OpenBSD 2.6 - New Features

By Kurt Seifried, [email protected]


 

Well it's been a few months, and a new release of OpenBSD is out (since December 1st 1999 actually) and I thought it was high time I covered some of the new features and improvements. For those of you unfamiliar with OpenBSD it is a flavor of UNIX based on BSD, with one main goal in mind. Security. The entire purpose of OpenBSD is to provide a fast, stable, and above all, secure computing platform.

OpenSSH

The most noticeable change in OpenBSD 2.6 is probably the addition of OpenSSH. OpenSSH is SSH with all the proprietary components ripped out, a lot of bug fixes, and the encryption is all done externally via OpenSSL. OpenSSH ships with 2.6 and is part of the default install, but due to the RSA patent in the US the OpenSSL components are not available on the CD-ROM, so you will need to download this from an OpenBSD ftp site (they could have included OpenSSL on the CD-ROM, but then they would need to produce one for the US, and one for international use, and there would be other possible legal problems as well, so they opted not to). During the install however you will be prompted to install it, first which version (US or international) and then for the method (FTP, HTTP, CDROM, etc), and then for the location. You can of course install it later on with:

#pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/2.6/packages/i386/ssl26.tar.gz

or if you are in the USA:

#pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/2.6/packages/i386/sslUSA26.tar.gz

By default OpenSSH is enabled, so as soon as you install the SSL package and reboot it will work. SKey support is also available now for OpenSSH.

Why OpenSSH matters:

OpenBSD is the first Open Source operating system to ship something like ssh that is not encumbered by licensing issues (although there are patent issues, you can use RSAREF in the US). This means people can easily login to and administer OpenBSD systems in a secure manner with very little additional setup required (as compared to say, deploying IPSec).

Apache

Another improvement is the use of DSO's (Dynamic Shared Object's) in Apache, which is a very similar concept to shared libraries typical of UNIX platforms. DSO's allow you to add in support for third party software (such as SSL) without having to recompile the Apache software. This allows for a much greater degree of flexibility, not only in adding support for new things, but upgrading them (instead of recompiling all of Apache you compile a now DSO and restart Apache). The primary disadvantage of DSO's is that some platforms do not support them properly, and on some supported platforms DSO's will slow the server down a bit. Generally speaking however the gains made in ease of use, deployment of software, and so on outweigh any minor performance problems.

Why DSO matters:

It makes the deployment of a secure web server far easier (and other features like perl_mod). Also if there is a bug in one of the DSO's you only need to replace it and restart Apache (as opposed to recompiling everything).

Driver updates

This goes without saying as a good thing. OpenBSD has historically lagged behind systems like Linux and Windows for driver support, which is a good thing in my opinion. Linux and Windows support a lot of BAD hardware (i.e. estimates run as high as 70% that NT crashes are due to bad drivers and software problems), OpenBSD tends to support the better quality hardware, because that is what the developers want. However OpenBSD has also lacked support for some very popular hardware (especially in the area of sound cards), so with the release of 2.6 a lot of drivers have been added, and others improved.

Why better drivers matter:

Bad drivers can cause crashes and other stability problems. I also want to use the soundcard on my new Sony VAIO laptop.

Secure by default

Well I lied a bit on this one, OpenBSD has been "secure by default" for a while. What does this mean? Well a default install of OpenBSD should (in theory) be completely secure against network attacks. The only services turned on by default are OpenSSH, portmap, and some services in inetd, all of which have been audited extensively and are relatively risk free. The OpenBSD philosophy (as I understand it) is to make the system as secure as possible, which would mean in most operating systems disabling damn near everything. But in the case of OpenBSD this is not necessary, the services that are on by default have been heavily audited, and deemed "safe", and as such are enabled (plus they give a basic level of functionality required by many people). If a user wants to do something "insecure" (like say install an IMAP server) they are on their own, you will need to get the ports collection, compile and install an IMAP server, and then add configuration lines in inetd.conf for it. If you want to do something deemed "safe", such as install the OpenBSD ftp daemon all you need to do is uncomment the line for it in inetd.conf, and add an ftp user (this is covered in the OpenBSD FAQ).

Why "secure by default matters":

You can install OpenBSD and be reasonably confident there are no exploitable holes. You can enable certain things (like FTP, or DNS) with a high level of confidence that it won't bite you later on (in the form of someone remotely exploiting it and getting root on your box). If you want to do "insecure" things, you will be forced to learn a little bit about how to do it (correctly or otherwise).

 

 

Reference links:

https://https.openbsd.org/cgi-bin/order - order form for OpenBSD CD's and paraphernalia

http://www.openbsd.org/faq/ - OpenBSD FAQ


Back

Last updated 15/2/2002

Copyright Kurt Seifried 2002