Episode 102

May Contain ZFS

Download Subscribe
00:00:00
/
01:08:02
RSS Feed Download (46.7 MB) Link with Timestamp

August 12th, 2015

1 hr 8 mins 2 secs

Link with Timestamp

Download MP3 (46.7 MB)

Your Hosts
Tags
uefi authentication libressl vpn ipsec gateway router ezjail docker lxc containers bhyve iocage jails interview bsd guide howto tutorial pcbsd dragonflybsd netbsd openbsd freebsd

About this Episode

This week on the show, we'll be talking with Peter Toth. He's got a jail management system called "iocage" that's been getting pretty popular recently. Have we finally found a replacement for ezjail? We'll see how it stacks up.

This episode was brought to you by

iXsystems - Enterprise Servers and Storage for Open SourceDigitalOcean - Simple Cloud Hosting, Built for DevelopersTarsnap - Online Backups for the Truly Paranoid

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

  • If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it)
  • It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM
  • This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
  • In part two of the series, he talks about the GPIO and how you can configure it
  • Part three is still in the works, so check the site later on for further progress and info ***

The modern OpenBSD home router

  • In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
  • "It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst"
  • Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
  • This guide also covers PPP and IPv6, in case you have those requirements
  • In a similar but unrelated series, another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge
  • He also has a separate post for setting up an IPSEC VPN on the router ***

NetBSD at Open Source Conference 2015 Kansai

  • The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
  • They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
  • Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
  • They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
  • And what conference would be complete without an LED-powered towel ***

OpenSSH 7.0 released

  • The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
  • SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
  • The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can login, but only with keys) - all interactive authentication methods for root are also disabled by default now
  • If you're using an older configuration file, the "without-password" option still works, so no change is required
  • You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
  • Various bug fixes and documentation improvements are also included
  • Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
  • In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled ***

Interview - Peter Toth - peter.toth198@gmail.com / @pannonp

Containment with iocage

News Roundup

More c2k15 reports

  • A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
  • Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things)
  • He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging
  • Renato Westphal sent in a report of his very first hackathon
  • He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
  • Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
  • His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff
  • There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well ***

FreeBSD jails, the hard way

  • As you learned from our interview this week, there's quite a selection of tools available to manage your jails
  • This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
  • Unlike with iocage, ZFS isn't actually a requirement for this method
  • If you are using it, though, you can make use of snapshots for making template jails ***

OpenSSH hardware tokens

  • We've talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
  • This blog post will show you how to use a hardware token as a second authentication factor, for the "something you know, something you have" security model
  • It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
  • Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too ***

LibreSSL 2.2.2 released

  • The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
  • At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don't want in a crypto tool...) and much more
  • SSLv3 support was removed from the "openssl" command, and only a few other SSLv3 bits remain - once workarounds are found for ports that specifically depend on it, it'll be removed completely
  • Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
  • It'll be in 5.8 (due out earlier than usual) and it's in the FreeBSD ports tree as well ***

Feedback/Questions