OpenBSD, Security, and Theo de Raadt
AdamK writes "Here's a very interesting article on security and OpenBSD. It also briefly mentions Linux, comparing the two." A quote from the story: "OpenBSD is so secure that it even got the attention of the U.S. Department of Justice, which stores and transmits top-secret data using 260 copies of the OS."
The only file systems which could help guard against this type of attack would be a cryptographic file system or a steganographic file system.
Simple, it is BSD, not SysV.
There are differences, but you get used to that. I'm already in the habit of typing "ps -aef;ps -aux;ps -ae;ps -ex;ps -ax;ps -a" of which normally only one returns what I was looking for. (Challenge, guess which variant each is used on - trick question, I may have one made up)
Other than command line arguments, of which ps is about the worst, few people will be able to tell the difference without being told. That is, if you replaced the login screen on any xBSD box with one that said Linux, few people would notice the difference.
I like the way FreeBSD is configured, but I've only played with Slackware 3.0 for Linux, which is not a fair comparison.
As a programmer, I think that *BSD is better programmed overall. This is not to say that *BSD is perfect, or that Linux is all bad; there are places where Linux is better programmed. Overall though, from what I've seen, the majority of cases leaves *BSD better. One aspect of better is that BSD encourages programmers to think through what they are doing, while Linux is more of a quick hack. That is, Linux is more "release quickly and often", whereas BSD is "get it right, then release". The only advantage is that if it is wrong, BSD makes it easier to throw away that code, as it isn't released.
FreeBSD has better networking code, though Linux has caught up for the most part. Linux has better SMP, but FreeBSD is catching up. OpenBSD is more secure, NetBSD is more portable. (Linux has been ported a lot, but NetBSD has more useful working ports, while many Linux ports belong in the curiosity category due to the hardware limits.)
Finally, BSD is not GNU. This is religion for many people, but the fact is I don't like the GNU license. You're welcome to disagree; I don't worship the BSD license, I just prefer it given a choice.
Please be gentle with my box... this may not be wise of me.
You missed one:
7) BSD is all caps, and capslock sucks
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
1) BSD Sucks
2) Linux is best
3) BSD is too fragmented
4) BSD is dying
5) There is no software for BSD
6) There is no hardware support for BSD.
<WHINE>
I said it so all you trolls don't have to.
Never used OpenBSD before, but this is from their FAQ:
8.3 - I forgot my root password, what do I do now?
A few steps to recovery
1. Boot into single user mode. For i386 arch type boot -s at the boot prompt.
2. Mount the drives.
bsd# fsck -p / && mount -u /
3. If /usr is not the same partition that / is (and it shouldn't be) then you will need to mount it also.
bsd# fsck -p /usr && mount /usr
4. Run passwd.
5. Boot into multiuser mode... and remember your password!
This has nothing to do w/ shadow passwords. The method he described will work even if you have shadow passwords. Even if the passwords were stored on another system and all over-the-wire data was encrypted w/ 5-billion-bit encryption, you could still boot from a floppy and modify whatever files you needed to in order to disable said protection. Or you could replace /bin/login with /bin/sh. If you have physical access to the machine it is NOT secure.
-matt
Linux would have no way not to let you boot from a floppy. The BIOS handles booting, not the kernel. LILO does have some security options for not allowing parameters to be passed to the kernel, but booting from the disk drive bypasses the hdd altogether so it doesn't matter. Disabling it in the BIOS does nothing either; most mbs these days have a jumper that will clear the BIOS, and if that doesn't work you can just pull the battery. If someone has physical access to the box it is not secure.
-matt
Bail out of there while the getting is good. Sounds like the new IT manager there is a PHB of the worst variety.
There's an easy way to prevent someone from ever booting to a floppy drive on a server - take out the floppy drive. I've run my main server for years with no floppy drive in it.
But unless you physically lock the machine up, or do something radical like fill the floppy drive connector with epoxy, you really can't prevent someone from opening the box and hooking up a floppy drive and resetting the CMOS memory...
Just because it isn't documented doesn't mean that it is impossible. At any rate, it still doesn't prevent moving the hard drive to another machine that can be compromised and then returning it. Also if the case is non-proprietary, motherboards are relatively cheap these days (under $100 for most of them).
What an incredibly poor design. Reminds me why I make a point of not buying IBM hardware. :-)
Damnit, hit submit at the wrong time.
Here is a question. Supposing the opposite problem happens... Instead of forgetting the password, what happens if too many people (like a former employee, for instance) know what the password is... If it's burned into PROM, how do I change it? Can I? If so, how many times before the PROM is full? This would seem to be a serious enough problem to make this 'feature' unusable even if you don't worry about losing/forgetting passwords.
There MUST be an option to NOT boot from a floppy. I can hardly believe that Linux has no way of letting you do this. Just set it in the BIOS if all else fails.
It's a hardware problem. Linux can't do anything to fix that, and neither can anything else. If you have physical access to the machine you can override anything (including BIOS passwords, by resetting the CMOS memory (either a jumper or shorting the battery momentarily)). Even if no floppy is connected, you can open the machine and hook one up. Or you can remove the hard drive the passwd or shadow file is on, hook it up to another machine and change the files.
Unless you physically lock the machine up, it is not secure.
Yes, if the guy was really paranoid, he would have changed the boot sequence and password-protected the BIOS, but it wouldn't have prevented "plan B" - which is to wipe the BIOS by opening the case, or to remove the HD and install it in another machine.
And yes, I'm aware of the need for physical security (the servers were stored in a locked, alarmed room).
I was just asking, because (as I said) this BSD shop told them that if it was running BSD, then there was no way anyone could break into them.
So which OS's do you use that can prevent you from booting from a different volume? (Be it floppy, hard drive, or some other medium.)
I've set up OpenBSD as a firewall here at my office and I love it. The system is stable, easily secured, and fairly fast. If a script kiddie put all that in motion, then more power to him. It's not about personalities, it's about a good operating system. Period.
The server is not pumping out many bits...
Geeky modern art T-shirts
"...slower than molasses"
;)
I wonder if it's significant that the URL is in the subdirectory "teasers".
"Did I forget anything ? ;-)"
;)
You might add an internal UPS so that case-breach disk destruction could continue happily even when the power cord is pulled.
Slashdot, roasting on an open fire... ;)
Seriously. Back in 1995 I worked for a national ISP that I won't name. We had to build news machines. A lot of news machines. We had quite a few ISP customers, and they all wanted news.
At the time, I was a Mac user. UNIX was the clunky thing I used to read my email and run traceroute with. I mention this only to show that I had no prior BSD/Linux bias.
After much pain, we got Linux going (Red Hat 3.2, I believe, but don't quote me). A Pentium 200 filled about 20 meg, then leveled out. Not bad.
The FreeBSD 1.5 machine, with the same hardware, filled a DS3. (Boy, were those T1 customers hanging off that site *pissed*! But that's another story.) The FreeBSD box didn't so much as break a sweat.
So, we plugged it into an OC3.
The box finally leveled out at 80 meg. My gut reaction is that it was the cheap 100bT NIC that filled out.
Of course, we eventually smoked the SCSI arrays (remember back when an 8 gig array was impressive?). But the OS just kept going, and going, and going.
As a network engineer, FreeBSD earned my trust.
Now, most people don't need to soak an OC-3. But those of us who do (Best, Yahoo, etc) tend to run FreeBSD.
Your T-1 ISP? Either will work just fine.
Your desktop? Linux will support your goofy desktop hardware.
Well, nice try, but the only one of your four steps that would actually accomplish the goal of securing a computer to which one has physical access is step 4 - Encrypt the filesystem.
Steps 1 and 2 - disabling booting from floppies and CDs in BIOS and setting a BIOS password - are laughably easy to get around. Just pop the cover on the box. Most systems either have a jumper that lets you reset the CMOS or you can just unplug the battery that saves the CMOS memory. Bye-bye BIOS password.
After that, step 3 - setting LILO passwords - becomes moot because I will boot off a floppy|CD|second hard disk and just mount your Linux|FreeBSD|OpenBSD|NetBSD|Solaris|whatever partition.
So only step 4, encrypting, provides you with any protection. From the way you stated step 4 I am assuming you mean encrypting the entire file system and unencrypting at boot time (rather than unencrypting individual files on the fly during operation). That is the only practical way to achieve security when physical access cannot be controlled, but you had better use a damn-big, randomly-generated key.
Many, many people use Windows NT to store and transmit top-secret data. Does that mean that NT is secure, or just that the expertise to properly evaluate security is much rarer than the willingness to believe marketing that says what you want to hear?
And, of course, it can be misleading to speak of a "secure operating system" - security is a property of the system as a whole. A Windows NT mail hub can store and forward a PGP-encrypted message without the contents of the message being any more readable, and an OpenBSD machine can be configured with open "telnet" ports and guessable passwords.
The care and effort put into OpenBSD's security aspects is of course useful and laudable, but it won't do you the user any good if you don't understand your own role in keeping the system secure.
--
Xenu loves you!
I assume if OpenBSD puts such an emphasis on security, shadowed passwords would be a default setting which would have stopped the method you've outlined here. I'm amazed that the disgruntled system admin didn't use them, but that may go some way to explain why he was let go.
This is not true. You can't directly get to a root shell like you can with single user mode (or, if single user prompts for a password, try lilo: linux rw init=/bin/sh --don't forget to umount /, then just reboot the machine, shutdown won't work) on linux. You can just pop in an install floppy and mount your / filesystem and edit the passwd file though. Physical access = root access. Shadowing the passwords doesn't change that, you can still edit /etc/shadow.
*chuckle*
In general, physical access to the machine allows access to everything, typically through a method such as what you employed. BSD is no different from Linux (or DOS, or NT, or about anything else) in this regard.
Yes, a person could use a cryptographic hack to keep all file systems encrypted, but the performance hit is usually bad enough that most people find it far, far more economical (and effective) to lock the servers in a machine room with restricted access...
"Flame away, I wear asbestos underwear"
Here we use OpenBSD as part of our IDS solution. It has a couple of qualities that make it a great choice. First, it is very secure as a default installation. Second, BSD in general has some of the fastest network sniffing capabilities of any OS. Third, some OS's like Linux and Solaris don't know how many packets they've really dropped, so you can't tell for certain how well they are doing. Fourth, it is FREE. The DOJ has contractors just as any agency does (even the NSA has contractors for some things, I'm told). If you get people that understand what they need and what works best for the situation, it isn't surprising to see it used by Gov't.
As for limitations, it comes with X and Netscape. Also, there are some new programs that are supposed to allow you to compile Linux binaries and run them. I haven't used this but it sounds cool. So, basically it isn't much more limited than Linux for software. Last I saw it doesn't support dual CPUs and I'm not sure about RAID so it gives up quite a lot to Linux there. Maybe once Linux becomes too mainstream and Linus too much of an icon, all the 'real' computer hacks will turn to OpenBSD for the next revolution? Just kidding.
Lastly, I know that people have been donating hardware (like gigabit ether) that will help keep it a viable, quality OS.
Do really dense people warp space more than others?
This reminds me...
A couple of weeks ago, I got a call from a company that was letting their sysadmin go (and not on good terms, either), and needed someone to hack their (Linux) servers, as nobody else knew root passwords; I got called in; downtime was not an issue, so (with the aid of a rescue disk) it was just a matter of rebooting the boxes and editing the passwd file...
After seeing how simple it was to get into the boxes, they immediately asked if I could switch the boxes over to BSD, as the previous people they had called (a BSD shop) had told them that if they had used BSD, then there was no way anyone could get into the boxes, as BSD is "uncrackable."
Now, I don't have any experience with BSD (I tried installing it, but there are no drivers for my home machine, which I use as a testbed), so I didn't have any firm comeback; but I would like to know (from the BSD people who will be reading this) if the same technique I used would be possible on a BSD machine. (I'm hard pressed to think of how this could be done, short of encrypting the root FS, or something similar.)
Can anyone shed some light on this? Is BSD really "uncrackable", or are these other guys just blowing smoke?