
Episode 070: Daemons in the North

2014-12-31


This episode was brought to you by

iXsystems - Enterprise servers and storage for open source
Tarsnap - online backups for the truly paranoid


Headlines

More conference presentation videos


OpenBSD PIE enhancements

  • ASLR and PIE are great security features that OpenBSD has had enabled by default for a long time, in both the base system and ports, but they have one inherent problem
  • They only work with dynamic libraries and binaries, so if you have any static binaries, they don't get the same treatment
  • For example, the default shells (and many other things in /bin and /sbin) are statically linked
  • In the case of the static ones, you can always predict the memory layout, which is very bad and sort of defeats the whole purpose
  • With this and a few related commits, OpenBSD fixes this by introducing static self-relocation
  • More and more CPU architectures are being tested and getting support too; this isn't just for amd64 and i386 - VAX users can rest easy
  • It'll be available in 5.7 in May, or you can use a -current snapshot if you want to get a slice of the action now

FreeBSD foundation semi-annual newsletter

  • The FreeBSD foundation publishes a huge newsletter twice a year, detailing their funded projects and some community activities
  • As always, it starts with a letter from the president of the foundation - this time it's about encouraging students and new developers to get involved
  • The article also has a fundraising update with a list of sponsored projects, and they note that the donations meter has changed from dollars to number of donors (since they exceeded the goal already)
  • You can read summaries of all the BSD conferences of 2014 and see a list of upcoming ones next year too
  • There are also sections about the FreeBSD Journal's progress, a new staff member and a testimonial from NetApp
  • It's a very long report, so dedicate some time to read all the way through it
  • This year was pretty great for BSD: both the FreeBSD and OpenBSD foundations exceeded their goals and the NetBSD foundation came really close too
  • As we go into 2015, consider donating to whichever BSD you use, it really can make a difference

Modernizing OpenSSH fingerprints

  • When you connect to a server for the first time, you'll get what's called a fingerprint of the host's public key - this is used to verify that you're actually talking to the same server you intended to
  • Up until now, the key fingerprints have been an MD5 hash, displayed as hex
  • This can be problematic, especially for larger key types like RSA that give lots of wiggle room for collisions, as an attacker could generate a fake host key that gives the same MD5 string as the one you wanted to connect to
  • This new change replaces the default MD5 and hex with a base64-encoded SHA256 fingerprint
  • You can add a "FingerprintHash" line in your ssh_config to force using only the new type
  • There's also a new option to require users to authenticate with more than one public key, so you can really lock down login access to your servers - also useful if you're not 100% confident in any single key type
  • The new options should be in the upcoming 6.8 release
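
To see the two fingerprint formats side by side, the following added example (not code from OpenSSH or from the show) derives both from a public key line and accepts only the SHA256 form when checking a fingerprint obtained out of band. The sample key is constructed placeholder bytes and the function names are hypothetical.

```python
import base64, hashlib, hmac, struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: an ssh-ed25519 blob holding 32 placeholder bytes, not a real key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " host.example"

def key_blob(pubkey_line: str) -> bytes:
    """Decode the key blob from a 'type base64 [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with its own key type; it must agree with the first field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match blob")
    return blob

def fingerprint_md5(pubkey_line: str) -> str:
    """Old default: MD5 of the blob, shown as colon-separated hex."""
    digest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(pubkey_line: str) -> str:
    """New default: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches(pubkey_line: str, expected: str) -> bool:
    """Check a fingerprint obtained out of band; MD5-style values are refused."""
    if not expected.startswith("SHA256:"):
        return False
    actual = fingerprint_sha256(pubkey_line).encode()
    return hmac.compare_digest(actual, expected.encode())

if __name__ == "__main__":
    print("old:", fingerprint_md5(SAMPLE_LINE))
    print("new:", fingerprint_sha256(SAMPLE_LINE))
```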

Interview - Dan Langille - info@bsdcan.org / @bsdcan

Plans for the BSDCan 2015 conference


News Roundup

Introducing ntimed, a new NTP daemon

  • As we've mentioned before in our tutorials, there are two main daemons for the Network Time Protocol - ISC's NTPd and OpenBSD's OpenNTPD
  • With all the recent security problems with ISC's NTPd, Poul-Henning Kamp has been working on a third NTP daemon
  • It's called "ntimed" and you can try out a preview version of it right now - it's in FreeBSD ports or on Github
  • PHK also has a few blog entries about the project, including status updates

OpenBSD-maintained projects list

  • There was recently a thread on the misc mailing list asking about different projects started by OpenBSD developers
  • The initial list had marks for which software had portable versions to other operating systems (OpenSSH being the most popular example)
  • A developer compiled a new list from all of the replies to that thread into a nice organized webpage
  • Most people are only familiar with things like OpenSSH, OpenSMTPD, OpenNTPD and more recently LibreSSL, but there are quite a lot more
  • This page also serves as a good history lesson for BSD in general: FreeBSD and others have ported some things over, while a couple OpenBSD tools were born from forks of FreeBSD tools (mergemaster, pkg tools, portscout)

Monitoring network traffic with FreeBSD

  • If you've ever been curious about monitoring network traffic on your FreeBSD boxes, this forum post may be exactly the thing for you
  • It'll show you how to combine the Netflow, NfDump and NfSen suite of tools to get some pretty detailed network stats (and of course put them into a fancy webpage)
  • This is especially useful for finding out what was going on at a certain point in time, for example if you had a traffic spike

Trapping spammers with spamd

  • This is a blog post about OpenBSD's spamd - a spam email deferral daemon - and how to use it for your mail
  • It gives some background on the greylisting approach to spam, rather than just a typical host blacklist
  • "Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the sender re-attempts mail delivery at a later time, the sender may be allowed to continue the mail delivery conversation."
  • The post also shows how to combine it with PF and other tools for a pretty fancy mail setup
  • You can find spamd in the OpenBSD base system, or use it with FreeBSD or NetBSD via ports and pkgsrc
  • You might also want to go back and listen to BSDTalk episode 68, where Will talks to Bob Beck about spamd
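
The greylisting decision quoted above can be modelled in a few lines. This is an added, simplified sketch and not spamd's own code: the class and method names are hypothetical, and the three timing constants are assumptions modelled on the passtime, grey expiry and white expiry defaults described in spamd's manual.

```python
from dataclasses import dataclass, field

PASSTIME = 25 * 60     # assumed: a retry only counts this long after the first attempt
GREYEXP = 4 * 3600     # assumed: a grey entry that is never retried is forgotten
WHITEEXP = 864 * 3600  # assumed: a whitelisted entry expires if unused this long

TEMPFAIL, ACCEPT = 451, 250  # SMTP reply codes: try again later / OK

@dataclass
class Greylist:
    grey: dict = field(default_factory=dict)   # tuple -> time first seen
    white: dict = field(default_factory=dict)  # tuple -> time last seen

    def check(self, ip: str, mail_from: str, rcpt_to: str, now: int) -> int:
        """Return the SMTP reply code for one delivery attempt at time `now` (seconds)."""
        key = (ip, mail_from.lower(), rcpt_to.lower())

        last = self.white.get(key)
        if last is not None:
            if now - last <= WHITEEXP:
                self.white[key] = now          # known sender: refresh and accept
                return ACCEPT
            del self.white[key]                # stale whitelist entry: start over

        first = self.grey.get(key)
        if first is None or now - first > GREYEXP:
            self.grey[key] = now               # unknown (or expired) tuple: defer
            return TEMPFAIL
        if now - first < PASSTIME:
            return TEMPFAIL                    # retried too quickly: keep deferring

        del self.grey[key]                     # a patient retry earns a whitelist entry
        self.white[key] = now
        return ACCEPT

def replay(events):
    """Run constructed (time, ip, from, to) attempts through a fresh greylist."""
    gl = Greylist()
    return [gl.check(ip, frm, to, t) for t, ip, frm, to in events]

if __name__ == "__main__":
    # Constructed sample attempts using documentation addresses.
    a = ("192.0.2.10", "alice@example.org", "bob@example.net")
    print(replay([(0, *a), (60, *a), (26 * 60, *a), (27 * 60, *a)]))
```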

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv - if you do anything cool with BSD, tell us about it
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • Have a happy new year, and make 2015 the year you finally switch over to BSD
