NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Inside FreeBSD Netgraph: Behind the Curtain of Advanced Networking

Launching BSSG - My Journey from Dynamic CMS to Bash Static Site Generator

News Roundup

OpenZFS Cheat Sheet

Dipping my toes in OpenBSD, in Amsterdam

SSH keys from a command: sshd's AuthorizedKeysCommand directive

How to move bhyve VM and Jail container from one host to another host ?

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Dave - Webstack

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

What Would It Take to Recreate Bell Labs?

Human Scale Software vs Open Source

News Roundup

How to run Visual Studio (VS) Code Remote over SSH on FreeBSD 13 and 14

Why are some emails from Charlie Root and others are from root?

Backward compatibility, even for settings, has real costs

Kyua graduates

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

573 - Vedran - linuxulator

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems and OpenBSD 9.8

Improving and debugging FreeBSDs Intel wifi support

FreeBSD adds an implementation of the 9P filesystem

News Roundup

FreeBSD Zero to Desktop Speedrun Challenge

Why and how to run your own FreeBSD package cache

Game of Trees Hub: A Git Repository Hosting Service Based on OpenBSD

Why Does FreeBSD Default to Csh/Tcsh? Exploring Its Advantages

AI-assisted computer interfaces of the future

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

SSH as a sudo replacement

Core.13 is Now In Office

News Roundup

Running GoToSocial on NetBSD

A DMD package for OpenIndiana

Adding more swap space to Omnios

OpenBSD added initial support for Qualcomm Snapdragon Elite X after 1 day

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Isa - Pinebook Question.md

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES

This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

FreeBSD Status Report Fourth Quarter 2023

In Memoriam : Inventor of NTP protocol that keeps time on billions of devices dies at age 85

News Roundup

Migrate a FreeBSD bhyve virtual machine to OmniOS

This blog is AI free

Hard disk LEDs and Noisy Machines

SSH based comment system

NetBSD 10 RC.4 is available

Beastie Bits

Tarsnap

This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Terrapin Attack

• OpenSSH 9.6 is out
• OpenBSD Patches
• FreeBSD Patches
• If anyone is aware of NetBSD Patches, please send them into the show so I can update the show notes

SSH Hardening with ssh-audit

News Roundup

MidnightBSD 3.1.2

syscall(2) removed from -current

2024 FreeBSD Community Survey is Here

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• (Markus - how to verify FreeBSD deliverables](https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/539/feedback/Markus%20-%20how%20to%20verify%20FreeBSD%20deliverables.md)
• (neb - tui](https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/539/feedback/neb%20-%20tui.md)

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

OpenZFS Storage Best Practices and Use Cases – Part 2: File Serving and SANs

My MNT Reform – almost a year on

News Roundup

Why do I know shell, and how can you?

Authenticate the SSH servers you are connecting to

dsynth in DragonFly

Navigating around in shell

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Brad - jail manager questions Jail manager comparison: https://appjail.readthedocs.io/en/latest/compare/
• nixbytes - sharing a link.md

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

• Join us and other BSD Fans in our BSD Now Telegram channel

  ---

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

FreeBSD 13.2 Release Announcement

Using DTrace to find block sizes of ZFS, NFS, and iSCSI

News Roundup

Midnight BSD 3.0.1

Closing a stale SSH connection

How to automatically add identity to the SSH authentication agent

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Dan - ZFS question
• Matt - Thanks

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Automation and Hacking Your FreeBSD CLI

Run your own instant messaging service on FreeBSD

News Roundup

Watch Netflix on FreeBSD

HardenedBSD January 2023 Status Report

How To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2)

OpenSSH fixes double-free memory bug that’s pokable over the network

A late announcement, but better late than never

Next NYC*BUG: March? April? Certainly May!

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups.

Feedback/Questions

• Daniel - Plan 9 lives
• Jason - nvd driver

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

The mass extinction of UNIX workstations

whoarethey: Determine Who Can Log In to an SSH Server

News Roundup

FreeBSD vs. Linux 5 Factors When Considering FreeBSD vs. Linux: Packages

A Visual Guide to SSH Tunnels: Local and Remote Port Forwarding

Harvesting the Noise While it’s Fresh, Revisited

Bastille - The Jail Manager on FreeBSD

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. ***
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

NOTES
This episode of BSDNow is brought to you by Tarsnap and the BSDNow Patreon

Headlines

Fuzzing ping(8) … and finding a 24 year old bug

The Role of Operating Systems in IOT

News Roundup

Authentication gateway with SSH on OpenBSD

FreeBSD 12.4 is out

Beastie Bits

Vagrant FreeBSD Boxbuilder
LibreSSL 3.7.0 Released
OPNsense 22.7.9 released
BIOS Memory Map for vmd(8) Rewrite in Progress

Tarsnap

• This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. ***
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv ***

Headlines

Unix is 50

In the summer of 1969 computer scientists Ken Thompson and Dennis Ritchie created the first implementation of Unix with the goal of designing an elegant and economical operating system for a little-used PDP-7 minicomputer at Bell Labs. That modest project, however, would have a far-reaching legacy. Unix made large-scale networking of diverse computing systems — and the Internet — practical. The Unix team went on to develop the C language, which brought an unprecedented combination of efficiency and expressiveness to programming. Both made computing more "portable". Today, Linux, the most popular descendent of Unix, powers the vast majority of servers, and elements of Unix and Linux are found in most mobile devices. Meanwhile C++ remains one of the most widely used programming languages today. Unix may be a half-century old but its influence is only growing.

Hunting down Ken's PDP-7: video footage found

In my prior blog post, I traced Ken's scrounged PDP-7 to SN 34. In this post I'll show that we have actual video footage of that PDP-7 due to an old film from Bell Labs. this gives us almost a minute of footage of the PDP-7 Ken later used to create Unix.

News Roundup

OpenBSD 6.6 Released

• Announce: https://marc.info/?l=openbsd-tech&m=157132024225971&w=2
• Upgrade Guide: https://openbsd.org/faq/upgrade66.html
• Changelog: https://openbsd.org/plus66.html

OPNsense 19.7.5 released

Hello friends and followers, Lots of plugin and ports updates this time with a few minor improvements in all core areas. Behind the scenes we are starting to migrate the base system to version

12.1 which is supposed to hit the next 20.1 release. Stay tuned for more infos in the next month or so.

Here are the full patch notes:

• system: show all swap partitions in system information widget
• system: flatten services_get() in preparation for removal
• system: pin Syslog-ng version to specific package name
• system: fix LDAP/StartTLS with user import page
• system: fix a PHP warning on authentication server page
• system: replace most subprocess.call use
• interfaces: fix devd handling of carp devices (contributed by stumbaumr)
• firewall: improve firewall rules inline toggles
• firewall: only allow TCP flags on TCP protocol
• firewall: simplify help text for direction setting
• firewall: make protocol log summary case insensitive
• reporting: ignore malformed flow records
• captive portal: fix type mismatch for timeout read
• dhcp: add note for static lease limitation with lease registration (contributed by Northguy)
• ipsec: add margintime and rekeyfuzz options
• ipsec: clear $dpdline correctly if not set
• ui: fix tokenizer reorder on multiple saves
• plugins: os-acme-client 1.26[1]
• plugins: os-bind will reload bind on record change (contributed by blablup)
• plugins: os-etpro-telemetry minor subprocess.call replacement
• plugins: os-freeradius 1.9.4[2]
• plugins: os-frr 1.12[3]
• plugins: os-haproxy 2.19[4]
• plugins: os-mailtrail 1.2[5]
• plugins: os-postfix 1.11[6]
• plugins: os-rspamd 1.8[7]
• plugins: os-sunnyvalley LibreSSL support (contributed by Sunny Valley Networks)
• plugins: os-telegraf 1.7.6[8]
• plugins: os-theme-cicada 1.21 (contributed by Team Rebellion)
• plugins: os-theme-tukan 1.21 (contributed by Team Rebellion)
• plugins: os-tinc minor subprocess.call replacement
• plugins: os-tor 1.8 adds dormant mode disable option (contributed by Fabian Franz)
• plugins: os-virtualbox 1.0 (contributed by andrewhotlab)

Dealing with the misunderstandings of what is GhostBSD

Since the release of 19.09, I have seen a lot of misunderstandings on what is GhostBSD and the future of GhostBSD. GhostBSD is based on TrueOS with FreeBSD 12 STABLE with our twist to it. We are still continuing to use TrueOS for OpenRC, and the new package's system for the base system that is built from ports. GhostBSD is becoming a slow-moving rolling release base on the latest TrueOS with FreeBSD 12 STABLE. When FreeBSD 13 STABLE gets released, GhostBSD will be upgraded to TrueOS with FreeBSD 13 STABLE.

Our official desktop is MATE, which means that the leading developer of GhostBSD does not officially support XFCE. Community releases are maintained by the community and for the community. GhostBSD project will provide help to build and to host the community release. If anyone wants to have a particular desktop supported, it is up to the community. Sure I will help where I can, answer questions and guide new community members that contribute to community release.

There is some effort going on for Plasma5 desktop. If anyone is interested in helping with XFCE and Plasma5 or in creating another community release, you are well come to contribute. Also, Contribution to the GhostBSD base system, to ports and new ports, and in house software are welcome. We are mostly active on Telegram https://t.me/ghostbsd, but you can also reach us on the forum.

SHUTTLE – VPN over SSH | VPN Alternative

Looking for a lightweight VPN client, but are not ready to spend a monthly recurring amount on a VPN? VPNs can be expensive depending upon the quality of service and amount of privacy you want. A good VPN plan can easily set you back by 10$ a month and even that doesn’t guarantee your privacy. There is no way to be sure whether the VPN is storing your confidential information and traffic logs or not. sshuttle is the answer to your problem it provides VPN over ssh and in this article we’re going to explore this cheap yet powerful alternative to the expensive VPNs. By using open source tools you can control your own privacy.

• VPN over SSH – sshuttle

sshuttle is an awesome program that allows you to create a VPN connection from your local machine to any remote server that you have ssh access on. The tunnel established over the ssh connection can then be used to route all your traffic from client machine through the remote machine including all the dns traffic. In the bare bones sshuttle is just a proxy server which runs on the client machine and forwards all the traffic to a ssh tunnel. Since its open source it holds quite a lot of major advantages over traditional VPN.

OpenSSH 8.1 Released

• Security

  • ssh(1), sshd(8), ssh-add(1), ssh-keygen(1): an exploitable integer overflow bug was found in the private key parsing code for the XMSS key type. This key type is still experimental and support for it is not compiled by default. No user-facing autoconf option exists in portable OpenSSH to enable it. This bug was found by Adam Zabrocki and reported via SecuriTeam's SSD program.
  • ssh(1), sshd(8), ssh-agent(1): add protection for private keys at rest in RAM against speculation and memory side-channel attacks like Spectre, Meltdown and Rambleed. This release encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large "prekey" consisting of random data (currently 16KB).

• This release includes a number of changes that may affect existing configurations:

  • ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ...").

• New Features

  • ssh(1): Allow %n to be expanded in ProxyCommand strings
  • ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519"
  • ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email).
  • ssh-keygen(1): print key comment when extracting public key from a private key.
  • ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too.
  • All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's.

Beastie Bits

• Say goodbye to the 32 CPU limit in NetBSD/aarch64
• vBSDcon 2019 videos
• Browse the web in the terminal - W3M
• NetBSD 9 and GSoC
• BSDCan 2019 Videos
• NYC*BUG Install Fest: Nov 6th 18:45 @ Suspenders
• FreeBSD Miniconf at linux.conf.au 2020 Call for Sessions Now Open
• FOSDEM 2020 - BSD Devroom Call for Participation
• University of Cambridge looking for Research Assistants/Associates

Feedback/Questions

• Trenton - Beeping Thinkpad
• Alex - Per user ZFS Datasets
  • Allan’s old patch from 2015
• Javier - FBSD 12.0 + ZFS + encryption

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

36+ year old bug in FFS/UFS discovered and patched

This update eliminates a kernel stack disclosure bug in UFS/FFS directory entries that is caused by uninitialized directory entry padding written to the disk.

• When the directory entry is written to disk, it is written as a full 32bit entry, and the unused bytes were not initialized, so could possibly contain sensitive data from the kernel stack It can be viewed by any user with read access to that directory. Up to 3 bytes of kernel stack are disclosed per file entry, depending on the the amount of padding the kernel needs to pad out the entry to a 32 bit boundary. The offset in the kernel stack that is disclosed is a function of the filename size. Furthermore, if the user can create files in a directory, this 3 byte window can be expanded 3 bytes at a time to a 254 byte window with 75% of the data in that window exposed. The additional exposure is done by removing the entry, creating a new entry with a 4-byte longer name, extracting 3 more bytes by reading the directory, and repeating until a 252 byte name is created. This exploit works in part because the area of the kernel stack that is being disclosed is in an area that typically doesn't change that often (perhaps a few times a second on a lightly loaded system), and these file creates and unlinks themselves don't overwrite the area of kernel stack being disclosed. It appears that this bug originated with the creation of the Fast File System in 4.1b-BSD (Circa 1982, more than 36 years ago!), and is likely present in every Unix or Unix-like system that uses UFS/FFS. Amazingly, nobody noticed until now. This update also adds the -z flag to fsck_ffs to have it scrub the leaked information in the name padding of existing directories. It only needs to be run once on each UFS/FFS filesystem after a patched kernel is installed and running. Submitted by: David G. Lawrence dg@dglawrence.com
• So a patched kernel will no longer leak this data, and running the fsck_ffs -z command will erase any leaked data that may exist on your system
• OpenBSD commit with additional detail on mitigations The impact on OpenBSD is very limited: 1 - such stack bytes can be found in raw-device reads, from group operator. If you can read the raw disks you can undertake other more powerful actions. 2 - read(2) upon directory fd was disabled July 1997 because I didn't like how grep * would display garbage and mess up the tty, and applying vis(3) for just directory reads seemed silly. read(2) was changed to return 0 (EOF). Sep 2016 this was further changed to EISDIR, so you still cannot see the bad bytes. 3 - In 2013 when guenther adapted the getdents(2) directory-reading system call to 64-bit ino_t, the userland data format changed to 8-byte-alignment, making it incompatible with the 4-byte-alignment UFS on-disk format. As a result of code refactoring the bad bytes were not copied to userland. Bad bytes will remain in old directories on old filesystems, but nothing makes those bytes user visible. There will be no errata or syspatch issued. I urge other systems which do expose the information to userland to issue errata quickly, since this is a 254 byte infoleak of the stack which is great for ROP-chain building to attack some other bug. Especially if the kernel has no layout/link-order randomization ...

---

NomadBSD, a BSD for the Road

As regular It’s FOSS readers should know, I like diving into the world of BSDs. Recently, I came across an interesting BSD that is designed to live on a thumb drive. Let’s take a look at NomadBSD. NomadBSD is different than most available BSDs. NomadBSD is a live system based on FreeBSD. It comes with automatic hardware detection and an initial config tool. NomadBSD is designed to “be used as a desktop system that works out of the box, but can also be used for data recovery, for educational purposes, or to test FreeBSD’s hardware compatibility.” This German BSD comes with an OpenBox-based desktop with the Plank application dock. NomadBSD makes use of the DSB project. DSB stands for “Desktop Suite (for) (Free)BSD” and consists of a collection of programs designed to create a simple and working environment without needing a ton of dependencies to use one tool. DSB is created by Marcel Kaiser one of the lead devs of NomadBSD. Just like the original BSD projects, you can contact the NomadBSD developers via a mailing list.

• Version 1.2 Released

NomadBSD recently released version 1.2 on April 21, 2019. This means that NomadBSD is now based on FreeBSD 12.0-p3. TRIM is now enabled by default. One of the biggest changes is that the initial command-line setup was replaced with a Qt graphical interface. They also added a Qt5 tool to install NomadBSD to your hard drive. A number of fixes were included to improve graphics support. They also added support for creating 32-bit images.

• Thoughts on NomadBSD

I first discovered NomadBSD back in January when they released 1.2-RC1. At the time, I had been unable to install Project Trident on my laptop and was very frustrated with BSDs. I downloaded NomadBSD and tried it out. I initially ran into issues reaching the desktop, but RC2 fixed that issue. However, I was unable to get on the internet, even though I had an Ethernet cable plugged in. Luckily, I found the wifi manager in the menu and was able to connect to my wifi. Overall, my experience with NomadBSD was pleasant. Once I figured out a few things, I was good to go. I hope that NomadBSD is the first of a new generation of BSDs that focus on mobility and ease of use. BSD has conquered the server world, it’s about time they figured out how to be more user-friendly.

---

News Roundup

[OpenBSD automatic

upgrade](https://www.tumfatig.net/20190426/openbsd-automatic-upgrade/)

OpenBSD 6.5 advertises for an installer improvement: rdsetroot(8) (a build-time tool) is now available for general use. Used in combination with autoinstall.8, it is now really easy to do automatic upgrades of your OpenBSD instances. I first manually upgraded my OpenBSD sandbox to 6.5. Once that was done, I could use the stock rdsetroot(8) tool. The plan is quite simple: write an unattended installation response file, insert it to a bsd.rd 6.5 installation image and reboot my other OpenBSD instances using that image.

• Extra notes

There must be a way to run onetime commands (in the manner of fw_update) to automatically run sysmerge and packages upgrades. As for now, I’d rather do it manually. This worked like a charm on two Synology KVM instances using a single sd0 disk, on my Thinkpad X260 using Encrypted root with Keydisk and on a Vultr instance using Encrypted root with passphrase. And BTW, the upgrade on the X260 used the (iwn0) wireless connection. I just read that florian@ has released the sysupgrade(8) utility which should be released with OpenBSD 6.6. That will make upgrades even easier! Until then, happy upgrading.

FreeBSD Dtrace ext2fs Support

• Which logs were replaced by dtrace-probes:

  • Misc printf's under DEBUG macro in the blocks allocation path.
  • Different on-disk structures validation errors, now the filesystem will silently return EIO's.
  • Misc checksum errors, same as above.

• The only debug macro, which was leaved is EXT2FSPRINTEXTENTS.

• It is impossible to replace it by dtrace-probes, because the additional logic is required to walk thru file extents.

• The user still be able to see mount errors in the dmesg in case of:

  • Filesystem features incompatibility.
  • Superblock checksum error.

Create a dedicated user for ssh tunneling only

I use ssh tunneling A LOT, for everything. Yesterday, I removed the public access of my IMAP server, it’s now only available through ssh tunneling to access the daemon listening on localhost. I have plenty of daemons listening only on localhost that I can only reach through a ssh tunnel. If you don’t want to bother with ssh and redirect ports you need, you can also make a VPN (using ssh, openvpn, iked, tinc…) between your system and your server. I tend to avoid setting up VPN for the current use case as it requires more work and more maintenance than running ssh server and a ssh client. The last change, for my IMAP server, added an issue. I want my phone to access the IMAP server but I don’t want to connect to my main account from my phone for security reasons. So, I need a dedicated user that will only be allowed to forward ports. This is done very easily on OpenBSD. The steps are: 1. generate ssh keys for the new user 2. add an user with no password 3. allow public key for port forwarding Obviously, you must allow users (or only this one) to make port forwarding in your sshd_config.

---

That was easy. Some info on upgrading VMM VMs to 6.5

We're running dedicated vmm(4)/vmd(8) servers to host opinionated VMs. OpenBSD 6.5 is released! There are two ways you can upgrade your VM. Either do a manual upgrade or leverage autoinstall(8). You can take care of it via the console with vmctl(8).

• Upgrade yourself

To get connected to the console you need to have access to the host your VM is running on. The same username and public SSH key, as provided for the VM, are used to create a local user on the host. When this is done you can use vmctl(8) to manage your VM. The options you have are:

```$ vmctl start id [-c]```

$ vmctl stop id [-fw]```

```-w Wait until the VM has been terminated.```

-c Automatically connect to the VM console.```

• See the Article for the rest of the guide

Beastie Bits

• powerpc64 architecture support in FreeBSD ports
• GhostBSD 19.04 overview
• HardenedBSD will have two user selectable ASLR implementations
• NYCBUG 2016 Talk Shell-Fu Uploaded
• What is ZIL anyway?

Feedback/Questions

• Quentin - Organize an Ada/BSD interview
• DJ - Update
• Patrick - Bhyve frontends
• A small programming note: After BSDNow episode 300, the podcast will switch to audio-only, using a new higher quality recording and production system. The live stream will likely still include video.

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

FreeBSD ZFS vs. ZoL Performance, Ubuntu ZFS On Linux Reference

With iX Systems having released new images of FreeBSD reworked with their ZFS On Linux code that is in development to ultimately replace their existing FreeBSD ZFS support derived from the code originally found in the Illumos source tree, here are some fresh benchmarks looking at the FreeBSD 12 performance of ZFS vs. ZoL vs. UFS and compared to Ubuntu Linux on the same system with EXT4 and ZFS. Using an Intel Xeon E3-1275 v6 with ASUS P10S-M WS motherboard, 2 x 8GB DDR4-2400 ECC UDIMMs, and Samsung 970 EVO Plus 500GB NVMe solid-state drive was used for all of this round of testing. Just a single modern NVMe SSD was used for this round of ZFS testing while as the FreeBSD ZoL code matures I'll test on multiple systems using a more diverse range of storage devices. FreeBSD 12 ZoL was tested using the iX Systems image and then fresh installs done of FreeBSD 12.0-RELEASE when defaulting to the existing ZFS root file-system support and again when using the aging UFS file-system. Ubuntu 18.04.2 LTS with the Linux 4.18 kernel was used when testing its default EXT4 file-system and then again when using the Ubuntu-ZFS ZoL support. Via the Phoronix Test Suite various BSD/Linux I/O benchmarks were carried out. Overall, the FreeBSD ZFS On Linux port is looking good so far and we are looking forward to it hopefully maturing in time for FreeBSD 13.0. Nice job to iX Systems and all of those involved, especially the ZFS On Linux project. Those wanting to help in testing can try the FreeBSD ZoL spins. Stay tuned for more benchmarks and on more diverse hardware as time allows and the FreeBSD ZoL support further matures, but so far at least the performance numbers are in good shape.

DragonFlyBSD 5.4.2 is out

Upgrading guide

Here's the tag commit, for what has changed from 5.4.1 to 5.4.2 The normal ISO and IMG files are available for download and install, plus an uncompressed ISO image for those installing remotely. I uploaded them to mirror-master.dragonflybsd.org last night so they should be at your local mirror or will be soon. This version includes Matt's fix for the HAMMER2 corruption bug he identified recently. If you have an existing 5.4 system and are running a generic kernel, the normal upgrade process will work.

> cd /usr/src
> git pull
> make buildworld.
> make buildkernel.
> make installkernel.
> make installworld
> make upgrade

After your next reboot, you can optionally update your rescue system:

> cd /usr/src
> make initrd

As always, make sure your packages are up to date:

> pkg update
> pkg upgrade

News Roundup

Containing web services with iocell

I'm a huge fan of the FreeBSD jails feature. It is a great system for splitting services into logical units with all the performance of the bare metal system. In fact, this very site runs in its own jail! If this is starting to sound like LXC or Docker, it might surprise you to learn that OS-level virtualization has existed for quite some time. Kudos to the Linux folks for finally getting around to it. 😛 If you're interested in the history behind Jails, there is an excellent talk from Papers We Love on the subject: https://www.youtube.com/watch?v=hgN8pCMLI2U

• Getting started

There are plenty of options when it comes to setting up the jail system. Ezjail and Iocage seem popular, or you could do things manually. Iocage was recently rewritten in python, but was originally a set of shell scripts. That version has since been forked under the name Iocell, and I think it's pretty neat, so this tutorial will be using Iocell.

• To start, you'll need the following:
  • A FreeBSD install (we'll be using 11.0)
  • The iocell package (available as a package, also in the ports tree)
  • A ZFS pool for hosting the jails

Once you have installed iocell and configured your ZFS pool, you'll need to run a few commands before creating your first jail. First, tell iocell which ZFS pool to use by issuing iocell activate $POOLNAME. Iocell will create a few datasets.

As you can imagine, your jails are contained within the /iocell/jails dataset. The /iocell/releases dataset is used for storing the next command we need to run, iocell fetch. Iocell will ask you which release you'd like to pull down. Since we're running 11.0 on the host, pick 11.0-RELEASE. Iocell will download the necessary txz files and unpack them in /iocell/releases.

• See Article for the rest of the walkthrough.

Oracle Solaris 11.4 SRU8

Today we are releasing the SRU 8 for Oracle Solaris 11.4. It is available via 'pkg update' from the support repository or by downloading the SRU from My Oracle Support Doc ID 2433412.1.

• This SRU introduces the following enhancements:
  • Integration of 28060039 introduced an issue where any firmware update/query commands will log eereports and repeated execution of such commands led to faulty/degraded NIC. The issue has been addressed in this SRU.
  • UCB (libucb, librpcsoc, libdbm, libtermcap, and libcurses) libraries have been reinstated for Oracle Solaris 11.4
  • Re-introduction of the service fc-fabric.
  • ibus has been updated to 1.5.19

• The following components have also been updated to address security issues:
  • NTP has been updated to 4.2.8p12
  • Firefox has been updated to 60.6.0esr
  • BIND has been updated to 9.11.6
  • OpenSSL has been updated to 1.0.2r
  • MySQL has been updated to 5.6.43 & 5.7.25
  • libxml2 has been updated to 2.9.9
  • libxslt has been updated to 1.1.33
  • Wireshark has been updated to 2.6.7
  • ncurses has been updated to 6.1.0.20190105
  • Apache Web Server has been updated to 2.4.38
  • perl 5.22
  • pkg.depot

The Problem with SSH Agent Forwarding

After hacking the matrix.org website today, the attacker opened a series of GitHub issues mentioning the flaws he discovered. In one of those issues, he mentions that “complete compromise could have been avoided if developers were prohibited from using [SSH agent forwarding].” Here’s what man ssh_config has to say about ForwardAgent: "Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent’s Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent."" Simply put: if your jump box is compromised and you use SSH agent forwarding to connect to another machine through it, then you risk also compromising the target machine! Instead, you should use either ProxyCommand or ProxyJump (added in OpenSSH 7.3). That way, ssh will forward the TCP connection to the target host via the jump box and the actual connection will be made on your workstation. If someone on the jump box tries to MITM your connection, then you will be warned by ssh.

[OpenBSD Upgrade Guide: 6.4 to 6.5

Start by performing the pre-upgrade steps. Next, boot from the install kernel, bsd.rd: use bootable install media, or place the 6.5 version of bsd.rd in the root of your filesystem and instruct the boot loader to boot this kernel. Once this kernel is booted, choose the (U)pgrade option and follow the prompts. Apply the configuration changes and remove the old files. Finish up by upgrading the packages: pkg_add -u. Alternatively, you can use the manual upgrade process. You may wish to check the errata page or upgrade to the stable branch to get any post-release fixes.

• Before rebooting into the install kernel
• Configuration and syntax changes
• Files to remove
• Special packages
• Upgrade without the install kernel

Beastie Bits

• 2019 FreeBSD Community Survey
• Seagate runs Mach.2 demo on FreeBSD
• FreeBSD: Resizing and Growing Disks
• Loading 4.9 on an old Tandy 4025LX - 386, 16MB, 1GB HD. Good old external SCSI CD
• OS108 MATE 20190422 released

Feedback/Questions

• Casey - Oklahoma City & James
• Michael - Question on SAS backplane (camcontrol?)
• Ales - OpenBSD, FreeNAS, OpenZFS questions

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

A Pi-Powered Plan 9 Cluster

Plan 9 from Bell Labs comes from the same stable as the UNIX operating system, which of course Linux was designed after, and Apple’s OS X runs on top of a certified UNIX operating system. Just like UNIX, Plan 9 was developed as a research O/S — a vehicle for trying out new concepts — with it building on key UNIX principles and taking the idea of devices are just files even further. In this post, we take a quick look at the Plan 9 O/S and some of the notable features, before moving on to the construction of a self-contained 4-node Raspberry Pi cluster that will provide a compact platform for experimentation.

---

Endlessh: an SSH Tarpit

I’m a big fan of tarpits: a network service that intentionally inserts delays in its protocol, slowing down clients by forcing them to wait. This arrests the speed at which a bad actor can attack or probe the host system, and it ties up some of the attacker’s resources that might otherwise be spent attacking another host. When done well, a tarpit imposes more cost on the attacker than the defender. The Internet is a very hostile place, and anyone who’s ever stood up an Internet-facing IPv4 host has witnessed the immediate and continuous attacks against their server. I’ve maintained such a server for nearly six years now, and more than 99% of my incoming traffic has ill intent. One part of my defenses has been tarpits in various forms.

---

News Roundup

rdist(1) – when Ansible is too much

The post written about rdist(1) on johan.huldtgren.com sparked us to write one as well. It's a great, underappreciated, tool. And we wanted to show how we wrapped doas(1) around it. There are two services in our infrastructure for which we were looking to keep the configuration in sync and to reload the process when the configuration had indeed changed. There is a pair of nsd(8)/unbound(8) hosts and a pair of hosts running relayd(8)/httpd(8) with carp(4) between them. We didn't have a requirement to go full configuration management with tools like Ansible or Salt Stack. And there wasn't any interest in building additional logic on top of rsync or repositories. > Enter rdist(1), rdist is a program to maintain identical copies of files over multiple hosts. It preserves the owner, group, mode, and mtime of files if possible and can update programs that are executing.

---

Falling in love with OpenBSD again

I was checking the other day and was appalled at how long it has been since I posted here. I had been working a job during 2018 that had me traveling 3,600 miles by air every week so that is at least a viable excuse. So what is my latest project? I wanted to get something better than the clunky old T500 “freedom laptop” that I could use as my daily driver. Some background here. My first paid gig as a programmer was on SunOS 4 (predecessor to Solaris) and Ultrix (on a DEC MicroVAX). I went from there to a Commodore Amiga (preemptive multitasking in 1985!). I went from there to OS/2 (I know, patron saint of lost causes) and then finally decided to “sell out” and move to Windows as the path of least resistance in the mid 90’s. My wife bought me an iPod literally just as they started working with computers other than Macs and I watched with fascination as Apple made the big gamble and moved away from PowerPC chips to Intel. That was the beginning of the Apple Fan Boi years for me. My gateway drug was a G4 MacMini and I managed somehow to get in on the pre-production, developer build of an Intel-based Mac. I was quite happy on the platform until about three years ago.

---

How I Created My First FreeBSD Port

I created my first FreeBSD port recently. I found that FreeBSD didn't have a port for GoCD, which is a continuous integration and continuous deployment (CI/CD) system. This was a great opportunity to learn how to build a FreeBSD port while also contributing back to the community

---

The Tilde Institute of OpenBSD Education

Welcome to tilde.institute! This is an OpenBSD machine whose purpose is to provide a space in the tildeverse for experimentation with and education of the OpenBSD operating system. A variety of editors, shells, and compilers are installed to allow for development in a native OpenBSD environment. OpenBSD's httpd(8) is configured with slowcgi(8) as the fastcgi provider and sqlite3 available. This allows users to experiment with web development using compiled CGI in C, aka the BCHS Stack. In addition to php7.0 and mysql (mariadb) by request, this provides an environment where the development of complex web apps is possible.

---

Beastie Bits

• SoloBSD 19.03-STABLE
• WireGuard for NetBSD
• [NetBSD - Removing PF](https://mail-index.netbsd.org/tech-kern/2019/03/29/msg024883.html )
• What does the N in nmake stand for?
• A Map of the Internet from May 1973
• NSA-B-Gone : A sketchy hardware security device for your x220

Feedback/Questions

• Jake - A single jail as a VPN client
• Matt - Surprising BSD Features
• cia - Routing and ZFS

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Headlines

A EULA in FOSS clothing?

There was a tremendous amount of reaction to and discussion about my blog entry on the midlife crisis in open source. As part of this discussion on HN, Jay Kreps of Confluent took the time to write a detailed response — which he shortly thereafter elevated into a blog entry.

Let me be clear that I hold Jay in high regard, as both a software engineer and an entrepreneur — and I appreciate the time he took to write a thoughtful response. That said, there are aspects of his response that I found troubling enough to closely re-read the Confluent Community License — and that in turn has led me to a deeply disturbing realization about what is potentially going on here.

To GitHub: Assuming that this is in fact a EULA, I think it is perilous to allow EULAs to sit in public repositories. It’s one thing to have one click through to accept a license (though again, that itself is dubious), but to say that a git clone is an implicit acceptance of a contract that happens to be sitting somewhere in the repository beggars belief. With efforts like choosealicense.com, GitHub has been a model in guiding projects with respect to licensing; it would be helpful for GitHub’s counsel to weigh in on their view of this new strain of source-available proprietary software and the degree to which it comes into conflict with GitHub’s own terms of service.

To foundations concerned with software liberties, including the Apache Foundation, the Linux Foundation, the Free Software Foundation, the Electronic Frontier Foundation, the Open Source Initiative, and the Software Freedom Conservancy: the open source community needs your legal review on this! I don’t think I’m being too alarmist when I say that this is potentially a dangerous new precedent being set; it would be very helpful to have your lawyers offer their perspectives on this, even if they disagree with one another. We seem to be in some terrible new era of frankenlicenses, where the worst of proprietary licenses are bolted on to the goodwill created by open source licenses; we need your legal voices before these creatures destroy the village!

NetBSD and LLVM

NetBSD entering 2019 with more complete LLVM support

I’m recently helping the NetBSD developers to improve the support for this operating system in various LLVM components. As you can read in my previous report, I’ve been focusing on fixing build and test failures for the purpose of improving the buildbot coverage. Previously, I’ve resolved test failures in LLVM, Clang, LLD, libunwind, openmp and partially libc++. During the remainder of the month, I’ve been working on the remaining libc++ test failures, improving the NetBSD clang driver and helping Kamil Rytarowski with compiler-rt.

The process of upstreaming support to LLVM sanitizers has been finalized

I’ve finished the process of upstreaming patches to LLVM sanitizers (almost 2000LOC of local code) and submitted to upstream new improvements for the NetBSD support. Today out of the box (in unpatched version) we have support for a variety of compiler-rt LLVM features: ASan (finds unauthorized memory access), UBSan (finds unspecified code semantics), TSan (finds threading bugs), MSan (finds uninitialized memory use), SafeStack (double stack hardening), Profile (code coverage), XRay (dynamic code tracing); while other ones such as Scudo (hardened allocator) or DFSan (generic data flow sanitizer) are not far away from completeness. The NetBSD support is no longer visibly lacking behind Linux in sanitizers, although there are still failing tests on NetBSD that are not observed on Linux. On the other hand there are features working on NetBSD that are not functional on Linux, like sanitizing programs during early initialization process of OS (this is caused by /proc dependency on Linux that is mounted by startup programs, while NetBSD relies on sysctl(3) interfaces that is always available).

News Roundup

Thoughts on FreeBSD 12.0

Playing with FreeBSD with past week I don’t feel as though there were any big surprises or changes in this release compared to FreeBSD 11. In typical FreeBSD fashion, progress tends to be evolutionary rather than revolutionary, and this release feels like a polished and improved incremental step forward. I like that the installer handles both UFS and ZFS guided partitioning now and in a friendly manner. In the past I had trouble getting FreeBSD’s boot menu to work with boot environments, but that has been fixed for this release. I like the security options in the installer too. These are not new, but I think worth mentioning. FreeBSD, unlike most Linux distributions, offers several low-level security options (like hiding other users’ processes and randomizing PIDs) and I like having these presented at install time. It’s harder for people to attack what they cannot see, or predict, and FreeBSD optionally makes these little adjustment for us. Something which stands out about FreeBSD, compared to most Linux distributions I run, is that FreeBSD rarely holds the user’s hand, but also rarely surprises the user. This means there is more reading to do up front and new users may struggle to get used to editing configuration files in a text editor. But FreeBSD rarely does anything unless told to do it. Updates rarely change the system’s behaviour, working technology rarely gets swapped out for something new, the system and its applications never crashed during my trial. Everything was rock solid. The operating system may seem like a minimal, blank slate to new users, but it’s wonderfully dependable and predictable in my experience. I probably wouldn’t recommend FreeBSD for desktop use. It’s close relative, GhostBSD, ships with a friendly desktop and does special work to make end user applications run smoothly. But for people who want to run servers, possible for years without change or issues, FreeBSD is a great option. It’s also an attractive choice, in my opinion, for people who like to build their system from the ground up, like you would with Debian’s server install or Arch Linux. Apart from the base tools and documentation, there is nothing on a FreeBSD system apart from what we put on it.

FreeBSD 12.0 Performance Against Windows & Linux On An Intel Xeon Server

Last week I posted benchmarks of Windows Server 2019 against various Linux distributions using a Tyan dual socket Intel Xeon server. In this article are some complementary results when adding in the performance of FreeBSD 11.2 against the new FreeBSD 12.0 stable release for this leading BSD operating system. As some fun benchmarks to end out 2018, here are the results of FreeBSD 11.2/12.0 (including an additional run when using GCC rather than Clang) up against Windows Server and several enterprise-ready Linux distributions. While FreeBSD 12.0 had picked up just one win of the Windows/Linux comparisons run, the FreeBSD performance is moving in the right direction. FreeBSD 12.0 was certainly faster than FreeBSD 11.2 on this dual Intel Xeon Scalable server based on a Tyan 1U platform. Meanwhile, to no surprise given the data last week, Clear Linux was by far the fastest out-of-the-box operating system tested. I did run some extra benchmarks on FreeBSD 11.2/12.0 with this hardware: in total I ran 120 benchmarks for these BSD tests. Of the 120 tests, there were just 15 cases where FreeBSD 11.2 was faster than 12.0. Seeing FreeBSD 12.0 faster than 11.2 nearly 90% of the time is an accomplishment and usually with other operating systems we see more of a mixed bag on new releases with not such solidly better performance. It was also great seeing the competitive performance out of FreeBSD when using the Clang compiler for the source-based tests compared to the GCC8 performance. Additional data available via this OpenBenchmarking.org result file.

How NetBSD came to be shipped by Microsoft

Google cache in case the site is down

In 2000, Joe Britt, Matt Hershenson and Andy Rubin formed Danger Incorporated. Danger developed the world’s first recognizable smartphone, the Danger HipTop. T-Mobile sold the first HipTop under the brand name Sidekick in October of 2002. Danger had a well developed kernel that had been designed and built in house. The kernel came to be viewed as not a core intellectual property and Danger started a search for a replacement. For business reasons, mostly to do with legal concerns over the Gnu Public License, Danger rejected Linux and began to consider BSD Unix as a replacement for the kernel. In 2006 I was hired by Mike Chen, the manager of the kernel development group to investigate the feasibility of replacing the Danger kernel with a BSD kernel, to select the version of BSD to use, to develop a prototype and to develop the plan for adapting BSD to Danger’s requirements. NetBSD was easily the best choice among the BSD variations at the time because it had well developed cross development tools. It was easy to use a NetBSD desktop running an Intel release to cross compile a NetBSD kernel and runtime for a device running an ARM processor. (Those interested in mailing list archaeology might be amused to investigate NetBSD technical mailing list for mail from picovex, particularly from Bucky Katz at picovex.) We began product development on the specific prototype of the phone that would become the Sidekick LX2009 in 2007 and contracts for the phone were written with T-Mobile. We were about half way through the two year development cycle when Microsoft purchased Danger in 2008. Microsoft would have preferred to ship the Sidekick running Windows/CE rather than NetBSD, but a schedule analysis performed by me, and another by an independent outside contractor, indicated that doing so would result in unacceptable delay.

Beastie Bits

• Unleashed 1.2 Released
• 35th CCC - Taming the Chaos: Can we build systems that actually work?
• Potholes to avoid when migrating to IPv6
• XScreenSaver 5.42
• SSH Examples and Tunnels
• Help request - mbuf(9) - request for comment
• NSA to release free Reverse Engineering Tool
• Running FreeBSD on a Raspberry Pi3 using a custom image created with crochet and poudriere

Feedback/Questions

• Dries - Lets talk a bit about VIMAGE jails
• ohb - Question About ZFS Root Dataset
• Micah - Active-Active NAS Sync recommendations

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

##Headlines
###Six Metrics for Measuring ZFS Pool Performance Part 1

The layout of a ZFS storage pool has a significant impact on system performance under various workloads. Given the importance of picking the right configuration for your workload and the fact that making changes to an in-use ZFS pool is far from trivial, it is important for an administrator to understand the mechanics of pool performance when designing a storage system.

• To quantify pool performance, we will consider six primary metrics:
• Read I/O operations per second (IOPS)
• Write IOPS
• Streaming read speed
• Streaming write speed
• Storage space efficiency (usable capacity after parity versus total raw capacity)
• Fault tolerance (maximum number of drives that can fail before data loss)
• For the sake of comparison, we’ll use an example system with 12 drives, each one sized at 6TB, and say that each drive does 100MB/s streaming reads and writes and can do 250 read and write IOPS. We will visualize how the data is spread across the drives by writing 12 multi-colored blocks, shown below. The blocks are written to the pool starting with the brown block on the left (number one), and working our way to the pink block on the right (number 12).

Note that when we calculate data rates and IOPS values for the example system, they are only approximations. Many other factors can impact pool access speeds for better (compression, caching) or worse (poor CPU performance, not enough memory).
There is no single configuration that maximizes all six metrics. Like so many things in life, our objective is to find an appropriate balance of the metrics to match a target workload. For example, a cold-storage backup system will likely want a pool configuration that emphasizes usable storage space and fault tolerance over the other data-rate focused metrics.
Let’s start with a quick review of ZFS storage pools before diving into specific configuration options. ZFS storage pools are comprised of one or more virtual devices, or vdevs. Each vdev is comprised of one or more storage providers, typically physical hard disks. All disk-level redundancy is configured at the vdev level. That is, the RAID layout is set on each vdev as opposed to on the storage pool. Data written to the storage pool is then striped across all the vdevs. Because pool data is striped across the vdevs, the loss of any one vdev means total pool failure. This is perhaps the single most important fact to keep in mind when designing a ZFS storage system. We will circle back to this point in the next post, but keep it in mind as we go through the vdev configuration options.
Because storage pools are made up of one or more vdevs with the pool data striped over the top, we’ll take a look at pool configuration in terms of various vdev configurations. There are three basic vdev configurations: striping, mirroring, and RAIDZ (which itself has three different varieties). The first section will cover striped and mirrored vdevs in this post; the second post will cover RAIDZ and some example scenarios.
A striped vdev is the simplest configuration. Each vdev consists of a single disk with no redundancy. When several of these single-disk, striped vdevs are combined into a single storage pool, the total usable storage space would be the sum of all the drives. When you write data to a pool made of striped vdevs, the data is broken into small chunks called “blocks” and distributed across all the disks in the pool. The blocks are written in “round-robin” sequence, meaning after all the disks receive one row of blocks, called a stripe, it loops back around and writes another stripe under the first. A striped pool has excellent performance and storage space efficiency, but absolutely zero fault tolerance. If even a single drive in the pool fails, the entire pool will fail and all data stored on that pool will be lost.
The excellent performance of a striped pool comes from the fact that all of the disks can work independently for all read and write operations. If you have a bunch of small read or write operations (IOPS), each disk can work independently to fetch the next block. For streaming reads and writes, each disk can fetch the next block in line synchronized with its neighbors. For example, if a given disk is fetching block n, its neighbor to the left can be fetching block n-1, and its neighbor to the right can be fetching block n+1. Therefore, the speed of all read and write operations as well as the quantity of read and write operations (IOPS) on a striped pool will scale with the number of vdevs. Note here that I said the speeds and IOPS scale with the number of vdevs rather than the number of drives; there’s a reason for this and we’ll cover it in the next post when we discuss RAID-Z.
Here’s a summary of the total pool performance (where N is the number of disks in the pool):

• N-wide striped:
• Read IOPS: N * Read IOPS of a single drive
• Write IOPS: N * Write IOPS of a single drive
• Streaming read speed: N * Streaming read speed of a single drive
• Streaming write speed: N * Streaming write speed of a single drive
• Storage space efficiency: 100%
• Fault tolerance: None!

Let’s apply this to our example system, configured with a 12-wide striped pool:

• 12-wide striped:
• Read IOPS: 3000
• Write IOPS: 3000
• Streaming read speed: 1200 MB/s
• Streaming write speed: 1200 MB/s
• Storage space efficiency: 72 TB
• Fault tolerance: None!
• Below is a visual depiction of our 12 rainbow blocks written to this pool configuration:

The blocks are simply striped across the 12 disks in the pool. The LBA column on the left stands for “Logical Block Address”. If we treat each disk as a column in an array, each LBA would be a row. It’s also easy to see that if any single disk fails, we would be missing a color in the rainbow and our data would be incomplete. While this configuration has fantastic read and write speeds and can handle a ton of IOPS, the data stored on the pool is very vulnerable. This configuration is not recommended unless you’re comfortable losing all of your pool’s data whenever any single drive fails.
A mirrored vdev consists of two or more disks. A mirrored vdev stores an exact copy of all the data written to it on each one of its drives. Traditional RAID-1 mirrors usually only support two drive mirrors, but ZFS allows for more drives per mirror to increase redundancy and fault tolerance. All disks in a mirrored vdev have to fail for the vdev, and thus the whole pool, to fail. Total storage space will be equal to the size of a single drive in the vdev. If you’re using mismatched drive sizes in your mirrors, the total size will be that of the smallest drive in the mirror.
Streaming read speeds and read IOPS on a mirrored vdev will be faster than write speeds and IOPS. When reading from a mirrored vdev, the drives can “divide and conquer” the operations, similar to what we saw above in the striped pool. This is because each drive in the mirror has an identical copy of the data. For write operations, all of the drives need to write a copy of the data, so the mirrored vdev will be limited to the streaming write speed and IOPS of a single disk.

Here’s a summary:

• N-way mirror:

• Read IOPS: N * Read IOPS of a single drive

• Write IOPS: Write IOPS of a single drive

• Streaming read speed: N * Streaming read speed of a single drive

• Streaming write speed: Streaming write speed of a single drive

• Storage space efficiency: 50% for 2-way, 33% for 3-way, 25% for 4-way, etc. [(N-1)/N]

• Fault tolerance: 1 disk per vdev for 2-way, 2 for 3-way, 3 for 4-way, etc. [N-1]

• For our first example configuration, let’s do something ridiculous and create a 12-way mirror. ZFS supports this kind of thing, but your management probably will not.

• 1x 12-way mirror:

• Read IOPS: 3000

• Write IOPS: 250

• Streaming read speed: 1200 MB/s

• Streaming write speed: 100 MB/s

• Storage space efficiency: 8.3% (6 TB)

• Fault tolerance: 11

As we can clearly see from the diagram, every single disk in the vdev gets a full copy of our rainbow data. The chainlink icons between the disk labels in the column headers indicate the disks are part of a single vdev. We can lose up to 11 disks in this vdev and still have a complete rainbow. Of course, the data takes up far too much room on the pool, occupying a full 12 LBAs in the data array.

Obviously, this is far from the best use of 12 drives. Let’s do something a little more practical and configure the pool with the ZFS equivalent of RAID-10. We’ll configure six 2-way mirror vdevs. ZFS will stripe the data across all 6 of the vdevs. We can use the work we did in the striped vdev section to determine how the pool as a whole will behave. Let’s first calculate the performance per vdev, then we can work on the full pool:

• 1x 2-way mirror:

• Read IOPS: 500

• Write IOPS: 250

• Streaming read speed: 200 MB/s

• Streaming write speed: 100 MB/s

• Storage space efficiency: 50% (6 TB)

• Fault tolerance: 1

• Now we can pretend we have 6 drives with the performance statistics listed above and run them through our striped vdev performance calculator to get the total pool’s performance:

• 6x 2-way mirror:

• Read IOPS: 3000

• Write IOPS: 1500

• Streaming read speed: 3000 MB/s

• Streaming write speed: 1500 MB/s

• Storage space efficiency: 50% (36 TB)

• Fault tolerance: 1 per vdev, 6 total

• Again, we will examine the configuration from a visual perspective:

Each vdev gets a block of data and ZFS writes that data to all of (or in this case, both of) the disks in the mirror. As long as we have at least one functional disk in each vdev, we can retrieve our rainbow. As before, the chain link icons denote the disks are part of a single vdev. This configuration emphasizes performance over raw capacity but doesn’t totally disregard fault tolerance as our striped pool did. It’s a very popular configuration for systems that need a lot of fast I/O. Let’s look at one more example configuration using four 3-way mirrors. We’ll skip the individual vdev performance calculation and go straight to the full pool:

• 4x 3-way mirror:
• Read IOPS: 3000
• Write IOPS: 1000
• Streaming read speed: 3000 MB/s
• Streaming write speed: 400 MB/s
• Storage space efficiency: 33% (24 TB)
• Fault tolerance: 2 per vdev, 8 total

While we have sacrificed some write performance and capacity, the pool is now extremely fault tolerant. This configuration is probably not practical for most applications and it would make more sense to use lower fault tolerance and set up an offsite backup system.
Striped and mirrored vdevs are fantastic for access speed performance, but they either leave you with no redundancy whatsoever or impose at least a 50% penalty on the total usable space of your pool. In the next post, we will cover RAIDZ, which lets you keep data redundancy without sacrificing as much storage space efficiency. We’ll also look at some example workload scenarios and decide which layout would be the best fit for each.

###2FA with ssh on OpenBSD

Five years ago I wrote about using a yubikey on OpenBSD. The only problem with doing this is that there’s no validation server available on OpenBSD, so you need to use a different OTP slot for each machine. (You don’t want to risk a replay attack if someone succeeds in capturing an OTP on one machine, right?) Yubikey has two OTP slots per device, so you would need a yubikey for every two machines with which you’d like to use it. You could use a bastion—and use only one yubikey—but I don’t like the SPOF aspect of a bastion. YMMV.
After I played with TOTP, I wanted to use them as a 2FA for ssh. At the time of writing, we can’t do that using only the tools in base. This article focuses on OpenBSD; if you use another operating system, here are two handy links.

• SEED CONFIGURATION

The first thing we need to do is to install the software which will be used to verify the OTPs we submit.

# pkg_add login_oath

We need to create a secret - aka, the seed - that will be used to calculate the Time-based One-Time Passwords. We should make sure no one can read or change it.

$ openssl rand -hex 20 > ~/.totp-key
$ chmod 400 ~/.totp-key

Now we have a hexadecimal key, but apps usually want a base32 secret. I initially wrote a small script to do the conversion.
While writing this article, I took the opportunity to improve it. When I initially wrote this utility for my use, python-qrcode hadn’t yet been imported to the OpenBSD ports/packages system. It’s easy to install now, so let’s use it.
Here’s the improved version. It will ask for the hex key and output the secret as a base32-encoded string, both with and without spacing so you can copy-paste it into your password manager or easily retype it. It will then ask for the information needed to generate a QR code. Adding our new OTP secret to any mobile app using the QR code will be super easy!

• SYSTEM CONFIGURATION

We can now move to the configuration of the system to put our new TOTP to use. As you might guess, it’s going to be quite close to what we did with the yubikey.
We need to tweak login.conf. Be careful and keep a root shell open at all times. The few times I broke my OpenBSD were because I messed with login.conf without showing enough care.

• SSHD CONFIGURATION

Again, keeping a root shell around decreases the risk of losing access to the system and being locked outside.
A good standard is to use PasswordAuthentication no and to use public key only. Except… have a guess what the P stands for in TOTP. Yes, congrats, you guessed it!
We need to switch to PasswordAuthentication yes. However, if we made this change alone, sshd would then accept a public key OR a password (which are TOTP because of our login.conf). 2FA uses both at the same time.
To inform sshd we intend to use both, we need to set AuthenticationMethods publickey,password. This way, the user trying to login will first need to perform the traditional publickey authentication. Once that’s done, ssh will prompt for a password and the user will need to submit a valid TOTP for the system.
We could do this the other way around, but I think bots could try passwords, wasting resources. Evaluated in this order, failing to provide a public key leads to sshd immediately declining your attempt.

• IMPROVING SECURITY WITHOUT IMPACTING UX

My phone has a long enough password that most of the time, I fail to type it correctly on the first try. Of course, if I had to unlock my phone, launch my TOTP app and use my keyboard to enter what I see on my phone’s screen, I would quickly disable 2FA.
To find a balance, I have whitelisted certain IP addresses and users. If I connect from a particular IP address or as a specific user, I don’t want to go through 2FA. For some users, I might not even enable 2FA.
To sum up, we covered how to create a seed, how to perform a hexadecimal to base32 conversion and how to create a QR code for mobile applications. We configured the login system with login.conf so that ssh authentication uses the TOTP login system, and we told sshd to ask for both the public key and the Time-based One-Time Password. Now you should be all set to use two-factor ssh authentication on OpenBSD!

##News Roundup
###How ZFS maintains file type information in directories

As an aside in yesterday’s history of file type information being available in Unix directories, I mentioned that it was possible for a filesystem to support this even though its Unix didn’t. By supporting it, I mean that the filesystem maintains this information in its on disk format for directories, even though the rest of the kernel will never ask for it. This is what ZFS does.
The easiest way to see that ZFS does this is to use zdb to dump a directory. I’m going to do this on an OmniOS machine, to make it more convincing, and it turns out that this has some interesting results. Since this is OmniOS, we don’t have the convenience of just naming a directory in zdb, so let’s find the root directory of a filesystem, starting from dnode 1 (as seen before).

# zdb -dddd fs3-corestaff-01/h/281 1
Dataset [....]
[...]
microzap: 512 bytes, 4 entries
[...]
ROOT = 3

# zdb -dddd fs3-corestaff-01/h/281 3
Object lvl iblk dblk dsize lsize %full type
3 1 16K 1K 8K 1K 100.00 ZFS directory
[...]
microzap: 1024 bytes, 8 entries

RESTORED = 4396504 (type: Directory)
ckstst = 12017 (type: not specified)
ckstst3 = 25069 (type: Directory)
.demo-file = 5832188 (type: Regular File)
.peergroup = 12590 (type: not specified)
cks = 5 (type: not specified)
cksimap1 = 5247832 (type: Directory)
.diskuse = 12016 (type: not specified)
ckstst2 = 12535 (type: not specified)

This is actually an old filesystem (it dates from Solaris 10 and has been transferred around with ‘zfs send | zfs recv’ since then), but various home directories for real and test users have been created in it over time (you can probably guess which one is the oldest one). Sufficiently old directories and files have no file type information, but more recent ones have this information, including .demo-file, which I made just now so this would have an entry that was a regular file with type information.
Once I dug into it, this turned out to be a change introduced (or activated) in ZFS filesystem version 2, which is described in ‘zfs upgrade -v’ as ‘enhanced directory entries’. As an actual change in (Open)Solaris, it dates from mid 2007, although I’m not sure what Solaris release it made it into. The upshot is that if you made your ZFS filesystem any time in the last decade, you’ll have this file type information in your directories.
How ZFS stores this file type information is interesting and clever, especially when it comes to backwards compatibility. I’ll start by quoting the comment from zfs_znode.h:

/*
* The directory entry has the type (currently unused on
* Solaris) in the top 4 bits, and the object number in
* the low 48 bits. The "middle" 12 bits are unused.
*/

In yesterday’s entry I said that Unix directory entries need to store at least the filename and the inode number of the file. What ZFS is doing here is reusing the 64 bit field used for the ‘inode’ (the ZFS dnode number) to also store the file type, because it knows that object numbers have only a limited range. This also makes old directory entries compatible, by making type 0 (all 4 bits 0) mean ‘not specified’. Since old directory entries only stored the object number and the object number is 48 bits or less, the higher bits are guaranteed to be all zero.
The reason this needed a new ZFS filesystem version is now clear. If you tried to read directory entries with file type information on a version of ZFS that didn’t know about them, the old version would likely see crazy (and non-existent) object numbers and nothing would work. In order to even read a ‘file type in directory entries’ filesystem, you need to know to only look at the low 48 bits of the object number field in directory entries.

###Everything old is new again

Just because KDE4-era software has been deprecated by the KDE-FreeBSD team in the official ports-repository, doesn’t mean we don’t care for it while we still need to. KDE4 was released on January 11th, 2008 — I still have the T-shirt — which was a very different C++ world than what we now live in. Much of the code pre-dates the availability of C11 — certainly the availability of compilers with C11 support. The language has changed a great deal in those ten years since the original release.
The platforms we run KDE code on have, too — FreeBSD 12 is a long way from the FreeBSD 6 or 7 that were current at release (although at the time, I was more into OpenSolaris). In particular, since then the FreeBSD world has switched over to Clang, and FreeBSD current is experimenting with Clang 7. So we’re seeing KDE4-era code being built, and running, on FreeBSD 12 with Clang 7. That’s a platform with a very different idea of what constitutes correct code, than what the code was originally written for. (Not quite as big a difference as Helio’s KDE1 efforts, though)
So, while we’re counting down to removing KDE4 from the FreeBSD ports tree, we’re also going through and fixing it to work with Clang 7, which defaults to a newer C++ standard and which is quite picky about some things. Some time in the distant past, when pointers were integers and NULL was zero, there was some confusion about booleans. So there’s lots of code that does list.contains(element) > 0 … this must have been a trick before booleans were a supported type in all our compilers. In any case it breaks with Clang 7, since contains() returns a QBool which converts to a nullptr (when false) which isn’t comparable to the integer 0. Suffice to say I’ve spent more time reading KDE4-era code this month, than in the past two years.
However, work is proceeding apace, so if you really really want to, you can still get your old-school kicks on a new platform. Because we care about packaging things right, even when we want to get rid of it.

###OpenBSD netcat demystified

Owing to its versatile functionalities, netcat earns the reputation as “TCP/IP Swiss army knife”. For example, you can create a simple chat app using netcat:

• (1) Open a terminal and input following command:

# nc -l 3003

This means a netcat process will listen on 3003 port in this machine (the IP address of current machine is 192.168.35.176).

• (2) Connect aforemontioned netcat process in another machine, and send a greeting:

# nc 192.168.35.176 3003
hello

Then in the first machine’s terminal, you will see the “hello” text:

# nc -l 3003
hello

A primitive chatroom is built successfully. Very cool! Isn’t it? I think many people can’t wait to explore more features of netcatnow. If you are among them, congratulations! This tutorial may be the correct place for you.
In the following parts, I will delve into OpenBSD’s netcatcode to give a detailed anatomy of it. The reason of picking OpenBSD’s netcat rather than others’ is because its code repository is small (~2000 lines of code) and neat. Furthermore, I also hope this little book can assist you learn more socket programming knowledge not just grasping usage of netcat.
We’re all set. Let’s go!

##Beastie Bits

• What’s in store for NetBSD 9.0
• NetBSD machines at Open Source Conference 2018 Hiroshima
• nmctl adapted with limited privileges: nmctl-0.6.0
• Submit Your Work: Check out SCALE 17x and FOSDEM ’19 CFPs
• OpenBSD 6.4 site is up! (with a partial list of new features)
• Using Alpine to Read Your Email on OpenBSD

##Feedback/Questions

• Morgan - Send/Receive to Manage Fragmentation?
• Ryan - ZFS and mmap
• Marcus - Linux Compat
• Ben - Multiple Pools

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

##Headlines
##Interview - Michael W. Lucas - mwlucas@michaelwlucas.com / @mwlauthor

• BR: [Welcome Back]
• AJ: What have you been doing since last we talked to you [ed, ssh, and af3e]
• BR: Tell us more about AF3e
• AJ: How did the first Absolute FreeBSD come about?
• BR: Do you have anything special planned for MeetBSD?
• AJ: What are you working on now? [FM:Jails, Git sync Murder]
• BR: What are your plans for next year?
• AJ: How has SEMIBug been going?

Auction at https://mwl.io
Patreon Link:

##Feedback/Questions

• Paul - Recent bhyve related videos (daemon)
• Michael - freebsd-update question
• Sigflup - pkg file search

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

This episode was brought to you by

Headlines

Strange timer bug in FreeBSD 11

• Peter Wemm wrote in to the FreeBSD -CURRENT mailing list with an interesting observation
• Running the latest development code in the infrastructure, the clock would stop keeping time after 24 days of uptime
• This meant things like cron and sleep would break, TCP/IP wouldn't time out or resend packets, a lot of things would break
• A workaround until it was fixed was to reboot every 24 days, but this is BSD we're talking about - uptime is our game
• An initial proposal was adding a CFLAG to the build options which makes makes signed arithmetic wrap
• Peter disagreed and gave some background, offering a different patch to fix the issue and detect it early if it happens again
• Ultimately, the problem was traced back to an issue with a recent clang import
• It only affected -CURRENT, not -RELEASE or -STABLE, but was definitely a bizarre bug to track down ***

An OpenBSD mail server

• There's been a recent influx of blog posts about building a BSD mail server for some reason
• In this fancy series of posts, the author sets up OpenSMTPD in its native OpenBSD home, whereas previous posts have been aimed at FreeBSD and Linux
• In addition to the usual steps, this one also covers DKIMproxy, ClamAV for scanning attachments, Dovecot for IMAP and also multiple choices of spam filtering: spamd or SpamAssassin
• It also shows you how to set up Roundcube for building a web interface, using the new in-base httpd
• That means this is more of a "complete solution" - right down to what the end users see
• The series is split up into categories so it's very easy to follow along step-by-step ***

How DragonFlyBSD uses git

• DragonFlyBSD, along with PCBSD and EdgeBSD, uses git as its version control system for the system source code
• In a series of posts, Matthew Dillon (the project lead) details their internal setup
• They're using vanilla git over ssh, with the developers' accounts set to git-only (no shell access)
• The maintainers of the server are the only ones with shell access available
• He also details how a cron job syncs from the master to a public box that anyone can check out code from
• It would be interesting to hear about how other BSD projects manage their master source repository ***

Why not try PCBSD?

• ITwire, another more mainstream tech site, published a recent article about switching to PCBSD
• They interview a guy named Kris that we've never heard of before
• In the article, they touch on how easy it can potentially be for Linux users looking to switch over to the BSD side - lots of applications are exactly the same
• "With the growing adoption of systemd, dissatisfaction with Linux has reached proportions not seen in recent years, to the extent that people have started talking of switching to FreeBSD."
• If you have some friends who complain to you about systemd all the time, this might be a good article to show them ***

Interview - Henning Brauer - henning@openbsd.org / @henningbrauer

OpenNTPD and its portable variant

News Roundup

Authenticated time in OpenNTPD

• We recorded that interview with Henning just a few days ago, and it looks like part of it may be outdated already
• While at the hackathon, some developers came up with an alternate way to get authenticated NTP responses
• You can now add an HTTPS URL to your ntpd.conf in addition to the time server pool
• OpenNTPD will query it (over TLS, with CA verification) and look at the date sent in the HTTPS header
• It's not intended to be a direct time source, just a constraint to keep things within reason
• If you receive regular NTP packets that are way off from the TLS packet, those will be discarded and the server(s) marked as invalid
• Henning and Theo also weigh in to give some of the backstory on the idea
• Lots more detail can be found in Reyk's email explaining the new feature (and it's optional of course) ***

NetBSD at Open Source Conference 2015 Oita and Hamanako

• It's been a while since we've featured one of these trip reports, but the Japanese NetBSD users group is still doing them
• This time the conferences were in Oita and Hamanako, Japan
• Machines running NetBSD included the CubieBoard2 Allwinner A20, Raspberry Pi and Banana Pi, Sharp NetWalker and a couple Zaurus devices
• As always, they took lots of pictures from the event of NetBSD on all these weird machines ***

Poudriere in a jail

• A common question we get about our poudriere tutorial is "how do I run it in a jail?" - this blog post is about exactly that
• It takes you through the networking setup, zpool setup, nginx setup, making the jail and finally poking the right holes in the jail to allow poudriere to work its magic ***

Bruteblock, another way to stop bruteforce

• We've mentioned a few different ways to stop ssh bruteforce attempts in the past: fail2ban, denyhosts, or even just with pf's built-in rate limiting
• Bruteblock is a similar tool, but it's not just for ssh logins - it can do a number of other services
• It can also work directly with IPFW, which is a plus if you're using that as your firewall
• Add a few lines to your syslog.conf and bruteblock will get executed automatically
• The rest of the article takes you through the different settings you can configure for blocking ***

New iwm(4) driver and cross-polination

• The OpenBSD guys recently imported a new "iwm" driver for newer Intel 7260 wireless cards (commonly found in Thinkpads)
• NetBSD wasted no time in porting it over, giving a bit of interesting backstory
• According to Antti Kantee, "it was created for OpenBSD by writing and porting a NetBSD driver which was developed in a rump kernel in Linux userspace"
• Both projects would appreciate further testing if you have the hardware and can provide useful bug reports
• Maybe FreeBSD and DragonFly will port it over too, or come up with something that's partially based on the code ***

PCBSD current images

• The first PCBSD -CURRENT images should be available this weekend
• This image will be tagged 11.0-CURRENTFEB2015, with planned monthly updates
• For the more adventurous this will allow testing both FreeBSD and PCBSD bleeding edge ***

Feedback/Questions

• Antonio writes in
• Richard writes in
• Charlie writes in
• Ben writes in ***

Mailing List Gold

• A systematic effort
• GCC's lunch
• Hopes and dreams ***

Discussion

Comparison of ways to securely tunnel your traffic

• OpenVPN, OpenBSD IKED, FreeBSD IPSEC, OpenSSH, Tor ***

This episode was brought to you by

Headlines

Key rotation in OpenSSH 6.8

• Damien Miller posted a new blog entry about one of the features in the upcoming OpenSSH 6.8
• Times changes, key types change, problems are found with old algorithms and we switch to new ones
• In OpenSSH (and the SSH protocol) however, there hasn't been an easy way to rotate host keys... until now
• With this change, when you connect to a server, it will log all the server's public keys in your known_hosts file, instead of just the first one used during the key exchange
• Keys that are in your known_hosts file but not on the server will get automatically removed
• This fixes the problem of old servers still authenticating with ancient DSA or small RSA keys, as well as providing a way for the server to rotate keys every so often
• There are some instructions in the blog post for how you'll be able to rotate host keys and eventually phase out the older ones - it's really simple
• There are a lot of big changes coming in OpenSSH 6.8, so we'll be sure to cover them all when it's released ***

NetBSD Banana Pi images

• We've talked about the Banana Pi a bit before - it's a small ARM board that's comparable to the popular Raspberry Pi
• Some NetBSD -current images were posted on the mailing list, so now you can get some BSD action on one of these little devices
• There are even a set of prebuilt pkgsrc packages, so you won't have to compile everything initially
• The email includes some steps to get everything working and an overview of what comes with the image
• Also check the wiki page for some related boards and further instructions on getting set up
• On a related note, NetBSD also recently got GPU acceleration working for the Raspberry Pi (which is a first for their ARM port) ***

LibreSSL shirts and other BSD goodies

• If you've been keeping up with the LibreSSL saga and want a shirt to show your support, they're finally available to buy online
• There are two versions, either "keep calm and use LibreSSL" or the slightly more snarky "keep calm and abandon OpenSSL"
• While on the topic, we thought it would be good to make people aware of shirts for other BSD projects too
• You can get some FreeBSD, PCBSD and FreeNAS stuff from the FreeBSD mall site
• OpenBSD recently launched their new store, but the selection is still a bit limited right now
• NetBSD has a couple places where you can buy shirts and other apparel with the flag logo on it
• We couldn't find any DragonFlyBSD shirts unfortunately, which is a shame since their logo is pretty cool
• Profits from the sale of the gear go back to the projects, so pick up some swag and support your BSD of choice (and of course wear them at any Linux events you happen to go to) ***

OPNsense 15.1.4 released

• The OPNsense guys have been hard at work since we spoke to them, fixing lots of bugs and keeping everything up to date
• A number of versions have come out since then, with 15.1.4 being the latest (assuming they haven't updated it again by the time this airs)
• This version includes the latest round of FreeBSD kernel security patches, as well as minor SSL and GUI fixes
• They're doing a great job of getting upstream fixes pushed out to users quickly, a very welcome change
• A developer has also posted an interesting write-up titled "Development Workflow in OPNsense"
• If any of our listeners are trying OPNsense as their gateway firewall, let us know how you like it ***

Interview - Ed Maste - board@freebsdfoundation.org

The FreeBSD foundation's activities

News Roundup

Rolling with OpenBSD snapshots

• One of the cool things about the -current branch of OpenBSD is that it doesn't require any compiling
• There are signed binary snapshots being continuously re-rolled and posted on the FTP sites for every architecture
• This provides an easy method to get onboard with the latest features, and you can also easily upgrade between them without reformatting or rebuilding
• This blog post will walk you through the process of using snapshots to stay on the bleeding edge of OpenBSD goodness
• After using -current for seven weeks, the author comes to the conclusion that it's not as unstable as people might think
• He's now helping test out patches and new ports since he's running the same code as the developers ***

Signing pkgsrc packages

• As of the time this show airs, the official pkgsrc packages aren't cryptographically signed
• Someone from Joyent has been working on that, since they'd like to sign their pkgsrc packages for SmartOS
• Using GNUPG pulled in a lot of dependencies, and they're trying to keep the bootstrapping process minimal
• Instead, they're using netpgpverify, a fork of NetBSD's netpgp utility
• Maybe someday this will become the official way to sign packages in NetBSD? ***

FreeBSD support model changes

• Starting with 11.0-RELEASE, which won't be for a few months probably, FreeBSD releases are going to have a different support model
• The plan is to move "from a point release-based support model to a set of releases from a branch with a guaranteed support lifetime"
• There will now be a five-year lifespan for each major release, regardless of how many minor point releases it gets
• This new model should reduce the turnaround time for errata and security patches, since there will be a lot less work involved to build and verify them
• Lots more detail can be found in the mailing list post, including some important changes to the -STABLE branch, so give it a read ***

OpenSMTPD, Dovecot and SpamAssassin

• We've been talking about setting up your own BSD-based mail server on the last couple episodes
• Here we have another post from a user setting up OpenSMTPD, including Dovecot for IMAP and SpamAssassin for spam filtering
• A lot of people regularly ask the developers how to combine OpenSMTPD with spam filtering, and this post should finally reveal the dark secrets
• In addition, it also covers SSL certificates, PKI and setting up MX records - some things that previous posts have lacked
• Just be sure to replace those "apt-get" commands and "eth0" interface names with something a bit more sane…
• In related news, OpenSMTPD has got some interesting new features coming soon
• They're also planning to switch to LibreSSL by default for the portable version ***

FreeBSD 10 on the Thinkpad T400

• BSD laptop articles are becoming popular it seems - this one is about FreeBSD on a T400
• Like most of the ones we've mentioned before, it shows you how to get a BSD desktop set up with all the little tweaks you might not think to do
• This one differs in that it takes a more minimal approach to graphics: instead of a full-featured environment like XFCE or KDE, it uses the i3 tiling window manager
• If you're a commandline junkie that basically just uses X11 to run more than one terminal at once, this might be an ideal setup for you
• The post also includes some bits about the DRM and KMS in the 10.x branch, as well as vt ***

PC-BSD 10.1.1 Released

• Automatic background updater now in
• Shiny new Qt5 utils
• OVA files for VM’s
• Full disk encryption with GELI v7 ***

Feedback/Questions

• Camio writes in
• Sha'ul writes in
• John writes in
• Sean writes in (TJ's lengthy reply)
• Christopher writes in ***

Mailing List Gold

• Special Instructions
• Pretending to be a VT220 ***

This episode was brought to you by

Interview - Peter Wemm - peter@freebsd.org / @karinjiri

The FreeBSD web cluster and infrastructure

Feedback/Questions

• Todd writes in
• Brandon writes in ***

This episode was brought to you by

Headlines

FreeBSD foundation August update

• The foundation has published a new PDF detailing some of their recent activities
• It includes project development updates, the 10.1-RELEASE schedule and some of its new features
• There is also a short interview with Dru Lavigne in the "voices from the community" section
• If you're into hardware, there's another section about some new FreeBSD server equipment
• In closing, there's an update on funding too ***

NSD for an authoritative nameserver

• With BIND having been removed from FreeBSD 10.0, you might be looking to replace your old DNS setup
• This article shows how to use NSD for an authoritative DNS nameserver
• It's also got a link to a similar article on Unbound, the new favorite recursive and caching resolver (they work great together)
• All the instructions are presented very neatly, with all the little details included
• Less BIND means less vulnerabilities, everybody's happy ***

BIND and Nginx removed from OpenBSD

• While we're on the topic of DNS servers, BIND was finally removed from OpenBSD as well
• The base system contains both NSD and Unbound, so users can transition over between 5.6 (November of this year) and 5.7 (May of next year)
• They've also removed nginx from the base system, in favor of the new custom HTTP daemon
• BIND and Nginx are still available in ports if you don't want to switch
• We're hoping to have Reyk Floeter on the show next week to talk about it, but scheduling might not work out, so it may be a little later on
• With Apache gone in the upcoming 5.6, It's also likely that sendmail will be removed before 5.7 - hooray for modern alternatives ***

NetBSD demo videos

• A Japanese NetBSD developer has been uploading lots of interesting videos
• Unsurprisingly, they're all featuring NetBSD running on exotic and weird hardware
• Most of them are demoing sound or running a modern Twitter client on an ancient computer
• They're from the same guy that did the conference wrap-up we mentioned recently ***

Interview - Shawn Webb - shawn.webb@hardenedbsd.org / @lattera

Address space layout randomization in FreeBSD

Tutorial

Reverse SSH tunneling

News Roundup

Puppet master-agent installation on FreeBSD

• If you've got a lot of BSD boxes under your control, or if you're just lazy, you've probably looked into Puppet before
• The author claims a lack of BSD-specific Puppet documentation, so he decided to write up some notes of his own
• He goes through some advantages of using this type of tool for deployments, even when you don't have a huge number of systems
• The rest of the post explains how to set up both the master and the agent configurations ***

Misc. pfSense items

• We found a few miscellaneous pfSense articles this past week
• The first one is about the hunt for the "ultimate" free open source firewall, where pfSense is obviously a strong contender
• The second one shows how to log NAT firewall states (a good way to find out which family member has been torrenting!)
• In the third, you can see how to automatically back up your configuration files
• The fourth item shows how to set up PXE booting with pfSense, similar to one of our tutorials ***

Time Machine backups on ZFS

• If you've got a Mac you need to keep backed up, a FreeBSD server with ZFS can take the place of an expensive "time capsule"
• This post walks you through setting up netatalk and mDNS for a very versatile Time Machine backup system
• With a single command on the OS X side, you can write to and read from the BSD box just like a regular external drive
• Surprisingly simple to do, recommended for anyone with Macs on their network ***

Lumina desktop preview

• Lumina, the BSD-exclusive desktop environment, seems to be coming along nicely
• The main developer has posted an update on the PCBSD blog with some screenshots
• Lots of new features have been added, many of which are documented in the post
• There just might be a BSD Now episode about Lumina coming up.. (cough cough) ***

Feedback/Questions

• Gary writes in
• Cedric writes in
• Caldwell writes in
• Cary writes in ***

This episode was brought to you by

Headlines

MeetBSD 2014 is approaching

• The MeetBSD conference is coming up, and will be held on November 1st and 2nd in San Jose, California
• MeetBSD has an "unconference" format, which means there will be both planned talks and community events
• All the extra details will be on their site soon
• It also has hotels and various other bits of useful information - hopefully with more info on the talks to come
• Of course, EuroBSDCon is coming up before then ***

First experiences with OpenBSD

• A new blog post that leads off with "tired of the sluggishness of Windows on my laptop and interested in experimenting with a Unix-like that I haven't tried before"
• The author read the famous "BSD for Linux users" series (that most of us have surely seen) and decided to give BSD a try
• He details his different OS and distro history, concluding with how he "eventually became annoyed at the poor quality of Linux userland software"
• From there, it talks about how he used the OpenBSD USB image and got a fully-working system
• He especially liked the simplicity of OpenBSD's "hostname.if" system for network configuration
• Finally, he gets Xorg working and imports all his usual configuration files - seems to be a happy new user! ***

NetBSD rump kernels on bare metal (and Kansai OSC report)

• When you're developing a new OS or a very specialized custom solution, working drivers become one of the hardest things to get right
• However, NetBSD's rump kernels - a very unique concept - make this process a lot easier
• This blog post talks about the process of starting with just a rump kernel and expanding into an internet-ready system in just a week
• Also have a look back at episode 8 for our interview about rump kernels and what exactly they do
• While on the topic of NetBSD, there were also a couple of very detailed reports (with lots of pictures!) of the various NetBSD-themed booths at the 2014 Kansai Open Source Conference that we wanted to highlight ***

OpenSSL and LibreSSL updates

• OpenSSL pushed out a few new versions, fixing multiple vulnerabilities (nine to be precise!)
• Security concerns include leaking memory, possible denial of service, crashing clients, memory exhaustion, TLS downgrades and more
• LibreSSL released a new version to address most of the vulnerabilities, but wasn't affected by some of them
• Whichever version of whatever SSL you use, make sure it's patched for these issues
• DragonFly and OpenBSD are patched as of the time of this recording but, even after a week, NetBSD and FreeBSD are not (outside of -CURRENT) ***

Interview - Robert Watson - rwatson@freebsd.org

FreeBSD architecture, security research techniques, exploit mitigation

Tutorial

Protecting traffic with a BSD-based VPN

News Roundup

A FreeBSD-based CGit server

• If you use git (like a certain host of this show) then you've probably considered setting up your own server
• This article takes you through the process of setting up a jailed git server, complete with a fancy web frontend
• It even shows you how to set up multiple repos with key-based user separation and other cool things
• The author of the post is also a listener of the show, thanks for sending it in! ***

Backup devices for small businesses

• In this article, different methods of data storage and backup are compared
• After weighing the various options, the author comes to an obvious conclusion: FreeNAS is the answer
• He praises FreeNAS and the FreeNAS Mini for their tight integration, rock solid FreeBSD base and the great ZFS featureset that it offers
• It also goes over some of the hardware specifics in the FreeNAS Mini ***

A new Xenocara interview

• As a follow up to last week's OpenSMTPD interview, this Russian blog interviews Matthieu Herrb about Xenocara
• If you're not familiar with Xenocara, it's OpenBSD's version of Xorg with some custom patches
• In this interview, he discusses how large and complex the upstream X11 development is, how different components are worked on by different people, how they test code (including a new framework) and security auditing
• Matthieu is both a developer of upstream Xorg and an OpenBSD developer, so it's natural for him to do a lot of the maintainership work there ***

Building a high performance FreeBSD samba server

• If you've got to PXE boot several hundred Windows boxes to upgrade from XP to 7, what's the best solution?
• FreeBSD, ZFS and Samba obviously!
• The master image and related files clock in at over 20GB, and will be accessed at the same time by all of those clients
• This article documents that process, highlighting some specific configuration tweaks to maximize performance (including NIC bonding)
• It doesn't even require the newest or best hardware with the right changes, pretty cool ***

Feedback/Questions

• An interesting Reddit thread (or two)
• PB writes in
• Sean writes in
• Steve writes in
• Lachlan writes in
• Justin writes in ***

This episode was brought to you by

Headlines

EuroBSDCon 2014 registration open

• September is getting closer, and that means it's time for EuroBSDCon - held in Bulgaria this year
• Registration is finally open to the public, with prices for businesses ($287), individuals ($217) and students ($82) for the main conference until August 18th
• Tutorials, sessions, dev summits and everything else all have their own pricing as well
• Registering between August 18th - September 12th will cost more for everything
• You can register online here and check hotels in the area
• The FreeBSD foundation is also accepting applications for travel grants ***

OpenBSD SMP PF update

• A couple weeks ago we talked about how DragonflyBSD updated their PF to be multithreaded
• With them joining the SMP ranks along with FreeBSD, a lot of users have been asking about when OpenBSD is going to make the jump
• In a recent mailing list thread, Henning Brauer addresses some of the concerns
• The short version is that too many things in OpenBSD are currently single-threaded for it to matter - just reworking PF by itself would be useless
• He also says PF on OpenBSD is over four times faster than FreeBSD's old version, presumably due to those extra years of development it's gone through
• There's also been even more recent concern about the uncertain future of FreeBSD's PF, being mostly unmaintained since their SMP patches
• We reached out to four developers (over week ago) about coming on the show to talk about OpenBSD network performance and SMP, but they all ignored us ***

Introduction to NetBSD pkgsrc

• An article from one of our listeners about how to create a new pkgsrc port or fix one that you need
• The post starts off with how to get the pkgsrc tree, shows how to get the developer tools and finally goes through the Makefile format
• It also lists all the different bmake targets and their functions in relation to the porting process
• Finally, the post details the whole process of creating a new port ***

FreeBSD 9.3-RELEASE

• After three RCs, FreeBSD 9.3 was scheduled to be finalized and announced today but actually came out yesterday
• The full list of changes is available, but it's mostly a smaller maintenance release
• Lots of driver updates, ZFS issues fixed, hardware RNGs are entirely disabled by default, netmap framework updates, read-only ext4 support was added, the vt driver was merged from -CURRENT, new hardware support (including radeon KMS), various userland tools got new features, OpenSSL and OpenSSH were updated... and much more
• If you haven't jumped to the 10.x branch yet (and there are a lot of people who haven't!) this is a worthwhile upgrade - 9.2-RELEASE will reach EOL soon
• Good news, this will be the first release with PGP-signed checksums on the FTP mirrors - a very welcome change
• With that out of the way, the 10.1-RELEASE schedule was posted ***

Interview - Bryan Drewery - bdrewery@freebsd.org / @bdrewery

The FreeBSD package building cluster, pkgng, ports, various topics

Tutorial

Tunneling traffic through DNS

News Roundup

SSH two-factor authentication on FreeBSD

• We've previously mentioned stories on how to do two-factor authentication with a Yubikey or via a third party website
• This blog post tells you how to do exactly that, but with your Google account and the pam_google_authenticator port
• Using this setup, every user that logs in with a password will have an extra requirement before they can gain access - but users with public keys can login normally
• It's a really, really simple process once you have the port installed - full details on the page ***

Ditch tape backup in favor of FreeNAS

• The author of this post shares some of his horrible experiences with tape backups for a client
• Having constant, daily errors and failed backups, he needed to find another solution
• With 1TB of backups, tapes just weren't a good option anymore - so he switched to FreeNAS (after also ruling out a pre-built NAS)
• The rest of the article details his experiences with it and tells about his setup ***

NetBSD vs FreeBSD, desktop experiences

• A NetBSD and pkgsrc developer details his experiences running NetBSD on a workstation at his job
• Becoming more and more disappointed with graphics performance, he finally decides to give FreeBSD 10 a try - especially since it has a native nVidia driver
• "Running on VAX, PlayStation 2 and Amiga is fun, but I’ll tell you a little secret: nobody cares anymore about VAX, PlayStation 2 and Amiga."
• He's become pretty satisfied with FreeBSD, a modern choice for a 2014 desktop system ***

PCBSD not-so-weekly digest

• Speaking of choices for a desktop system, it's the return of the PCBSD digest!
• Warden and PBI_add have gotten some interesting new features
• You can now create jails "on the fly" when adding a new PBI to your application library
• Bulk jail creation is also possible now, and it's really easy
• New Jenkins integration, with public access to poudriere logs as well
• PkgNG 1.3.0.rc2 testing for EDGE users ***

Feedback/Questions

• Jeff writes in - Sending Encrypted Backups over SSH + Sending ZFS snapshots via user
• Bruce writes in
• Richard writes in
• Jeff writes in - NYCBUG dmesg list
• Steve writes in ***

This episode was brought to you by

Headlines

PIE and ASLR in FreeBSD update

• A status update for Shawn Webb's ASLR and PIE work for FreeBSD
• One major part of the code, position-independent executable support, has finally been merged into the -CURRENT tree
• "FreeBSD has supported loading PIEs for a while now, but the applications in base weren't compiled as PIEs. Given that ASLR is useless without PIE, getting base compiled with PIE support is a mandatory first step in proper ASLR support"
• If you're running -CURRENT, just add "WITH_PIE=1" to your /etc/src.conf and /etc/make.conf
• The next step is working on the ASLR coding style and getting more developers to look through it
• Shawn will also be at EuroBSDCon (in September) giving an updated version of his BSDCan talk about ASLR ***

Misc. pfSense news

• Couple of pfSense news items this week, including some hardware news
• Someone's gotta test the pfSense hardware devices before they're sold, which involves powering them all on at least once
• To make that process faster, they're building a controllable power board (and include some cool pics)
• There will be more info on that device a bit later on
• On Friday, June 27th, there will be another video session (for paying customers only...) about virtualized firewalls
• pfSense University, a new paid training course, was also announced
• A single two-day class costs $2000, ouch ***

ZFS stripe width

• A new blog post from Matt Ahrens about ZFS stripe width
• "The popularity of OpenZFS has spawned a great community of users, sysadmins, architects and developers, contributing a wealth of advice, tips and tricks, and rules of thumb on how to configure ZFS. In general, this is a great aspect of the ZFS community, but I’d like to take the opportunity to address one piece of misinformed advice"
• Matt goes through different situations where you would set up your zpool differently, each with their own advantages and disadvantages
• He covers best performance on random IOPS, best reliability, and best space efficiency use cases
• It includes a lot of detail on each one, including graphs, and addresses some misconceptions about different RAID-Z levels' overhead factor ***

FreeBSD 9.3-BETA3 released

• The third BETA in the 9.3 release cycle is out, we're slowly getting closer to the release
• This is expected to be the final BETA, next will come the RCs
• There have mostly just been small bug fixes since BETA2, but OpenSSL was also updated and the arc4random code was updated to match what's in -CURRENT (but still isn't using ChaCha20)
• The FreeBSD foundation has a blog post about it too
• There's a list of changes between 9.2 and 9.3 as well, but we'll be sure to cover it when the -RELEASE hits ***

Interview - Bryce Chidester - brycec@devio.us / @brycied00d

Running a BSD shell provider

Tutorial

Chaining SSH connections

News Roundup

My FreeBSD adventure

• A Slackware user from the "linux questions" forum decides to try out BSD, and documents his initial impressions and findings
• After ruling out PCBSD due to the demanding hardware requirements and NetBSD due to "politics" (whatever that means, his words) he decides to start off with FreeBSD 10, but also mentions trying OpenBSD later on
• In his forum post, he covers the documentation (and how easy it makes it for a switcher), dual booting, packages vs ports, network configuration and some other little things
• So far, he seems to really enjoy BSD and thinks that it makes a lot of sense compared to Linux
• Might be an interesting, ongoing series we can follow up on later ***

Even more BSDCan trip reports

• BSDCan may be over until next year, but trip reports are still pouring in
• This time we have a summary from Li-Wen Hsu, who was paid for by the FreeBSD foundation
• He's part of the "Jenkins CI for FreeBSD" group and went to BSDCan mostly for that
• Nice long post about all of his experiences at the event, definitely worth a read
• He even talks about... the food ***

FreeBSD disk partitioning

• For his latest book series on FreeBSD's GEOM system, MWL asked the hackers mailing list for some clarification
• This erupted into a very long discussion about fdisk vs gnop vs gpart
• So you don't have to read the 500 mailing list posts, he's summarized the findings in a blog post
• It covers MBR vs GPT, disk sector sizes and how to handle all of them with which tools ***

BSD Router Project version 1.51

• A new version of the BSD Router Project has been released, 1.51
• It's now based on FreeBSD 10-STABLE instead of 10.0-RELEASE
• Includes lots of bugfixes and small updates, as well as some patches from pfSense and elsewhere
• Check the sourceforge page for the complete list of changes
• Bad news... the minimum disk size requirement has increased to 512MB... getting pretty bloated ***

Feedback/Questions

• Fongaboo writes in
• David writes in
• Kristian writes in ***

This episode was brought to you by

Headlines

BSDCan 2014 talks and reports

• The majority of the BSDCan talks are finally uploaded, so prepare to be flooded with links
• Karl Lehenbauer's keynote (he's on next week's episode)
• Mariusz Zaborski and Pawel Jakub Dawidek, Capsicum and Casper (relevant to today's interview)
• Luigi Rizzo, In-kernel OpenvSwitch on FreeBSD
• Dwayne Hart, Migrating from Linux to FreeBSD for Backend Data Storage
• Warner Losh, NAND Flash and FreeBSD
• Simon Gerraty, FreeBSD bmake and Meta Mode
• Bob Beck, LibreSSL - The First 30 Days
• Henning Brauer, OpenBGPD Turns 10 Years Old
• Arun Thomas, BSD ARM Kernel Internals
• Peter Hessler, Using BGP for Realtime Spam Lists
• Pedro Giffuni, Features and Status of FreeBSD's Ext2 Implementation
• Matt Ahrens, OpenZFS Upcoming Features and Performance Enhancements
• Daichi Goto, Shellscripts and Commands
• Benno Rice, Keeping Current
• Sean Bruno, MIPS Router Hacking
• John-Mark Gurney, Optimizing GELI Performance
• Patrick Kelsey, Userspace Networking with libuinet
• Massimiliano Stucchi, IPv6 Transitioning Mechanisms
• Roger Pau Monné, Taking the Red Pill
• Shawn Webb, Introducing ASLR in FreeBSD
• There's also a trip report from Peter Hessler and one from Julio Merino
• The latter report also talks about how, unfortunately, NetBSD basically had no presence in the event at all (and how that's a recurring trend) ***

Defend your network and privacy with a VPN and OpenBSD

• After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
• This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
• There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
• You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems - this could also be used with Tor (but it would be very slow)
• It also includes a few general privacy tips, recommended browser extensions, etc
• The intro to the article is especially great, so give the whole thing a read
• He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you're watching! ***

You should try FreeBSD

• In this blog post, the author talks a bit about how some Linux people aren't familiar with the BSDs and how we can take steps to change that
• He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
• Possibly the most useful part is how to address the question "my server already works, why bother switching?"
• "Stackoverflow’s answers assume I have apt-get installed"
• It includes mention of the great documentation, stability, ports, improved security and much more
• A takeaway quote for would-be Linux switchers: "I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before" ***

OpenBSD and the little Mauritian contributor

• This is a story about a guy from Mauritius named Logan, one of OpenBSD's newest developers
• Back in 2010, he started sending in patched for OpenBSD's "mg" editor, among other small things, and eventually added file transfer resume support for SFTP
• The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
• It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
• Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back ***

Interview - Jon Anderson - jonathan@freebsd.org

Capsicum and Casperd

Tutorial

Encrypting DNS lookups

News Roundup

FreeBSD Journal, May 2014 issue

• The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
• This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
• Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read ***

LibreSSL porting update

• Since the last LibreSSL post we covered, a couple unofficial "portable" versions have died off
• Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly - stop doing that!
• This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
• Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good ***

BSDMag May 2014 issue is out

• The usual monthly release from BSDMag, covering a variety of subjects
• This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
• It's a free PDF, go grab it ***

BSDTalk episode 241

• A new episode of BSDTalk is out, this time with Bob Beck
• He talks about the OpenBSD foundation's recent activities, his own work in the project, some stories about the hardware in Theo's basement and a lot more
• The interview itself isn't about LibreSSL at all, but they do touch on it a bit too
• Really interesting stuff, covers a lot of different topics in a short amount of time ***

Feedback/Questions

• We got a number of replies about last week's VPN question, so thanks to everyone who sent in an email about it - the vpnc package seems to be what we were looking for
• Tim writes in
• AJ writes in
• Peter writes in
• Thomas writes in
• Martin writes in ***

This episode was brought to you by

Headlines

FreeBSD 11 goals and discussion

• Something that actually happened at BSDCan this year...
• During the FreeBSD devsummit, there was some discussion about what changes will be made in 11.0-RELEASE
• Some of MWL's notes include: the test suite will be merged to 10-STABLE, more work on the MIPS platforms, LLDB getting more attention, UEFI boot and install support
• A large list of possibilities was also included and open for discussion, including AES-GCM in IPSEC, ASLR, OpenMP, ICC, in-place kernel upgrades, Capsicum improvements, TCP performance improvements and A LOT more
• There's also some notes from the devsummit virtualization session, mostly talking about bhyve
• Lastly, he also provides some notes about ports and packages and where they're going ***

An SSH honeypot with OpenBSD and Kippo

• Everyone loves messing with script kiddies, right?
• This blog post introduces Kippo, an SSH honeypot tool, and how to use it in combination with OpenBSD
• It includes a step by step (or rather, command by command) guide and some tips for running a honeypot securely
• You can use this to get new 0day exploits or find weaknesses in your systems
• OpenBSD makes a great companion for security testing tools like this with all its exploit mitigation techniques that protect all running applications ***

NetBSD foundation financial report

• The NetBSD foundation has posted their 2013 financial report
• It's a very "no nonsense" page, pretty much only the hard numbers
• In 2013, they got $26,000 of income in donations
• The rest of the page shows all the details, how they spent it on hardware, consulting, conference fees, legal costs and everything else
• Be sure to donate to whichever BSDs you like and use! ***

Building a fully-encrypted NAS with OpenBSD

• Usually the popular choice for a NAS system is FreeNAS, or plain FreeBSD if you know what you're doing
• This article takes a look at the OpenBSD side and explains how to build a NAS with security in mind
• The NAS will be fully encrypted, no separate /boot partition like FreeBSD and FreeNAS require - this means the kernel itself is even protected
• The obvious trade-off is the lack of ZFS support for storage, but this is an interesting idea that would fit most people's needs too
• There's also a bit of background information on NAS systems in general, some NAS-specific security tips and even some nice graphs and pictures of the hardware - fantastic write up! ***

Interview - Brian Callahan & Aaron Bieber - admin@lists.nycbug.org & admin@cobug.org

Forming a local BSD Users Group

Tutorial

The basics of pkgsrc

News Roundup

FreeBSD periodic mails vs. monitoring

• If you've ever been an admin for a lot of FreeBSD boxes, you've probably noticed that you get a lot of email
• This page tells about all the different alert emails, cron emails and other reports you might end up getting, as well as how to manage them
• From bad SSH logins to Zabbix alerts, it all adds up quickly
• It highlights the periodic.conf file and FreeBSD's periodic daemon, as well as some third party monitoring tools you can use to keep track of your servers ***

Doing cool stuff with OpenBSD routing domains

• A blog post from our viewer and regular emailer, Kjell-Aleksander!
• He manages some internally-routed IP ranges at his work, but didn't want to have equipment for each separate project
• This is where OpenBSD routing domains and pf come in to save the day
• The blog post goes through the process with all the network details you could ever dream of
• He even named his networking equipment... after us ***

LibreSSL, the good and the bad

• We're all probably familiar with OpenBSD's fork of OpenSSL at this point
• However, "for those of you that don't know it, OpenSSL is at the same time the best and most popular SSL/TLS library available, and utter junk"
• This article talks about some of the cryptographic development challenges involved with maintaining such a massive project
• You need cryptographers, software engineers, software optimization specialists - there are a lot of roles that need to be filled
• It also mentions some OpenSSL alternatives and recent LibreSSL progress, as well as some downsides to the fork - the main one being their aim for backwards compatibility ***

PCBSD weekly digest

• Lots going on in PCBSD land this week, AppCafe has been redesigned
• The PBI system is being replaced with pkgng, PBIs will be automatically converted once you update
• In the more recent post, there's some further explanation of the PBI system and the reason for the transition
• It's got lots of details on the different ways to install software, so hopefully it will clear up any possible confusion ***

Feedback/Questions

• Antonio writes in
• Daniel writes in
• Sean writes in
• tsyn writes in
• Chris writes in ***

This episode was brought to you by

Headlines

FreeBSD 10 as a firewall

• Back in 2012, the author of this site wrote an article stating you should avoid FreeBSD 9 for a firewall and use OpenBSD instead
• Now, with the release of 10.0, he's apparently changed his mind and switched back over
• It mentions the SMP version of pf, general performance advantages and more modern features
• The author is a regular listener of BSD Now, hi Joe! ***

Network Noise Reduction Using Free Tools

• Really long blog post, based on a BSDCan presentation, about fighting spam with OpenBSD
• Peter Hansteen, author of the book of PF, goes through how he uses OpenBSD's spamd and other security features to combat spam and malware
• He goes through his experiences with content filtering and disappointment with a certain proprietary vendor
• Not totally BSD-specific, lots of people can enjoy the article - lots of virus history as well ***

FreeBSD ASLR patches submitted

• So far, FreeBSD hasn't had Address Space Layout Randomization
• ASLR is a nice security feature, see wikipedia for more information
• With a giant patch from Shawn Webb, it might be integrated into a future version (after a vicious review from the security team of course)
• We might have Shawn on the show to talk about it, but he's also giving a presentation at BSDCan about his work with ASLR ***

Old-style pkg_ tools retired

• At last the old pkg_add tools are being retired in FreeBSD
• pkgng is a huge improvement, and now portmgr@ thinks it's time to cut the cord on the legacy toolset
• Ports aren't going away, and probably never will, but for binary package fans and new users that are used to things like apt, pkgng is the way to go
• All pkg_ tools will be considered unsupported on September 1, 2014 - even on older branches ***

Interview - Luke Marsden - luke@hybridcluster.com / @lmarsden

BSD at HybridCluster

Tutorial

Filesharing with chrooted SFTP

News Roundup

FreeBSD on OpenStack

• OpenStack is a cloud computing project
• It consists of "a series of interrelated projects that control pools of processing, storage, and networking resources throughout a datacenter, able to be managed or provisioned through a web-based dashboard, command-line tools, or a RESTful API."
• Until now, there wasn't a good way to run a full BSD instance on OpenStack
• With a project in the vein of Colin Percival's AWS startup scripts, now that's no longer the case! ***

FOSDEM BSD videos

• This year's FOSDEM had seven BSD presentations
• The videos are slowly being uploaded for your viewing pleasure
• Not all of the BSD ones are up yet, but by the time you're watching this they might be!
• Check this directory for most of 'em
• The BSD dev room was full, lots of interest in what's going on from the other communities ***

The FreeBSD challenge finally returns!

• Due to prodding from a certain guy of a certain podcast, the "FreeBSD Challenge" series has finally resumed
• Our friend from the Linux foundation picks up with day 11 and day 12 on his switching from Linux journey
• This time he outlines the upgrade process of going from 9 to 10, using freebsd-update
• There's also some notes about different options for upgrading ports and some extra tips ***

PCBSD weekly digest

• After the big 10.0 release, the PCBSD crew is focusing on bug fixes for a while
• During their "fine tuning phase" users are encouraged to submit any and all bugs via the trac system
• Warden got some fixes and the package manager got some updates as well
• Huge size reduction in PBI format ***

Feedback/Questions

• Derrick writes in
• Sean writes in
• Patrick writes in
• Peter writes in
• Sean writes in ***

This episode was brought to you by

Headlines

FreeBSD foundation's 2013 fundraising results

• The FreeBSD foundation finally counted all the money they made in 2013
• $768,562 from 1659 donors
• Nice little blog post from the team with a giant beastie picture
• "We have already started our 2014 fundraising efforts. As of the end of January we are just under $40,000. Our goal is to raise $1,000,000. We are currently finalizing our 2014 budget. We plan to publish both our 2013 financial report and our 2014 budget soon."
• A special thanks to all the BSD Now listeners that contributed, the foundation was really glad that we sent some people their way (and they mentioned us on Facebook) ***

OpenSSH 6.5 released

• We mentioned the CFT last week, and it's finally here!
• New key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519 (now the default when both clients support it)
• Ed25519 public keys are now available for host keys and user keys, considered more secure than DSA and ECDSA
• Funny side effect: if you ONLY enable ed25519 host keys, all the compromised Linux boxes can't even attempt to login lol~
• New bcrypt private key type, 500,000,000 times harder to brute force
• Chacha20-poly1305 transport cipher that builds an encrypted and authenticated stream in one
• Portable version already in FreeBSD -CURRENT, and ports
• Lots more bugfixes and features, see the full release note or our interview with Damien
• Work has already started on 6.6, which can be used without OpenSSL! ***

Crazed Ferrets in a Berkeley Shower

• In 2000, MWL wrote an essay for linux.com about why he uses the BSD license: "It’s actually stood up fairly well to the test of time, but it’s fourteen years old now."
• This is basically an updated version about why he uses the BSD license, in response to recent comments from Richard Stallman
• Very nice post that gives some history about Berkeley, the basics of the BSD-style licenses and their contrast to the GNU GPL
• Check out the full post if you're one of those people that gets into license arguments
• The takeaway is "BSD is about making the world a better place. For everyone." ***

OpenBSD on BeagleBone Black

• Beaglebone Blacks are cheap little ARM devices similar to a Raspberry Pi
• A blog post about installing OpenBSD on a BBB from.. our guest for today!
• He describes it as "everything I wish I knew before installing the newly renamed armv7 port on a BeagleBone Black"
• It goes through the whole process, details different storage options and some workarounds
• Could be a really fun weekend project if you're interested in small or embedded devices ***

Interview - Ted Unangst - tedu@openbsd.org / @tedunangst

OpenBSD's signify infrastructure, ZFS on OpenBSD

Tutorial

Running an NTP server

News Roundup

Getting started with FreeBSD

• A new video and blog series about starting out with FreeBSD
• The author has been a fan since the 90s and has installed it on every server he's worked with
• He mentioned some of the advantages of BSD over Linux and how to approach explaining them to new users
• The first video is the installation, then he goes on to packages and other topics - 4 videos so far ***

More OpenBSD hackathon reports

• As a followup to last week, this time Kenneth Westerback writes about his NZ hackathon experience
• He arrived with two goals: disklabel fixes for drives with 4k sectors and some dhclient work
• This summary goes into detail about all the stuff he got done there ***

X11 in a jail

• We've gotten at least one feedback email about running X in a jail Well.. with this commit, looks like now you can!
• A new tunable option will let jails access /dev/kmem and similar device nodes
• Along with a change to DRM, this allows full X11 in a jail
• Be sure to check out our jail tutorial and jailed VNC tutorial for ideas ***

PCBSD weekly digest

• 10.0 "Joule Edition" finally released!
• AMD graphics are now officially supported
• GNOME3, MATE and Cinnamon desktops are available
• Grub updates and fixes
• PCBSD also got a mention in eweek ***

Feedback/Questions

• Justin writes in
• Daniel writes in
• Martin writes in
• Alex writes in - unofficial FreeBSD RPI Images
• James writes in
• John writes in ***

This episode was brought to you by

Headlines

Secure communications with OpenBSD and OpenVPN

• Starting off today's theme of encryption...
• A new blog series about combining OpenBSD and OpenVPN to secure your internet traffic
• Part 1 covers installing OpenBSD with full disk encryption (which we'll be doing later on in the show)
• Part 2 covers the initial setup of OpenVPN certificates and keys
• Parts 3 and 4 are the OpenVPN server and client configuration
• Part 5 is some updates and closing remarks ***

FreeBSD Foundation Newsletter

• The December 2013 semi-annual newsletter was sent out from the foundation
• In the newsletter you will find the president's letter, articles on the current development projects they sponsor and reports from all the conferences and summits they sponsored
• The president's letter alone is worth the read, really amazing
• Really long, with lots of details and stories from the conferences and projects ***

Use of NetBSD with Marvell Kirkwood Processors

• Article that gives a brief history of NetBSD and how to use it on an IP-Plug computer
• The IP-Plug is a "multi-functional mini-server was developed by Promwad engineers by the order of AK-Systems. It is designed for solving a wide range of tasks in IP networks and can perform the functions of a computer or a server. The IP-Plug is powered from a 220V network and has low power consumption, as well as a small size (which can be compared to the size of a mobile phone charger)."
• Really cool little NetBSD ARM project with lots of graphs, pictures and details ***

Experimenting with zero-copy network IO

• Long blog post from Adrian Chadd about zero-copy network IO on FreeBSD
• Discusses the different OS' implementations and options
• He's able to get 35 gbit/sec out of 70,000 active TCP sockets, but isn't stopping there
• Tons of details, check the full post ***

Interview - Damien Miller - djm@openbsd.org / @damienmiller

Cryptography in OpenBSD and OpenSSH

Tutorial

Full disk encryption in FreeBSD & OpenBSD

News Roundup

OpenZFS office hours

• Our buddy George Wilson sat down to take some ZFS questions from the community
• You can see more info about it here ***

License summaries in pkgng

• A discussion between Justin Sherill and some NYCBUG guys about license frameworks in pkgng
• Similar to pkgsrc's "ACCEPTABLE_LICENSES" setting, pkgng could let the user decide which software licenses he wants to allow
• Maybe we could get a "pkg licenses" command to display the license of all installed packages
• Ok bapt, do it ***

The FreeBSD challenge continues

• Checking in with our buddy from the Linux foundation...
• The switching from Linux to FreeBSD blog series continues for his month-long trial
• Follow up from last week: "As a matter of fact, I did check out PC-BSD, and wanted the challenge. Call me addicted to pain and suffering, but the pride and accomplishment you feel from diving into FreeBSD is quite rewarding."
• Since we last mentioned it, he's decided to go from a VM to real hardware, got all of his common software installed, experimented with the Linux emulation, set up virtualbox, learned about slices/partitions/disk management, found BSD alternatives to his regularly-used commands and lots more ***

Ports gets a stable branch

• For the first time ever, FreeBSD's ports tree will have a maintained "stable" branch
• This is similar to how pkgsrc does things, with a rolling release for updated software and stable branch for only security and big fixes
• All commits to this branch require approval of portmgr, looks like it'll start in 2014Q1 ***

Feedback/Questions

• John writes in
• Spencer writes in
• Campbell writes in
• Sha'ul writes in
• Clint writes in ***

Headlines

pkgng 1.2 released

• bapt and bdrewery from the portmgr team released pkgng 1.2 final
• New features include an improved build system, plugin improvements, new bootstrapping command, SRV mirror improvements, a new "pkg config" command, repo improvements, vuXML is now default, new fingerprint features and much more
• Really simple to upgrade, check our pkgng tutorial if you want some easy instructions
• It's also made its way into Dragonfly
• See the show notes for the full list of new features and fixes ***

ChaCha20 and Poly1305 in OpenSSH

• Damien Miller recently committed support for a new authenticated encryption cipher for OpenSSH, chacha20-poly1305
• Long blog post explaining what these are and why we need them
• This cipher combines two primitives: the ChaCha20 cipher and the Poly1305 MAC
• RC4 is broken, we needed an authenticated encryption mode to complement AES-GCM that doesn't show the packet length in cleartext
• Great explanation of the differences between EtM, MtE and EaM and their advantages
• "Both AES-GCM and the EtM MAC modes have a small downside though: because we no longer desire to decrypt the packet as we go, the packet length must be transmitted in plaintext. This unfortunately makes some forms of traffic analysis easier as the attacker can just read the packet lengths directly." ***

Is it time to dump Linux and move to BSD

• ITworld did an article about switching from Linux to BSD
• The author's interest was sparked from a review he was reading that said "I feel the BSD communities, especially the FreeBSD-based projects, are where the interesting developments are happening these days. Over in FreeBSD land we have efficient PBI bundles, a mature advanced file system in the form of ZFS, new friendly and powerful system installers, a new package manager (pkgng), a powerful jail manager and there will soon be new virtualization technology coming with the release of FreeBSD 10.0"
• The whole article can be summed up with "yes" - ok, next story! ***

OpenZFS devsummit videos

• The OpenZFS developer summit discussion and presentation videos are up
• People from various operating systems (FreeBSD, Mac OS X, illumos, etc.) were there to discuss ZFS on their platforms and the challenges they faced
• Question and answer session from representatives of every OS - had a couple FreeBSD guys there including one from the foundation
• Presentations both about ZFS itself and some hardware-based solutions for implementing ZFS in production
• TONS of video, about 6 hours' worth
• This leads us into our interview, which is... ***

Interview - George Wilson - wilzun@gmail.com / @zfsdude

OpenZFS

Tutorial

A crash course on ZFS

News Roundup

ruBSD 2013 information

• The ruBSD 2013 conference will take place on Saturday December 14, 2013 at 10:30 AM in Moscow, Russia
• Speakers include three OpenBSD developers, Theo de Raadt, Henning Brauer and Mike Belopuhov
• Their talks are titled "The bane of backwards compatibility," "OpenBSD's pf: Design, Implementation and Future" and "OpenBSD: Where crypto is going?"
• No word on if there will be video recordings, but we'll let you know if that changes ***

DragonFly roadmap, post 3.6

• John Marino posted a possible roadmap for DragonFly, now that they're past the 3.6 release
• He wants some third party vendor software updated from very old versions (WPA supplicant, bmake, binutils)
• Plans to replace GCC44 with Clang, but GCC47 will probably be the primary compiler still
• Bring in fixes and new stuff from FreeBSD 10 ***

BSDCan 2014 CFP

• BSDCan 2014 will be held on May 16-17 in Ottawa, Canada
• They're now accepting proposals for talks
• If you are doing something interesting with a BSD operating system, please submit a proposal
• We'll be getting lots of interviews there ***

casperd added to -CURRENT

• "It (and its services) will be responsible forgiving access to functionality that is not available in capability modes and box. The functionality can be precisely restricted."
• Lists some sysctls that can be controlled ***

ZFS corruption bug fixed in -CURRENT

• Just a quick follow-up from last week, the ZFS corruption bug in FreeBSD -CURRENT was very quickly fixed, before that episode was even uploaded ***

Feedback/Questions

• Chris writes in
• SW writes in
• Jason writes in
• Clint writes in
• Chris writes in ***

Headlines

Faces of FreeBSD

• The FreeBSD foundation is publishing articles on different FreeBSD developers
• This one is about Colin Percival (cperciva@), the ex-security officer
• Tells the story of how he first found BSD, what he contributed back, how he eventually became the security officer
• Running series with more to come ***

Lots of BSD presentation videos uploaded

• EuroBSDCon 2013 dev summit videos, AsiaBSDCon 2013 videos, MWL's presentation video
• Most of us never get to see the dev summit talks since they're only for developers
• AsiaBSDCon 2013 videos also up finally
• List of AsiaBSDCon presentation topics here
• Our buddy Michael W Lucas gave an "OpenBSD for Linux users" talk at a Michigan Unix Users Group.
• He says "Among other things, I compare OpenBSD to Richard Stallman and physically assault an audience member. We also talk long long time, memory randomization, PF, BSD license versus GPL, Microsoft and other OpenBSD stuff"
• Really informative presentation, pretty long, answers some common questions at the end ***

Call for Presentations: FOSDEM 2014 and NYCBSDCon 2014

• FOSDEM 2014 will take place on 1–2 February, 2014, in Brussels, Belgium
• Just like in the last years, there will be both a BSD booth and a developer's room
• The topics of the devroom include all BSD operating systems. Every talk is welcome, from internal hacker discussion to real-world examples and presentations about new and shiny features.
• If you are in the area or want to go, check the show notes for details
• NYCBSDCon is also accepting papers.
• It'll be in New York City at the beginning of February 2014
• If anyone wants to give a talk at one of these conferences, go ahead and send in your stuff! ***

FreeBSD foundation's year-end fundraising campaign

• The FreeBSD foundation has been supporting the FreeBSD project and community for over 13 years
• As of today they have raised about half a million dollars, but still have a while to go
• Donations go towards new features, paying for the server infrastructure, conferences, supporting the community, hiring full-time staff members and promoting FreeBSD at events
• They are preparing the debut of a new online magazine, the FreeBSD Journal
• Typically big companies make their huge donations in December, like a couple of anonymous donors that gave around $250,000 each last year
• Make your donation today over at freebsdfoundation.org, every little bit helps
• Everyone involved with BSD Now made a donation last year and will do so again this year ***

Interview - Amitai Schlair - schmonz@netbsd.org / @schmonz

The NetBSD Foundation, pkgsrc, future plans

Tutorial

Combining SSH and tmux

• Note: there was a mistake in the video version of the tutorial, please consult the written version for the proper instructions. ***

News Roundup

PS4 released

• Sony's Playstation 4 is finally released
• As previously thought, its OS is heavily based on FreeBSD and uses the kernel among other things
• Link in the show notes contains the full list of BSD software they're using
• Always good to see BSD being so widespread ***

BSD Mag November issue

• Free monthly BSD magazine publishes another issue
• This time their topics include: Configuring a Highly Available Service on FreeBSD, IT Inventory & Asset Management Automation, more FreeBSD Programming Primer, PfSense and Snort and a few others
• PDF linked in the show notes ***

pbulk builds made easy

• NetBSD's pbulk tool is similar to poudriere, but for pkgsrc
• While working on updating the documentation, a developer cleaned up quite a lot of code
• He wrote a script that automates pbulk deployment and setup
• The whole setup of a dedicated machine has been reduced to just three commands ***

PCBSD weekly digest

• Over 200 PBIs have been populated in to the PC-BSD 10 Stable Appcafe
• Many PC-BSD programs received some necessary bug fixes and updates
• Some include network detection in the package and update managers, nvidia graphic detection, security updates for PCDM ***

Feedback/Questions

• Peter writes in
• Kjell-Aleksander writes in
• Jordan writes in
• Christian writes in
• entransic writes in ***