).

    This may not sound like much; "Big deal, who cares if they are nice". When you're getting started in something you have never done before, you would like people to be a little friendly, even if they are not helpful. Sounds silly, but have you ever done something, in an area, where the people who also did it were assholes? Didn't think so.

    For example, I wanted to try out FreeBSD a couple of years ago, but all the FreeBSD people talked crap about Linux and Linux people. Everything was, "X is better in FreeBSD than X in Linux.", "Linux sucks...blah blah blah". Worst of all, they were plain ole' dickheads. That kept me from trying out FreeBSD for a couple years until I had to for work. Now I work in a FreeBSD shop, and now I like FreeBSD, I just hate FreeBSD people.

    --
    Linux O Muerte!
  118. Re:security IS important if you're on the public n by rangek · · Score: 2

    This is ridiculous. While I have no doubt at all that OpenBSD is a far more secure OS than Linux, I think the implication that you will be hacked if you are running Linux vs. OpenBSD is silly.

    I am responsible for a dozen Linux machines on the Internet (i.e., there is no firewall between us and the kiddies) and a couple of AIX boxes too. No sooner had our Linux boxes gone online than I had dozens of attacks each day. But by proper use of tcpwrappers and some commonsense security checks, we have yet to be broken into. As a matter of fact, I have found tcpwrappers to be quite a deterrent. Most people just give up and go away.

    Now I am sure that some determined bastard (or bitch) could take us out if they really wanted. And I am sure that their job would be much harder if we ran OpenBSD instead. But your inability to properly secure your boxes under Linux does not mean OpenBSD is the correct solution. Especially if you are wasting a processor in an OpenBSD box.
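
The tcpwrappers behaviour the comment above relies on, as an added example (editorial, not code from the original thread or from the tcp_wrappers package): a small Python model of the hosts_access(5) evaluation order, run over constructed hosts.allow and hosts.deny contents. It covers ALL, LOCAL, domain suffixes, network prefixes and net/mask patterns; the EXCEPT operator, shell commands and the PARANOID reverse-DNS check are left out. The security-relevant point it demonstrates is the default: if neither file matches, access is granted, so a missing `ALL: ALL` in hosts.deny means the wrappers deter nothing.

```python
import ipaddress

# Constructed sample files in hosts_access(5) syntax:  daemon_list : client_list
HOSTS_ALLOW = """\
# only the subnet and one domain may reach sshd; ftp only from local (dotless) names
sshd: 10.0.0.0/255.255.255.0, .example.org
in.ftpd: LOCAL
"""
HOSTS_DENY = """\
ALL: ALL
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...].  The optional third
    field (shell command) and the EXCEPT operator are not modelled."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, host, addr):
    """One client pattern against the (reverse-DNS) hostname and the IP address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # hostname without a dot
        return "." not in host
    if pattern.startswith("."):               # domain suffix, e.g. .example.org
        return host.endswith(pattern)
    if pattern.endswith("."):                 # network prefix, e.g. 10.0.
        return addr.startswith(pattern)
    if "/" in pattern:                        # net/mask, e.g. 10.0.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(
                "%s/%s" % (net, mask), strict=False)
        except ValueError:
            return False
    return pattern == host or pattern == addr


def rule_matches(rules, daemon, host, addr):
    for daemons, clients in rules:
        if any(d == "ALL" or d == daemon for d in daemons) and \
           any(client_matches(c, host, addr) for c in clients):
            return True
    return False


def hosts_access(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """The documented evaluation order: hosts.allow first, then hosts.deny,
    and access is GRANTED if neither file matches."""
    if rule_matches(parse_rules(allow_text), daemon, host, addr):
        return True
    if rule_matches(parse_rules(deny_text), daemon, host, addr):
        return False
    return True
```

Because the hostname side comes from reverse DNS, patterns like `.example.org` are only as trustworthy as the attacker's PTR records; address-based patterns (or the real library's PARANOID keyword) are the ones to rely on for anything that matters.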

  119. Re:OpenBSD should be more recognized by Mr.+Piccolo · · Score: 2



    REAL old-school UNIX hackers don't use vi, they use ed. ed is the ORIGINAL, and still the standard, UNIX editor.

    Compared to ed, vi is Office2000.

    </PEDANTIC>

    --
    Glückwünsche, haben Sie Slashdot ermordet, indem Sie zum korporativen Druck beugten und Subskriptionen einlei
  120. Re:OpenBSD goes overboard by coreybrenner · · Score: 2

    > Straight off, I get the message that this user is not in the appropriate group to su to root.

    That is a *feature*, not a bug. Next time, put your "normal" user in the "wheel" group. Then, you'll be able to su just fine.

    > I mean, how difficult would it be for the installer to list the services, (with all of them
    > off by default) and let you choose which ones to install?

    My first take on this is, "not hard". But, then I think a little deeper. If you do this, then a lot of clueless folks will do "enable everything", and you're back to square one. Best if you treat a Unix box like a Unix box, and learn what risks you take *before* opening yourself up to them.

    > Or even to ask what normal user accounts should be in the admin group?

    At install time, what "normal" user accounts does it know about? IIRC, it doesn't ask you to set up a normal user account - it assumes that you will know to do that (though it's been a good while since I've installed it - though I run it every day - so my memory may be Swiss cheese).

    --Corey

    --
    Not only will they not deserve liberty or safety, Mr. Franklin, they will be DENIED both!
  121. Re:Bah by JatTDB · · Score: 2

    Eh. Who cares?

    Quite simply, as long as the OpenBSD project stays true to its goals of a proactively secure open-source OS, I don't care if Theo eats children for breakfast and breaks the legs of people in nursing homes for fun. As long as it doesn't affect the code, I'm all for it.

    --
    "That's Tron. He fights for the Users."
  122. OpenBSD goes overboard by schatt · · Score: 2

    I recently downloaded and installed OpenBSD on one of my machines. While I'll be the first to admit that I didn't work as hard as I could have at it, it still seemed to me to be completely paranoid. For instance, on my own machines, the first thing I do is create my user account, and then finish the setup by suing from there to root. (part of my setup on machines is to compile/install the necessary services, and I like having the source code owned by me, so that I can look at it without being a privileged user). Straight off, I get the message that this user is not in the appropriate group to su to root.
    All in all, the machine seemed overly paranoid, and completely unworkable for a normal user.
    Reading the article, I discovered that I agree with most of their viewpoints (I think that limiting yourself to non-SMP because SMP hardware is more expensive is asinine - the power users are the ones most likely to need this kind of OS), but the hoops they make one jump to get a usable system are a pain. I mean, how difficult would it be for the installer to list the services, (with all of them off by default) and let you choose which ones to install? Or even to ask what normal user accounts should be in the admin group?
    Basically, I guess that I just want to say, I admire the idea behind their software, I just really don't like the way that they implemented it.

    1. Re:OpenBSD goes overboard by krh · · Score: 2

      Did you not read afterboot(8)? It covers just about everything you've asked.

      Anyhow - why the hell would you want to go through forty minutes of saying 'Yes, I want nfsiod enabled on boot' in the install, when a simple vi /etc/rc.conf will do it? Minimalism saves everyone a lot of time. I don't want some overly extensive GUI that asks 93,000 questions. I can do that myself.

      Please, read documentation before complaining about a product.

    2. Re:OpenBSD goes overboard by Frater+219 · · Score: 4

      FWIW, you can get a proper su (in Debian, at least) by installing the secure-su package.

    3. Re:OpenBSD goes overboard by Tim+Pierce · · Score: 4

      Straight off, I get the message that this user is not in the appropriate group to su to root.

      This is pretty common behavior on non-Linux machines and certainly did not originate with OpenBSD. In order to su root, you must be in the wheel group.

      Linux does not require this because it uses the GNU version of su, which is intended specifically not to have this requirement. Here is an explanation for this decision:

      Why GNU su does not support the wheel group (by Richard Stallman)

      Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

      However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

      I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

  123. Re:Bah by El+Volio · · Score: 2
    When I saw the /. story blurb, I was a little excited, hoping that maybe they had been able to shed some more light (or at least new information) on the whole OpenSSH fiasco. Unfortunately, I was disappointed.

    Yes, I use OpenBSD because of its benefits. And I respect de Raadt's technical abilities. But his interpersonal skills leave a lot to be desired.

    In first grade, they called this "Does not play well with others".

    --

    "You can never have too many elephants on your team."

  124. Re:My experiences with OpenBSD by be-fan · · Score: 2

    How is this any different from Microsoft who blames all of Windows' problems on the user fuqing up?

    --
    A deep unwavering belief is a sure sign you're missing something...
  125. Re:My experiences with OpenBSD by be-fan · · Score: 2

    I'm sorry, I can't give an exact reference and I don't have time to look now. But I remember a recent /. thread where there were references to MS blaming users for doing something wrong as a reason why NT was unstable. Weak evidence, I know, but if you look you can probably find something.

    --
    A deep unwavering belief is a sure sign you're missing something...
  126. Re:OpenBSD should be more recognized by ostiguy · · Score: 2

    I am barely out of the ranks of newbies, but the text based install for OpenBSD does the job very well if you take the time to read what it asks of you. Also, print out the main FAQ and install stuff, or have it up on a browser on a pc next to you.

    The partitioning took me a couple tries, but once I got that straightened out, I was happy with it. Once I got OpenBSD up, I had KDE up very quickly via their (limited compared to FreeBSD) ports collection.

    Later that summer, I figured since this was a laptop, I ought to have the more populist FreeBSD installed so I would have increased access to ready made ports. Well, I had a helluva time getting KDE and XFree going on this Thinkpad, so from my history, I think the OpenBSD install is cleaner than FreeBSD's.

    I still have FreeBSD on my laptop, and am running an OpenBSD box doing NAT at home. I really love the clean design of OpenBSD on servers- what's there is probably there because everyone uses it, but you are going to have to learn to activate it (sendmail as a daemon, for example) so you don't leave yourself wide open.

    matt

  127. Re:OpenBSD should be more recognized by Dahan · · Score: 2
    Which one is used less? I think I'll go with the one that is used less, that way there is less support, and I won't have to listen to all the newbie complaints of "how do I do this?"

    Definitely NetBSD/pc532 :) Good luck finding a machine to run it on; less than 200 boards were made.

  128. Re:Yo by Keith+Maniac · · Score: 2

    Manual pages just aren't enough.

    They can be, when they're good. For cases when they aren't the OpenBSD FAQ and the mailing list archive will solve nearly any problem.

    And, they're all located at one place: http://www.openbsd.org

    The HOWTO's aren't supplementary anymore, they are *standard* documentation.
    Only when "standard" means often outdated, scattered across a thousand websites, and lacking real detail on anything but the common case.

    OpenBSD docs used to be spotty, but they made a real effort to bring them up to speed, and keep them there.

    The Linux community has yet to make this effort.

  129. Re:security IS important if you're on the public n by TheGratefulNet · · Score: 2
    I think I was hacked due to bind. I was running the latest version (8.mumble) and lo and behold, I found traces (probably very intentional) of a breakin. there was a subdir under /var/named. harumph!

    with openbsd, named runs as NON ROOT so I don't really have to worry much.

    --
    "It is now safe to switch off your computer."
  130. Re:security IS important if you're on the public n by TheGratefulNet · · Score: 2
    I am NOT a prominent site (its my dsl end-system with just my own personal stuff on it; demos of work that I did, etc).

    yet I was hacked thrice. not sure what gives, but I just got tired of it.

    not saying that linux is a Kiddie magnet - but if they portscan and find linux-like environments, they're more likely to hack it since linux is one of the most INSECURE unix's out there (IMHO, of course).

    all I can say at this point is: if you run linux and don't religiously follow the *security* groups (most folks don't have that kind of spare time), then you ARE at risk. same with freebsd, too; I don't think its all that much more secure than linux.

    --
    "It is now safe to switch off your computer."
  131. Linux security resources by Brian+Knotts · · Score: 3
    I'd just like to add to what others have said. Linux, just like any operating system, takes a bit of work to make *and keep* secure. But there are some excellent tools at your disposal:

    Secure-Linux is a Linux kernel patch that adds nifty security features, which eliminates many, if not most, buffer overflow attacks. I tested this with one of the ProFTPd exploits, and indeed, the exploit failed against a known vulnerable version of ProFTPd. Without the patch, the exploit worked.

    Psionic PortSentry detects and responds to port scans in real time. It works with other Unixes as well.

    With these tools, the standard ipchains stuff, and a willingness to not run *every* daemon under the sun, you can have a reasonably secure Linux box.

    Also, to throw those k1dd13z for an extra loop, put all this on linuxppc. Let 'em chew on that for a while...

    New XFMail home page

    /bin/tcsh: Try it; you'll like it.

  132. Why hasn't someone done a secure linux? by Amphigory · · Score: 3
    I looked a couple of weeks ago, and was unable to find anyone who had done a secure linux distro. Why would I rather have Linux?
    • Faster. OpenBSD is slow on my boxes.
    • Better hardware support.
    • SMP
    • Better commercial app support.
    • Generally, easier install.
    There are a couple of pages out there that describe products, but no downloadable distros. This sounds to me like a great market for someone to "do a mandrake" in.

    --
    -- Slashdot sucks.
  133. Install isn't as bad as you make it out to be. by Dast · · Score: 3

    I just installed it tonight for the first time. The disk setup was a tad cryptic, but the documentation rocks, as long as you know what to look for. It was so clear I almost wanted to cry.

    (BTW, where are the preconfigured firewall and gateway scripts installed by default?)

    But I agree the article wasn't really that great.

    --

    This sig is false.

  134. OpenBSD should be more recognized by linuxonceleron · · Score: 3
    I've been looking into OpenBSD for a while to replace Linux on my firewall, and it seems like it's much better suited for the job. Many people overlook the *BSDs, but Linux has become too mainstream for my tastes :). I should be putting OpenBSD 2.6(+?) on my IP Masq box over spring break...btw a good book on using OpenBSD for this stuff is Configuring Linux and OpenBSD Firewalls, it's like $35

    --

    Shine on, you crazy diamond.
  135. Re:You missed the main point of OpenBSD by Anony+Mouse · · Score: 3
    And exactly how big of a problem is Linux's source code, or any of RedHat 6.X's services source? Obviously not as bad as some of you make it out to be. How many times a week do you hear of people's boxes being rooted b/c somebody read Linux's source code, found a hole, and exploited a machine? Not everyone is as eleet as you and reads source code and finds buffer overflows in services(sarcasm) nightly.

    First of all, relax. There's no need to be so defensive. Nobody's saying that your favorite OS sucks! :) A compliment for OpenBSD is not (necessarily) a criticism of Linux.

    Services like sendmail and apache have been around for a LONG time, and many vulnerabilities have been discovered, and fixed. If you are paranoid, use the oldest version that doesn't have known vulnerabilities.

    So, umm, this sounds like words of support for OpenBSD, because that's what OpenBSD does by default (do any Linux distributions take this approach?). It would be *a lot* of trouble to go around downgrading all of the critical network daemons on a Linux distribution to get it secured down (not to mention the time spent finding the last "secure" version of those daemons). Just because someone hasn't broken into a system yet, does not mean that the system is secure! ;)

    They (OS service developers) don't brag about formal 'line-by-line' audits of their software, but just because they don't have 'audits' doesn't mean that they lag behind on security.

    Yes, it pretty much does. What you don't look for, you probably won't find. ;) For software of any significant size and complexity, unless you actively look for security holes (or bugs in general), chances are they exist. That said, it doesn't mean that Linux is grossly insecure, but it does lag behind OpenBSD in the security arena a bit.

    What mail service comes with OpenBSD? Surely they write their own, b/c Sendmail doesn't have 'security audits' of their code.

    OpenBSD 2.5 and FreeBSD 3.2 (the two distributions that I happen to have in front of me at the moment, which also happen to have been released around the same time) both shipped with the exact same version of sendmail (8.9.3). The difference? On FreeBSD, sendmail is enabled by default (as I assume it is on most Linux distributions as well, but it has been a long while since I have administered one of those, so I can't speak for any of them).

    On OpenBSD (/etc/rc.conf):
    sendmail_flags=NO

    On FreeBSD (/etc/defaults/rc.conf):
    sendmail_enable="YES"

    (actually, a quick diff of the source files shows that they are not exactly the same -- looks like some extra type casting and bounds checking has been added)

    Don't get me wrong here, I love FreeBSD (and Linux), but this illustrates the point that Louis Bertrand is trying to make: if I had no knowledge of the security issues surrounding sendmail, the default would be for my OpenBSD system to be "secure" (in that regard) and my FreeBSD system to be potentially less so. I have plenty of other things to worry about than how secure every single network daemon on my system might be, and there is some comfort in knowing that the OpenBSD folks have already done a lot of that work.

    -- Anony Mouse

    p.s.
    http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=1006
    http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1078

    --
    # echo 'SboPshAeaM@rSicPocAheMt.SnePt' | sed -e 's/[SPAM]//g'
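
The rc.conf comparison in the comment above, carried a step further as an added example (editorial, not code from the original thread or from OpenBSD): the convention it shows is that a daemon's `*_flags` variable set to `NO` keeps it from starting, while any other value, including the empty string, starts it with those flags. The script below parses a constructed rc.conf in that style and lists what would actually come up at boot, which is the quick check a practitioner wants before exposing a freshly installed box. The sample file and the allow-list are assumptions for the example.

```python
import shlex

# Constructed sample in the style of an OpenBSD 2.x /etc/rc.conf.
RC_CONF = """\
sshd_flags=""                 # enabled, default flags
sendmail_flags=NO             # the OpenBSD default
named_flags=NO
httpd_flags="-DSSL"           # enabled, with flags
ntpd_flags=NO
portmap=NO
inetd=YES
"""


def parse_rc_conf(text):
    """Shell-style parse: one NAME=VALUE per line, '#' comments, quotes honoured."""
    settings = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens or "=" not in tokens[0]:
            continue
        name, value = tokens[0].split("=", 1)
        settings[name] = value
    return settings


def enabled_daemons(settings):
    """Daemons rc(8) would start: a *_flags value other than NO, or a plain
    YES switch.  Note that sshd_flags="" counts as enabled."""
    enabled = []
    for name, value in settings.items():
        if name.endswith("_flags"):
            if value.upper() != "NO":
                enabled.append(name[: -len("_flags")])
        elif value.upper() == "YES":
            enabled.append(name)
    return sorted(enabled)


def unexpected_daemons(settings, allowed=("sshd",)):
    """Everything that would start beyond the allow-list: the set to review
    before the box goes on a public network."""
    return [d for d in enabled_daemons(settings) if d not in allowed]


if __name__ == "__main__":
    print(unexpected_daemons(parse_rc_conf(RC_CONF)))   # ['httpd', 'inetd']
```

The same idea applied to a FreeBSD /etc/defaults/rc.conf of the period would flag sendmail, which is exactly the difference the comment is pointing at.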
  136. Open BSD is our choice by 348 · · Score: 3

    OpenBSD is absolutely the choice for me. Sure it has some problems, any SW product will. But with OpenBSD I get a relatively secure environment right from day one. I don't need to have our admins spend weeks implementing bolt-on's to make the environment fairly bulletproof. The only disappointment I have using OpenBSD is that it is very basic. However that is one of the things that our admins love about it. Less bells and whistles means less stuff to break.

    --

    More race stuff in one place,
    than any one place on the net.

  137. security IS important if you're on the public net by TheGratefulNet · · Score: 3
    I just got tired of my linux box being hacked and broken into ;-(

    after about 2 yrs being on the net (public email/web/cgi/ssh/sql services being run), I was broken into 3 times. each time it cost me a lot of effort and pain. plus downtime. and even lost files ;-( ;-(

    so I decided to give openbsd a try. so far, its doing what I need it to. I'm wasting a dual BX board on openbsd (it does not have SMP like linux does; which is what my previous o/s was) but I'll exchange computes for secure computes anyday.

    the way I see it is: if you're inside a protected region (inside the company firewall where there are no 'bad' people to screw you over) then linux on the desktop seems to rule for me. but for any kind of public box, the Kiddies all know about linux and its weaknesses. I'm not sure they know much about openbsd. and even if they did know about it, there's few (if any) open holes they could crawl thru.

    today, I'm being ultra paranoid. I'm not running cgi's anymore, no networked sql, and I even dumped sendmail for qmail. so on my site, its qmail and ssh - THAT'S IT.

    only time will tell - but I feel much better already, knowing that there has been a controlled audit of the openbsd code.

    --
    "It is now safe to switch off your computer."
  138. Are you good enough to be a security admin? by Skapare · · Score: 4

    Are you good enough to be a security admin?

    Part of the problem is too many people just installing some packaged software, which they picked for reasons related to how many other clueless people picked it, and they expect it to be rock solid secure as installed without any configuration or tuning. They also expect top notch performance.

    If you want security, then you have to understand security, or you have to get something that is guaranteed to be secure right from the box, or hire someone who knows security (and please, no whining about lack of technical people when technical people are still looking for decent jobs where their employers respect their skills). OpenBSD probably is the most secure system available right now, as installed, although even I would not trust it without looking under the hood.

    A system/network security expert can make most systems secure (even NT if enough information can be had). Businesses have to commit to the attitude of security and trust a security expert to set it up for them. If you can't trust someone, then you better pull the plug on that internet connection right now (and probably also fire all your employees).

    --
    now we need to go OSS in diesel cars
  139. Ugh... by pb · · Score: 5
    Why do people have to mangle the charset on these pages? It's almost unreadable in Solaris, with all those "?"'s littering it.

    It's good to see something like this in an interview, though:


    Unless security is your primary consideration, you probably aren't going to use OpenBSD for all of your Unix servers. Linux, FreeBSD and NetBSD all excel in various areas where OpenBSD does not. However, OpenBSD certainly has its place, and should be part of any network administrator's toolkit. For your most security-sensitive tasks, OpenBSD is very likely to be "the right tool for the right job."


    Many Linux distros are great for a catch-all, newbie-friendly OS, whereas most BSD's (I've heard, I haven't used any of them extensively) feel more like a traditional Unix out-of-the-box.

    (*please*, no "*BSD is Unix, Linux is not blah blah blah" comments. Because they're free, they both have *no* official "Unix" code, it was taken out of *BSD, and was never in Linux, but they share the same kernel interface, which is good enough for me)

    For a Linux alternative, use FreeBSD. For other platforms, use NetBSD. If you like the way Linux does things, use Linux. Need security? Run OpenBSD. Want media/SMP goodies and a pretty interface? Get BeOS. etc., etc., etc.

    They all have their niches, and *advocacy* involves recognizing that, and using the tool that's right for the job. So it's good to see some real BSD advocacy.
    ---
    pb Reply or e-mail; don't vaguely moderate.
  140. This article really doesn't touch on strengths.. by Blue+Lang · · Score: 5

    or weaknesses of OpenBSD.

    I installed it for the first time about 3 weeks ago, and I can't believe how much I love it. (I use linux as my workstation, and work on AIX, Solaris, etc.)

    Everyone talks a lot about how secure it is, but that doesn't help anyone who actually wants to USE it. If you're wondering how useable it is, the answer is, "very!"

    I would say its strengths, as far as a server OS, are:

    1) Tiny, tiny footprint. Full server install w/out X windows is like 100 MB.

    2) Nice, full man pages.

    3) It comes with a ton of preconfigured firewall and gateway scripts, along with a ton of info on what they do.

    4) It, by default, emails you every day with info on what's going on on your system. This is the type of thing most sysadmins spend their first four or five months writing for Slowaris/AIX/etc.

    5) It has GREAT networking support. Tunnels, VPN, etc, etc are right there ready to rock from the word 'go.'

    6) It really does only run a tiny set of services on startup. I think it starts with like, 6 processes, by default. That's a very nice base from which to build.

    7) Ports rock my little world. They make life very, very nice.

    On the downside:

    1) The install is amazingly terrifying the first few times. If you don't know what partitions are, if you don't understand hard drive geometry, don't even bother with OBSD. Get FreeBSD and install it a few times first. It follows the same concepts, and has a more clear explanation of what's going on.

    2) The filesystem sucks raw ass. Even mounted noatime and.. whatever else the other mount option is to make things faster.. :P .. it's slow as hell.

    That's pretty much the only bad things I'd say about it. I _love_ it as a firewall OS, and I might use it as a web server or something.. The FS performance scares me.

    All in all, the article was lame, as far as explaining why anyone would use OBSD. :P

    --
    blue

    --
    i browse at -1 because they're funnier than you are.
  141. My experiences with OpenBSD by pkj · · Score: 5
    First off, let me state that I am an OS slut. I've done my stint with Solaris, Irix, FreeBSD and for the past two years Linux. (And I even develop a fair bit of software that gets deployed under 'doze, but we don't need to talk about that.) All have their strengths and weaknesses, and I'm not terribly partial to any of them.

    I have been meaning to play with OpenBSD for quite some time now, and finally decided to deploy it on my gateway/firewall which had been running RedHat 5.2 for the past two years. From all that I had read, this seemed to be the perfect application of OpenBSD. The install went very smoothly and I was very impressed by the installation/sysadmin documentation available on the openbsd web site. The only install problem was my 2gig SCSI disk, of which only 1 gig was recognized. This was no big deal, as 1 gig was plenty, but this is apparently a known limitation of OpenBSD and some drives/BIOSs.

    The first thing I noticed was that the openbsd firewall code is lacking all the plug-ins for mangling complicated protocols like irc, realaudio, quake, etc. Even the use of non-passive ftp required the use of a proxy. This wasn't a big deal for me since I don't use any of these, but I know that many linux users would see this as a big problem.

    A day or so after my install, I noticed that throughput on my cable modem was just really sucking to some sites, and I could not connect to others at all. I figured this was a problem with the cable service, which has actually been quite good for me. After jacking my laptop directly into the cable box, I realized that there was nothing wrong with my net connection and that the openbsd machine was fubaring the connections.

    No problem, I'll post to the openbsd mailing list and see what the problem is. I got several replies that I must have something configured improperly. No, said I, the system is virtually stock, and I get excellent throughput to most sites. After much bitching, someone eventually notified me that the NE2000 device driver had known problems. So I replaced the cards with 3c509s (don't laugh, it's all I had on hand) and most of my problems went away. Thanks guys, if you had *told* me the driver was buggy, I could have saved myself a few days of headaches.

    I say *most* of my problems, because I had very similar problems with the 3c509 cards, although they were not nearly as bad. Eventually, I was able to get someone to admit to the fact that the 3c509 driver was buggy as well.

    Needless to say, at this point I was quite pissed as I had lost several days of work debugging and swapping hardware. I don't mind the fact that there are bugs in free software, but what really pissed me off was the fact that (1) the cards were listed as being supported, (2) there was absolutely no indication of problems with the drivers for these cards in any of the documentation when in fact they had been reported by many people before me, and (3) the attitude of the people on the openbsd mailing list who outright assumed that because things were not working I had done something wrong.

    I'm sorry, but it was a terribly souring experience for me, and I am not likely to go back any time soon. In all fairness, however, I must say that openbsd performed flawlessly for 2-3 weeks aside from the problems I had with device drivers. In mentioning this to other people, I almost always got the response, "Yeah, the openbsd drivers suck." Perhaps I was just terribly unlucky. Who knows...

    As an addendum, I switched back to Linux and my machine has been very happy ever since. There's a lot of stuff I don't like about Linux (design and implementation) but I really must concede that things Just Work(TM) a remarkably large percentage of the time. And perhaps more importantly, I have been much more impressed by the attitudes and helpfulness of people in the Linux community. I don't always get the right answer to questions I post, but I usually get enough to be helpful...

    And finally, to the Openbsd people who happen to stumble across this message, I do hope that you will take my comments as constructive criticism, for that is how they are intended.

    -p.