Lost Technology | BSD Now 96

Lost Technology | BSD Now 96

Coming up this week, we’ll be talking with Jun Ebihara about some lesser-known CPU architectures in NetBSD. He’ll tell us what makes these old (and often forgotten) machines so interesting. As usual, we’ve also got answers to your emails and all this week’s news on BSD Now – the place to B.. SD.

Thanks to:




Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –


Out with the old, in with the less

  • Our friend Ted Unangst has a new article up, talking about “various OpenBSD replacements and reductions”
  • “Instead of trying to fix known bugs, we’re trying to fix unknown bugs. It’s not based on the current buggy state of the code, but the anticipated future buggy state of the code. Past bugs are a bigger factor than current bugs.”
  • In the post, he goes through some of the bigger (and smaller) examples of OpenBSD rewriting tools to be simpler and more secure
  • It starts off with a lesser-known SCSI driver that “tried to do too much” being replaced with three separate drivers
  • “Each driver can now be modified in isolation without unintentional side effects on other hardware, or the need to consider if and where further special cases need to be added. Despite the fact that these three drivers duplicate all the common boilerplate code, combined they only amount to about half as much code as the old driver.”
  • In contrast to that example, he goes on to cite mandoc as taking a very non “unixy” direction, but at the same time being smaller and simpler than all the tools it replaced
  • The next case is the new http daemon, and he talks a bit about the recently-added rewrite support being done in a simple and secure way (as opposed to regex and its craziness)
  • He also talks about the rewritten “file” utility: “Almost by definition, its sole input will be untrusted input. Perversely, people will then trust what file tells them and then go about using that input, as if file somehow sanitized it.”
  • Finally, sudo in OpenBSD’s base system is moving to ports soon, and the article briefly describes a new tool that may or may not replace it, called “doas”
  • There’s also a nice wrap-up of all the examples at the end, and the “Pruning and Polishing” talk is good complementary reading material

More OpenZFS and BSDCan videos

SMP steroids for PF

  • An Oracle employee that’s been porting OpenBSD’s PF to an upcoming Solaris release has sent in an interesting patch for review
  • Attached to the mail was what may be the beginnings of making native PF SMP-aware
  • Before you start partying, the road to SMP (specifically, giant lock removal) is a long and very complicated one, requiring every relevant bit of the stack to be written with it in mind – this is just one piece of the puzzle
  • The initial response has been quite positive though, with some back and forth between developers and the submitter
  • For now, let’s be patient and see what happens

DragonFly 4.2.0 released

  • DragonFlyBSD has released the next big update of their 4.x branch, complete with a decent amount of new features and fixes
  • i915 and Radeon graphics have been updated, and DragonFly can claim the title of first BSD with Broadwell support in a release
  • Sendmail in the base system has been replaced with their homegrown DragonFly Mail Agent, and there’s a wiki page about configuring it
  • They’ve also switched the default compiler to GCC 5, though why they’ve gone in that direction instead of embracing Clang is a mystery
  • The announcement page also contains a list of kernel changes, details on the audio and graphics updates, removal of the SCTP protocol, improvements to the temperature sensors, various userland utility fixes and a list of updates to third party tools
  • Work is continuing on the second generation HAMMER filesystem, and Matt Dillon provides a status update in the release announcement
  • There was also some hacker news discussion you can check out, as well as upgrade instructions

OpenSMTPD 5.7.1 released

  • The OpenSMTPD guys have just released version 5.7.1, a major milestone version that we mentioned recently
  • Crypto-related bits have been vastly improved: the RSA engine is now privilege-separated, TLS errors are handled more gracefully, ciphers and curve preferences can now be specified, the PKI interface has been reworked to allow custom CAs, SNI and certificate verification have been simplified and the DH parameters are now 2048 bit by default
  • The long-awaited filter API is now enabled by default, though still considered slightly experimental
  • Documentation has been improved quite a bit, with more examples and common use cases (as well as exotic ones)
  • Many more small additions and bugfixes were made, so check the changelog for the full list
  • Starting with 5.7.1, releases are now cryptographically signed to ensure integrity
  • This release has gone through some major stress testing to ensure stability – Gilles regularly asks their Twitter followers to flood a test server with thousands of emails per second, even offering prizes to whoever can DDoS them the hardest
  • OpenSMTPD runs on all the BSDs of course, and seems to be getting pretty popular lately
  • Let’s all encourage Kris to stop procrastinating on switching from Postfix

Interview – Jun Ebihara (蛯原純) – jun@soum.co.jp / @ebijun

Lesser-known CPU architectures, embedded NetBSD devices

News Roundup

FreeBSD foundation at BSDCan

  • The FreeBSD foundation has posted a few BSDCan summaries on their blog
  • The first, from Steven Douglas, begins with a sentiment a lot of us can probably identify with: “Where I live, there are only a handful of people that even know what BSD is, let alone can talk at a high level about it. That was one of my favorite things, being around like minded people.”
  • He got to meet a lot of the people working on big-name projects, and enjoyed being able to ask them questions so easily
  • Their second trip report is from Ahmed Kamal, who flew in all the way from Egypt
  • A bit starstruck, he seems to have enjoyed all the talks, particularly Andrew Tanenbaum’s about MINIX and NetBSD
  • There are also two more wrap-ups from Zbigniew Bodek and Vsevolod Stakhov, so you’ve got plenty to read

OpenBSD from a veteran Linux user perspective

  • In a new series of blog posts, a self-proclaimed veteran Linux user is giving OpenBSD a try for the first time
  • “For the first time I installed a BSD box on a machine I control. The experience has been eye-opening, especially since I consider myself an ‘old-school’ Linux admin, and I’ve felt out of place with the latest changes on the system administration.”
  • The post is a collection of his thoughts about what’s different between Linux and BSD, what surprised him as a beginner – admittedly, a lot of his knowledge carried over, and there were just minor differences in command flags
  • One of the things that surprised him (in a positive way) was the documentation: “OpenBSD’s man pages are so nice that RTFMing somebody on the internet is not condescending but selfless.”
  • He also goes through some of the basics, installing and updating software, following different branches
  • It concludes with “If you like UNIX, it will open your eyes to the fact that there is more than one way to do things, and that system administration can still be simple while modern.”

FreeBSD on the desktop, am I crazy

  • Similar to the previous article, the guy that wrote the SSH two factor authentication post we covered last week has another new article up – this time about FreeBSD on the desktop
  • He begins with a bit of forewarning for potential Linux switchers: “It certainly wasn’t an easy journey, and I’m tempted to say do not try this at home to anybody who isn’t going to leverage any of FreeBSD’s strong points. Definitely don’t try FreeBSD on the desktop if you haven’t used it on servers or virtual machines before. It’s got less in common with Linux than you might think.”
  • With that out of the way, the list of positives is pretty large: a tidy base system, separation between base and ports, having the option to choose binary packages or ports, ZFS, jails, licensing and of course the lack of systemd
  • The rest of the post talks about some of the hurdles he had to overcome, namely with graphics and the infamous Adobe Flash
  • Also worth noting is that he found jails to be not only good for isolating daemons on a server, but pretty useful for desktop applications as well
  • In the end, he says it was worth all the trouble, and is even planning on converting his laptop to FreeBSD soon too

OpenIKED and Cisco CSR 1000v IPSEC

  • This article covers setting up a site-to-site IPSEC tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKED
  • What kind of networking blog post would be complete without a diagram where the internet is represented by a big cloud
  • There are lots of details (and example configuration files) for using IKEv2 and OpenBSD’s built-in IKE daemon
  • It also goes to show that the BSDs generally play well with existing network infrastructure, so if you were a business that’s afraid to try them… don’t be

HardenedBSD improves stack randomization

  • The HardenedBSD guys have improved their FreeBSD ASLR patchset, specifically in the stack randomization area
  • In their initial implementation, the stack randomization was a random gap – this update makes the base address randomized as well
  • They’re now stacking the new on top of the old as well, with the goal being even more entropy
  • This change triggered an ABI and API incompatibility, so their major version has been bumped

OpenSSH 6.9 released

  • The OpenSSH team has announced the release of a new version which, following their tick/tock major/minor release cycle, is focused mainly on bug fixes
  • There are a couple new things though – the “AuthorizedKeysCommand” config option now takes custom arguments
  • One very notable change is that the default cipher has changed as of this release
  • The traditional pairing of AES128 in counter mode with MD5 HMAC has been replaced by the ever-trendy ChaCha20-Poly1305 combo
  • Their next release, 7.0, is set to get rid a number of legacy items: PermitRootLogin will be switched to “no” by default, SSHv1 support will be totally disabled, the 1024bit diffie-hellman-group1-sha1 KEX will be disabled, old ssh-dss and v00 certs will be removed, a number of weak ciphers will be disabled by default (including all CBC ones) and RSA keys will be refused if they’re under 1024 bits
  • Many small bugs fixes and improvements were also made, so check the announcement for everything else
  • The native version is in OpenBSD -current, and an update to the portable version should be hitting a ports or pkgsrc tree near you soon


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We’d love to see more participation from the listeners – get in touch with us if you’re doing something interesting you’d like to talk about (or have already written about)
  • If you’re using DNSCrypt on your router to protect your DNS lookups, as mentioned in a few of our tutorials, you may want to consider switching the authoritative resolver away from OpenDNS (since Cisco recently bought them and doesn’t have the best security record)

Question? Comments? Contact us here!