This episode was brought to you by

Headlines

Key rotation in OpenSSH 6.8

• Damien Miller posted a new blog entry about one of the features in the upcoming OpenSSH 6.8
• Times changes, key types change, problems are found with old algorithms and we switch to new ones
• In OpenSSH (and the SSH protocol) however, there hasn't been an easy way to rotate host keys... until now
• With this change, when you connect to a server, it will log all the server's public keys in your known_hosts file, instead of just the first one used during the key exchange
• Keys that are in your known_hosts file but not on the server will get automatically removed
• This fixes the problem of old servers still authenticating with ancient DSA or small RSA keys, as well as providing a way for the server to rotate keys every so often
• There are some instructions in the blog post for how you'll be able to rotate host keys and eventually phase out the older ones - it's really simple
• There are a lot of big changes coming in OpenSSH 6.8, so we'll be sure to cover them all when it's released ***

NetBSD Banana Pi images

• We've talked about the Banana Pi a bit before - it's a small ARM board that's comparable to the popular Raspberry Pi
• Some NetBSD -current images were posted on the mailing list, so now you can get some BSD action on one of these little devices
• There are even a set of prebuilt pkgsrc packages, so you won't have to compile everything initially
• The email includes some steps to get everything working and an overview of what comes with the image
• Also check the wiki page for some related boards and further instructions on getting set up
• On a related note, NetBSD also recently got GPU acceleration working for the Raspberry Pi (which is a first for their ARM port) ***

LibreSSL shirts and other BSD goodies

• If you've been keeping up with the LibreSSL saga and want a shirt to show your support, they're finally available to buy online
• There are two versions, either "keep calm and use LibreSSL" or the slightly more snarky "keep calm and abandon OpenSSL"
• While on the topic, we thought it would be good to make people aware of shirts for other BSD projects too
• You can get some FreeBSD, PCBSD and FreeNAS stuff from the FreeBSD mall site
• OpenBSD recently launched their new store, but the selection is still a bit limited right now
• NetBSD has a couple places where you can buy shirts and other apparel with the flag logo on it
• We couldn't find any DragonFlyBSD shirts unfortunately, which is a shame since their logo is pretty cool
• Profits from the sale of the gear go back to the projects, so pick up some swag and support your BSD of choice (and of course wear them at any Linux events you happen to go to) ***

OPNsense 15.1.4 released

• The OPNsense guys have been hard at work since we spoke to them, fixing lots of bugs and keeping everything up to date
• A number of versions have come out since then, with 15.1.4 being the latest (assuming they haven't updated it again by the time this airs)
• This version includes the latest round of FreeBSD kernel security patches, as well as minor SSL and GUI fixes
• They're doing a great job of getting upstream fixes pushed out to users quickly, a very welcome change
• A developer has also posted an interesting write-up titled "Development Workflow in OPNsense"
• If any of our listeners are trying OPNsense as their gateway firewall, let us know how you like it ***

Interview - Ed Maste - board@freebsdfoundation.org

The FreeBSD foundation's activities

News Roundup

Rolling with OpenBSD snapshots

• One of the cool things about the -current branch of OpenBSD is that it doesn't require any compiling
• There are signed binary snapshots being continuously re-rolled and posted on the FTP sites for every architecture
• This provides an easy method to get onboard with the latest features, and you can also easily upgrade between them without reformatting or rebuilding
• This blog post will walk you through the process of using snapshots to stay on the bleeding edge of OpenBSD goodness
• After using -current for seven weeks, the author comes to the conclusion that it's not as unstable as people might think
• He's now helping test out patches and new ports since he's running the same code as the developers ***

Signing pkgsrc packages

• As of the time this show airs, the official pkgsrc packages aren't cryptographically signed
• Someone from Joyent has been working on that, since they'd like to sign their pkgsrc packages for SmartOS
• Using GNUPG pulled in a lot of dependencies, and they're trying to keep the bootstrapping process minimal
• Instead, they're using netpgpverify, a fork of NetBSD's netpgp utility
• Maybe someday this will become the official way to sign packages in NetBSD? ***

FreeBSD support model changes

• Starting with 11.0-RELEASE, which won't be for a few months probably, FreeBSD releases are going to have a different support model
• The plan is to move "from a point release-based support model to a set of releases from a branch with a guaranteed support lifetime"
• There will now be a five-year lifespan for each major release, regardless of how many minor point releases it gets
• This new model should reduce the turnaround time for errata and security patches, since there will be a lot less work involved to build and verify them
• Lots more detail can be found in the mailing list post, including some important changes to the -STABLE branch, so give it a read ***

OpenSMTPD, Dovecot and SpamAssassin

• We've been talking about setting up your own BSD-based mail server on the last couple episodes
• Here we have another post from a user setting up OpenSMTPD, including Dovecot for IMAP and SpamAssassin for spam filtering
• A lot of people regularly ask the developers how to combine OpenSMTPD with spam filtering, and this post should finally reveal the dark secrets
• In addition, it also covers SSL certificates, PKI and setting up MX records - some things that previous posts have lacked
• Just be sure to replace those "apt-get" commands and "eth0" interface names with something a bit more sane…
• In related news, OpenSMTPD has got some interesting new features coming soon
• They're also planning to switch to LibreSSL by default for the portable version ***

FreeBSD 10 on the Thinkpad T400

• BSD laptop articles are becoming popular it seems - this one is about FreeBSD on a T400
• Like most of the ones we've mentioned before, it shows you how to get a BSD desktop set up with all the little tweaks you might not think to do
• This one differs in that it takes a more minimal approach to graphics: instead of a full-featured environment like XFCE or KDE, it uses the i3 tiling window manager
• If you're a commandline junkie that basically just uses X11 to run more than one terminal at once, this might be an ideal setup for you
• The post also includes some bits about the DRM and KMS in the 10.x branch, as well as vt ***

PC-BSD 10.1.1 Released

• Automatic background updater now in
• Shiny new Qt5 utils
• OVA files for VM’s
• Full disk encryption with GELI v7 ***

Feedback/Questions

• Camio writes in
• Sha'ul writes in
• John writes in
• Sean writes in (TJ's lengthy reply)
• Christopher writes in ***

Mailing List Gold

• Special Instructions
• Pretending to be a VT220 ***

This episode was brought to you by

Headlines

Portscout ported to OpenBSD

• Portscout is a popular utility used in the FreeBSD ports infrastructure
• It lets port maintainers know when there's a new version of the upstream software available by automatically checking the distfile mirror
• Now OpenBSD porters can enjoy the same convenience, as it's been ported over
• You can view the status online to see how it works and who maintains what
• The developer who ported it is working to get all the current features working on OpenBSD, and added a few new features as well
• He decided to fork and rename it a few days later ***

Sysadmins and systemd refugees flocking to BSD

• With all the drama in Linux land about the rapid changes to their init system, a lot of people are looking at BSD alternatives
• This "you got your Windows in my Linux" article (and accompanying comments) give a nice glimpse into the minds of some of those switchers
• Both server administrators and regular everyday users are switching away from Linux, as more and more distros give them no choice but to use systemd
• Fortunately, the BSD communities are usually very welcoming of switchers - it's pretty nice on this side! ***

OpenBSD's versioning schemes

• Ted Unangst explains the various versioning systems within OpenBSD, from the base to libraries to other included software
• In contrast to FreeBSD's release cycle, OpenBSD isn't as concerned with breaking backwards compatibility (but only if it's needed to make progress)
• This allows them to innovate and introduce new features a lot more easily, and get those features in a stable release that everyone uses
• He also details the difference between branches, their errata system and lack of "patch levels" for security
• Some other things in OpenBSD don't have version numbers at all, like tmux
• "Every release adds some new features, fixes some old bugs, probably adds a new bug or two, and, if I have anything to say about it, removes some old features." ***

VAXstation 4000 Model 90 booting NetBSD

• We found a video of NetBSD booting on a 22 year old VAX workstation, circa 1992
• This system has a monstrous 71 MHz CPU and 128MB of ECC RAM
• It continues in part two, where we learn that it would've cost around $25,000 when it was released!
• The uploader talks about his experiences getting NetBSD on it, what does and doesn't work, etc
• It's interesting to see that such old hardware isn't necessarily obsolete just because newer things have come out since then (but maybe don't try to build world on it...) ***

Interview - Ken Moore - ken@pcbsd.org

The Lumina desktop environment

Special segment

Lumina walkthrough

News Roundup

Suricata for IDS on pfSense

• While most people are familiar with Snort as an intrusion detection system, Suricata is another choice
• This guide goes through the steps of installing and configuring it on a public-facing pfSense box
• Part two details some of the configuration steps
• One other cool thing about Suricata - it's compatible with Snort rules, so you can use the same updates
• There's also another recent post about snort as well, if that's more your style
• If you run pfSense (or any BSD) as an edge router for a lot of users, this might be worth looking into ***

OpenBSD's systemd API emulation project

• This story was pretty popular in the mainstream news this week
• For the Google Summer of Code, a student is writing emulation wrappers for some of systemd's functions
• There was consideration from some Linux users to port over the finished emulation back to Linux, so they wouldn't have to run the full systemd
• One particularly interesting Slashdot comment snippet: "We are currently migrating a large number (much larger than planned after initial results) of systems from RHEL to BSD - a decision taken due to general unhappiness with RHEL6, but SystemD pushed us towards BSD rather than another Linux distro - and in some cases are seeing throughput gains of greater than 10% on what should be equivalent Linux and BSD server builds. The re-learning curve wasn't as steep as we expected, general system stability seems to be better too, and BSD's security reputation goes without saying."
• It will NOT be in the base system - only in ports, and only installed as a dependency for things like newer GNOME that require such APIs
• In the long run, BSD will still be safe from systemd's reign of terror, but will hopefully still be compatible with some third party packages like GNOME that insist on using it ***

GhostBSD 4 previewed

• The GhostBSD project is moving along, slowly getting closer to the 4 release
• This article shows some of the progress made, and includes lots of screenshots and interesting graphical frontends
• If you're not too familiar with GhostBSD, we interviewed the lead developer a little while back ***

NetBSD on the Banana Pi

• The Banana Pi is a tasty alternative to the Raspberry Pi, with similar hardware specs
• In this blog post, a NetBSD developer details his experiences in getting NetBSD to run on it
• After studying how the prebuilt Linux image booted, he made some notes and started hacking
• Ethernet, one of the few things not working, is being looked into and he's hoping to get it fully supported for the upcoming NetBSD 7.0
• They're only about $65 as of the time we're recording this, so it might be a fun project to try ***

Feedback/Questions

• Antonio writes in
• Garegin writes in
• Erno writes in
• Brandon writes in ***