Coming up this week on the show, we'll be talking with Damien Miller of the OpenSSH team. Their 7.0 release has some major changes, including phasing out older crypto and changing one of the defaults that might surprise you.
Headlines
EdgeRouter Lite, meet OpenBSD
- The ERL, much like the Raspberry Pi and a bunch of other cheap boards, is getting more and more popular as more things get ported to run on it
- We've covered installing NetBSD and FreeBSD on them before, but OpenBSD has gotten a lot better support for them as well now (including the onboard storage in 5.8)
- Ted Unangst got a hold of one recently and kindly wrote up some notes about installing and using OpenBSD on it
- He covers doing a network install, getting the (slightly strange) bootloader working with u-boot and some final notes about the hardware
- More discussion can be found on Hacker News and various other places
- One thing to note about these devices: because of their MIPS64 processor, they'll have weaker ASLR than x86 CPUs (and no W^X at all)
***
Design and Implementation of the FreeBSD Operating System interview
- For those who don't know, the "Design and Implementation of the FreeBSD Operating System" is a semi-recently-revived technical reference book for FreeBSD development
- InfoQ has a review of the book up for anyone who might be interested, but they also have an interview with the authors
- "The book takes an approach to FreeBSD from inside out, starting with kernel services, then moving to process and memory management, I/O and devices, filesystems, IPC and network protocols, and finally system startup and shutdown. The book provides dense, technical information in a clear way, with lots of pseudo-code, diagrams, and tables to illustrate the main points."
- Aside from detailing a few of the chapters, the interview covers who the book's target audience is, some history of the project, long-term support, some of the newer features and some general OS development topics
***
Path list parameter in OpenBSD tame
- We've mentioned OpenBSD's relatively new "tame" subsystem a couple of times before: it's an easy-to-implement "self-containment" framework, allowing programs to have a reduced feature set mode with even less privileges
- One of the early concerns from users of other process containment tools was that tame was too broad in the way it separated disk access - you could either read/write files or not, nothing in between
- Now there's the option to create a whitelist of specific files and directories that your binary is allowed to access, giving a much finer-grained set of controls to developers
- The next step is to add tame restraints to the OpenBSD userland utilities, which should probably be done by 5.9
- More discussion can be found on Reddit and Hacker News
***
FreeBSD & PC-BSD 10.2-RELEASE
- The FreeBSD team has released the second minor version bump to the 10.x branch, including all the fixes from 10-STABLE since 10.1 came out
- The Linux compatibility layer has been updated to support CentOS 6, rather than the much older Fedora Core base used previously, and the DRM graphics code has been updated to match Linux 3.8.13
- New installations (and newly-upgraded systems) will use the quarterly binary package set, rather than the rolling release model that most people are used to
- A VXLAN driver was added, allowing you to create virtual LANs by encapsulating the ethernet frame in a UDP packet
- The bhyve codebase is much newer, enabling support for AMD CPUs with SVM and AMD-V extensions
- ARM and ARM64 code saw some fixes and improvements, including SMP support on a few specific boards and support for a few new boards
- The bootloader now supports entering your GELI passphrase before loading the kernel in full disk encryption setups
- In addition to assorted userland fixes and driver improvements, various third party tools in the base system were updated: resolvconf, ISC NTPd, netcat, file, unbound, OpenSSL, sendmail
- Check the full release notes for the rest of the details and changes
- PC-BSD also followed with their 10.2-RELEASE, sporting a few more additional features
***
Interview - Damien Miller - [email protected] / @damienmiller
OpenSSH: phasing out broken crypto, default cipher changes
***
News Roundup
NetBSD at Open Source Conference Shimane
- We weren't the only ones away at conferences last week - the Japanese NetBSD guys are always raiding one event or another
- This time they had NetBSD running on some Sony NWS devices (MIPS-based)
- JavaStations were also on display - something we haven't ever seen before (made between 1996-2000)
***
BAFUG videos
- The Bay Area FreeBSD users group has been uploading some videos of their recent meetings
- Devin Teske hosts the first one, discussing adding GELI support to the bootloader, including some video demonstrations of how it works
- Shortly after beginning, Adrian Chadd takes over the conversation and they discuss various problems (and solutions) related to the bootloader - for example, how can we type encryption passwords with non-US keyboard layouts
- In a second video, Jordan Hubbard and Kip Macy introduce "NeXTBSD aka FreeBSD X"
- In it, they discuss their ideas of merging more Mac OS X features into FreeBSD (launchd to replace the init system, some APIs, etc)
- People should record presentations at their BSD users groups and send them to us
***
L2TP over IPSEC on OpenBSD
- If you've got an OpenBSD box and some Mac OS X clients that need secure communications, surprise: they can work together pretty well
- Using only the base tools in both operating systems, you can build a nice IPSEC setup for tunneling all your traffic
- This guide specifically covers L2TP, using npppd and pre-shared keys
- Server setup, client setup, firewall configuration and routing-related settings are all covered in detail
***
Reliable bare metal with TrueOS
- Imagine a server version of PC-BSD with some useful utilities preinstalled - that's basically TrueOS
- This article walks you through setting up a FreeBSD -CURRENT server (using TrueOS) to create a pretty solid backup solution
- Most importantly, the author also covers how to keep everything redundant and deal with hard drives failing
- The author chose to go with the -CURRENT branch because of the delay between regular releases, and newer features not making their way to users as fast as he'd like
- Another factor is that there are no binary snapshots of FreeBSD -CURRENT that can be easily used for in-place upgrades, but with TrueOS (and some other BSDs) there are
***
Kernel W^X on i386
- We mentioned some big W^X kernel changes in OpenBSD a while back, but the work was mainly for the x86_64 CPU architecture (which makes sense; that's what most people run now)
- Mike Larkin is back again, and isn't leaving the people with older hardware out, committing similar kernel work into the i386 platform now as well
- Check out our interview with Mike for some more background info on memory protections like W^X
***
Feedback/Questions
- Markus writes in
- Sean writes in
- Theo writes in
***