Fresh from Bucharest is this story from Martin Pieuchot (mpi@) with his experience from p2k19:
Since I attend OpenBSD hackathons, I hear stories about how crazy the
ports hackathons are. So I try my best to look like a porter in order
to experience this craziness. I must admit p2k19 was awesome, but the
craziness of ports hackathons is still an enigma to me.
I just committed all the dependencies for OpenSSH security key (U2F)
support to base and tweaked OpenSSH to use them directly. This means
there will be no additional configuration hoops to jump through to use
U2F/FIDO2 security keys.
The ntpd options -s and -S are going to be removed soon.
At startup, the -s option no longer works and will be removed soon.
Please reconfigure to use constraints or trusted servers.
Probably after 6.7 we'll delete the warning. Maybe for 6.8 we'll remove
-s and -S from getopt, and starting with those options will fail.
Effective immediately, the -s option stops doing what you expect. It now
Big improvements have happened in ntpd recently. At startup, ntpd
aggressively tries to learn from NTP packets validated by constraints,
and set the time.
That means a smarter variation of -s is the default, but the information
is now *VALIDATED* by constraints.
2 additional constraints have been added. If you have upgraded, please
review /etc/examples/ntpd.conf for modern use.
Those who cannot use https constraints, can instead tag server lines
with the keyword "trusted", which means you believe MITM attacks are not
possible on the network to those specific NTP servers. Do this only on
servers directly connected over trusted network. If someone does
"servers pool.ntp.org trusted", we're going to have a great laugh.
We're creating something a bit complex, but our goal is for every
machine to have a close approximation of correct time. If we get
there, some good things will happen. Some serious cargo-culting
for using -s has gotten in the way (-s performs no MITM checks).
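The contrast the post draws, written out as an ntpd.conf fragment. This is an added illustration, not text from the post or the shipped /etc/examples/ntpd.conf; the constraint sources are assumptions taken from common usage and ntp.lan.example is an assumed hostname, so check the shipped example file for the current recommendation.

```conf
# Added example; not the post's text and not the shipped /etc/examples/ntpd.conf.
# Constraint sources and the hostname ntp.lan.example are assumptions.

# --- The setting the post warns against -------------------------------
# "trusted" makes ntpd accept these servers without any constraint check.
# On a public pool reached over the Internet this just recreates the
# unverified behaviour of the old -s option (no MITM check at all).
#servers pool.ntp.org trusted

# --- Validated configuration ------------------------------------------
# Unauthenticated NTP from the public pool ...
servers pool.ntp.org

# ... cross-checked against the Date header of TLS-authenticated HTTPS
# replies. NTP replies outside the constraint margin are discarded.
constraints from "https://www.google.com"
constraints from "https://www.duckduckgo.com"

# Constraints addressed by IP, so they work before name resolution does.
constraint from "9.9.9.9"
constraint from "2620:fe::fe"

# --- Only where HTTPS constraints cannot be used ----------------------
# Reserve "trusted" for a server on a directly connected network that you
# control; it bypasses the constraint check entirely (assumed hostname).
#server ntp.lan.example trusted
```

Uncommenting the pool line with "trusted" while leaving the constraints in place does not help: a trusted server is believed regardless of what the constraints say.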
Module name: src
Changes by: firstname.lastname@example.org 2019/11/07 08:46:37
etc : unbound.conf
Reenable "val-log-level: 2", so that when sites have misconfigured
dnssec the sysadmin has some idea what's going on in logs, and
"aggressive-nsec: yes", if we're using dnssec anyway we might as well
get the benefits. These were both enabled last time dnssec was enabled
in this sample unbound.conf.
from the more-than-a-token-effort dept.
In a post to the openssh-unix-dev mailing list,
Damien Miller (djm@) wrote:
As of this morning, OpenSSH now has experimental U2F/FIDO support, with
U2F being added as a new key type "email@example.com"
or "ecdsa-sk" for short (the "sk" stands for "security key").
If you're not familiar with U2F, this is an open standard for making
inexpensive hardware security tokens. These are easily the cheapest way
for users to get a hardware-backed keypair and there is a good range of
vendors who sell them including Yubico, Feitian, Thetis and Kensington.
Hardware-backed keys offer the benefit of being considerably more
difficult to steal - an attacker typically has to steal the physical
token (or at least persistent access to it) in order to steal the key.
There are, of course, other talks worth taking in from the other projects too. There is even a playlist that gives you all 28 talks! And we're already looking forward to next year in Vienna (Wien), Austria!
A new OpenBSD store has been started, for those looking for OpenBSD swag now that the project no longer produces CDs. If you like the artwork that comes with the releases, this is a great way to support it. Quoting the about page:
We believe art helps explain and define what OpenBSD is. Store managed by Job Snijders (job@) and Natasha Allegri. All profits from this store are used to pay the artists who create art for OpenBSD.
So if your old wireframe puffy shirt is getting a bit faded, or if your three-headed-daemon shirt is tearing at the seams - get a new shirt now and support artwork for the project!