OpenBSD Journal

Martin Pieuchot: The Unknown Plan

Contributed by Paul 'WEiRD' de Weerd from the cheese-induced-hallucinations dept.

Fresh from Bucharest is this story from Martin Pieuchot (mpi@) with his experience from p2k19:

Since I attend OpenBSD hackathons, I hear stories about how crazy the ports hackathons are. So I try my best to look like a porter in order to experience this craziness. I must admit p2k19 was awesome, but the craziness of ports hackathons is still an enigma to me.

Read more…

OpenSSH U2F/FIDO support in base

Contributed by rueda from the more-than-a-token-effort-(basically) dept.

Damien Miller (djm@) posted to tech@:

Hi,

I just committed all the dependencies for OpenSSH security key (U2F)
support to base and tweaked OpenSSH to use them directly. This means
there will be no additional configuration hoops to jump through to use
U2F/FIDO2 security keys.

Read more…

p2k19 Hackathon Report: Good vibes from Bucharest by Marc Espie (espie@)

Contributed by Peter N. M. Hansteen from the cooking up the packages dept.

The first p2k19 hackathon report comes from Marc Espie (espie@), who writes:

I already came to Bucharest a year ago for EuroBSDcon, but I welcomed the chance at spending more time here, especially at a hackathon organized by Paul, who is such a great guy.

I heard that there was a lot of chanting involved around the city, but we had magical weather, totally unseasonably warm and sunny for November in Romania.

Read more…

HEADS UP: ntpd changing

Contributed by rueda from the what-time-have-*you*-got? dept.

Theo de Raadt (deraadt@) posted to tech@:

The ntpd options -s and -S are going to be removed soon and at startup
will print:

    -s option no longer works and will be removed soon.
    Please reconfigure to use constraints or trusted servers.

Probably after 6.7 we'll delete the warning.  Maybe for 6.8 we'll remove
-s and -S from getopt, and starting with those options will fail.

Effective immediately, the -s option stops doing what you expect.  It now
does nothing.

Big improvements have happened in ntpd recently.  At startup, ntpd
aggressively tries to learn from NTP packets validated by constraints,
and set the time.

That means a smarter variation of -s is the default, but the information
is now *VALIDATED* by constraints.

2 additional constraints have been added.  If you have upgraded, please
review /etc/examples/ntpd.conf for modern use.

Those who cannot use https constraints can instead tag server lines
with the keyword "trusted", which means you believe MITM attacks are not
possible on the network to those specific NTP servers.  Do this only on
servers directly connected over a trusted network.  If someone does
"servers pool.ntp.org trusted", we're going to have a great laugh.

We're creating something a bit complex, but our goal is for every
machine to have a close approximation of correct time.  If we get
there, some good things will happen.  Some serious cargo-culting
for using -s has gotten in the way (-s performs no MITM checks).

Read more…
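As an added illustration of the change Theo describes (this is not part of his message, nor a copy of the OpenBSD sample file), here is the old rc.conf.local flag beside an ntpd.conf that relies on HTTPS constraints, plus a server on a directly attached network tagged trusted. The server address is a placeholder; the constraint URL is the one shipped in /etc/examples/ntpd.conf, and the keywords are those documented in ntpd.conf(5).

```conf
# BEFORE: /etc/rc.conf.local
# "-s" set the clock from the first NTP reply with no MITM check.
# As of this change it does nothing, and it will be removed later.
#ntpd_flags="-s"

# AFTER: /etc/ntpd.conf
# Let ntpd set the time aggressively at startup, but only from NTP
# packets that agree with the constraints below.

# Pool servers: replies are used only when they fall inside the
# window established by the constraints.
servers pool.ntp.org

# HTTPS constraint: the Date header from a TLS-authenticated site
# bounds the acceptable time, so a spoofed NTP reply is rejected.
constraints from "https://www.google.com"

# Only for a server on a directly connected network you control,
# where a MITM is not possible. Never tag pool.ntp.org this way.
# (192.0.2.10 is a placeholder address constructed for this example.)
server 192.0.2.10 trusted
```

After editing, a plain `ntpd_flags=""` (or simply removing the line) in rc.conf.local is all that remains of the old setup.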

DNSSEC enabled in default unbound(8) configuration

Contributed by rueda from the +dnssec-take-two dept.

DNSSEC validation has been enabled in the default unbound.conf(5) in -current. The relevant commits were from Job Snijders (job@):

CVSROOT:	/cvs
Module name:	src
Changes by:	job@cvs.openbsd.org	2019/11/07 05:49:45

Modified files:
	etc            : unbound.conf 

Log message:
Enable DNSSEC validation in unbound by default

OK deraadt@ otto@

and from Stuart Henderson (sthen@):

CVSROOT:	/cvs
Module name:	src
Changes by:	sthen@cvs.openbsd.org	2019/11/07 08:46:37

Modified files:
	etc            : unbound.conf 

Log message:
Reenable "val-log-level: 2", so that when sites have misconfigured
dnssec the sysadmin has some idea what's going on in logs, and
"aggressive-nsec: yes", if we're using dnssec anyway we might as well
get the benefits. These were both enabled last time dnssec was enabled
in this sample unbound.conf.

ok florian@

This was attempted late last year, but reverted because of difficulties bootstrapping machines with incorrect clocks.

Read more…

U2F support in OpenSSH HEAD

Contributed by rueda from the more-than-a-token-effort dept.

In a message to the openssh-unix-dev mailing list, Damien Miller (djm@) wrote:

[…]
As of this morning, OpenSSH now has experimental U2F/FIDO support, with
U2F being added as a new key type "sk-ecdsa-sha2-nistp256@openssh.com"
or "ecdsa-sk" for short (the "sk" stands for "security key").

If you're not familiar with U2F, this is an open standard for making
inexpensive hardware security tokens. These are easily the cheapest way
for users to get a hardware-backed keypair and there is a good range of
vendors who sell them including Yubico, Feitian, Thetis and Kensington.
Hardware-backed keys offer the benefit of being considerably more
difficult to steal - an attacker typically has to steal the physical
token (or at least persistent access to it) in order to steal the key.
[…]

See the full message for all the details.

Thank you Damien (djm@) and Darren (dtucker@) (OpenSSH-portable) for this important contribution to OpenSSH security.

EuroBSDCon 2019 videos available

Contributed by Peter N. M. Hansteen from the puffy on display dept.

The EuroBSDCon channel at YouTube now has the EuroBSDCon 2019 videos online.

One good way to start is with Patricia Aas' excellent keynote Embedded Ethics and just go on, but you could also go directly to the OpenBSD-related talks:

There are, of course, other talks worth taking in from the other projects too. There is even a playlist that gives you all 28 talks! And we're already looking forward to next year in Vienna (Wien), Austria!

New openbsdstore available with 6.6 T-shirts

Contributed by Paul 'WEiRD' de Weerd from the better-clothes-for-the-emperor dept.

A new OpenBSD store has been started, for those looking for OpenBSD swag now that the project no longer produces CDs. If you like the artwork that comes with the releases, this is a great way to support it. Quoting the about page:

We believe art helps explain and define what OpenBSD is. Store managed by Job Snijders (job@) and Natasha Allegri. All profits from this store are used to pay the artists who create art for OpenBSD.

So if your old wireframe puffy shirt is getting a bit faded, or if your three-headed-daemon shirt is tearing at the seams - get a new shirt now and support artwork for the project!

OpenBSD 6.6 Released

Contributed by rueda from the ~1%-of-the-beast dept.

In a message to relevant mailing lists, Theo de Raadt (deraadt@) announced that the OpenBSD project's 47th release, OpenBSD 6.6, is now available from mirror sites worldwide.

Rather than reproducing here the full list of new features, we refer readers to the official OpenBSD 6.6 page, and the detailed changelog.

Notable changes include but are not limited to:

Those upgrading from version 6.5 should read the Upgrade Guide.

As always, readers are encouraged to show their appreciation in the conventional manner.

OpenBSD Errata

OpenBSD 6.6

006  2019-11-16  SECURITY     A regular user could change some network interface parameters due to missing checks in the ioctl(2) system call.
005  2019-11-16  RELIABILITY  A new kernel may require newer firmware images when using sysupgrade.
004  2019-11-16  RELIABILITY  The kernel could crash due to a NULL pointer dereference in net80211.
003  2019-10-31  RELIABILITY  bgpd(8) can crash on nexthop changes or during startup in certain configurations.
002  2019-10-28  RELIABILITY  Various third party applications may crash due to symbol collision.
001  2019-10-28  RELIABILITY  bpf(4) has a race condition during device removal.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]