Skip to main content.

Episode 070: Daemons in the North


Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent

This episode was brought to you by

iXsystems - Enterprise servers and storage for open sourceTarsnap - online backups for the truly paranoid


More conference presentation videos

OpenBSD PIE enhancements

  • ASLR and PIE are great security features that OpenBSD has had enabled by default for a long time, in both the base system and ports, but they have one inherent problem
  • They only work with dynamic libraries and binaries, so if you have any static binaries, they don't get the same treatment
  • For example, the default shells (and many other things in /bin and /sbin) are statically linked
  • In the case of the static ones, you can always predict the memory layout, which is very bad and sort of defeats the whole purpose
  • With this and a few related commits, OpenBSD fixes this by introducing static self-relocation
  • More and more CPU architectures are being tested and getting support too; this isn't just for amd64 and i386 - VAX users can rest easy
  • It'll be available in 5.7 in May, or you can use a -current snapshot if you want to get a slice of the action now

FreeBSD foundation semi-annual newsletter

  • The FreeBSD foundation publishes a huge newsletter twice a year, detailing their funded projects and some community activities
  • As always, it starts with a letter from the president of the foundation - this time it's about encouraging students and new developers to get involved
  • The article also has a fundraising update with a list of sponsored projects, and they note that the donations meter has changed from dollars to number of donors (since they exceeded the goal already)
  • You can read summaries of all the BSD conferences of 2014 and see a list of upcoming ones next year too
  • There are also sections about the FreeBSD Journal's progress, a new staff member and a testimonial from NetApp
  • It's a very long report, so dedicate some time to read all the way through it
  • This year was pretty great for BSD: both the FreeBSD and OpenBSD foundations exceeded their goals and the NetBSD foundation came really close too
  • As we go into 2015, consider donating to whichever BSD you use, it really can make a difference

Modernizing OpenSSH fingerprints

  • When you connect to a server for the first time, you'll get what's called a fingerprint of the host's public key - this is used to verify that you're actually talking to the same server you intended to
  • Up until now, the key fingerprints have been an MD5 hash, displayed as hex
  • This can be problematic, especially for larger key types like RSA that give lots of wiggle room for collisions, as an attacker could generate a fake host key that gives the same MD5 string as the one you wanted to connect to
  • This new change replaces the default MD5 and hex with a base64-encoded SHA256 fingerprint
  • You can add a "FingerprintHash" line in your ssh_config to force using only the new type
  • There's also a new option to require users to authenticate with more than one public key, so you can really lock down login access to your servers - also useful if you're not 100% confident in any single key type
  • The new options should be in the upcoming 6.8 release

Interview - Dan Langille - / @bsdcan

Plans for the BSDCan 2015 conference

News Roundup

Introducing ntimed, a new NTP daemon

  • As we've mentioned before in our tutorials, there are two main daemons for the Network Time Protocol - ISC's NTPd and OpenBSD's OpenNTPD
  • With all the recent security problems with ISC's NTPd, Poul-Henning Kamp has been working on a third NTP daemon
  • It's called "ntimed" and you can try out a preview version of it right now - it's in FreeBSD ports or on Github
  • PHK also has a few blog entries about the project, including status updates

OpenBSD-maintained projects list

  • There was recently a read on the misc mailing list asking about different projects started by OpenBSD developers
  • The initial list had marks for which software had portable versions to other operating systems (OpenSSH being the most popular example)
  • A developer compiled a new list from all of the replies to that thread into a nice organized webpage
  • Most people are only familiar with things like OpenSSH, OpenSMTPD, OpenNTPD and more recently LibreSSL, but there are quite a lot more
  • This page also serves as a good history lesson for BSD in general: FreeBSD and others have ported some things over, while a couple OpenBSD tools were born from forks of FreeBSD tools (mergemaster, pkg tools, portscout)

Monitoring network traffic with FreeBSD

  • If you've ever been curious about monitoring network traffic on your FreeBSD boxes, this forum post may be exactly the thing for you
  • It'll show you how to combine the Netflow, NfDump and NfSen suite of tools to get some pretty detailed network stats (and of course put them into a fancy webpage)
  • This is especially useful for finding out what was going on at a certain point in time, for example if you had a traffic spike

Trapping spammers with spamd

  • This is a blog post about OpenBSD's spamd - a spam email deferral daemon - and how to use it for your mail
  • It gives some background on the greylisting approach to spam, rather than just a typical host blacklist
  • "Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the sender re-attempts mail delivery at a later time, the sender may be allowed to continue the mail delivery conversation."
  • The post also shows how to combine it with PF and other tools for a pretty fancy mail setup
  • You can find spamd in the OpenBSD base system, or use it with FreeBSD or NetBSD via ports and pkgsrc
  • You might also want to go back and listen to BSDTalk episode 68, where Will talks to Bob Beck about spamd


Mailing List Gold

  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to - if you do anything cool with BSD, tell us about it
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • Have a happy new year, and make 2015 the year you finally switch over to BSD

Latest News

Two Year Anniversary


We're quickly approaching our two-year anniversary, which will be on episode 105. To celebrate, we've created a unique t-shirt design, available for purchase until the end of August. Shirts will be shipped out around September 1st. Most of the proceeds will support the show, and specifically allow us to buy...

New discussion segment


We're thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It's meant to be informative like a tutorial, but more of a "free discussion" format. If you have any subjects you want us to explore, or even just a good name...

How did you get into BSD?


We've got a fun idea for the holidays this year: just like we ask during the interviews, we want to hear how all the viewers and listeners first got into BSD. Email us your story, either written or a video version, and we'll read and play some of them for...

EuroBSDCon 2014


As you might expect, both Allan and Kris will be at EuroBSDCon this year. They'll be busy hunting down various BSD developers and forcing them to do interviews, but don't hesitate to say hi if you're a listener!...

Episode 164: Virtualized COW / PI?


Direct Download:VideoHD VideoMP3 AudioOGG AudioTorrent This episode was brought to you by Headlines vmm enabled VMM, the OpenBSD hypervisor, has been imported into current It has similar hardware requirements to bhyve, a Intel Nehalem or newer CPU with the hardware virtualization features enabled in the BIOS AMD support has not been started yet OpenBSD is the...

Episode 163: Return of the Cantrill


Direct Download:VideoHD VideoMP3 AudioOGG AudioTorrent This episode was brought to you by Headlines FreeBSD 11.0-RELEASE Now Available FreeBSD 11.0-RELEASE is now officially out. A last minute reroll to pickup OpenSSL updates and a number of other security fixes meant the release was a little behind schedule, and shipped as 11.0-RELEASE-p1, but the release is better...

Episode 162: The Foundation of NetBSD


Direct Download:VideoHD VideoMP3 AudioOGG AudioTorrent This episode was brought to you by Headlines What is new on EC2 for FreeBSD 11.0-RELEASE “FreeBSD 11.0-RELEASE is just around the corner, and it will be bringing a long list of new features and improvements — far too many for me to list here. I think there are...

Episode 161: The BSD Bromance


Direct Download:VideoHD VideoMP3 AudioOGG AudioTorrent This episode was brought to you by Headlines EuroBSDCon 2016 Wrapup Ollivier Robert’s Photos from EuroBSDCon Get your BSDNow die-cut stickers NetBSD for newbies - Develop your own Power PC We don’t get to feature too many stories on NetBSD being deployed as a Power PC (Not PowerPC, you...