Skip to main content.

Episode 070: Daemons in the North

2014-12-31

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent

This episode was brought to you by

iXsystems - Enterprise servers and storage for open sourceTarsnap - online backups for the truly paranoid


Headlines

More conference presentation videos


OpenBSD PIE enhancements

  • ASLR and PIE are great security features that OpenBSD has had enabled by default for a long time, in both the base system and ports, but they have one inherent problem
  • They only work with dynamic libraries and binaries, so if you have any static binaries, they don't get the same treatment
  • For example, the default shells (and many other things in /bin and /sbin) are statically linked
  • In the case of the static ones, you can always predict the memory layout, which is very bad and sort of defeats the whole purpose
  • With this and a few related commits, OpenBSD fixes this by introducing static self-relocation
  • More and more CPU architectures are being tested and getting support too; this isn't just for amd64 and i386 - VAX users can rest easy
  • It'll be available in 5.7 in May, or you can use a -current snapshot if you want to get a slice of the action now

FreeBSD foundation semi-annual newsletter

  • The FreeBSD foundation publishes a huge newsletter twice a year, detailing their funded projects and some community activities
  • As always, it starts with a letter from the president of the foundation - this time it's about encouraging students and new developers to get involved
  • The article also has a fundraising update with a list of sponsored projects, and they note that the donations meter has changed from dollars to number of donors (since they exceeded the goal already)
  • You can read summaries of all the BSD conferences of 2014 and see a list of upcoming ones next year too
  • There are also sections about the FreeBSD Journal's progress, a new staff member and a testimonial from NetApp
  • It's a very long report, so dedicate some time to read all the way through it
  • This year was pretty great for BSD: both the FreeBSD and OpenBSD foundations exceeded their goals and the NetBSD foundation came really close too
  • As we go into 2015, consider donating to whichever BSD you use, it really can make a difference

Modernizing OpenSSH fingerprints

  • When you connect to a server for the first time, you'll get what's called a fingerprint of the host's public key - this is used to verify that you're actually talking to the same server you intended to
  • Up until now, the key fingerprints have been an MD5 hash, displayed as hex
  • This can be problematic, especially for larger key types like RSA that give lots of wiggle room for collisions, as an attacker could generate a fake host key that gives the same MD5 string as the one you wanted to connect to
  • This new change replaces the default MD5 and hex with a base64-encoded SHA256 fingerprint
  • You can add a "FingerprintHash" line in your ssh_config to force using only the new type
  • There's also a new option to require users to authenticate with more than one public key, so you can really lock down login access to your servers - also useful if you're not 100% confident in any single key type
  • The new options should be in the upcoming 6.8 release

Interview - Dan Langille - info@bsdcan.org / @bsdcan

Plans for the BSDCan 2015 conference


News Roundup

Introducing ntimed, a new NTP daemon

  • As we've mentioned before in our tutorials, there are two main daemons for the Network Time Protocol - ISC's NTPd and OpenBSD's OpenNTPD
  • With all the recent security problems with ISC's NTPd, Poul-Henning Kamp has been working on a third NTP daemon
  • It's called "ntimed" and you can try out a preview version of it right now - it's in FreeBSD ports or on Github
  • PHK also has a few blog entries about the project, including status updates

OpenBSD-maintained projects list

  • There was recently a read on the misc mailing list asking about different projects started by OpenBSD developers
  • The initial list had marks for which software had portable versions to other operating systems (OpenSSH being the most popular example)
  • A developer compiled a new list from all of the replies to that thread into a nice organized webpage
  • Most people are only familiar with things like OpenSSH, OpenSMTPD, OpenNTPD and more recently LibreSSL, but there are quite a lot more
  • This page also serves as a good history lesson for BSD in general: FreeBSD and others have ported some things over, while a couple OpenBSD tools were born from forks of FreeBSD tools (mergemaster, pkg tools, portscout)

Monitoring network traffic with FreeBSD

  • If you've ever been curious about monitoring network traffic on your FreeBSD boxes, this forum post may be exactly the thing for you
  • It'll show you how to combine the Netflow, NfDump and NfSen suite of tools to get some pretty detailed network stats (and of course put them into a fancy webpage)
  • This is especially useful for finding out what was going on at a certain point in time, for example if you had a traffic spike

Trapping spammers with spamd

  • This is a blog post about OpenBSD's spamd - a spam email deferral daemon - and how to use it for your mail
  • It gives some background on the greylisting approach to spam, rather than just a typical host blacklist
  • "Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the sender re-attempts mail delivery at a later time, the sender may be allowed to continue the mail delivery conversation."
  • The post also shows how to combine it with PF and other tools for a pretty fancy mail setup
  • You can find spamd in the OpenBSD base system, or use it with FreeBSD or NetBSD via ports and pkgsrc
  • You might also want to go back and listen to BSDTalk episode 68, where Will talks to Bob Beck about spamd

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv - if you do anything cool with BSD, tell us about it
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • Have a happy new year, and make 2015 the year you finally switch over to BSD

Latest News

New announcement

2017-05-25

Hi, Mr. Dexter...

Two Year Anniversary

2015-08-08

We're quickly approaching our two-year anniversary, which will be on episode 105. To celebrate, we've created a unique t-shirt design, available for purchase until the end of August. Shirts will be shipped out around September 1st. Most of the proceeds will support the show, and specifically allow us to buy...

New discussion segment

2015-01-17

We're thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It's meant to be informative like a tutorial, but more of a "free discussion" format. If you have any subjects you want us to explore, or even just a good name...

How did you get into BSD?

2014-11-26

We've got a fun idea for the holidays this year: just like we ask during the interviews, we want to hear how all the viewers and listeners first got into BSD. Email us your story, either written or a video version, and we'll read and play some of them for...


Episode 195: I don’t WannaCry

2017-05-24

Direct Download:HD VideoMP3 AudioTorrent This episode was brought to you by Headlines ino64 project committed to FreeBSD 12-CURRENT The ino64 project has been completed and merged into FreeBSD 12-CURRENT Extend the inot, devt, nlinkt types to 64-bit ints. Modify struct dirent layout to add doff, increase the size of dfileno to 64-bits,...

Episode 194: Daemonic plans

2017-05-17

Direct Download:HD VideoMP3 AudioTorrent This episode was brought to you by Headlines FreeBSD Project Status Report (January to March 2017) While a few of these projects indicate they are a "plan B" or an "attempt III", many are still hewing to their original plans, and all have produced impressive results. Please enjoy...

Episode 193: Fire up the 802.11 AC

2017-05-10

Direct Download:HD VideoMP3 AudioTorrent This episode was brought to you by Headlines Bringing up 802.11ac on FreeBSD Adrian Chadd has a new blog post about his work to bring 802.11ac support to FreeBSD 802.11ac allows for speeds up to 500mbps and total bandwidth into multiple gigabits The FreeBSD net80211 stack has reasonably good 802.11n...

Episode 192: SSHv1 Be Gone

2017-05-03

Direct Download:HD VideoMP3 AudioTorrent This episode was brought to you by Headlines OpenSSH Removes SSHv1 Support In a series of commits starting here and ending with this one, Damien Miller completed the removal of all support for the now-historic SSHv1 protocol from OpenSSH. The final commit message, for the commit that removes the SSHv1 related...