We are still actively working on the spam issue.
Difference between revisions of "OpenBSD"
m (→Licensing: I don't see how the quotes were relevant.) |
(I started using OpenBSD again, so changes since 5.8) |
||
| Line 5: | Line 5: | ||
== Why? == | == Why? == | ||
| − | '''Why might I want to use OpenBSD?''' | + | '''Why might I want to use OpenBSD?''' Here are some reasons why: |
| − | Here are some reasons why: | + | * It's not Linux: OpenBSD can claim to be, for the most part, safe from many of the freedesktop.org cancers like [[systemd]] that are deservedly unpopular amongst Linux users. It also promotes portability, so that a program can run on more operating systems than just Linux (or OpenBSD for that matter). |
| − | * It's not Linux | + | * Stuck in the mud: OpenBSD tries to stick to being a faithful evolution of 4.4BSD-Lite, and instead of having Google Groups mailing lists and forums and wikis, OpenBSD has mailing lists with a [http://marc.info blessed archive] and a website that's straight out of the 90s. |
| − | * Stuck in the mud | + | * The right way: You may come to a point at one time or another where you may realise that choice is bad. Choice is bad, because it places us in a position where we must make a choice. Many things in OpenBSD have only one way of having it done and most of the time it is the best way of having it done. The example given is apmd - when enabled, it transparently manages CPU frequency and power states and handles suspend and hibernation seamlessly without any hassle. |
| − | * The right way | + | * Sane defaults: OpenBSD doesn't do stupid shit and tries to do whatever you wanted it to do out of the box first time, instead of having to fiddle around with configuration; this has a security impact as well, since if you have to do it yourself you're more likely to fuck it up. Most, if not all daemons in the base system and even in ports and packages follow best practices like chroots, priv-drop and priv-sep by default. |
| − | * Sane defaults | + | * Integration: OpenBSD is developed in a single CVS tree ''(whine whine whine... they use C... V... S...)'', which means that the developers can work with a totally integrated codebase instead of having to accommodate bits and pieces from various projects that might not work together immediately and might even have upstreams that are hostile to each other, leading Linux distributions to heavily patch packages to get things working. Again, look at apmd, which works very well because the daemon and the kernel are developed concurrently and by the same group of developers. |
| − | * Integration | + | * Proactive security: OpenBSD's policy is "don't do stupid shit". Doing the right thing with regards to security has led the project to a record of only two holes in the default installation in over 20 years. When upstream fucks up or licensing becomes a problem, the project takes it into their own hands to roll their own quality solution according to the mantra of "shut up and hack": OpenSSH, the preeminent SSH server and client implementation was borne out of the original SSH becoming non-free; LibreSSL came from years of shit coding standards, enmity with upstream and stupid vulnerabilities (Heartbleed being the one that pushed them over the edge) in OpenSSL. |
== Licensing == | == Licensing == | ||
The BSD operating systems are where the [[Licenses|BSD licence]] originated from, allowing free reuse of code even in non-free software, with the requirement that the original contributors' attributions are retained. Some would argue that this means that non-free software developers can take the original software, improve it and not give back contributions to the free and open source software community. | The BSD operating systems are where the [[Licenses|BSD licence]] originated from, allowing free reuse of code even in non-free software, with the requirement that the original contributors' attributions are retained. Some would argue that this means that non-free software developers can take the original software, improve it and not give back contributions to the free and open source software community. | ||
| − | The original code will always stay as free as the original developer intended it to, and improvements on the code are often returned | + | The original code will always stay as free as the original developer intended it to, and improvements on the code are often returned in good will for the unrestricted use of the software in the first place. |
| − | As for the licensing state of OpenBSD itself, most of the OpenBSD source inherited from BSD Net/2 and 4.4BSD-Lite stays under a traditional 3-clause BSD licence, | + | As for the licensing state of OpenBSD itself, most of the OpenBSD source inherited from BSD Net/2 and 4.4BSD-Lite stays under a traditional 3-clause BSD licence, while new programs from OpenBSD generally released under the simpler ISC licence, which excludes a clause made unneccesary by the Berne convention. The only programs released under the GPL included with OpenBSD are the GNU toolchain (GCC, binutils, GDB). |
| − | == | + | == Tips == |
| + | The following sections assume you are using a relatively recent release of OpenBSD which should be the latest release or at least released within the last year. | ||
=== Set up the shell === | === Set up the shell === | ||
| − | + | pdksh, OpenBSD's default shell, only sources {{ic|.profile}} out of the box. Add | |
export ENV="${HOME}/.kshrc" | export ENV="${HOME}/.kshrc" | ||
| − | to your | + | to your {{ic|.profile}}, and then add your interactive shell customisation to {{ic|.kshrc}}. Descendant shells will inherit {{ic|$ENV}} from the environment, so it will continue to be sourced in all shells in the session including those in an X session. |
| + | |||
| + | pdksh supports most of the {{ic|$PS1}} escapes from bash, so add | ||
| + | PS1="\W \$ " | ||
| + | to your {{ic|.kshrc}} to show your current directory. | ||
=== Privilege escalation === | === Privilege escalation === | ||
| − | + | sudo, the privilege escalation tool used in many Linux distributions, was replaced by doas in OpenBSD 5.8, a far smaller tool; the rationale being that most sudo users don't use 99% of it's features and therefore, it was decreed that a simpler and smaller tool be written. | |
| − | This is an example | + | |
| − | + | To set doas up, you need to edit {{ic|/etc/doas.conf}}. This is an example {{ic|doas.conf}}: | |
| − | + | {{bc|permit :wheel as root | |
| − | This allows all users in the | + | permit nopass root}} |
| − | === | + | You can check the {{ic|doas.conf}} like this: |
| − | + | # doas -C /etc/doas.conf | |
| − | Remote repositories can be any of the mirrors listed here. For this example, we will use the | + | This allows all users in the wheel group to run commands as root. If you added a user account with the OpenBSD installer, it will have added it to the wheel group already. It also allows root to run commands without a password for all users on the system. |
| − | Add this to | + | === Setting up package management === |
| − | + | Instead of downloading a repository database, the OpenBSD package utilities consult a remote mirror or local package store specified either in {{ic|/etc/pkg.conf}} or alternatively in the environment variable {{ic|$PKG_PATH}} for every request. | |
| − | where | + | Remote repositories can be any of the mirrors listed [https://www.openbsd.org/ftp.html here]. For this example, we will use the ftp.openbsd.org mirror, ran by Theo in Canada. |
| − | + | Add this to {{ic|/etc/pkg.conf}}: | |
| − | + | installpath = http://ftp.openbsd.org/pub/OpenBSD/packages/6.0/amd64 | |
| − | + | where 6.0 is your version number, amd64 is your architecture and the beginning of the path replaced with whatever mirror you chose. If you [[#Privilege escalation|set up doas]], you can begin installing programs from your normal user account like so: {{bc|$ doas pkg_add irssi | |
| − | + | doas ([email protected]) password: | |
| − | + | quirks-2.241 signed on 2016-07-26T16:56:10Z | |
| − | + | Ambiguous: choose package for irssi | |
| − | + | a 0: <None> | |
| − | + | 1: irssi-0.8.19 | |
| − | + | 2: irssi-0.8.19-socks | |
| + | Your choice: 1 | ||
| + | irssi-0.8.19: ok}} | ||
Read the [[Package manager#OpenBSD|package management]] article for more on how to use the OpenBSD package management system. | Read the [[Package manager#OpenBSD|package management]] article for more on how to use the OpenBSD package management system. | ||
=== Init scripts === | === Init scripts === | ||
| − | The OpenBSD init system is configured in | + | The OpenBSD init system is configured in the file {{ic|/etc/rc.conf.local}}. It is advised that you only put '''used''' entries into {{ic|rc.conf.local}}, however it is easier to simply copy {{ic|rc.conf}} to {{ic|rc.conf.local}} and edit it there. |
Any system daemon can be enabled by setting it's <tt>_flags</tt> variable to blank or to pass flags to the daemon, and can be disabled by setting it to <tt>NO</tt>. | Any system daemon can be enabled by setting it's <tt>_flags</tt> variable to blank or to pass flags to the daemon, and can be disabled by setting it to <tt>NO</tt>. | ||
| − | Daemons from packages/ports are specified in the <tt>pkg_scripts</tt> variable. For example, here is a configuration for starting [[DNSCrypt]] and [[Tor]] as system daemons. | + | Daemons from packages/ports are specified in the <tt>pkg_scripts</tt> variable. For example, here is a configuration for starting [[DNSCrypt]] and [[Tor]] as system daemons.{{bc|<nowiki># rc.d(8) packages scripts |
| − | + | # started in the specified order and stopped in reverse order | |
| − | + | dnscrypt_proxy_flags="-R dnscrypt.eu-dk -a 127.0.0.1:40" | |
| − | + | pkg_scripts="dnscrypt_proxy tor"</nowiki>}} | |
| − | |||
The init scripts will load DNSCrypt first, passing to it the flags to choose DNS server and port, and then start Tor. | The init scripts will load DNSCrypt first, passing to it the flags to choose DNS server and port, and then start Tor. | ||
=== Full disk encryption === | === Full disk encryption === | ||
Full disk encryption in OpenBSD is achieved through the use of <tt>softraid</tt>. | Full disk encryption in OpenBSD is achieved through the use of <tt>softraid</tt>. | ||
| − | Boot up the OpenBSD install media and wait until you come to this prompt. | + | Boot up the OpenBSD install media and wait until you come to this prompt. {{bc|erase ^?, werase ^W, kill ^U, intr ^C, status ^T |
| − | + | Welcome to the OpenBSD/amd64 6.0 installation program. | |
| − | + | (I)nstall, (U)pgrade, (A)utoinstall or (S)hell?}} | |
| − | + | Choose {{ic|s}} to drop into a root shell. If you do not have any other partitions that you need on your disk, initialise the MBR of the first SATA disk with this command: | |
| − | Choose | ||
# fdisk -iy sd0 | # fdisk -iy sd0 | ||
| − | Now proceed to partition the disk and create a | + | You'll need to look at the {{ic|wd?}} disks |
| − | + | Now proceed to partition the disk and create a RAID type partition on {{ic|a}}, perhaps like this: {{bc|> a a | |
| − | + | offset: [whatever] | |
| − | + | size: [whatever] | |
| − | + | FS type: [4.2BSD] RAID | |
| − | + | > w | |
| − | + | > q}} | |
''Blank lines signify a blank line with enter typed.'' | ''Blank lines signify a blank line with enter typed.'' | ||
| − | To initialise the RAID partition with a passphrase, type: | + | To initialise the RAID partition with a passphrase, type: {{bc|# bioctl -c C -r auto -l sd0a softraid0 |
| − | + | Passphrase: | |
| − | + | Verify passphrase:}} | |
| − | + | {{ic|-r auto}} is a surefire way to increase the iterations of the PBKDF2 key derivation function which should increase it's resilience against brute-forcing. | |
| − | You should see a dmesg message showing that | + | You should see a dmesg message showing that a new disk with your encrypted partition was attached to the system. Exit the shell with {{ic|^D}} or {{ic|exit}}, enter the installer with {{ic|i}} and when the installer asks you for your root disk, choose that disk instead (if you type {{ic|?}}, the disk should be listed as {{ic|SOFTRAID}}). The OpenBSD bootloader transparently handles full disk encryption and will ask you for your passphrase when loading the kernel. |
[[Category:BSD]] | [[Category:BSD]] | ||
[[Category:Operating systems]] | [[Category:Operating systems]] | ||
Revision as of 18:16, 25 October 2016
This dongle is a OpenBSD is a free, multi-platform 4.4BSD based Unix-like operating system, part of the BSD family. The OpenBSD project's efforts emphasize portability, correctness, proactive security and integrated cryptography, although you probably already know this by now.
Contents
Why?
Why might I want to use OpenBSD? Here are some reasons why:
- It's not Linux: OpenBSD can claim to be, for the most part, safe from many of the freedesktop.org cancers like systemd that are deservedly unpopular amongst Linux users. It also promotes portability, so that a program can run on more operating systems than just Linux (or OpenBSD for that matter).
- Stuck in the mud: OpenBSD tries to stick to being a faithful evolution of 4.4BSD-Lite, and instead of having Google Groups mailing lists and forums and wikis, OpenBSD has mailing lists with a blessed archive and a website that's straight out of the 90s.
- The right way: You may come to a point at one time or another where you may realise that choice is bad. Choice is bad, because it places us in a position where we must make a choice. Many things in OpenBSD have only one way of having it done and most of the time it is the best way of having it done. The example given is apmd - when enabled, it transparently manages CPU frequency and power states and handles suspend and hibernation seamlessly without any hassle.
- Sane defaults: OpenBSD doesn't do stupid shit and tries to do whatever you wanted it to do out of the box first time, instead of having to fiddle around with configuration; this has a security impact as well, since if you have to do it yourself you're more likely to fuck it up. Most, if not all daemons in the base system and even in ports and packages follow best practices like chroots, priv-drop and priv-sep by default.
- Integration: OpenBSD is developed in a single CVS tree (whine whine whine... they use C... V... S...), which means that the developers can work with a totally integrated codebase instead of having to accommodate bits and pieces from various projects that might not work together immediately and might even have upstreams that are hostile to each other, leading Linux distributions to heavily patch packages to get things working. Again, look at apmd, which works very well because the daemon and the kernel are developed concurrently and by the same group of developers.
- Proactive security: OpenBSD's policy is "don't do stupid shit". Doing the right thing with regards to security has led the project to a record of only two holes in the default installation in over 20 years. When upstream fucks up or licensing becomes a problem, the project takes it into their own hands to roll their own quality solution according to the mantra of "shut up and hack": OpenSSH, the preeminent SSH server and client implementation was borne out of the original SSH becoming non-free; LibreSSL came from years of shit coding standards, enmity with upstream and stupid vulnerabilities (Heartbleed being the one that pushed them over the edge) in OpenSSL.
Licensing
The BSD operating systems are where the BSD licence originated from, allowing free reuse of code even in non-free software, with the requirement that the original contributors' attributions are retained. Some would argue that this means that non-free software developers can take the original software, improve it and not give back contributions to the free and open source software community.
The original code will always stay as free as the original developer intended it to, and improvements on the code are often returned in good will for the unrestricted use of the software in the first place.
As for the licensing state of OpenBSD itself, most of the OpenBSD source inherited from BSD Net/2 and 4.4BSD-Lite stays under a traditional 3-clause BSD licence, while new programs from OpenBSD generally released under the simpler ISC licence, which excludes a clause made unneccesary by the Berne convention. The only programs released under the GPL included with OpenBSD are the GNU toolchain (GCC, binutils, GDB).
Tips
The following sections assume you are using a relatively recent release of OpenBSD which should be the latest release or at least released within the last year.
Set up the shell
pdksh, OpenBSD's default shell, only sources .profile out of the box. Add
export ENV="${HOME}/.kshrc"
to your .profile, and then add your interactive shell customisation to .kshrc. Descendant shells will inherit $ENV from the environment, so it will continue to be sourced in all shells in the session including those in an X session.
pdksh supports most of the $PS1 escapes from bash, so add
PS1="\W \$ "
to your .kshrc to show your current directory.
Privilege escalation
sudo, the privilege escalation tool used in many Linux distributions, was replaced by doas in OpenBSD 5.8, a far smaller tool; the rationale being that most sudo users don't use 99% of it's features and therefore, it was decreed that a simpler and smaller tool be written.
To set doas up, you need to edit /etc/doas.conf. This is an example doas.conf:
permit :wheel as root permit nopass root
You can check the doas.conf like this:
# doas -C /etc/doas.conf
This allows all users in the wheel group to run commands as root. If you added a user account with the OpenBSD installer, it will have added it to the wheel group already. It also allows root to run commands without a password for all users on the system.
Setting up package management
Instead of downloading a repository database, the OpenBSD package utilities consult a remote mirror or local package store specified either in /etc/pkg.conf or alternatively in the environment variable $PKG_PATH for every request.
Remote repositories can be any of the mirrors listed here. For this example, we will use the ftp.openbsd.org mirror, ran by Theo in Canada.
Add this to /etc/pkg.conf:
installpath = http://ftp.openbsd.org/pub/OpenBSD/packages/6.0/amd64
where 6.0 is your version number, amd64 is your architecture and the beginning of the path replaced with whatever mirror you chose. If you set up doas, you can begin installing programs from your normal user account like so:
$ doas pkg_add irssi doas ([email protected]) password: quirks-2.241 signed on 2016-07-26T16:56:10Z Ambiguous: choose package for irssi a 0: <None> 1: irssi-0.8.19 2: irssi-0.8.19-socks Your choice: 1 irssi-0.8.19: ok
Read the package management article for more on how to use the OpenBSD package management system.
Init scripts
The OpenBSD init system is configured in the file /etc/rc.conf.local. It is advised that you only put used entries into rc.conf.local, however it is easier to simply copy rc.conf to rc.conf.local and edit it there.
Any system daemon can be enabled by setting it's _flags variable to blank or to pass flags to the daemon, and can be disabled by setting it to NO.
Daemons from packages/ports are specified in the pkg_scripts variable. For example, here is a configuration for starting DNSCrypt and Tor as system daemons.
# rc.d(8) packages scripts # started in the specified order and stopped in reverse order dnscrypt_proxy_flags="-R dnscrypt.eu-dk -a 127.0.0.1:40" pkg_scripts="dnscrypt_proxy tor"
The init scripts will load DNSCrypt first, passing to it the flags to choose DNS server and port, and then start Tor.
Full disk encryption
Full disk encryption in OpenBSD is achieved through the use of softraid.
Boot up the OpenBSD install media and wait until you come to this prompt.
erase ^?, werase ^W, kill ^U, intr ^C, status ^T Welcome to the OpenBSD/amd64 6.0 installation program. (I)nstall, (U)pgrade, (A)utoinstall or (S)hell?
Choose s to drop into a root shell. If you do not have any other partitions that you need on your disk, initialise the MBR of the first SATA disk with this command:
# fdisk -iy sd0
You'll need to look at the wd? disks
Now proceed to partition the disk and create a RAID type partition on a, perhaps like this:
> a a offset: [whatever] size: [whatever] FS type: [4.2BSD] RAID > w > q
Blank lines signify a blank line with enter typed.
To initialise the RAID partition with a passphrase, type:
# bioctl -c C -r auto -l sd0a softraid0 Passphrase: Verify passphrase:
-r auto is a surefire way to increase the iterations of the PBKDF2 key derivation function which should increase it's resilience against brute-forcing.
You should see a dmesg message showing that a new disk with your encrypted partition was attached to the system. Exit the shell with ^D or exit, enter the installer with i and when the installer asks you for your root disk, choose that disk instead (if you type ?, the disk should be listed as SOFTRAID). The OpenBSD bootloader transparently handles full disk encryption and will ask you for your passphrase when loading the kernel.
