OpenBSD Journal

By default, scp(1) now uses SFTP protocol

Contributed by rueda on from the saner-future-than-past dept.

Thanks to a commit by Damien Miller (djm@), scp(1) (in -current) now defaults to using the SFTP protocol:

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2021/09/08 17:31:39

Modified files:
	usr.bin/ssh    : scp.1 scp.c 

Log message:
Use the SFTP protocol by default. The original scp/rcp protocol remains
available via the -O flag.

Note that ~user/ prefixed paths in SFTP mode require a protocol extension
that was first shipped in OpenSSH 8.7.

ok deraadt, after baking in snaps for a while without incident

As explained in the OpenSSH Release Notes,

SFTP offers more predictable filename handling and does not require expansion of glob(3) patterns via the shell on the remote side.

Unlocking UVM faults yields significant performance boost

Contributed by Peter N. M. Hansteen on from the no fault of UVM dept.

In a recent message to tech@ Martin Pieuchot (mpi@) wrote about analysis of kernel lock contention. We reproduce the message(s) here, reformatted with his permission.

Unlocking UVM [virtual memory - Ed.] faults makes build time decrease a lot and improves the overall latency of mixed userland workloads. In other words it gives a smoother feeling for "desktop usage": it is now possible to do 'make -j17' and watch a HD video at the same time.

traceroute(8) gets speed boost

Contributed by rueda on from the performance-enhancing-florian@ dept.

Florian Obser (florian@) has committed a significant speed boost for traceroute(8):

CVSROOT:	/cvs
Module name:	src
Changes by:	florian@cvs.openbsd.org	2021/09/03 03:13:00

Modified files:
	usr.sbin/traceroute: Makefile traceroute.8 traceroute.c 
	                     traceroute.h worker.c 

Log message:
Make traceroute(8) faster by sending probes and doing DNS async.

Traditional traceroute would send one probe and then wait for up to 5
seconds for a reply and then send the next probe. On a lossy link that
eventually ends in a black hole this would take about 15 minutes and
people would hit control-c in anger.

This rewrites the traceroute engine to use libevent and asr's async
DNS interface. Probes are now sent every 30ms or as soon as we get an
answer back. With that we got the 15 minute worst case down to about
10 seconds.

A minor adjustment that is possible with this is to delay printing a
line until we get to a line with answers. This has two effects:

1) If there are intermediate hops that don't answer, output pauses for
a bit so we keep the visual cue of "something might be wrong here".
2) If there is a black hole at the end, we don't print out many "* * *"
lines and thus scroll the interesting bits out of the terminal.
We collapse those lines and just print
64 * * *
at the end.

Unfortunately the -c option to send udp probes to a fixed port had to
go for now. But we should be able to add it back.

"Once you have seen the new one you can't go back to the old one" &
enthusiastic OK deraadt@
OK sthen@
"I am very distressed that florian went to bed without committing it"
beck@

Florian tooted links to recordings showing the old and new behaviours with an earlier version of this work.
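The two behaviours florian@ describes, holding back a hop's line until a later hop answers and collapsing a trailing black hole into a single final line, together with the worst-case timing he quotes, can be modelled in a few lines. The following is an added illustration written for this article, not code from OpenBSD's traceroute(8); the hop data, the three-probes-per-hop model, the 64-hop limit and the "final probe still waits for its timeout" assumption are all constructed for the example.

```python
"""Model of the new traceroute(8) output and timing behaviour (illustration only)."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_TTL = 64  # assumed default hop limit; the real value is traceroute's business


@dataclass
class Hop:
    ttl: int
    router: Optional[str]                      # None when every probe timed out
    rtts_ms: List[float] = field(default_factory=list)


def format_hop(hop: Hop) -> str:
    """One output line for a hop, '* * *' when nothing answered."""
    if hop.router is None:
        return f"{hop.ttl:2d}  * * *"
    rtts = "  ".join(f"{r:.3f} ms" for r in hop.rtts_ms)
    return f"{hop.ttl:2d}  {hop.router}  {rtts}"


def render(hops: List[Hop], max_ttl: int = MAX_TTL) -> List[str]:
    """Return the lines that would reach the terminal.

    Unanswered hops are held back (the 'output pauses' visual cue) and only
    printed once a later hop answers.  If the trace ends with a run of
    unanswered hops, that run is collapsed into one '<max_ttl>  * * *' line.
    """
    lines: List[str] = []
    pending: List[Hop] = []
    for hop in hops:
        if hop.router is None:
            pending.append(hop)                # hold back, do not print yet
            continue
        lines.extend(format_hop(h) for h in pending)  # intermediate silent hops
        pending.clear()
        lines.append(format_hop(hop))
    if pending:                                # black hole at the end
        lines.append(f"{max_ttl:2d}  * * *")
    return lines


def old_worst_case_seconds(hops: int = 64, probes: int = 3, timeout: float = 5.0) -> float:
    """Sequential engine: each unanswered probe costs a full timeout."""
    return hops * probes * timeout


def new_worst_case_seconds(hops: int = 64, probes: int = 3,
                           interval: float = 0.03, timeout: float = 5.0) -> float:
    """Async engine: probes go out every `interval`; only the last one still
    has to wait out its timeout (constructed model, not measured)."""
    return hops * probes * interval + timeout


if __name__ == "__main__":
    # Constructed path: hop 2 is silent, hop 3 answers, then a black hole.
    path = [Hop(1, "192.0.2.1", [0.512, 0.488, 0.530]),
            Hop(2, None),
            Hop(3, "198.51.100.7", [12.1, 11.9, 12.3])]
    path += [Hop(ttl, None) for ttl in range(4, MAX_TTL + 1)]
    print("\n".join(render(path)))
    print(f"old worst case: {old_worst_case_seconds() / 60:.1f} min, "
          f"new worst case: {new_worst_case_seconds():.1f} s")
```

With the constructed path the silent hop 2 still appears as a `* * *` line (it is printed as soon as hop 3 answers), while the 61 trailing silent hops become a single `64  * * *` line. The timing model reproduces the numbers in the commit message: 64 hops times 3 probes times a 5 second timeout is 16 minutes, and at 30 ms spacing plus one final timeout it is just under 11 seconds.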

xterm gets unveiled

Contributed by rueda on from the xterms of unveilment dept.

With the following commit, Matthieu Herrb (matthieu@) gave xterm(1) some unveil(2) goodness:

CVSROOT:	/cvs
Module name:	xenocara
Changes by:	matthieu@cvs.openbsd.org	2021/09/02 03:31:38

Modified files:
	app/xterm      : main.c 

Log message:
Unveil paths needed by xterm at run-time. work with tb@ and deraadt@

Only in (default) case where there are no exec-formatted or
exec-selected resources set. In those cases the commands and their
arguments could be anywhere.

iked(8) gains client-side support for DNS configuration

Contributed by rueda on from the iked naming things dept.

With the following commit, Tobias Heider (tobhe@) added client-side support for DNS configuration to iked(8):

CVSROOT:	/cvs
Module name:	src
Changes by:	tobhe@cvs.openbsd.org	2021/09/01 09:30:07

Modified files:
	sbin/iked      : config.c iked.c iked.h ikev2.c ikev2_msg.c 
	                 ikev2_pld.c policy.c types.h vroute.c 

Log message:
Add client side support for DNS configuration. Use RTM_PROPOSAL_STATIC
route messages to propose the name server to resolvd(8).
For now, iked will only propose a single name server from the first
established connection.

Automatic name server configuration is enabled by default for policies using
the 'iface' option.

discussed with deraadt@
ok for the DNS parts florian@
ok for the rest patrick@

timeout(1) utility imported

Contributed by rueda on from the hit-me-hit-me-hit-me dept.

Job Snijders (job@) imported the timeout(1) utility from NetBSD:

CVSROOT:	/cvs
Module name:	src
Changes by:	job@cvs.openbsd.org	2021/09/01 09:50:34

Added files:
	usr.bin/timeout: Makefile timeout.1 timeout.c 

Log message:
Import timeout(1) from NetBSD

The timeout(1) utility can be used to run commands with a time limit.

OK deraadt@ beck@

Following initial import, job@ and others applied the OpenBSD-stick.

Fair Internet bandwidth management on a network using OpenBSD

Contributed by Peter N. M. Hansteen on from the put more QoS in your queues dept.

OpenBSD Journal co-editor Solène Rapenne (solene@) writes,
I have a simple DSL line with 15 Mb/s in download and 900 kb/s upload rates and there are many devices using the Internet and two people in remote work. Some poorly designed software (mostly on Windows) will auto-update without allowing the bandwidth to be reduced, or some huge bloated website will require a lot of download and will impact workers using the network.

The point of this article is to explain how to use OpenBSD as a router on your network to allow the Internet access to be used fairly by devices on the network, guaranteeing that everyone will have at least a bit of Internet to continue working flawlessly.

Read the whole thing, Fair Internet bandwidth management on a network using OpenBSD for a walkthrough of implementing queueing and QoS traffic shaping for your network.

Hibernate time reduced

Contributed by rueda on from the winter-of-our-disk-content dept.

Theo de Raadt (deraadt@) committed a change which significantly reduces hibernate time on machines with larger amounts of RAM:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2021/08/30 03:45:29

Modified files:
	sys/kern       : subr_hibernate.c 

Log message:
increase hibernate writeout speed a little.  modern machines have vast
tracts of unused memory, and the empty-space RLE scanner (uvm_page_rle)
would rescan for empty space needlessly wasting excessive cpu time
16G machine, 100sec -> 9sec
40G machine, 325sec -> 28sec
with kettenis mlarkin

We are always happy to bear good news!

RSA/SHA1 signature type disabled by default in OpenSSH

Contributed by rueda on from the Really Senile Algorithms dept.

In a message to tech@ Damien Miller (djm@) explained the consequences of his recent commit:

[…]
RSA/SHA1, a.k.a the "ssh-rsa" signature type is now disabled by default
in OpenSSH.

While the SSH protocol confusingly uses overlapping names for key and
signature algorithms, this does not stop the use of RSA keys and there
is no need to regenerate "ssh-rsa" keys - most servers released in the
last five years will automatically negotiate the use of RSA/SHA-256/512
signatures.

This has been coming for a long time, but I do expect it will be
disruptive for some people as there are likely to be some devices
out there that cannot be upgraded to support the safer algorithms.

In these cases, it is possible to selectively re-enable RSA/SHA1
support by specifying PubkeyAcceptedAlgorithms=+ssh-rsa in the
ssh_config(5) or sshd_config(5) for the endpoint.

Please report any problems here, to bugs@ or to openssh@
[…]

TL;DR:

  • The "ssh-rsa" signature type is now disabled by default.
  • "ssh-rsa" signatures can be selectively re-enabled if necessary.
  • RSA ("ssh-rsa") keys are not affected by this change and remain valid.

OpenBSD Errata

OpenBSD 6.9

015  2021-08-20  SECURITY     In LibreSSL, printing a certificate can result in a crash in X509_CERT_AUX_print().
014  2021-08-11  SECURITY     perl(1) Encode(3p) loads a module from an incorrect relative path.
013  2021-08-11  RELIABILITY  In a specific configuration, wg(4) leaked mbufs.
012  2021-08-04  RELIABILITY  A misaligned address could trigger a kernel assert and panic the kernel.
011  2021-07-25  SECURITY     On mips64, the strchr/index/strrchr/rindex functions in libc handled signed characters incorrectly.
010  2021-07-25  SECURITY     relayd(8), when using the http protocol strip filter directive or http protocol macro expansion, processes format strings.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]