It's our last episode of 2014, and we'll be chatting with Dan Langille about the upcoming BSDCan conference. We'll find out what's planned and what sorts of presentations they're looking for. As usual, answers to viewer-submitted questions and all the week's news, coming up on BSD Now - the place to B.. SD.
Headlines
More conference presentation videos
Some more of the presentation videos from AsiaBSDCon are appearing online
Masanobu Saitoh, Developing CPE Routers Based on NetBSD
Reyk Floeter, VXLAN and Cloud-based Networking with OpenBSD
Jos Jansen, Adapting OS X to the enterprise
Pierre Pronchery & Guillaume Lasmayous, Carve your NetBSD
Colin Percival, Everything you need to know about cryptography in 1 hour (not from AsiaBSDCon)
The "bsdconferences" YouTube channel has quite a lot of interesting older BSD talks too - you may want to go back and watch them if you haven't already
***
OpenBSD PIE enhancements
ASLR and PIE are great security features that OpenBSD has had enabled by default for a long time, in both the base system and ports, but they have one inherent problem
They only work with dynamic libraries and binaries, so if you have any static binaries, they don't get the same treatment
For example, the default shells (and many other things in /bin and /sbin) are statically linked
In the case of the static ones, you can always predict the memory layout, which is very bad and sort of defeats the whole purpose
With this and a few related commits, OpenBSD fixes this by introducing static self-relocation
More and more CPU architectures are being tested and getting support too; this isn't just for amd64 and i386 - VAX users can rest easy
It'll be available in 5.7 in May, or you can use a -current snapshot if you want to get a slice of the action now
***
FreeBSD foundation semi-annual newsletter
The FreeBSD foundation publishes a huge newsletter twice a year, detailing their funded projects and some community activities
As always, it starts with a letter from the president of the foundation - this time it's about encouraging students and new developers to get involved
The article also has a fundraising update with a list of sponsored projects, and they note that the donations meter has changed from dollars to number of donors (since they exceeded the goal already)
You can read summaries of all the BSD conferences of 2014 and see a list of upcoming ones next year too
There are also sections about the FreeBSD Journal's progress, a new staff member and a testimonial from NetApp
It's a very long report, so dedicate some time to read all the way through it
This year was pretty great for BSD: both the FreeBSD and OpenBSD foundations exceeded their goals and the NetBSD foundation came really close too
As we go into 2015, consider donating to whichever BSD you use, it really can make a difference
***
Modernizing OpenSSH fingerprints
When you connect to a server for the first time, you'll get what's called a fingerprint of the host's public key - this is used to verify that you're actually talking to the same server you intended to
Up until now, the key fingerprints have been an MD5 hash, displayed as hex
This can be problematic, especially for larger key types like RSA that give lots of wiggle room for collisions, as an attacker could generate a fake host key that gives the same MD5 string as the one you wanted to connect to
This new change replaces the default MD5 and hex with a base64-encoded SHA256 fingerprint
You can add a "FingerprintHash" line in your ssh_config to force using only the new type
There's also a new option to require users to authenticate with more than one public key, so you can really lock down login access to your servers - also useful if you're not 100% confident in any single key type
The new options should be in the upcoming 6.8 release
***
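To make the two fingerprint formats concrete, here is an added example (not code from OpenSSH or from the show) that derives both the old MD5/hex form and the new SHA256/base64 form from the same public key line, and checks a key against a pinned SHA256 value only. The sample key is constructed placeholder data and the function names are hypothetical.

```python
import base64
import hashlib
import hmac


def ssh_string(data):
    """Length-prefixed string as used inside an SSH public key blob."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample (not a real host key): a well-formed ssh-ed25519 blob
# wrapping 32 placeholder bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"


def key_blob(pubkey_line):
    """Decode the blob from a 'type base64 [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The blob begins with its own copy of the key type; reject mismatches.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match blob")
    return blob


def fingerprint_md5(blob):
    """Legacy form: MD5 of the blob as colon-separated hex."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprint_sha256(blob):
    """New form: SHA256 of the blob, base64 without '=' padding."""
    d = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(d).decode().rstrip("=")


def matches_pin(pubkey_line, pinned):
    """Accept a key only against a pinned SHA256 fingerprint, never MD5."""
    if not pinned.startswith("SHA256:"):
        return False
    return hmac.compare_digest(fingerprint_sha256(key_blob(pubkey_line)), pinned)


if __name__ == "__main__":
    blob = key_blob(SAMPLE_LINE)
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
```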
Interview - Dan Langille -
[email protected] / @bsdcan
Plans for the BSDCan 2015 conference
News Roundup
Introducing ntimed, a new NTP daemon
As we've mentioned before in our tutorials, there are two main daemons for the Network Time Protocol - ISC's NTPd and OpenBSD's OpenNTPD
With all the recent security problems with ISC's NTPd, Poul-Henning Kamp has been working on a third NTP daemon
It's called "ntimed" and you can try out a preview version of it right now - it's in FreeBSD ports or on Github
PHK also has a few blog entries about the project, including status updates
***
OpenBSD-maintained projects list
There was recently a thread on the misc mailing list asking about different projects started by OpenBSD developers
The initial list had marks for which software had portable versions to other operating systems (OpenSSH being the most popular example)
A developer compiled a new list from all of the replies to that thread into a nice organized webpage
Most people are only familiar with things like OpenSSH, OpenSMTPD, OpenNTPD and more recently LibreSSL, but there are quite a lot more
This page also serves as a good history lesson for BSD in general: FreeBSD and others have ported some things over, while a couple OpenBSD tools were born from forks of FreeBSD tools (mergemaster, pkg tools, portscout)
***
Monitoring network traffic with FreeBSD
If you've ever been curious about monitoring network traffic on your FreeBSD boxes, this forum post may be exactly the thing for you
It'll show you how to combine the Netflow, NfDump and NfSen suite of tools to get some pretty detailed network stats (and of course put them into a fancy webpage)
This is especially useful for finding out what was going on at a certain point in time, for example if you had a traffic spike
***
Trapping spammers with spamd
This is a blog post about OpenBSD's spamd - a spam email deferral daemon - and how to use it for your mail
It gives some background on the greylisting approach to spam, rather than just a typical host blacklist
"Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the sender re-attempts mail delivery at a later time, the sender may be allowed to continue the mail delivery conversation."
The post also shows how to combine it with PF and other tools for a pretty fancy mail setup
You can find spamd in the OpenBSD base system, or use it with FreeBSD or NetBSD via ports and pkgsrc
You might also want to go back and listen to BSDTalk episode 68, where Will talks to Bob Beck about spamd
***
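The greylisting decision quoted above can be sketched as a small state machine. This is an added, simplified model and not spamd's own code: the class and method names are hypothetical, the three timing values are assumed parameters, and whitelisting by connecting IP is a modelling choice.

```python
TEMPFAIL = "451 temporary failure, try again later"
ACCEPT = "250 ok"


class Greylist:
    """Simplified greylisting model keyed on (ip, sender, recipient)."""

    def __init__(self, passtime=25 * 60, greyexp=4 * 3600, whiteexp=36 * 86400):
        # Assumed timings, in seconds:
        self.passtime = passtime   # minimum wait before a retry is accepted
        self.greyexp = greyexp     # unretried grey entries are forgotten after this
        self.whiteexp = whiteexp   # how long a proven sender IP stays whitelisted
        self.grey = {}             # (ip, sender, rcpt) -> time first seen
        self.white = {}            # ip -> whitelist expiry time

    def check(self, now, ip, sender, rcpt):
        """Return the SMTP-style reply for a delivery attempt at time `now`."""
        expiry = self.white.get(ip)
        if expiry is not None:
            if now < expiry:
                return ACCEPT
            del self.white[ip]     # whitelist entry aged out

        key = (ip, sender.lower(), rcpt.lower())
        first_seen = self.grey.get(key)

        # Unknown tuple, or one that waited too long to retry: start over.
        if first_seen is None or now - first_seen > self.greyexp:
            self.grey[key] = now
            return TEMPFAIL

        # Retried too quickly: typical of senders that fire and forget.
        if now - first_seen < self.passtime:
            return TEMPFAIL

        # A patient, standards-following retry: promote the IP.
        del self.grey[key]
        self.white[ip] = now + self.whiteexp
        return ACCEPT


if __name__ == "__main__":
    g = Greylist()
    # Constructed delivery attempts: (seconds, ip, sender, recipient)
    for t in (0, 60, 1800):
        print(t, g.check(t, "192.0.2.10", "a@example.org", "b@example.net"))
```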
Feedback/Questions
Sean writes in
Brandon writes in
Anders writes in
David writes in
Kyle writes in
***
Mailing List Gold
NTP code comparison - 192870 vs. 2898
NICs have feelings too
Just think about it
***