OpenBSD 2.7 Released

dragonfly_blue writes: "Just wanted to let you know, OpenBSD 2.7 is out, with significant advances; including OpenSSH2, better Linux binary emulation, DSA encryption, and (my personal favorite) support for encrypting your swap space. Theo and the gang have also expanded the ports and packages collections considerably, so get 'em while they're hot!" (More.)

ocipio contributed some more tidbits, writing: " ... OpenBSD 2.7 improves support for high end system boards, SCSI controllers, ethernet interfaces, and adds gigabit ethernet drivers and IPv6 networking. OpenBSD's cryptography has been further enhanced by encrypting virtual memory swap space, and by more flexible ISAKMPD key exchange and operating modes for IP Security networking." To keep things interesting in BSD Land, he adds "According to Jordan Hubbard, FreeBSD's release engineer, FreeBSD 3.5 will be released June 20th."

Cool on all counts. Way to go, BSD crew! (And Thanks! to everyone who pointed out this release.)

Re:Is OpenBSD still relevant?

Actually you have your wires crossed. The TrustedBSD project (www.trustedbsd.org) is intended to add POSIX.1e security features to the FreeBSD system, including capabilities, MAC and kernel event auditing. It's not a code audit project - thats a separate project which also exists.

As for the amount of code to audit, OpenBSD includes a lot of "extra" stuff as well compared to e.g. FreeBSD: for example, apache, lynx, mg (an emacs-alike editor), etc. Checking the sizes of my OpenBSD and FreeBSD source trees, I show OpenBSD to be 335M, and FreeBSD to be something less than 370M (I have extra crap in my tree). Thats not that different, considering FreeBSD probably includes more code in /usr/src/contrib which isn't actually compiled (contrib/ accounts for about 120M of that figure).

Re:Is OpenBSD still relevant?

[kkenn]

Oops, slashdot ate my cookie. The parent comment was posted by me (I don't like to hide as an AC)

Re:This is nothing new

[thallgren]

Go grab a new 2.4.0-test1-ac* kernel, apply the 2.3.42 kerneli patches (which aren't available on ftp.kerneli.org, ironically. Check the linux-kernel archives.), handle the conflicts, and update the kernel utilities. If you don't want to mess with all this, you can get a 2.2 patch from ftp.kerneli.org and use it.

I'd like to do that to a mission-critical prodction server! ;-)

Regards, Tommy

Re:Impressed...very impressed

[be-fan]

Sorry. I'm cranky. I have to write a program in its entirity before tomarrow morning. I mean to include the :), really I did.

Re:Encrypting swap and RAM

[Shadowlion]

How much swap is truly necessary when you have large amounts of RAM?

My home machine - a dual PII/400 - has 512Mb of PC100 memory. I'm considering installing Debian 2.2 on it when it is released. Do I really even need swap space?

Re:Alpha?

[iota]

No alpha port this time due to lack of support from users. Check out http://www.openbsd.org/want.html :
"If we do not get some of these very soon, we are not going to ship OpenBSD/alpha on the 2.7 CD-ROM (it isn't worth our effort)."

Makes a lot of sense to me... unlike Linux distros and developers, who are backed by VC, IPOs, and cushy jobs, the OpenBSD team actually have to work for a living :)

jason

Re:Is OpenBSD still relevant?

[apilosov]

1. Theo's beef is with NetBSD, not FreeBSD.
2. If you don't wanna pay 25$ (miniscule), download it. Periodic CVS updates are recommended.

Re:How soon to Linux?

[Micah]

On September 20, when the #@$%#$@% RSA patent expires, it should be possible to ship OpenSSH as standard in the USA.

YESSSSS!!! That's only 3 more months! Wheee!!! Is anyone planning a party???

Re:"How do you like your OS?" "Slow, please."

[apilosov]

No. Do basic math: Swapping means at least 5 ms delay to throw data to disk, which is about as slow as anything can get. In these 5ms, you can encrypt quite a lot of data even with something as slow as DES. Blowfish would be blazingly fast.

In short: Encryption performance is about as fast as drive I/O, and initial delay on IO makes it unnoticeable.

Re:openbsd.org running solaris?!?!

[chris.dag]

Interesting...donated hardware or hosting perhaps?

Re:Why would you encrypt swap?

[apilosov]

Swap is never really reused anyway. Swap is encrypted to protect from stolen-harddrive-attack.

Re:oh my god things cost money!!

[ArchieBunker]

I'm not trying to belittle you, but the general attitude here at slashdot is that no one thinks they should pay for anything, just ask RMS about commercial software.

http://tlug.linux.or.jp/rms.html

"The only good thing about the unauthorized copy is that you avoid giving money to the owner. This is good, because the owner does not deserve a reward for making software proprietary"

If you are worried about distro cost cheapbytes sells the OpenBSD cd for $4.99.

Re:Why should I run OpenBSD?

[drinkypoo]

My problem with linux has been (lately) that when I try to install redhat, the install terminates.

This happens to me a lot on a lot of different machines, and in fact I couldn't get redhat to install even the minimal setup on my Celeron 366, nor could I get debian to even boot into the installer. OpenBSD, on the other hand, installed with no problems and very quickly.

If I were going to point a newbie at unix for the first time, though, I wouldn't send them to BSD. There's just not as many people out there willing to help a BSD newbie as there are those willing to help the linux kiddies. Then again, if you get on #linux as root, expect some hax0r1ng...

Re:Encrypting swap and RAM

[technos]

Swap partition, no. Swap file, yes.. Encrypted loopback, or an encrypted filesystem holding said swap file..

Now this is off the cuff; This prolly won't work, and even if it did, it's be as slow as Windows95 on a 386.. But it is food for thought.. Ramdisk in memory, containing the 'swap space' mounted via a encrypted loopback. Make the ramdisk size close to physical, and you now have encrypted DRAM..

Or switch platforms; The AS/400, the S/80 and a variety of other IBM midranges are capable of it, even if they don't come out of the box that way..

encrypted swap space

[tie_guy_matt]

Why stop there? Let's encrypt everything to the point of all we get on our screen will be a bunch of useless characters. We won't know what is going on, but the important part is neither will THEY! Encode our swap space, maybe that is exactly what they want us to do. Ever think about that?

Re:Encrypted swap space

It's only relevant for older machines and those are slow anyways

Not really. Even if you have lots of free memory, some operating systems will move unused stuff out to swap space to give themselves more room for stuff like disk caching, buffers, etc. I'm running Linux with 64MB of RAM - right now only 30MB is used, but I still have 8MB in swap space. My disk cache is 31MB.

Re:Encrypted swap space

[drinkypoo]

No, you still need to write Ordo vim (or maybe ordo mutt complium) because you don't want to be writing out temp files either. vim writes out unencrypted swap files...

Re:encrypted swap space

[technos]

Let's encrypt everything to the point of all we get on our screen will be a bunch of useless characters

This is assuming that you could make *nix any more cryptic than it is without hitting mental critical mass. Try it, and you'll probably see the fatality rate in *nix admins soar from cranial explosion..

Shit, I may have just given Microsoft an idea..

Re:Encrypted swap space

[Ice]

Actually, the swap space isn't used all that much anymore. Everyone usually has enough memory to handle running these OS' and never even come close to touching their swap space. In most of my machines I don't ever go near my swap. It's only relevant for older machines and those are slow anyways, what's a few more microseconds? =)

Re:encrypted swap space

[RollingThunder]

Well, what ELSE are we supposed to use CPU cycles for? We don't have Windows chewing 45% just moving the mouse around... ;)

Re:Encrypted swap space

[teste_2000]

top. Gtop if you have it installed, gives you neat little slice-charts of how much memory each running program is using. Of course that's in Linux.

Re:Encrypted swap space

[Hakakahn]

31 MB? How did you get this n8umber cucumber? Do you remember? Just curious..

Re:encrypted swap space

[gehirntot]

Why stop there? Let's encrypt everything to the point of all we get on our screen will be a bunch of useless characters. We won't know what is going on, but the important part is neither will THEY! Encode our swap space, maybe that is exactly what they want us to do. Ever think about that?

The idea is to prevent leakage of passwords or other secrets, like your private RSA keys for ssh.

Additionally, once you start using cryptographic file systems, you do not want all your precious secrets to appear as plaintext in the swap partition. From that point of view, encrypting your swap partition makes a lot of sense. You might actually say that you can not securely use a cryptographic file system, when you have unencrypted swap space.

And zeroing out the swap partition is way too expensive. It is also not possible to reliably delete data, check the literature on that.

Re:Why should I run OpenBSD?

[tve]

You say you set your 486 up as a cable-sharing gateway using FreeBSD. As I also want to setup a 486 for the exact same purpose, I'm exploring various options. Possible candidates I have in mind are Debian and OpenBSD. So, I have some questions:

1. What about speed? Do you know how the various BSD's compare to linux when serving as a gateway on a 486? What is your experience running FreeBSD on it?

2. Why did you pick FreeBSD instead of OpenBSD in your particular situation?

3. Any other suggestions? I'm perfectly willing to spend time learning something new, but I really don't feel like installing and configuring more than one os.

Re:Adding BSD to a Linux system...

[Syberghost]

This document makes a teensy error; it completely ignores the fact that the Linux swap space is not included in the Linux native file system; it has to be allocated on a separate partition with a different file system.

No, it doesn't ignore that; and no, it doesn't have to be on a seperate partition.

If you're not going to read the article, at least do a search for "swap" on it and read those lines.

Here's one for you from the article:

You will notice that I don't have a linux swap partition visible. My linux setup currently uses the OpenBSD swap area.

That's one way. Another is the use of a swap file on the Linux partition (or even on the BSD partition), which Linux can easily do.

How do you classify that as "ignoring" the question of swap space?

--

Re:So -- where's the list of ports ?

[q[alex]]

Check out: http://www.openbsd.org/ports.html for generat information on the ports, and http://www.openbsd.org/cgi-bin/cvsweb/ ports/ to browse (via cvs) the ports tree. Good luck.

Re:Encrypting swap and RAM

[LegacyMan]

I have the encrypted loopback working very nicely. I use it with reiser files systems. (a patch on a patch :o)
I was looking for your solution for the dynamic key generation and automounting of the swap device more than anything else.
Thanks for the reply though.

efs

[jbarnett]

Is there anyway to do a encrypted file system on OpenBSD?

Re:Why would you encrypt swap?

[nestler]

You would encrypt swap to prevent the leaking of any sensitive data that is resident in a processes memory (cleartext passwords, private or secret keys, etc.)

Without encrypted swap, an application with sensitive data may be swapped out at some point to the disk. Even if the process zeros its own memory eventually, this disk copy may be left around for prying eyes (another process does a large malloc and scans this dirty memory for keys/passwords).

It seems to me that zeroing the swap before reuse would be a cheaper alternative to this. Here is the argument for why I think encryption doesn't buy you any security that zeroing doesn't:

My reasoning is that another process would never get your old "dirty" memory with your key after a malloc. They would have to resort to spying in your memory in realtime.

As for someone looking at your actual memory in realtime, encrypted swap isn't going to stop that. If they are sufficiently powerful to do this, they are sufficiently powerful to go into the kernel, extract the swap encryption key and read things anyway.

Could someone more in the know explain what encryption buys you that kernel-level zeroing doesn't?

Re:How soon to Linux?

[rifter]

Yes I agree. The "Paranoid" option, with crypto installed is fairly locked down IMHO. It also illustrates the point that restricting access and functionality to what is required fr basic operation is the first step to securing a system.

Re:Why would you encrypt swap?

[jbarnett]

Would't a program running as a normal user be unable to access the raw swap partition?

Yea true, just like a normal user (or user program) can't grab a raw dump of kernel memory. Buy back in old Solaris or late SunOS, one of Sun's version shiped with incorrect premission on the kernel memory device, which allowed users (and user programs) to read any (or all) of the "primary" memory...

It is better to have a "backup" or "fail safe" plan when dealing with security. If my firewall is completly cracked, I still have tcpwrappers to defend off with. If I set the incorrect read permission on a senastive file, I still have it encrypted to defend off with. If some how anyone can start connecting to the telnet port, most of the users accounts have /bin/false as there shell....

The fact is, things do screw up, and when dealing with security it is a good idea to setup atleast 2 (if possiable) methods (if not more) incase the "main line" defense gets expoilted or breaks.

Also what if someone takes the swap drive out at night, dumps it, puts it back in without you noticing? OK that is super paranoid, but that it what I love about OpenBSD.

Mac OS X

[Arthropoid]

Anyone know if this will be integrated into the Mac OS X (more specifically, the Darwin) code base?

Re:Mac OS X

[TheGreek]

How can you be so ignorant? MacOS-Ten does not contain code from ANY of the free BSD's. It is based on NeXT which was based in part on some old BSD code from yesteryear.

Or, actually, it does. Darwin (the actual kernel bit of Mac OS X) was derived from FreeBSD 3.2-RELEASE sources and Mach 3. Go look it up.

Re:Mac OS X

[leereyno]

What??

Mac OS X is supposedly derived from FreeBSD. OpenBSD is another product altogether. They all ultimately come from BSD 4.4 Lite, but the code bases have branched away from each other to too great an extent to just cut and paste anything from OpenBSD into darwin.

What OpenBSD offers is security and stability. Those are features that should be included in any operating system. But if apple wants them for darwin/OSX, it will have to do the job themselves.

Lee

Re:OpenBSD Firewalls

[q[alex]]

This is not OpenBSD specific, but the best firewall book I've ever read is Firewalls and Internet Security (Repelling the Wily Hacker) by Cheswick and Bellovin. Published by Addison-Wesley. Good luck.

Re:How soon to Linux?

[rifter]

It could be his machine. True, the package selection system is easier than Win98 or NT in many respects, and if he is confused, well... maybe he would be happier with this manufacturer, as they make excellent machines with a very spiffy, powerful, and easy-to-use OS.

Nevertheless, I am usually not one to blame problems with a user interface on the user. That is a developer's trap. What we need to do is keep trying to make the interfaces as intuitive as possible. It is true there will always be some that will not want to think for themselves at all, but that is what defaults are for.. let the developer and the computer think for them and they should be happy... IF the defaults are sane!

Crypto

[1DeepThought]

This new crypto stuff is very cool. Can't wait to have a play with it. These are featurs that should be in every OS. Top work.

Re:How soon to Linux?

[rifter]

This is why it is better to use an OS for what it's intended. OpenBSD is not for playing games. It is not for using applications, generally, though it will apparently run linux apps with binary compatability and most others with a recompile. I can't speak for that personally, and to be honest I don't see the point. Adding applications adds instability and decreases security.

Basically, give NT to the Pointy-Haired Boss (though they will never admit they really need a Mac), Macintosh to the graphic designers (who *want* a Mac), use Linux for workstations and possibly web servers, and OpenBSD for firewalls and secure web servers.

Using BSD as your box to play Quake on is like driving a tank to work.

Re:Why would you encrypt swap?

[jbarnett]

Ok, zero-ing out the swap file is a good idea, but a couple of questions. What happens if the machine is shutdown unexpectly? For example, if you zero out the swap file in the shutdown run level, that is alright. But what if you say YANK the power cord from the wall, that bypasses the shutdown run level on the system and the swap is never zero-ed out?

Re:Why would you encrypt swap?

[rifter]

It really depends on what you are doing. Obviously if you are not hitting swap a lot, you will not see a decrease in performance. If your disk is slow, the proc being locked up doing encryption calculations is less noticable.

There are lies, damn lies, and benchmarks.

SMP??

[electricmonk]

" ... OpenBSD 2.7 improves support for high end system boards, SCSI controllers, ethernet interfaces, and adds gigabit ethernet drivers and IPv6 networking.

Wow, it supports all the components that you will likely find in high-end servers, except for the most important ones! When are they finally going to support multiple processors?

Re:openbsd.org running solaris?!?!

[RedGuard]

www.openbsd.org is actually
openbsd.sunsite.ualberta.ca, www.usa.openbsd.org
is actually running OpenBSD itself.

Re:openbsd.org running solaris?!?!

[Duke+of+URL]

Sure, I'd be glad to explain. You're wondering why www.OpenBSD.org is running on a Solaris server. See this comment from the misc OpenBSD mail archive.

Basically www.OpenBSD.org runs on a University of Alberta server. The bandwidth is provided free. OpenBSD is looking for venture capital and funds are limited so why look a gift horse in the mouth?

While you're looking around the site, check out their T-shirts. I like the fish-cipher t-shirt t-shirt that any open source guy would like. It has the Blowfish code printed on the t-shirt's back.

Re:OpenBSD Firewalls

[LiNT_]

Sounds strange but I'd actually recommend "linux firewalls" by Robert Ziegler.

I've read all of the books mentioned so far and I'd have to say first place goes to Orielly's even though it's a tad out of date. Second goes to Ziegler's book even though it's for Linux. It explains some important info in a very easy to understand layout that you need to get your firewall running.

Most importanly, don't forget the indespensable IPFilter FAQ someone mentioned above.

Good luck, LiNT

Re:FreeBSD 3.5?

[Jeff+Nelson]

4.0-S is still not considered "stable", as it is recommended for people who depend on the stability to wait for version 4.1-S. I have had no complaints on my 4.0 systems, but vinum still causes kernel panics when i have brain farts while setting up new arrays :0

correction: I omitted a word

[Duke+of+URL]

I said above: Basically www.OpenBSD.org runs on a University of Alberta server. The bandwidth is provided free. OpenBSD is looking for venture capital and funds are limited so why look a gift horse in the mouth?

I meant to write the OpenBSD group is NOT, repeat, NOT looking for venture capital, and they're not like other distros like Red Hat who are more able to spend money on bandwidth and not worry about how it will affect the project's overall finances. Basically the OpenBSD project has limited financial resources so they want to use all the free resources they can get.

Re:Impressed...very impressed

[Brew+Bird]

While IPv6 is supported in the linux kernel, I havn't seen too much work (yet) go into a full userland support

Re:oh my god things cost money!!

[OmegaDave]

How about you all stop being stupid? Archie's right, paying $30 for extremely nice operating system is not that bad. I mean, how much did you pay for the hardware? Did you bitch about that too? How are the OpenBSD people supposed to fund their project without money? And using the whole 'leave the girl alone' angle was just boring and old.

Re:Alpha?

[pope+nihil]

i think they dropped support for alpha due to lack of funding/hardware. i don't feel like digging through the archives, but if you take a little time i'm sure you'll find it.

Re:About as relevant as Solaris.

[The+Man]

Actually (ignoring the fact that your entire post is incorrect and filled with bogus information) OpenBSD is far more relevant than Solaris. Being operating systems, both are condemned to suck, but OpenBSD sucks far, far less. Solaris is slow, obsolete, and has more security holes than an unpatched Red Hat 5.0 [note to ignorant: that's a LOT]. OpenBSD is small, secure, and fast. If you're going to compare the relevance of OpenBSD, please compare it against that of a product with a future.

Re:Encrypting swap and RAM

[Detritus]

Also, are there any ways to encrypt the data in physical RAM, in any OS?

The Dallas Semiconductor 5002FP encrypts the address and data buses. It's an Intel 8051 compatible microprocessor, so forget about running Linux or *BSD.

How soon to Linux?

[tadas]

How soon are any of these ideas going to make it to Linux distributions?

In particular, I think it'd be great to have ssh ship with every Linux distribution.

I don't think I'm paranoid enough to encrypt my swap, though....

Re:How soon to Linux?

[Yakman]

How soon are any of these ideas going to make it to Linux distributions?

In particular, I think it'd be great to have ssh ship with every Linux distribution.

I downloaded a Debian (Potato) ISO a few weeks ago from an Australian mirror and it had OpenSSH as part of the install? [shrug] When booting you get "Starting OpenSSH daemon" or similar.

Re:How soon to Linux?

[penguinboy]

With regard to ssh, it can start shipping in distributions when encryption export regulations change. Currently though, Mandrake has an option to download encryption stuff during install.

Re:How soon to Linux?

[Hakakahn]

"You should have nothing to protect/hide". Then bury your weapon in the ground, before you get shot form your own kiddoes!! And your duff beer... better drink it when your son is already in bed, else he might ask you what this is.

Re:How soon to Linux?

[attobyte]

Mandrake is trying. They have a secure install option. Which is good, prob better in 7.1

atto

Re:Encrypting swap and RAM

[The+Man]

No, just that one. Actually, anyone who doesn't know can't call himself a unix admin anyway.

Why would you encrypt swap?

[Ron+Harwood]

Would that be to prevent your users from seeing what is in swap space? Or is this a paranoid "If the feds take my box..." kind of thing?

Re:Why would you encrypt swap?

[Elladan]

Another process doing some malloc()s to see your ram isn't a problem - the kernel in this situation is going to zero the ram before that process gets to read from their malloc area, and in any case it won't have any reason to read in from untouched swap.

Generally speaking, while the system is running and permissions are set, there's not going to be any difference between encrypted and unencrypted swap security wise. Programs won't be allowed to read from swap space, and they aren't allowed to read each other's ram or core files, either (at least, not without permission). About the only case where encrypted swap would help while the system is running is if swap was, for some reason, mounted over a network connection or someone was able to otherwise sniff the channel between the system bus and the actual swap storage device. This might be an actual possibility if you were dealing with, say, some sort of thin client which didn't have a hard disk and swapped to the server, for instance. Secrets wouldn't be accidentally transmitted in the clear due to some app on the client being swapped out. I suppose encrypted swap might also be useful in keeping superuser attacks from extracting information which is no longer resident, but was in the past too, but if you have a root compromise, you're screwed anyway.

The real point of encrypted swap space is that it keeps your secret information from showing up in the swap file if someone steals your machine. Normally, the OS doesn't try to keep swap space clean, so whenever something is paged out, it'll just sit there in the swap partition until it gets overwritten. So, if someone stole your computer, they could then just scan through the memory dumps in your swap partition looking for secret data, and they might well find it. There's no way you could ensure that they wouldn't.

Various other methods to encryption, such as zeroing, aren't really going to help. There are a number of flaws to the zeroing idea:

• The swap space can only be zeroed when you actually release it. Thus, the OS would clear the swap block when it's no longer in use. This has the disadvantage of causing more disk IO, but more to the point, if the OS never sees the block get released, it never zeroes it out. So, the gestapo kicks down your door and rips the power cord out of the computer, the OS never gets a chance to clear itself out, and they get your secrets too. Bad.
• Zeroing the data won't necessarily erase it very well. Look at the wipe utility and all the hoops it has to go to in an attempt to securely erase data from your disk (and even then, it has flaws). It's very possible for someone to go over a swap partition that's been zeroed, and still recover data, even if it was erased a couple times.

So, basically, it's a lot better to guarantee that your secret is never written to disk at all in an unencrypted form, if you're really worried about it. That means, either you encrypt the swap file, which is a general solution, or you write your software so that, if it knows it has a secret, it will make sure the secret is never written to swap (for instance, by locking the secret in ram so it can't be paged out). The latter solution is good practice, but it's very hard to ensure it works properly.

Re:Why would you encrypt swap?

[dcs]

If you can't think of anything other than feds, then YOU are paranoid.

Just take a look at all the hard disks stolen from Los Alamos, at all the notebooks stolen in a number of places. Espionage, including industrial espionage, exists.

If you keep your data encrypted, you decrease the chance of having it just stolen. But if the data is left unencrypted in the swap...

Re:Why would you encrypt swap?

[asland]

Its the "feds snatch the box" scenario. You do not want to create a record on disk of something that was decrypted, created before encryption, etc.

If sensitive data was written to the disk, it could be recovered even if written over (theoretically). This is protection for the extremely paranoid, but that is what OpenBSD is all about.

If you were booting with your root partition encrypted and all filesystems storing sensitive data encrypted, this is the final hole to plug to prevent anything unencrypted from being put on a disk unencrypted.

I see the danger as being what people are looking at when they take the disk from you, not what they can find when the system is running.

Re:Why would you encrypt swap?

There is a paper on this, called "Encrypting Virtual Memory." It is at http://www.citi.umich.edu/techreports/. The paper will be presented at the USENIX Security Symposium in August this year.

Re:Why would you encrypt swap?

[tzanger]

Largely, to keep one program from snatching sensitive information from another program's swap space. Like, for example, passwords that are held in memory. A hostile program running on a box could scan through available swap in search of username/password pairs.

That's one of the reasons your raw partitions aren't given read access to everyone by default.

Now I imagine an exploit could be crafted in which you allocated memory which would be allocated in swap first and then selectively swapped in and scanned...

Re:Why would you encrypt swap?

[jamesc]

what kind of performance tradeoff would be expected with on-the-fly encryption/decryption of the swap space?

The paper reference provided by an A-C above, http://www.citi.umich.edu/te chreports/citi-tr-00-3.pdf claims a 26% to 36% performance loss due to the swap space encryption in their benchmarks.
--

Re:Why would you encrypt swap?

[stripes]

My reasoning is that another process would never get your old "dirty" memory with your key after a malloc. They would have to resort to spying in your memory in realtime.

There is no Unix I know of where you get another processes' dirty memory when you malloc. When malloc first gets it's memory from the OS (with sbrk) it is zero'ed (I think in thery it is merely "not valid data", but in practice it is zero'ed). If you free that memory and malloc it again it might contain your own dirty data. Similar things happen with mmap'ing annon memory, and /dev/zero (the other way malloc is implmented nowadays). In Net and FreeBSD the free'ed memory is frequently madvis;ed as unused and will not be written to swap unless it is written to again (and will tend to come back as zero, unless it is written again).

When I say "no Unix I know of" this includes V7 (or V6 -- what is it the Lyon's book covers?).

Could someone more in the know explain what encryption buys you that kernel-level zeroing doesn't?

Others have already said, but I'll state for completeness... If your system is seized by a hostle force (say your goverment, or it's a laptop, it could be a competeing bissness), the swap area could have cleartext passwords, or chunks of important documents. Of corse if you didn't encrypt your real data then there are other areas of intrest on the disk...

Re:Why would you encrypt swap?

[YASD]

...a hostile foreign government or by the hostile local one...

A nice turn of phrase :)

------

Re:Why would you encrypt swap?

[ph0enix]

IIRC, OpenBSD swap space is only overwritten on demand.

I think that you are confusing the swap file encryption in OpenBSD with the Windows NT feature which writes 0's on the disk at shutdown. In OpenBSD, a random key is generated at system startup, and this is used to encrypt all data written to the swap file. When the system is shut down or rebooted, this key is lost and the swap file is unreadable.

Re:Why would you encrypt swap?

[technos]

Actually, I didn't know NT had that feature. OpenBSD swap is only overwritten on demand, meaning the contents are not changed until that section of swap is overwritten as some process swaps into it..

There hasn't been any real 'zero'ing feature, save perhaps the paranoid individuals I have seen that include dd if=/dev/zero of=/dev/[swap] bs=1024 count=[swapsize] in their shutdown scripts..

Re:Why would you encrypt swap?

[ct]

Would that be to prevent your users from seeing what is in swap space? Or is this a paranoid "If the feds take my box..." kind of thing?

Keeping in mind that OpenBSD's primary concern is security at any expense, what kind of performance tradeoff would be expected with on-the-fly encryption/decryption of the swap space?

Re:Why would you encrypt swap?

[enneff]

I think he was saying that looking at pictures of teenagers your own age is prefectly acceptable, and I agree. I'm not ashamed.

What's the big deal?

Re:Why would you encrypt swap?

[jcr]

There are many of nice, fast symmetric-key ciphers that won't make any noticeable difference in swap performance. The performance limits for swapping will still be the physics of the disk.

-jcr

Re:Why would you encrypt swap?

[sammy+baby]

Largely, to keep one program from snatching sensitive information from another program's swap space. Like, for example, passwords that are held in memory. A hostile program running on a box could scan through available swap in search of username/password pairs. Encrypting swap makes this less likely.

Re:Why would you encrypt swap?

[Ronin441]

It's because OpenBSD is the security-conscious version of BSD. They focus on having really good, really thorough security first, everything else second. As such, encrypting swap is a good, clever idea.

Re:Why would you encrypt swap?

[Decklin+Foster]

Would't a program running as a normal user be unable to access the raw swap partition? It seems that looking through the swap is only a problem if you are root, in which case you can just access the whole virtual memory space normally.

However, this definietly does come in handy in the "feds-snatch-your-box" case, especially, if you didn't make an electromagnet out of your door (no STR :-)

Re:Why would you encrypt swap?

[drinkypoo]

I run OpenBSD as a server. Why do I do such a thing? because OpenBSD really IS secure. When a CERT advisory comes out, often the line for OpenBSD says "This was fixed back in 2.1 before anyone knew it was a problem" or somesuch.

This is because OpenBSD's code is under constant review. While the hax0rz are hunting for flaws, so are the developers, and they tend to find them first due to their great familiarity with the code.

OpenBSD is terribly slick, plenty fast, fulfills all my needs, and is very nicely secure. I use windows on the desktop to play games, so I'm not worried about the various widgets that won't run on OpenBSD (like xmms.)

Re:Why would you encrypt swap?

[technos]

IIRC, OpenBSD swap space is only overwritten on demand. Once used, the space retains whatever information is in it until overwritten again.. A lot of useful junk, passwords, etc, is left in swap for an indeterminate amount of time. What happens when the box is stolen, say by a hostile foreign government or by the hostile local one, and they can't log in or mount your encrypted volumes? They sniff your swap space!!

Re:About as relevant as Solaris.

[bmajik]

Well, im glad to see you like IRIX. (I like, and Use IRIX daily as well).

As far as threading in irix, it didn't work with shit until 6.4. NFS on irix has been problematic at times, leading to pesky things like kernel panics, etc. The 32->64 bit migration on irix has been pretty amusing, unless you've actually had to use 3rd party tools or libs for anything, in which case, its been nightmarish. (n32 tools are better, vendiors love to ship o32... sound familiar ?)

IRIX has faults just like any other OS. I still like it. There is a pretty wide market niche for solaris to fill, one that IRIX wouldn't fill as well. Namely, Solaris has the right mix of "stable", "easy", and "thorough" to make it a very viable operating system. Outside of the world of slashdot, there are plenty of people that agree with me :)

IIRC, the largest IRIX installtion is ASCI-Blue mountain, at 6144 processsors. This is _not_ a single machine image. O2k machines have only been implemented upto 256 cpus with a single image, althoug the O2k architecture should support 4096 (see Lewis and Berg: Pthreads)

XFS _is_ a fast file-system. But if you were a hardcore irix user then you know its taken XFS a while to be what it is. Back in the day when we were running 5.3 + XFS, things were different. Back then there was no xfs_check. They just assumed it would alwasy work. This is in the XFS design papers, btw. Or like the time when XFS patches broke any possibility of conveniently booting a downed SGI machine (all the media was 6.2, effectivly patchlevel zero, but subsequent patches to the OS made the on-disk XFS file-system unreadable and thus unrepairable to the on-cd kernel and tools)

These sorts of things tend to not happen with solaris. It's not nearly as esoteric, so it doesn't have the bleeding edge performance of IRIX. On the other hand, it is very feature rich, and very stable as well.

Like i said, right mix of stabl, easy, and thorough. Might as well add "cheap".

Re:Guessing here...

[TyrantChang]

Well, not for all applications...for example, databases, you have no control over what gets paged in and out...it is more up to the database. So unless you make your own db that doesn't use any paging (which will be a rather useless database since dbs usually require a lot of memory), sensitive information in the database will always be in some sort of swap file/partition or temporary file.

Alpha?

["Zow"]

Just curious, but what happened to the Alpha port? I noticed that all the previous versions included it, even bootable on the CD, but not 2.7. Any ideas? Theo overclock his Alpha and toast in in testing out the encrypted swap space or what?

-"Zow"

Re:Alpha?

[brank]

In a lot of cases, ports follow up major releases. The primary architecture is done first, and others are added a few days later of whatever. Probably all we have to do is wait a bit.

Re:woot!

[faeryman]

its an olivetti-5030 server with four 486 boards in it. the motherboard has no processor slot on it, rather they sit on expansion cards.

i think you can get dual, maybe quad too, 486 motherboards for a VERY hefty price IIRC.

and i would kill for a 16 proc pentium mobo :)~~~~

Re:Why should I run OpenBSD?

[timmyd]

i believe linux is getting a replacement for ipchains in the 2.3/2.4 series. i think it is actually the ipnat that you are talking about.

btw: did apache have a remote exploit lately when they got the 'powered by apache' logo replaced with the back office one? i read something like that somewhere....

Re:About as relevant as Solaris.

[The+Man]

n32 tools are better, vendiors love to ship o32... sound familiar

Of course. Proof that IRIX-targeting proprietary vendors are just as idiotic as Linux-targeting ones (libc5, yeah that'll make me buy your shit).

This is _not_ a single machine image. O2k machines have only been implemented upto 256 cpus with a single image, althoug the O2k architecture should support 4096

I'm familiar with the architecture. 256 is still four times as many as Sun offers. The Craylink technology used to link partial SGIs is also highly impressive. It's really a blazing-fast network, with hubs and so forth. Quite flexible.

These sorts of things tend to not happen with solaris. It's not nearly as esoteric, so it doesn't have the bleeding edge performance of IRIX.

IRIX 6.5, which has been around for quite a while really, is rock solid. I've had plenty of annoying problems with earlier versions, just like you. 6.2 and 6.3 would lock up, 6.1 was complete garbage, NFS had issues, and so on. But you have to compare equivalent systems - we're not comparing Solaris 2.8 with IRIX 6.2. Solaris versions less than 2.4 had a number of serious problems; it's generally conceded today that Solaris < 2.4 is effectively unusable. I'm not recommending that anyone use IRIX 5.3 any more than that they use Solaris 2.3. When comparing IRIX 6.5.[5-8] with Solaris 2.8, IOW contemporaneous operating systems, I think you'll find that IRIX comes out looking quite good for stability, ease of use, and feature set. Naturally YMMV but I'm disinclined to allow problems with earlier versions of IRIX to bew brought up in a comparison with more recent versions of (something else).

Re:Is OpenBSD still relevant?

[dragonfly_blue]

All right, I'll not try and convince you again. You've made a choice, and you're sticking to it.

;-)

I get some mail from Theo (not to me personally, to the lists), and, although I'm not sure how long it will last, he is generally civil and forthcoming in them...

I don't know what to say about the packet filtering; is FreeBSD still filtering out packets from the OpenBSD networks, as they claim? "We won't stop filtering packets from the OpenBSD networks until Theo is out". Heh, it's fun to read archived threads sometimes.

Well, thanks for being honest; it's important for me to know how OpenBSD got its reputation. You seem like a good person, with very valid reasons for not using OpenBSD.

Re:oh my god things cost money!!

[mikpos]

True, $30 isn't much, but it's not as nice as free. It's like if you were to go to Costco, and they had fuzzy peach slices on for $30 a bag, but they were giving away licorice for free. If I was only strong enough to carry home one back of candy, I'd probably go for the licorice, even though I'd prefer to have the fuzzy peach slices.

So it's the same thing, I'd say. There's nothing wrong with not wanting to pay $30 when there's a perfectly valid alternative available gratis.

This is nothing new

[Randseed]

This is nothing new. Linux has been able to encrypt filesystems and swap space for several years now with no problem.

Go grab a new 2.4.0-test1-ac* kernel, apply the 2.3.42 kerneli patches (which aren't available on ftp.kerneli.org, ironically. Check the linux-kernel archives.), handle the conflicts, and update the kernel utilities. If you don't want to mess with all this, you can get a 2.2 patch from ftp.kerneli.org and use it.

# losetup -e

Re:Is OpenBSD still relevant?

[Loligo]

[ various OpenBSD vs. FreeBSD comments snipped ]

But you leave out the big kicker: what if I'm not using an x86 or Alpha based system?

In this case, FreeBSD does me no good at all, and NetBSD or OpenBSD are my *BSD flavors to choose between.

I'd love to use FreeBSD (more experience with it from a prior job) on my old Mac IIci, but it just ain't gonna happen.

-LjM

Re:Just did exactly this...

[Lt_Kernal]

Did you have IP forwarding off?
Proxy Server is just that...a proxy sever...and an okay firewall.

But it is NOT a NAT.

Turning IP Forwarding on on a box with PS 2.0 is not a good idea...basically you're leaving yourself open to attack...even with Dynamic Packet Filtering turned on.

I just know that PS, when used correctly, is pretty damn well secure.

-Kevin, MCSE+I, MCT

Re:Encrypting swap and RAM

[jeffstar]

if i want my disks to be encrypted (a la mitnick) how do i go about doing this anyway?

Re:Adding BSD to a Linux system...

[MAXOMENOS]

Yes, there is such a document: http://www.openbsd.org/faq/INSTALL.linux

This document makes a teensy error; it completely ignores the fact that the Linux swap space is not included in the Linux native file system; it has to be allocated on a separate partition with a different file system.

The Second Amendment Sisters

Re:Impressed...very impressed

[BJH]

I can pick up a Gigabit Ethernet card in Akihabara for around $US250. The real problem is the switches :(

Re:Why should I run OpenBSD?

[softsign]

This will be redundant given the other replies, but I'll add a few comments of my own.

1. Speed is a non-issue. The 486 _easily_ handles all the packets going through, even when NAT-ing. I've got one IBM NE2000 card and a D-link 10/100 with a Realtek chipset. BSDs actually have two fairly mature methods for setting up NAT. They're easy to configure, even if you only have the man pages at your disposal. Having never used FreeBSD, I had my gateway up and running within a day.
I had absolutely no problems with FreeBSD. For the most part I was running this machine sans monitor or keyboard. I did all my administration remotely (well, except for once when I accidentally flushed the firewall ruleset). I was able to run X apps on a remote display all without problems. I even got a little adventurous and set up my own mail server using sendmail. No performance problems at all. And this is a Frankenstein 486-66 with 24 megs ram.

2. Serendipity. I was just pissed at Redhat for failing to install and /. ran a story on FreeBSD that day. So I grabbed the ISO online and liked it right off the bat. The ability to upgrade the OS via ftp made sense in a machine where I planned to remove the CD-ROM. To be honest, I didn't look too much at OpenBSD, simply because I wasn't too concerned about the security/stability issues at the time. I didn't plan to have the system running for very long (ended up running it for 5 months) and I just wanted to give BSD a whirl.

3. Remember that *BSD is a BSD-Unix implementation. As such it differs in some ways from SVR4 Unix like Linux or the newer Solarises (?). For the most part, I find that it's not really all that different. The kernel is incredibly easy to modify and compile. I built several custom kernels, all using only vi and make. No need for fancy graphical kernel configuration. Not only that, but FreeBSD (not sure about the other BSDs) has a dynamic kernel. For example, I can compile the kernel without CD-ROM support (I mean _without_, not as a module) and when I try to access the CD-ROM, it will dynamically load the Cd-rom module. Neat stuff.

All in all, for someone with a little Linux/Unix know-how, BSD is very easy to install and run. Personally, I think it's a lot more mature than any of the Linux distributions I've seen and much easier to configure and run stably.

--

Another benefit.

[shiva-dow]

If the encryption were well done, a major benefit to this would be that even if the same clear text data were written to the same location, the encrypted data written would be 'random' from one boot to the next. This is a Good Thing(TM) in preventing more esoteric data recovey efforts from being effective.

Are you feeling lucky, punk?

Re:What kind of performance hit does it take?

[Vladinator]

Back under your bridge Troll.

Fawking Trolls!

Is OpenBSD still relevant?

[Lita+Juarez]

As I remember it, a large part of the purpose of OpenBSD was that it was developed outside the US so it wasn't subject to US restrictions on the export of strong cryptography. This allowed them to ship 128-bit Blowfish encryption, which added to the whole "super-secure" thing. But now that Uncle Sam have relaxed their export controls, part of the inherent advantage of OpenBSD over the other BSDs has been eroded.

The other strong point in OpenBSD's favour is the code auditing process, but FreeBSD is now going along the same path of tightening up its codebase. Again, the distinctions between the two main BSDs are becoming blurred. If this continues, will there still be a need for OpenBSD? Given the history between Theo and the FreeBSD camp, I can't ever see the projects merging. And with the price differential between Open and Free (admittedly not much, but still significant) I think Theo may have to relinquish his stranglehold on the official ISO image to the distro if OpenBSD is to survive. Despite the advantages of OpenBSD, I am still put off by the prospect of paying $25 (?) every 6 months, when I can get FreeBSD for more-or-less the cost of distribution.

- Lita

Re:Is OpenBSD still relevant?

[GreenPickles]

Certainly, OpenBSD is still very relavant, mostly in terms of philosophy. I'll give you a few reasons why as well as a counter-argument against your OS of choice.

OpenBSD's philosophy has always been less is more. One way they do this is carefully monitoring the base installation, no lynx, etc (hey those are ports!). No install of procfs by default.. Most people don't use it anyways (except maybe those killall people ;-).

Granted, you can do all of this in FreeBSD, however I'd rather not spend an extra hour of securing the box after the install. I'd rather just edit the rc.conf and inetd.conf files and be through with it.

I really wonder about your comments of FreeBSD tighting up the codebase. By checking out the ammount of exploits for the -current release.. especially the one that is being merged with the BSDi code. Granted, that this is technically an "unreleased" version and is not deemed stable, this does explain a bit about the FreeBSD Philosophy.

I do agree that part of the advantage of OBSD over *BSDs has been erroded because of the export changes in the US. However, it is still the only Unix (that I know of) that is activily being shipped with SSH and SSL. I think that in itself is pretty amazing. I've heard of no plans for *BSD being shipped with either in the base install.

BTW, I think that OBSD was built for hard core BSD / Security Junkies and there is quite a few of those people around. For this reason OBSD will survive, and the fact it's come up from 2.0 -> 2.7 is definate proof of this. (Where as with NetBSD how often do they release?)

The reason why OBSD costs so much is because of funding. They have little corprate backing. If you like any free project, don't you think you should contribute a little bit? That's kind of a lame argument not to spend the $ on something that you would be regularly using.

Re:Is OpenBSD still relevant?

[dragonfly_blue]

I can respect that; there are many people who agree with you.

However, it's interesting to notice some people will pay good money for excellent software, even without being able to try it out first. If you're resourceful, you can even get OpenBSD for (close to) free, as you pointed out.

Some people find Theo's development style and anti-social behavior to be abrasive, but since when have those qualities stopped anyone from being a fantastic software developer? Consider Picasso for a moment; although you may find him intensely disagreeable as a person, does that mean you will never find meaning in his paintings?

I urge you to reconsider OpenBSD, if you are holding back simply because of Theo's personality. OpenBSD is a truly refined, unusual experience, and, trust me on this; you can enjoy the meal without liking the chef.

Re:Is OpenBSD still relevant?

[GrenDel+Fuego]

What about the systems it has been ported to?

OpenBSD is based off of NetBSD which has been ported to many more systems than FreeBSD ever has. While I've only used OpenBSD on x86 (and then only briefly), I'm assuming it's also available for at least most of the platforms that NetBSD is.

Re:Is OpenBSD still relevant?

[brank]

If this continues, no, OpenBSD will have no significant advantages over FreeBSD. But at this point, FreeBSD is not as heavily audited, so it is less efficient, and most but not all of the export restrictions have been lifted. OpenBSD has many strong points left, although the price isn't one of them.

Re:Is OpenBSD still relevant?

[SirGeek]

At this point its pretty moot. FreeBSD (the BSD that I use on most of my UNIX systems at home ) is getting very very similar to OpenBSD it terms of "code review". And anytime I have had problems (even if they are 'in the faq') I have gotten polite reasons from the FreeBSD and even the NetBSD camps.

Some people find Theo's development style and anti-social behavior to be abrasive, but since when have those qualities stopped anyone from being a fantastic software developer? Consider Picasso for a moment; although you may find him intensely disagreeable as a person, does that mean you will never find meaning in his paintings?

His abusive/abrasive behavior is one reason why people WON'T deal with OpenBSD/OpenSSH.. why should I have to deal with a spokesperson like that ? If thats how he acted privatly, "offline" then fine.. But thats NOT how the spokesperson for a project should be when in the public eye (on usenet, etc.)

No.. it doesn't adversely affect his being a programmer. But it DOES affect how people interpret his project (Theo = Abusive, Abrasive, if I need help, I will get abuse... Therefore I don't want to deal with the project).

I urge you to reconsider OpenBSD, if you are holding back simply because of Theo's personality. OpenBSD is a truly refined, unusual experience, and, trust me on this; you can enjoy the meal without liking the chef

I "could" enjoy OpenBSD but not with their current "chef" in charge. In this world with plenty of options, I just go to a chef (like Jordon Hubbard from FreeBSD) who is polite and curtious to the customers, not rude and demeaning.

And besides, OpenBSD has had reviews done but if you look, they still have had many of the same problems that other BSD's (and Linux have had) do exist in OpenBSD.

And behavior like this doesn't give me warm fuzzies about dealing with him:http://freebsd.ntu.edu.tw/bsd/10/2/17/ 1.html (yes its a few years old, but from what I have seen he hasn't grown up yet)..

Re:Is OpenBSD still relevant?

[richie123]

I know the trustedBSD project is aiming to audit the Core FreeBSD system, but I would say that BSD contains far to much code to create a fully audited distribution. One of the main things about OpenBSD is that they draw a line at how much functionality they will include, so that auditing and security updates will remain managable.

Re:Is OpenBSD still relevant?

[Ignatius]

The FreeBSD vs. NetBSD error has already been adressed, and for the ISO image: there's absolutely no problem to create your own bootable OpenBSD CD: the 2.88MB boot-image is free and as a bonus you can customize the contained software to your architecture and other preferences and will probably be able to fit the whole system and software on only one CD (including source).

Re:Is OpenBSD still relevant?

[sirket]

Umm.... what rift between FreeBSD and OpenBSD? Theo split off from the NetBSD crowd _NOT_ the FreeBSD crowd. And the two most widely used BSD's are Net and FreeBSD not Free and Open BSD.

I am nto sure where you get your information but you may want to think about what you are writing before you write it.

-sirket

Re:Is OpenBSD still relevant?

[brank]

OpenBSD is avalible on the following platforms:

• i386
• sparc
• mvme68k
• amiga
• mac68k
• hp300
• pmax
• sun3

NetBSD is avalible on the following platforms:

• alpha
• amiga
• arc
• arm26
• arm32
• atari
• bebox
• cobalt
• hp300
• hpcmips
• i386
• luna68k
• mac68k
• macppc
• mvme68k
• news68k
• newsmips
• next68k
• ofppc
• pc532
• pmax
• prep
• sh3
• sparc
• sparc64
• sun3
• vax
• x68k

NetBSD is avalible on a few more, but non-i386/Alpha platforms who are going for security are probably OpenBSD's future if they allow FreeBSD to catch up. I didn't think of that.

Re:Is OpenBSD still relevant?

[kkenn]

Just to clarify some of your comments:

Actually, OpenBSD *does* ship lynx in the base system (what's more, it was vulnerable to some of the recent security holes), as well as other stuff like apache.

As of 4.0-RELEASE (which came out in March), FreeBSD ships OpenSSH and OpenSSL in the base system (even on CD). This was shortly after the first OpenBSD release which also included OpenSSH, IIRC. NetBSD also ships OpenSSL (and they pre-dated FreeBSD in this regard, I believe).

Finally, as one of the FreeBSD Security Officers I'm not sure what you're talking about WRT "the ammount of exploits for the -current release" - if these really do exist (and I'd be surprised) then we certainly haven't been informed of them.

What there *has* been lately is a lot of FUD on Bugtraq about "FreeBSD is probably vulnerable to this, but I didn't check" and so forth, but not a lot of content (well, there were a couple of vulnerabilities which applied to the other BSDs as well). If you have anything solid to point to here I'd appreciate it if you could drop us a line at security-officer@FreeBSD.org so we can look into it - thanks.

So far this year FreeBSD has found and fixed several vulnerabilities which exist in all three BSDs, as well as making numerous security fixes to FreeBSD itself (most are in the category of "well, I can't think of any way that would ever be a security problem, but I suppose it could be one in someone's weird setup, and it's still a bug").

Re:Is OpenBSD still relevant?

[moeller]

If this continues, will there still be a need for OpenBSD?

People in general always perceive that there must be a "need" for an entity, and then they watch for signs from God that this "need" is eroding. For some reason, this "need" never seems to increase, always decrease. This is probably a parallel with the human instinct to decry death over the living. An excellent example of this behavior is the past decade of Apple's existance, where the populace has always doubted the viability and need for a corporation such as Apple, and give wise advice that certaintly, by next November, this thrashing, rotting beast will not contaminate our existance. It has never been true, but that does not change people's minds. This scenario fits well with doubting the viability and need of OpenBSD. People will always use it, always be improving on it, as long as people like to do so, and the inherent "need" of this does not significantly play in the viability of the platform. Political distress would be much more likely to weaken a project.

Given the history between Theo and the FreeBSD camp, I can't ever see the projects merging.

I believe you must have intended the NetBSD project, which would still have a much higher chance of reintegrating with OpenBSD than Open with Free. In any case, it is a quite slim possibility that such a "merger" per se would occur.

Re:Is OpenBSD still relevant?

[SirGeek]

Theo won't produce an ISO image.. I asked about this from him 6 or so months ago...

As has been said, Theo doesn't work or play well with others. I mean if FreeBSD and NetBSD can remain viable (AND give away ISO images) why can't OpenBSD ?

Answer, they can't.

I am like many people. I like to try before I buy. At the time I had only a 33.6K dialup, I was NOT going to download individual distros. I wanted to burn a CD at work (where I have no bandwidth) then install on my computer at home. I will NOT use their product because of the actions of their spokesperson.

Re:Is OpenBSD still relevant?

[gehirntot]

I am like many people. I like to try before I buy. At the time I had only a 33.6K dialup, I was NOT going to download individual distros. I wanted to burn a CD at work (where I have no bandwidth) then install on my computer at home. I will NOT use their product because of the actions of their spokesperson.

It is amazing how you always resort to the same argument. Where is the problem with burning a CD that contains the install packages that you need, and then use the installation floppy and the burned CD for your installation at home.

You do not require an ISO image for that. Think before you flame. If you have bandwidth at work, you should try to use it intelligently.

Your argument that you "want to try before you buy," and that OpenBSD doesn't allow you to do that because there is no ISO image is flawed. This has been pointed out to you many times before. So, please stop whining. If you can not code, you should try to write documentation.

Re:Is OpenBSD still relevant?

[leereyno]

I'm downloading the entire package right now. But then again I work for a University where I have T1 access at my desk. Many a night I've stayed here in my cubicle till well past midnight downloading some package or another.

As for your question, I do think OpenBSD is still relevant. If FreeBSD (or linux, or ????) ever achives its level of security then maybe it will be obsolete. But that day is not here yet and I don't see it coming anytime soon.

The entire purpose of OpenBSD is security. An operating system that is secure will never be out of date unless another OS comes along that is even more secure.

Lee

Re:Impressed...very impressed

[JonK]

Well, the tech. preview for IPv6 under W2K is available here: presumably the 9x series and NT4 will both be patchable (it's no more than a new WinSock i.e a new TCP/IP stack). It's also, AFAIK, in the 2.3 and 2.4 kernel series.
--
Cheers

Re:The Myth of OpenBSD's Security

[jbarnett]

Even if you are under NDA, go to your contractor and say "Hey our products uses OpenBSD, OpenBSD has some problems, here they are *3* count em *3* vulnerabilites, can I place in a bug report with the OpenBSD so that they will fix them and make our product run better?"

Any your contractor will say "*3*, you mean *3* vulnerabilites !?!?"

And you say "*3* count em *3*, I said *3*, count em again *3* vulnerabilites, do you care if I put in *3* could em *3* bug reports to the OpenBSD team?"

And your contractor will say "*3* why *3* bug reports?"

And you say "*3* count em *3* bug reports because there are *3* count em *3* bugs to report and you can't put it on *1* count it *1* bug report, it has to be *3* count em *3* differant and seprate bug reports"

And you contractor will say "Ok, as long as it makes our *1* count it *1* product run better under OpenBSD *2.7* count it *2.7*"

And if you contractor says no, call up Theo in the middle of the night from a pay phone (works best if it is raining and have this converastion)

You: "I seen how you did device drivers on the x86"

Theo: [yawning] "What, who is this, what do you want"

You: "I seen how you did your device drivers on the PC platform the x86"

Theo: "Good, why the hell are you calling so late, email me about it I will reply in the morning"

You: "You did it in x86 ASM launage, you thought no one would see it"

Theo: [nervous] "uh, uhhhh it was for preformance reasons"

You: "Ahh you didn't think anyone would go to the trouble of reading obfused x86 asm did you?"

Theo: "No what are you talking about, it wasn't mean, it was for performance reasons, who are you"

You: "like a seti@home, distrubated computing power, but you didn't think anyone would notice, it is in there theo, I have seen it, but you thought you could hide it, and guess what i can expolit it theo, you know what theo?"

Theo: "What do you want"

You: "The public has to know, they will know, I will make sure. One question though Theo? What does it do? I want the truth"

Theo: "You can't handle the truth"

You: "come on theo"

Theo: "It is a seti like process embedded in the x86 version dammit, it gathers data and processes usefull results, it was funded by the DOD"

You: "What type of results"

Theo: "It is processing a %100 high res movie of the effect of hot grits being poured down someone's pants, fluid dynamics, burn data, everything you would want to know"

Re:Why should I run OpenBSD?

[Bishop]

I have OpenBSD 2.6 on a 486dx33 running in the kind of configuration you are looking for. I choose Open as that is what I had used before. Speed is a non-issue if you are just passing packets. Even my cheap ISA ne2000 cards can keep up with the cable modem. Even if you want to serve a few pages with apache or ftp a 486 is up to the task. If you want a system that you can install and forget, OpenBSD may be a better choice then FreeBSD. The 3 years without a remote exploit in the default install (which includes apache and sendmail) is comforting. I assume that FreeBSD can be secure as well, but they have always said that performance was their main concern whereas OpenBSD has always said that security is their main concern.

Compared to Linux I prefer OpenBSD as a gateway. I really like IPFilter and IPNat over IPchains. I find the configuration files much easier to read. For example the following blocks and logs all attempts to telnet to my gateway:

block in log from any to <my_ip> proto tcp port telnet flags S

(The above is a quick'n'dirty example. Please consult the docs before making your own rules).

IPFilter and IPNat do lack the proxies that come with Linux IP-MASQ. Generally this is not a problem as the IPFilter 'keep state' rule and IPNat seem to be smarter then Linux IP-MASQ. However I have not used Linux as a gateway for over a year so I could be wrong. If you IRC get the tircproxy package (look on freshmeat.net) and set it up as a tranparent proxy. Tircproxy proxies DCC connections and I recommend it to anyone using using IP-MASQ or *BSD IPNat

A good OpenBSD resource site is www.deadly.org

Re:FreeBSD 3.5?

[ozzmosis]

ftp://releng4.freebsd.org/pub/FreeBSD/snapshots/i3 86/4.0-20000608-STABLE/ thats -STABLE ?

Re:About as relevant as Solaris.

[The+Man]

From SGI of course.. makers of IRIX.. the most universally loathed UNIX amongst free unix/BSD zealots.

Too bad for them. I like IRIX. And BSD. And Linux, sometimes. Solaris, however, sucks my ass. IRIX has all the features you attribute to solaris, but it's actually fast. XFS is infinitely better than Solaris standard UFS, and you get it out of the box without paying extra. IRIX's thread implementation is functional, fast, and standards-compliant. NFS, including v3, works great. Intelligent SMP support? Well, IRIX runs on the 8k+-CPU nuke simulators and other massive Origin 2000 systems. Solaris can do 64 CPUs, but slowly (well, it can't do any number of CPUs quickly). I could go on, but I'm convinced the world is blind to Solaris's failings, which are many and severe.

Re:About as relevant as Solaris.

[The+Man]

Your point is? WinDOS has almost 90% market share. Does that mean it doesn't suck? Solaris takes a beautifully-designed lightning-fast million dollar system and makes it run like a 386 with a flaky memory module. IMHO, that qualifies as "sucks." I guess your definition is different. Just remember me when you're trading up your expensive Sun box again to make up for the failings of Solaris; I'll buy the old system from you, put UltraLinux on it, and get the same performance you will at half the price. I wish BSD had SMP support, but it's still worth using if you have a UP system lying around. Linux on SMP UltraSPARC, however, is a thing of beauty.

Re:You scared me for a second!

[Duke+of+URL]

Theo de Raadt said in a recent article that he was getting at least one venture capitalist calling him a week - and that he's turning down the offers. He's just not interested in going that route at all. I would think the GNU-like minded folks might respect that, but who knows?

Here's the qoute from the upside interveiw with de Raadt (Its down at the bottom of the page):

Next to shooting down potential investors -- "I'm basically getting somebody trying to offer us venture capital once a week"
--Theo de Raadt

Impressed...very impressed

[NoWhere+Man]

OpenBSD 2.7 improves support for high end system boards, SCSI controllers, ethernet interfaces, and adds gigabit ethernet drivers and IPv6 networking.

The first three were of no surprise, but the last two were mind boggling. Gigabit ethernet drivers? Be awhile before I actually pick one of these up...or for anyone else for that matter. And IPv6 protocols? I had no idea someone was trying to implement it. Do you know how much of a problem MS is going to have implement this? A new OS will be needed, I don't think a backwards compatible patch is possible for all of Windows 9X and NT.
Linux will most likely not have a problem implementing this, but it might be awhile before it happens because it is not needed yet.

I'll admit though, there is one thing that BSD has that Linux does not. Girls looked damned good in skin tight, red leather and tiny red horns. (Anyone who was at the Linux World Expo in NY knows what I am talking about :)~ ). If not, visit Day 2 of our trip for a few picks. Look for the scanned custom badges that they were handing out.
http://geeksinnewyork.n3.net

Re:Impressed...very impressed

[be-fan]

IPv6 is stable in kernel 2.4 and experimental in 2.2.x. What crack are you on?

Re:Impressed...very impressed

[NoWhere+Man]

Gee thx for that "what crack are you on?" crap. I had no idea that it was implemented stable in 2.4, but thanks for so bluntely pointing it out.

Re:Impressed...very impressed

[delirium_9]

both gigabit ethernet and ipv6 are available for linux right now, not sure how good the support is but if you try a make xconfig on one of the newer 2.2.x kernels you will see that you can add it in. as for any of us mere mortals getting to use either of these in the near future, well we can always hope :)

Re:Impressed...very impressed

[jbarnett]

I'll admit though, there is one thing that BSD has that Linux does not. Girls looked damned good in skin tight, red leather and tiny red horns.

Ok, I will admit that, but have you ever seen girls in over sized pengiun outfits eating raw bloody fish?

Re:Impressed...very impressed

[bmajik]

http://research.microsoft.com

MS doesn't sleep on much anymore. IPv6 work is being done now.

Sun also has some IPv6 mumblings, and a few developers were doing ipv6 stuff with linux like 2-3 _years_ ago.

Re:What kind of performance hit does it take?

[Randseed]

I'm wondering how this problem was addressed, and weither it could be ported to Linux easily?

Why? Linux has done encrypted swap and filesystems for years.

Re:Is OpenBSD still relevant? (procfs)

[GreenPickles]

What I meant by the procfs thing. A quick history... Procfs Exploit

OpenBSD did not have procfs installed by default where as *BSD did. And from what I understand from my security junkie programming buddies, FBSD is still probably vulrable to a procfs exploit (although it hasn't been written yet). OpenBSD worked really hard on this one and fixed the problem right.

Code junkies wanna check out the code? OBSD procfs patch
FBSD procfs patch

Re:Encrypting swap and RAM

[Ignatius]

Swap partition, no. Swap file, yes.

this ain't true: there's absolutely no problem using a loopback-ecrypted patition as swap-device.

Ramdisk in memory

absolutely pointless, since the encryption keys have to remain in (unencrypted) memory anyway.

I have the impression that some guy's miss the point here: encrypted partitions are not (primarily) meant to protect against intruders on a running system (a 2nd reason why encrypted ram is basically pointless) but to protect against theft, confiscation, seizuere (or whatever the legal pretext of the day may be called) of your hardware. It's about ensuring that once the power is turned off, there remains absolutely no recoverable data on the system.

Therefor it is, btw, reasonable to encrypt the swap partition with a random key transparently generated on startup (I've patched losetup to provide this very option.)

try it now

[ArchieBunker]

Why not try the OS for youself? If you like the features then use it. Don't try and pretend linux will always do everything you need. Use the right tool for the right job.

Re:OpenBSD Firewalls

[consume]

I have built an OpenBSD Firewall, and it has been chugging away on a $10.00 salvage 486 with two spare NICs for a few months now. OpenBSD uses the IPFilter packet filtering program for firewalling, and for Network Address Translation (having multiple machines share a single IP), you have IPNAT.

Both are included in the base install of OpenBSD, but need to be activated. From the OpenBSD FAQ at http://www.usa.openbsd.org/faq/faq6.ht ml#6.2 you can check out the IPFilter and IPNAT sections - this helped me to get running from practically step zero. The MAN pages in OpenBSD are also the best in the business, with example code and config files, and they are consistently getting better with each release.

To develop your rule base for IPFilter, you can't beat the IPFilter HOWTO located at http://www.obfuscation.org/ipf/. This has everything you need to know about creating a solid firewall without being an expert in TCP/IP packet routing.

So since you can get all the info for free, try downloading OpenBSD 2.7 and give it a shot. When it works for you WAY easier than you expected, take the cash that you would have spect on the firewall book and purchase the CD (and yes, mine is on the way...)

Good Luck and Enjoy!

Not such a general-purpose OS

[gwolf]

They do not -and I think, will not- add things such as KDE to their ports... OpenBSD is not built for beauty... It is built for rock-solid security. You can still add KDE, using the built-in Linux emulation, but IMHO you are defeating OpenBSD's reason to exist.

On where to find a list of ports, anyway... You can find a list at ftp.openbsd.org/pub/OpenBSD/2.7/ ports.tar.gz.

Re:Not such a general-purpose OS

[Zach+Garner]

KDE is in the current ports tree, and has been for a while. There are a number of KDE games and utilities available; what is not in the ports tree will probably compile without trouble. Gnome is not in the ports tree.

There are a number of people using OpenBSD not as a high-security servers, but as personal desktops. I've been using OpenBSD on my laptop quite fine for close to a year now. Getting my sound and PCMCIA to work was the easiest of any Unix i've used (in fact, i didnt have to do anything). I've got napster (knapster is now available for GUI people) and gnutella (gnut compiles fine, even though there is not a port yet and i havent had time to contribute it) and mpg123. Xmms is not available yet but it shouldnt be too long before it's a port. I made a Apache+PHP+Mysql MP3 player so i can access our MP3 server (running openbsd) easily, so for me XMMS isnt really needed. Xanim plays avi's with sound. Mpeg_play plays mpegs with out sound. The commercial Mpeg_TV may be able to play mpeg's with sound under linux emulation, i have not tried it. I've installed and ran WordPerfect (although it has long since been deleted, nothing beats TeX). I have not heard of Mozilla running, but netscape runs fairly well if you turn Java off.

Linux Emulation works well most of the time. The only bad thing about the emulation is that you get the performance and stability of RedHat on your BSD machine...

^Z

Re:So -- where's the list of ports ?

[QBasic_Dude]

There is Freshports, it's similar to Freshmeat.

Re:OpenBSD Firewalls

[Pinball+Wizard]

thanks, I think I'll check it out. My decision to use OpenBSD was highly influenced by the "secure by default" ethos of Theo & crew, and the fact that its been years since the last OpenBSD box has been rooted. So for me the Linux vs. OpenBSD discussion is kinda moot, but I'm sure I'll enjoy it anyway.

Re:Encrypting swap was in 2.6!

[nemoc]

True.... What we need are encrypted core dumps
encrpted swap is nice...but the big problem with memory is the core dump. If someone has local access to a box, and can get a core dump, there's a change they can get login-name/password-hash combo's, and it's trivial to run a word-list through a program like crack.
on improperly configured boxes, local access isn't even required as long as their running apache, because apache let's you enter the '..' directory in path names.

Re:OpenBSD Firewalls

[Bishop]

For IRC get tircproxy (look on freshmeat.net) and set it up as a transparent proxy. I would recommend this to Linux IP-MASQ users as well. I didn't bother with the oidentd part to tircproxy to set the usernames.

For ftp there is the 'proxy ftp' option for IPNat. I haven't really tested in though as my FTP client (lukemftp) is set to use passive by default. Netscape ftp seems to work though and I have no idea if it uses passive or not.

Don't forget the wealth of excellent docs.

[pschmied]

I feel compelled to agree with this comment. I too, must say that I really love Linux. That being said, it is _not_ a new user's operating system.

I feel that any of the *BSDs are very solid and production ready. I can't say that about a number of Linux machines. Linux can be made to be a very secure, wonderful, and easy Operating system, but for people wanting to get started, BSD is a better choice.

BSD's _biggest_ advantage is the weath of excellent documentation on general usage. OpenBSD's documentation is the man page system. Anything that you could possibly want to know about OpenBSD is in the man pages. This makes it very easy to find what you are looking for.

For those who also like "handbook" style docs, FreeBSD combines excellent man pages (sometimes Linux's manpages are a stretch) with a handbook that gives you a general overview of how to do basic administrative functions.

I advocate new users starting with FreeBSD because of the very user-friendly docs. FreeBSD's website has documentation that starts by teaching a user how to login! Seriously, read the "FreeBSD for people new to both FreeBSD and UNIX" documentation and tell me that wouldn't be good for _any_ new user.

OpenBSD is not quite so basic, but the docs are more friendly than anything I've seen from the Linux Documentation Project. I really like the LDP, but OpenBSD has some really great man pages.

If you are a linux user, check out one of the BSDs. You'll be glad you did. I started with Debian and Slackware circa kernel 1.2.13, and started using BSD last August. I'm hooked!

-Peter

Re:Some real info

[Strog]

For more info, go check out freenet6 for some info on IPv6 over IPv4 tunnels. They can hook you up with a free tunnel to the IPv6 bone. There are links to ipv6.org for some info on implementations on OS's. They list Windows 2000, NT4, Mac, Linux, All BSD's, Cisco routers, OS/390, OpenVMS, etc. They also had a link to a Quake I server on the IPv6 bone. Enjoy!

Re:OpenBSD Firewalls

[debrain]

Building OpenBSD and Linux Firewalls, Sonnerreich and Yates. This will tell you enough to get a solid OpenBSD firewall up.
Building Internet Firewalls, Second Edition Zwicky, Cooper, Chapman. This will provide you with more background information, but nothing on OpenBSD. (I was, not so much disappointed, as surprised, at this, for the first time with an O'Reilly book).

The best, in my very humble opinion, references are online, but they aren't as nice to read as the Building Linux and OpenBDS Firewalls book, but are an excellent suppliment.
http://coombs.anu.edu.au/ipfilter
http://www.obfuscation.org/ipf/

See the prior of the web pages for a mailing list (Majordomo). The author (Darren Reed) of IPFilter actively participates in this mailing list, which is helpful, and often appreciated.

Hope that helps
Brian

Re:... quad 486?

[Schnedt+McWapt]

Hey. I'm running NetBSD on a Mac SE/30. I am thinking of running OpenBSD on a second SE/30 I've aquired for such adventures. Did you really think I'm doing that because I can't afford a '486?

Coolness matters. The geek factor matters.

Work underway...

[^BR]

There's an SMP branch in the CVS repository.

There's a few information available here.

Re:Why should I run OOpenBSD?

If you install from the FreeBSD CD, just do a minimum installation, then, ftp to one of the ftp sites and install the ports from there, then, you'll have all the latest upgraded stuff, the most current upgrades at the time of your installation, but you need a broadband connection for that. Way cool and effcient. Alex

Re:Why should I run OpenBSD?

[ncc74656]

My problem with linux has been (lately) that when I try to install redhat, the install terminates.

Sounds like a Redh*t problem...but then you said you tried Debian, too. Back in the day, I started with SLS, then went to Slackware...nowadays, I'm using SuSE. (I took a quick detour into Corel Linux (based on Debian), but I couldn't get it dialed in just the way I wanted and didn't want to waste the time to figure it out when I knew how SuSE is configured.) I've installed SuSE on everything from a Cyrix 5x86 up to a K6-III and have never run into problems. I can't say that I've ever used Redh*t, but it seems that when someone posts to comp.os.linux.* or /. with a "Linux problem," it often ends up being a Redh*t problem.

I tried one of the BSDs (don't remember which one) a few years ago...there didn't seem to be anywhere near as much activity swirling around it as for Linux, so it didn't stay on my computer long. Now that my NetWare server setup is trashed (flaky i430VX-based motherboard, not a software problem...funny how most of the hardware problems I've run across have been with Chipzilla hardware, not stuff from this underdog or that underdog) and the machine it was on is fixed, maybe it's time for another trip into "BSD-land."

_/_
/ v \
(IIGS( Scott Alfter (remove Voyager's hull # to send mail)
\_^_/

Re:Really?

[YASD]

They grind code slowly but exceeding fine.

Seriously, it's a different philosophy with different priorities. Linux developers in general are more interested in rapid growth, a rapid release cycle, lots of feedback to fix stuff. BSD developers in general take a more "autocratic" (if you don't agree) or "controlled" (if you do) approach. And the OpenBSD team takes an "extraordinarily careful" approach, which is why we never hear about OpenBSD boxen getting cracked...

------

Re:Why should I run OOpenBSD?

Building a custom kernel is much simplier with BSD than Linux. With FreeBSD, even a total newbie can successfully build and install a custom kernel.

Rebuild a kernel with Linux is very hard work by comparision.

-Alex

Encrypt THIS!

[YASD]

Woo! Great stuff. Now if only I could encrypt my BIOS...

------

What kind of performance hit does it take?

[Vladinator]

It was suggested to me by another good tech that there would be an issue of this chewing up CPU cycles. I'm wondering how this problem was addressed, and weither it could be ported to Linux easily?

Fawking Trolls!

Re:What kind of performance hit does it take?

[Vladinator]

Where is that in the source? I asked a friend who is a regular poster on lkml and he didn't mention that it had already been done when I asked him about it...

Fawking Trolls!

Re:OpenBSD Firewalls

[rbrander]

I'm working my way through the Wiley book and finding it very good. There's a high-level (i.e. no code) overview of the various kinds of attacks and exposures, and what firewalls can (or not) do about each.

Then theres a, umm, diplomatic discussion of the choice parameters between using Linux or OpenBSD. It struck me as plain enough, between the lines, that they think OpenBSD has it all over Linux save in the level of support of some hardware, and possibly ease-of-install.

A fair bit of the book is devoted to the install of each, and configuration of the firewalls. I don't know if the book gives you anything about the actual setup that you can't get from OpenBSD's own documentation or the fine howto's at the "obfuscation" site, but I really benefitted from the textbook learning of the background of how IP packets work, and how lies inside them are the basis of most kinds of attacks.

PS: Good sense of humour in it, too. Buffer Overflow attacks are in a paragraph headed "Buffer: The IP Slayer".

6 of 66 comments

[linzeal]

( Read More... | 736 bytes in body | 6 of 66 comments )

Damn satanic OS...

Chris

vlan

[komet]

I see OpenBSD has VLAN support. Very nice. Does anyone know when Linux will have this in the stock kernel? Linux or OpenBSD would be great as VLAN routers.

"How do you like your OS?" "Slow, please."

[Wakko+Warner]

Wouldn't encrypting the swap and physical RAM make your machine about as slow as fuck?

- A.P.
--

"One World, one Web, one Program" - Microsoft promotional ad

-1 troll

[Anonymous+Coed]

this person doesn't know what they're talking about, OpenBSD has nothing to do with Solaris other than their (ancient) BSD heritage. It is a completely separate project not affiliated with Sun.

BSD Icon!

[lw54]

Big thanks to the /. crew for the BSD Icon!

Re:About as relevant as Solaris.

[jbarnett]

Are you trolling? Solaris is System V, OpenBSD is BSD, SunOS is BSD...

OpenBSD is based off NetBSD, which NetBSD is based of BSD Lite 4.4, which comes without restrications or royalties.

Solaris was based (and extremely hacked up) from SunOS, which SunOS was based off (help me here) BSD Fat(??) OpenBSD

Misconceptions about OpenBSD

[wbb4]

The /. community is mostly Linux-centric, the BSD section doesnt get a lot of readers (as opposed to other sections).

A lot of people seem to have some misconceptions about OpenBSD vs. FreeBSD vs. Linux Distros. (I don't have a lot of experience with NetBSD)

OpenBSD's primary purpose in life is to provide the most secure operating system availible. I personally think it has succeeded very well in this respect. Its the only operating system I would ever let touch my servers. OpenBSD works alright as a workstation OS, but IMHO there are better choices, depending on your needs. It works great as a router or firewall, and with the inclusion of RTMX O/S it is sure to only get better.

FreeBSD is meant to be, much like most Linux distros, an all purpose OS, which works well on workstations, as well as servers, and in many ways is, along with OpenBSD, superior to most Linux distros.

Linux distros are unique. I personally wouldn't run anything but Debian, which is partially an exception to the point Im about to make. Most Linux distros (ala RedHat) are geared more to try to be everything to everyone. This often times leaves a Linux distro very, very open by default (ala RedHat). Linux works decently as a server OS, lacking some more advanced crypto support (by default, these things can always be installed manually, or packaged), and works extremely well as a workstation OS.

OpenBSD isn't designed to be a workstation OS, as RedHat and others seem to be geared (You really shouldn't need a server running X by default). OpenBSD is designed to be secure, and -- as Theo claims -- hasn't had a remote root exploit in the DEFAULT install in three years. THATS why I choose OpenBSD for my servers. Ports really don't matter as much to me in OpenBSD as in FreeBSD, et al, because I simply don't need them. I really don't use anything other than xntp (which is now packaged) that isn't installed by default, or that I don't compile from source myself (i.e. not from a port).

The right tool for the right job, Linux doesn't need to be everything to everyone.

(I am not responsible for my bad spelling and grammer :)

Encrypted swap space

[Eimi+Metamorphoumai]

Oh good, now I won't have to write OrdoVim.

Seriously, wouldn't encrypting the swap space take a serious toll on speed?

Re:About as relevant as Solaris.

[jbarnett]

WTF slash ate my comment! Dammit, oh wow just found a bug, anyways the above post should of said:

Are you trolling? Solaris is System V, OpenBSD is BSD, SunOS is BSD...

OpenBSD is based off NetBSD, which NetBSD is based of BSD Lite 4.4, which comes without restrications or royalties.

Solaris was based (and extremely hacked up) from SunOS, which SunOS was based off (help me here) BSD Fat(??) less than 4.4 code (before all the lawsuits) in which Sun pay a one time huge (undisclosed) amount to AT&T to use AT&T/BSD code.

I don't see how you make the connection from Solaris OpenBSD

Encrypting swap and RAM

[Glytch]

I just know I'm gonna get flamed for asking a Linux question in a BSD article, but is there any way to encrypt a Linux swap partition? Also, are there any ways to encrypt the data in physical RAM, in any OS?

Re:Encrypting swap and RAM

[Ignatius]

Afaik, the loopback-encryption is currently broken in the development kernels (might be fixed already) and there might be changes in the crypto API with the release of 2.4. Moreover, I've hardly tested the patch, so all in all, I think it's reasonable to wait with a release until 2.4 and the appropriate fileutils are out (patches on patches aren't fun, btw.).

Re:Encrypting swap and RAM

[PD]

Oh I wish that I knew more about this.... I believe, but I may well be wrong, that Linux uses swap space to track information other than swapped out programs, and even if you're not ever going to swap it is useful and can speed up your system to have a small swap partition, say 8 or 16 megabytes.

I'm only offering this to indicate that you need to ask someone who really knows about the subject. And I could be wrong too.

Re:Encrypting swap and RAM

[teste_2000]

The Cmdr taco troll mentioned having disks 'blowfished'. Anyone have anymore info on this?

Re:Encrypting swap and RAM

[PD]

You could skip the swap partition and use cfs or something like that to encrypt a swap file. It would be very very slow.

An alternative idea would be to get yourself a pile of ram and disable swapping when you run sensitive programs.

Or, you can write the programs so they lock their memory to keep it from swapping out.

Re:Encrypting swap and RAM

[psergiu]

Yes, you need it. 64Mb or 32Mb will be enough.
Even 4Mb will do. But you should have swap. I noticed that on systems with no swap, when a fork/malloc bomb occures (Soffice with some strange doc file) the system won't come back. With a little swap (1/3 of mem) some apps (the ones that will unsuccesfully try to malloc) will die (usually Netscape&X) and the system is back online.
+++ATH0

Re:Encrypting swap and RAM

[LegacyMan]

Ignatius, Do you have a link to a site describing the steps and/or a patch for losetup and encrypting the swap partition with a dynamic generated key? Or is it a patched losetup as per the international patch? I am really interested in implimenting this as you described, any help or pointers would be appreciated. Thanks.

Re:Encrypting swap and RAM

[dimator]

Not sure about the swap encrypting, but I'd imagine encrypting the data in physical RAM would incur sever performance hit. Usually, memory related code and structures are optimized highly, to squeeze the last micro-sec of speed.
--
"And is the Tao in the DOS for a personal computer?"

Re:About as relevant as Solaris.

[jbarnett]

defacto servers in 90% of the enterprise market

Sadly yes. But do you think this is because Sun Sales Managers and PR reps brother the CEO and stroke him off, or do you think it is because the CEO knows what he is talking about on a techinal level?

Go up to any CEO and say "Sun Microsystems", they will say "The Dot in the Dot com people, right?", then say "OpenBSD Project" and they will say "So that is S&M Sex, right?"

It is not because Solaris is a better OS (which it is a DAM FINE one), but because Sun has a bettering marketing powers over CEO's that could even rival Microsofts PR (in some cases). What marketing power does OpenBSD have? A blurb on slashdot and maybe someone in #linux at 4 oclock in the morning saying something about it.

Just because something has a lot of users doesn't mean it is good *COUGH*****COUGH*

Solaris is good, but don't rate it basiced on number of users, basic it on techinal facts...

Adding BSD to a Linux system...

[Zagadka]

I've got Linux on my machine, and I'd like to try out BSD. Is there a "HOWTO" or some such document somewhere that outlines how to instal OpenBSD on a system that's already got Linux, so that I could dual-boot?

Also, does OpenBSD have ext2 support? Since it's got Linux binary emulation, it would be nice if I could just load the Linux executables off of my existing ext2 filesystem...

Re:Adding BSD to a Linux system...

[leereyno]

I don't know whether there is a howto specifically for what you are talking about. If I were you I'd take an old hard drive and use it to play with rather than try to resize a linux partition. I tried once to get openbsd to install alongside linux and for some reason it kept wiping out the partition table. I had all the info for the partitions written down, so it wasn't a big deal. But even so I couldn't get it to work either. So I just threw it on an old 540 meg hard drive I had and played with it that way.

More recently I bought an Orb drive specifically so I could have a bootable removable drive. I've got a cartridges for OpenBSD, NetBSD, freeBSD, Caldera 2.4, Suse, Debian, slackware, and even one for Dos and win311. The drive is around 200 bucks and the media is relatively cheap, around 35 bucks for 2.2 gigs of space. The drives themselves are pretty fast as well.

OpenBSD does have support for ext2fs filesystems, but you've got to configure the kernel to turn it on and of course recompile.

As for the linux emulation... not everything will run right. You're much better off recompiling whatever it is you want to use.

Lee

Re:Adding BSD to a Linux system...

[psergiu]

> As for the linux emulation... not everything will run right. You're much better off recompiling whatever it is you want to use.

Q2 + CTF works juuust right under OB2.6 with linux binary emulation. What more could you want ? :)
+++ATH0

Re:Adding BSD to a Linux system...

[q[alex]]

Yes, there is such a document:

http://www.openbsd.org/faq/INSTALL.linux

OpenBSD does have ext2fs support as well.

Win2k!?

[Platypii]

I fart in your general direction!

FreeBSD 3.5?

[ozzmosis]

Im just wondering i use FreeBSD 5.0-current and 4.0-release... and 4.0 is -stable so why would they come out with 3.5? Im a little confused..

Re:FreeBSD 3.5?

[kkenn]

3.5 is the final scheduled release on the 3.X branch. The FreeBSD development model has multiple simultaneous branches, on which releases are periodically made as "snapshots" of the branch at that point in time.

Development on the branches never really stops, although it does slow down considerably once the branch reaches end-of-life (as 3.X is about to do). Heck, there are still even occasional commits to 2.2.8-STABLE and even 2.1.7.1-STABLE :-)

Re:FreeBSD 3.5?

[Eric+Wayte]

To paraphrase Chris Coleman's post on Daily Daemon News, 4.0 was considered highly developmental and 3.x was supposed to continue the -STABLE branch. It seems that many have gone with 4.0 so the FreeBSD folks made it the -STABLE branch and have made 5.0 -CURRENT.

I've seen other vendors maintain what appears to be a backlevel release. After Lotus Notes 4.x came out, they were still releasing CDs on the 3.x code base.

All signs point to 3.5 being the last release in the 3.x line.

For Chris' comments, visit http://daily.daemonnews.org/view_story.php3?story_ id=990

So -- where's the list of ports ?

[elflord]

I'm curious about what's in ports and packages. Do they have a list somewhere ? Last I checked, it wasn't very impressive compared to the other BSDs ( they didn't even have KDE ), but that was a while ago, at version 2.5.

Re:So -- where's the list of ports ?

[Zach+Garner]

Freshports is for FreeBSD people. A large number of ports available for FreeBSD but not in the ports tree for OpenBSD will compile and run fine. Since OpenBSD has a smaller number of contributors than freebsd there arent as many port maintainers.

^Z

SSH/SSL in *BSD

[Cryp2Nite]

However, it is still the only Unix (that I know of) that is activily being shipped with SSH and SSL. I think that in itself is pretty amazing. I've heard of no plans for *BSD being shipped with either in the base install.

Allthough my machine is not in sync with the NetBSD-current releases lately, I am reading through the source updates regularly.
SSL was merged into the -current tree of NetBSD yesterday (probably in time to ship with the 1.5 release expected to branch from -current soonish).
As far as SSH is concerned NetBSD takes the hey those are ports! approach.
--
two-thousand-zero-zero
party over, it's out of time

Guessing here...

[Booker]

I figure that if you're security-paranoid, and you're programming an app, then you'd make sure that you never wrote sensitive info to disk. Say, you decrypt something, but only to (volatile) memory, so it can't be retrieved. Now... if that memory is written to swap, all of a sudden, you could probably go through that partition bit by bit and see what was there, as long as it had not been overwritten.

This is completely off the top of my head, and may very well be wrong. :)

---

NetBSD Firewalls

[DreamerFi]

www.dubbele.com has a free netbsd based firewall. Also, on the web site there's a good list of resources you may want to check out.

-John

Haiku

[575]

OpenBSD
The only thing thats safer:
An air-gap firewall

Re:OpenBSD Firewalls

[Pinball+Wizard]

Well, for me, buying the CD is pretty much a given. :) But thanks much for the info.

oh my god things cost money!!

[ArchieBunker]

I went to the grocery store and those bastards had the gall to make me pay for merchandise! Then I went to the gas station and had a heart attack when I found out gas wasn't free.

Things in this world cost money. OpenBSD still has less security holes than Free|NetBSD|Linux. I don't mind paying $25 for a good product, how else would they keep the project going? What does an ISO image have to do with its survival? You can download everything seperate. Why clog up bandwidth with a 600 meg file when you will be using 1/10 of its contents? I doubt you intent to install it on every architecture. Nothing is stopping you from making your own ISO image, so stop complaining.

Re:oh my god things cost money!!

[Lita+Juarez]

I went to the grocery store and those bastards had the gall to make me pay for merchandise! Then I went to the gas station and had a heart attack when I found out gas wasn't free.

There is absolutly no need to adopt that sort of sarcastic tone. I was raising a valid point and because you don't agree with it, you try to belittle me?

I do not object to having to pay for things, but as I am a student I don't have much money to spend on software. Therefore, I prefer FreeBSD since it is cheaper than OpenBSD. Yes, I could download parts of the distro, but I would much rather have a complete CD so I can add extra programs as and when I want to. There's no need to insult me for that, little boy.

Re:Why should I run OOpenBSD?

[Stary]

I tried FreeBSD... slim? I gave it a 1 gig partition to just try it out... hey there was an auto-function for partitioning, so I picked that one. Cool... now I went on to do the install... and what happens if not "No space left on device" or whatever...

Now of course I could've done it by hand and all that... but it just got me tired. Sure, call it easy and so, but unless the auto functions work, why have them at all? I havent tried it again after that, I probably will when I get some more time over this summer.

Re:Why should I run OpenBSD?

[softsign]

First off, <disclaimer>let me say that GNU-Linux is great, it's raising a big stink for Open Source and Free Software and that visibility and credibility is needed</disclaimer>. However, I have to agree with AC. The better known distros of BSD that I've tried have all been vastly easier to configure than any of the Linux distros. The Linux community tends to support bleeding-edge, often even before fixing present problems. On that token, however, I seriously think that Joe Clueless is far better off with FreeBSD or OpenBSD. It's relatively easy to use and has excellent support for established hardware.

I personally had to ditch efforts to run Linux on a DEC 486 I picked up after it was decommisioned at my school. Just about everything on this PC was in awful shape, from the RAM to the HDs to the BIOS. Nevertheless, I managed to install FreeBSD 3.4 on the first shot! After a little tinkering, I had this box running _beautifully_ as a cable-sharing gateway with a few auxillary services.

IMHO, BSD has really gotten the shaft in terms of public opinion. If you ask me, it really is the better operating system. It just doesn't have the hordes of fanatics. =)

--

Re:woot!

[jbarnett]

Can you really get quad 486 motherboards? What about 16 proc orginal pentium boards, that would be cool.

another reason to upgrade, -STABLE

[pixel+fairy]

there is now a -STABLE branch to the cvs tree,
good for those who dont like applying patches by hand.

OpenBSD == The Way To Go For Thinkpad Users

[Bowie+J.+Poag]

Just picked up a Thinkpad iSeries 1450 last week, and i've been having problems getting everything running under RH6.2 -- During my epic saga of a search for a fix, I found this page, which was tremendously helpful:

*NIX On The IBM Thinkpad

This page has a run-down of several free *NIX'es, and how they compare against eachother on the Thinkpad. Turns out OpenBSD 2.6 wins hands down.

Now I may rest. :)



Bowie J. Poag

Re:OpenBSD == The Way To Go For Thinkpad Users

[Bowie+J.+Poag]

Damnit, Beavis..

Here's the link:

UNIX on the Thinkpad


Bowie J. Poag

Re:openbsd.org running solaris?!?!

[jbarnett]

ever notice OpenBSD shirts and cd cases are lame. I use OpenBSD and really like it, but the "image" it puts off reminds me of a badly made ceral box..

Why should I run OOpenBSD?

Insert the standard [Why would I run *BSD instead of Linux]-questions here.

Seriously. For those of you who haven't tried *BSD but like Linux - you should give one of the BSDs a go. Installing FreeBSD is dead easy, OpenBSD aswell. What you get is a solid and functional OS.

My first impression of OpenBSD was that "Man, they've really put some thought into this". Redhat/Mandrake and the others cram in loads of weird programs on your harddrive but the default *BSD install is very slick and slim lined. You get what you need and if you want more then go for the ports.

The ports system rocks! For those of us with fast connections it's far better than RPM. No problems with missing libraries and no hassle.

Enough of the rant. Now TRY it!

j0hn

Re:Why should I run OOpenBSD?

[Baki]

The ports system rocks! For those of us with fast connections it's far better than RPM. No problems with missing libraries and no hassle.

Even more so for those with slow connections. For years I've used FreeBSD with only a 28k8 modem. The ports system is much much more bandwidth efficient. Example:

RPM: new RPM with some fix. Old RPM based on emacs-20.5, new RPM too. You have to download the whole binary, complete package again. That is outrageious IMO

Port: New fix: Update your port (basically a directory with some files, among which are patch files, in it) usually done by an rsync like mechanism (cvsup) ie the update typically is something like 1kb. Then rebuild the port (the original emacs-20.5.tar.tz source is still lying around in /usr/ports/distfiles from the first time you got this port).

So for refreshes of a port you typically download 1KB, for RPM you have to reget the whole binary again.

Re:OpenBSD Firewalls

[Fruit]

I'm running an OpenBSD 2.6 firewall at home for half a year now, but I miss Linux' "plugins" (ip_masq_ftp et alii). It's really a nat issue, not firewalling, but it's till annoying having to switch on FTP passive mode every time, and not being able to initiate a DCC chat/send with IRC.

Is there anything I can do with OpenBSD to alleviate this?

--
"Negative on that, I'm a meat popsicle."

Slightly Off Topic

[cjkarr]

This is slightly off-topic, but some time ago, I heard that Debian was looking to do a FreeBSD port of Debian. How difficult would it be to also do this for OpenBSD?

Is anyone even considering this anymore?

-Chris

Re:Slightly Off Topic

[Phroggy]

Even more off-topic, Darwin is based on FreeBSD, runs on a Mach kernel, and uses Debian's package manager and a few other things. They should have an x86 version soon - apparently it all compiles on x86 but they haven't put together an installer or anything for it yet.

--

Re:Is OpenBSD still relevant? (procfs)

[kkenn]

> FBSD is still probably vulrable to a procfs
> exploit (although it hasn't been written yet)

Hrumph - there's nothing like jumping to conclusions. Do you really think FreeBSD coders are idiots and don't know how to fix bugs when they see them?

IIRC, OpenBSD was just as vulnerable to the problem as FreeBSD if you enabled procfs, the only difference being they didn't enable it in the default kernel.

openbsd.org running solaris?!?!

[jon_c]

Anyone care to explain wtf is going on with this?

-Jon

What he said.

[dragonfly_blue]

I agree; I'm still forced to use Windows98 to some degree (don't ask), but I have free reign as far as determining my (and my clients) server OS's.

OpenBSD is fantastic for servers, especially if you don't need to run KDE or Gnome apps (although, I'm sure you could figure out how to run some o' them new-fangled window managers, if you are so inclined.) If you are looking for a desktop system, though, I'd look elsewhere. Personally I don't even install X11 if I can help it.

The encrypted swap feature is not one of the points that initially sold me on OpenBSD (although it does sound über-sexy at cocktail parties). =P

It's the other, shall I say, more practical (OK, all right, probably more boring, too; but...) features that I like. Like SSH built-in, and everything locked down by default. Not necessarily cutting-edge, but nice. I sleep well at night.

Re:About as relevant as Solaris.

[leereyno]

Riiiiiighhht........

Re:F1R5T p05t

[leereyno]

Oh my, I feel so pathetic. We poor americans have a lot to feel bad about. I mean we produce more food than any other country on earth. Our industrial capacity is also the biggest anywhere. Also our economy is the largest as well as the fastest growing on earth. Then there is the fact that our military capability is the greatest the world has ever known. Being the birthplace of modern democracy doesn't help much either.

God, we suck!!!

I think that other countries like France, Germany, or Great Britain, who once had vast empires only to lose them, are by far superior to this country. But then again maybe they aren't and the people who live there are simply jealous? I really can't say for sure, since I've never been to those countries. But I'd be willing to bet that most of the people there who point out how much we suck have never been to America either.

I guess the only thing that sucks more than being an american is being someone whose inferiority complex is set off by americans.

Lee

openBSD 2.7

[2600BSD]

Now i have something to play with at work before they fire me!!!!!!!!

Re:About as relevant as Solaris.

[bmajik]

... And yours seems to be filled with a bit of zealotry.

I've heard alot of nasty things about solaris, including slow and insecure. However, I've _not_ heard "obsolete" before. How do you figure solaris as being obsolete ? Is it that bit about working kernel level threads ? Or intelligent SMP support ? Maybe you were talking about the obselete man pages that fully document the thread safety of nearly any function call. Perhaps you meant the obsolete software/hardware integration w.r.t. fault tolerance features. Maybe you were upset about solaris's obsolete NFS performance, which by the way, destroys that of both linux _and_ OpenBSD.

I won't make a judgement about which OS "sucks less", both are critical in what I do every day. OpenBSD is not the end-all be-all operating system, you should of course be wise enough to know that no operating system is. Until *BSD and Linux can pick up some of the features I've mentioned above, there is plenty of future left for solaris, and some of the other top-tier Sys-V based unicies.

As an amusing postscript, Ironically enough, where is Linux getting major patches and work done on some of these "enterprise" and scalability issues ? From SGI of course.. makers of IRIX.. the most universally loathed UNIX amongst free unix/BSD zealots.

OpenBSD Firewalls

[Pinball+Wizard]

I'm giving up MS Proxy Server in favor of a real firewall, and I've decided to use OpenBSD.

Can anyone recommend a good firewall book for OpenBSD? In particular, I've got the O'reilly book, Building Internet Firewalls, and I was considering Building Linux and OpenBSD firewalls, from Wiley.

Any comments or suggestions?