Skip to main content.

Episode 070: Daemons in the North


Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent

This episode was brought to you by

iXsystems - Enterprise servers and storage for open sourceTarsnap - online backups for the truly paranoid


More conference presentation videos

OpenBSD PIE enhancements

  • ASLR and PIE are great security features that OpenBSD has had enabled by default for a long time, in both the base system and ports, but they have one inherent problem
  • They only work with dynamic libraries and binaries, so if you have any static binaries, they don't get the same treatment
  • For example, the default shells (and many other things in /bin and /sbin) are statically linked
  • In the case of the static ones, you can always predict the memory layout, which is very bad and sort of defeats the whole purpose
  • With this and a few related commits, OpenBSD fixes this by introducing static self-relocation
  • More and more CPU architectures are being tested and getting support too; this isn't just for amd64 and i386 - VAX users can rest easy
  • It'll be available in 5.7 in May, or you can use a -current snapshot if you want to get a slice of the action now

FreeBSD foundation semi-annual newsletter

  • The FreeBSD foundation publishes a huge newsletter twice a year, detailing their funded projects and some community activities
  • As always, it starts with a letter from the president of the foundation - this time it's about encouraging students and new developers to get involved
  • The article also has a fundraising update with a list of sponsored projects, and they note that the donations meter has changed from dollars to number of donors (since they exceeded the goal already)
  • You can read summaries of all the BSD conferences of 2014 and see a list of upcoming ones next year too
  • There are also sections about the FreeBSD Journal's progress, a new staff member and a testimonial from NetApp
  • It's a very long report, so dedicate some time to read all the way through it
  • This year was pretty great for BSD: both the FreeBSD and OpenBSD foundations exceeded their goals and the NetBSD foundation came really close too
  • As we go into 2015, consider donating to whichever BSD you use, it really can make a difference

Modernizing OpenSSH fingerprints

  • When you connect to a server for the first time, you'll get what's called a fingerprint of the host's public key - this is used to verify that you're actually talking to the same server you intended to
  • Up until now, the key fingerprints have been an MD5 hash, displayed as hex
  • This can be problematic, especially for larger key types like RSA that give lots of wiggle room for collisions, as an attacker could generate a fake host key that gives the same MD5 string as the one you wanted to connect to
  • This new change replaces the default MD5 and hex with a base64-encoded SHA256 fingerprint
  • You can add a "FingerprintHash" line in your ssh_config to force using only the new type
  • There's also a new option to require users to authenticate with more than one public key, so you can really lock down login access to your servers - also useful if you're not 100% confident in any single key type
  • The new options should be in the upcoming 6.8 release

Interview - Dan Langille - / @bsdcan

Plans for the BSDCan 2015 conference

News Roundup

Introducing ntimed, a new NTP daemon

  • As we've mentioned before in our tutorials, there are two main daemons for the Network Time Protocol - ISC's NTPd and OpenBSD's OpenNTPD
  • With all the recent security problems with ISC's NTPd, Poul-Henning Kamp has been working on a third NTP daemon
  • It's called "ntimed" and you can try out a preview version of it right now - it's in FreeBSD ports or on Github
  • PHK also has a few blog entries about the project, including status updates

OpenBSD-maintained projects list

  • There was recently a read on the misc mailing list asking about different projects started by OpenBSD developers
  • The initial list had marks for which software had portable versions to other operating systems (OpenSSH being the most popular example)
  • A developer compiled a new list from all of the replies to that thread into a nice organized webpage
  • Most people are only familiar with things like OpenSSH, OpenSMTPD, OpenNTPD and more recently LibreSSL, but there are quite a lot more
  • This page also serves as a good history lesson for BSD in general: FreeBSD and others have ported some things over, while a couple OpenBSD tools were born from forks of FreeBSD tools (mergemaster, pkg tools, portscout)

Monitoring network traffic with FreeBSD

  • If you've ever been curious about monitoring network traffic on your FreeBSD boxes, this forum post may be exactly the thing for you
  • It'll show you how to combine the Netflow, NfDump and NfSen suite of tools to get some pretty detailed network stats (and of course put them into a fancy webpage)
  • This is especially useful for finding out what was going on at a certain point in time, for example if you had a traffic spike

Trapping spammers with spamd

  • This is a blog post about OpenBSD's spamd - a spam email deferral daemon - and how to use it for your mail
  • It gives some background on the greylisting approach to spam, rather than just a typical host blacklist
  • "Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the sender re-attempts mail delivery at a later time, the sender may be allowed to continue the mail delivery conversation."
  • The post also shows how to combine it with PF and other tools for a pretty fancy mail setup
  • You can find spamd in the OpenBSD base system, or use it with FreeBSD or NetBSD via ports and pkgsrc
  • You might also want to go back and listen to BSDTalk episode 68, where Will talks to Bob Beck about spamd


Mailing List Gold

  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to - if you do anything cool with BSD, tell us about it
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • Have a happy new year, and make 2015 the year you finally switch over to BSD

Latest News

New announcement


We understand that Michael Dexter, Brad Davis, and George Rosamond think there should be more real news....

Two Year Anniversary


We're quickly approaching our two-year anniversary, which will be on episode 105. To celebrate, we've created a unique t-shirt design, available for purchase until the end of August. Shirts will be shipped out around September 1st. Most of the proceeds will support the show, and specifically allow us to buy...

New discussion segment


We're thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It's meant to be informative like a tutorial, but more of a "free discussion" format. If you have any subjects you want us to explore, or even just a good name...

How did you get into BSD?


We've got a fun idea for the holidays this year: just like we ask during the interviews, we want to hear how all the viewers and listeners first got into BSD. Email us your story, either written or a video version, and we'll read and play some of them for...

Episode 281: EPYC Server battle


Direct Download:MP3 AudioVideo Headlines scp client multiple vulnerabilities Overview SCP clients from multiple vendors are susceptible to a malicious scp server performing unauthorized changes to target directory and/or client output manipulation. Description Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and...

Episode 280: FOSS clothing


Direct Download:MP3 AudioVideo Headlines A EULA in FOSS clothing? There was a tremendous amount of reaction to and discussion about my blog entry on the midlife crisis in open source. As part of this discussion on HN, Jay Kreps of Confluent took the time to write a detailed response — which...

Episode 279: Future of ZFS


Direct Download:MP3 AudioVideo Headlines The future of ZFS in FreeBSD The sources for FreeBSD's ZFS support are currently taken directly from Illumos with local ifdefs to support the peculiarities of FreeBSD where the Solaris Portability Layer (SPL) shims fall short. FreeBSD has regularly pulled changes from Illumos and tried to push...

Episode 278: The real McCoy


Direct Download:MP3 AudioVideo Interview - Kirk McKusick - 25 years of FreeBSD How Kirk got started in BSD, at the very beginning Predicting the Future How the code and community grew The leadership of the project, and how it changed over time UFS over the years (reading disks from 1982 in 2018) Conferences The rise and fall of...