Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD Interview: Strengths, Tradeoffs And Plans

Posted by Nik on from the NP:-Honey dept.

Duke of URL writes: "Boardwatch interviewed OpenBSD contributor Louis Bertrand. It's an excellent article about OpenBSD's niche and mission. They discussed the continued code audit, OpenSSH, and future version plans, including SMP development, ports rework, and continued integration of IPv6. Journalist Jeffrey Carl does a good job of pointing out OpenBSD's strengths and tradeoffs."

6 of 161 comments (clear)

  1. Re:OpenBSD goes overboard by Frater+219 · · Score: 4

    FWIW, you can get a proper su (in Debian, at least) by installing the secure-su package.

  2. Are you good enough to be a security admin? by Skapare · · Score: 4

    Are you good enough to be a security admin?

    Part of the problem is too many people just installing some packaged software, which they picked for reasons related to how many other clueless people picked it, and they expect it to be rock solid secure as installed without any configuration or tuning. They also expect top notch performance.

    If you want security, then you have to understand security, or you have to get something that is guaranteed to be secure right from the box, or hire someone who knows security (and please, no whining about lack of technical people when technical people are still looking for decent jobs where their employers respect their skills). OpenBSD probably is the most secure system available right now, as installed, although even I would not trust it without looking under the hood.

    A system/network security expert can make most systems secure (even NT if enough information can be had). Businesses have to commit to the attitude of security and trust a security expert to set it up for them. If you can't trust someone, then you better pull the plug on that internet connection right now (and probably also fire all your employees).

    --
    now we need to go OSS in diesel cars
  3. Re:OpenBSD goes overboard by Tim+Pierce · · Score: 4

    Straight off, I get the message that this user is not in the appropriate group to su to root.

    This is pretty common behavior on non-Linux machines and certainly did not originate with OpenBSD. In order to su root, you must be in the wheel group.

    Linux does not require this because it uses the GNU version of su, which is intended specifically not to have this requirement. Here is an explanation for this decision:

    Why GNU su does not support the wheel group (by Richard Stallman)

    Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

    However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

    I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

  4. Ugh... by pb · · Score: 5
    Why do people have to mangle the charset on these pages? It's almost unreadable in Solaris, with all those "?"'s littering it.

    It's good to see something like this in an interview, though:


    Unless security is your primary consideration, you probably aren?t going to use OpenBSD for all of your Unix servers. Linux, FreeBSD and NetBSD all
    excel in various areas where OpenBSD does not. However, OpenBSD certainly has its place, and should be part of any network administrator?s toolkit.
    For your most security-sensitive tasks, OpenBSD is very likely to be ?the right tool for the right job.?


    Many Linux distros are great for a catch-all, newbie-friendly OS, whereas most BSD's (I've heard, I haven't used any of them extensively) feel more like a traditional Unix out-of-the-box.

    (*please*, no "*BSD is Unix, Linux is not blah blah blah" comments. Because they're free, they both have *no* official "Unix" code, it was taken out of *BSD, and was never in Linux, but they share the same kernel interface, which is good enough for me)

    For a Linux alternative, use FreeBSD. For other platforms, use NetBSD. If you like the way Linux does things, use Linux. Need security? Run OpenBSD. Want media/SMP goodies and a pretty interface? Get BeOS. etc., etc., etc.

    They all have their niches, and *advocacy* involves recognizing that, and using the tool that's right for the job. So it's good to see some real BSD advocacy.
    ---
    pb Reply or e-mail; don't vaguely moderate.
    --
    pb Reply or e-mail; don't vaguely moderate.
  5. This article really doesn't touch on strengths.. by Blue+Lang · · Score: 5

    or weaknesses of OpenBSD.

    I installed it for the first time about 3 weeks ago, and I can't believe how much I love it. (I use linux as my workstation, and work on AIX, Solaris, etc.)

    Everyone talks a lot about how secure it is, but that doesn't help anyone who actually wants to USE it. If you're wondering how useable it is, the answer is, "very!"

    I would say its strengths, as far as a server OS, are:

    1) Tiny, tiny footprint. Full server install w/out X windows is like 100 MB.

    2) Nice, full man pages.

    3) It comes with a ton of preconfigured firewall and gateway scripts, along with a ton of info on what they do.

    4) It, by default, emails you every day with info on what's going on on your system. This is the type of thing most sysadmins spend their first four or five months writing for Slowaris/AIX/etc.

    5) It has GREAT networking support. Tunnels, VPN, etc, etc are right there ready to rock from the word 'go.'

    6) It really does only run a tiny set of services on startup. I think it starts with like, 6 processes, by default. That's a very nice base from which to build.

    7) Ports rock my little world. They make life very, very nice.

    On the downside:

    1) The install is amazingly terrifying the first few times. If you don't know what partitions are, if you don't understand hard drive geometry, don't even bother with OBSD. Get FreeBSD and install it a few times first. It follows the same concepts, and has a more clear explanation of what's going on.

    2) The filesystem sucks raw ass. Even mounted noatime and.. whatever else the other mount option is to make things faster.. :P .. it's slow as hell.

    That's pretty much the only bad things I'd say aobut it. I _love_ it as a firewall OS, and I might use it as a web server or something.. The FS performance scares me.

    All in all, the article was lame, as far as explaining why anyone would use OBSD. :P

    --
    blue

    --
    i browse at -1 because they're funnier than you are.
  6. My experiences with OpenBSD by pkj · · Score: 5
    First off, let me state that I am OS slut. I've done my stint with Solaris, Irix, FreeBSD and for the past two years Linux. (And I even develop a fair bit of software they gets deployed under 'doze, but we don't need to talk about that.) All have their strengths and weaknesses, and I'm not terribly partial to any of them.

    I have been meaning to play with OpenBSD for quite some time now, and finally decided to deploy it on my gateway/firewall which had been running RedHat 5.2 for the past two years. From all that I had read, this seemed to be the perfect application of OpenBSD. The install went very smoothly and I was very impressed by installation/sysadmin documentation available on the openbsd web site. The only install problem was my 2gig SCSI disk, of which only 1 gig was recognized. This was no big deal, as 1 gig was plenty, but this is aparently a known limitation of OpenBSD and some drives/BIOSs.

    The first thing I noticed was that the openbsd firewall code is lacking all the plug-ins for mangling complicated protocols like irc, realaudio, quake, etc. Even the use of non-passive ftp required the use of a proxy. This wasn't a big deal for me since I don't use any of these, but I know that many linux users would see this as a big problem.

    A day or so after my install, I noticed that througput on my cable modem was just really sucking to some sites, and I could not connect to others at all. I figured this was a problem with the cable service, which has actually been quite good for me. After jacking my laptop directly into the cable box, I realized that there was nothing wrong with my net connection and that the openbsd machine was fubaring the connections.

    No problem, I'll post to the openbsd mailing list and see what the problem is. I got several replies that I must have something configured improperly. No, said I, the system is virtually stock, and I get excellent throughput to most sites. After much bitching, someone eventually notified me that the NE2000 device driver had known problems. So I replaced the cards with 3c509s (don't laugh, it's all I had on hand) and most of my problems went away. Thanks guys, if you had *told* me the driver was buggy, I could have saved myself a few days of headaches.

    I say *most* of my problems, because I had very similar problems with the 3c509 cards, although they were not nearly as bad. Eventually, I was able to get someone to admit to the fact the the 3c509 driver was buggy as well.

    Needless to say, at this point I was quite pissed as I had lost several days of work debugging and swapping hardware. I don't mind the fact that there are bugs in free software, but what really pissed me off was the fact that (1) the cards were listed as being supported (2) there was absolutely indication of problems with the drivers for these cards in any of the documentation when in fact they had been reported my many people before me and (3) the attitude of the people on the openbsd mailing list who outright assumed that because things were not working that I had done something wrong.

    I'm sorry, but it was a terribly souring experience for me, and I am not likely to go back any time soon. In all fairness, however, I must say that openbsd performed flawlessly for 2-3 weeks aside from the problems I had with device drivers. In mentioning this to other people, I almost always got the response, "Yeah, the openbsd drivers suck." Perhaps I was just terribly unlucky. Who knows...

    As an addendum, I switched back to Linux and my machine has been very happy ever since. There's a lot of stuff I don't like about Linux (design and implementation) but I really must concede that things Just Work(TM) a remarkably large percentage of the time. And perhaps more importantly, I have been much more impressed by the attitudes and helpfullness of people in the Linux community. I don't always get the right answer to questions I post, but I usually get enough to be helpful...

    And finally, to the Openbsd people who happen to stumble across this message, I do hope that you will take my comments as constructive criticism, for that is how they are intended.

    -p.