Skip to main content.

Episode 102: May Contain ZFS


Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

This episode was brought to you by

iXsystems - Enterprise Servers and Storage for Open SourceDigitalOcean - Simple Cloud Hosting, Built for DevelopersTarsnap - Online Backups for the Truly Paranoid


FreeBSD on Olimex RT5350F-OLinuXino

  • If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it)
  • It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM
  • This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
  • In part two of the series, he talks about the GPIO and how you can configure it
  • Part three is still in the works, so check the site later on for further progress and info

The modern OpenBSD home router

  • In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
  • "It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst"
  • Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
  • This guide also covers PPP and IPv6, in case you have those requirements
  • In a similar but unrelated series, another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge
  • He also has a separate post for setting up an IPSEC VPN on the router

NetBSD at Open Source Conference 2015 Kansai

  • The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
  • They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
  • Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
  • They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
  • And what conference would be complete without an LED-powered towel

OpenSSH 7.0 released

  • The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
  • SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
  • The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can login, but only with keys) - all interactive authentication methods for root are also disabled by default now
  • If you're using an older configuration file, the "without-password" option still works, so no change is required
  • You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
  • Various bug fixes and documentation improvements are also included
  • Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
  • In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled

Interview - Peter Toth - / @pannonp

Containment with iocage

News Roundup

More c2k15 reports

  • A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
  • Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things)
  • He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging
  • Renato Westphal sent in a report of his very first hackathon
  • He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
  • Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
  • His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff
  • There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well

FreeBSD jails, the hard way

  • As you learned from our interview this week, there's quite a selection of tools available to manage your jails
  • This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
  • Unlike with iocage, ZFS isn't actually a requirement for this method
  • If you are using it, though, you can make use of snapshots for making template jails

OpenSSH hardware tokens

  • We've talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
  • This blog post will show you how to use a hardware token as a second authentication factor, for the "something you know, something you have" security model
  • It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
  • Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too

LibreSSL 2.2.2 released

  • The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
  • At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don't want in a crypto tool...) and much more
  • SSLv3 support was removed from the "openssl" command, and only a few other SSLv3 bits remain - once workarounds are found for ports that specifically depend on it, it'll be removed completely
  • Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
  • It'll be in 5.8 (due out earlier than usual) and it's in the FreeBSD ports tree as well


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to
  • BSD Now tshirts are now available to preorder, and will be shipping in September (you have until the end of August to place an order, then they're gone)
  • Next week's episode will be a shorter prerecorded one, since Allan's going to BSDCam

Latest News

New announcement


We understand that Michael Dexter, Brad Davis, and George Rosamond think there should be more real news....

Two Year Anniversary


We're quickly approaching our two-year anniversary, which will be on episode 105. To celebrate, we've created a unique t-shirt design, available for purchase until the end of August. Shirts will be shipped out around September 1st. Most of the proceeds will support the show, and specifically allow us to buy...

New discussion segment


We're thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It's meant to be informative like a tutorial, but more of a "free discussion" format. If you have any subjects you want us to explore, or even just a good name...

How did you get into BSD?


We've got a fun idea for the holidays this year: just like we ask during the interviews, we want to hear how all the viewers and listeners first got into BSD. Email us your story, either written or a video version, and we'll read and play some of them for...

Episode 281: EPYC Server battle


Direct Download:MP3 AudioVideo Headlines scp client multiple vulnerabilities Overview SCP clients from multiple vendors are susceptible to a malicious scp server performing unauthorized changes to target directory and/or client output manipulation. Description Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and...

Episode 280: FOSS clothing


Direct Download:MP3 AudioVideo Headlines A EULA in FOSS clothing? There was a tremendous amount of reaction to and discussion about my blog entry on the midlife crisis in open source. As part of this discussion on HN, Jay Kreps of Confluent took the time to write a detailed response — which...

Episode 279: Future of ZFS


Direct Download:MP3 AudioVideo Headlines The future of ZFS in FreeBSD The sources for FreeBSD's ZFS support are currently taken directly from Illumos with local ifdefs to support the peculiarities of FreeBSD where the Solaris Portability Layer (SPL) shims fall short. FreeBSD has regularly pulled changes from Illumos and tried to push...

Episode 278: The real McCoy


Direct Download:MP3 AudioVideo Interview - Kirk McKusick - 25 years of FreeBSD How Kirk got started in BSD, at the very beginning Predicting the Future How the code and community grew The leadership of the project, and how it changed over time UFS over the years (reading disks from 1982 in 2018) Conferences The rise and fall of...