Episode 104

Beverly Hills 25519

Download Subscribe
00:00:00
/
01:20:44
RSS Feed Download (55.4 MB) Link with Timestamp

August 26th, 2015

1 hr 20 mins 44 secs

Link with Timestamp

Download MP3 (55.4 MB)

Your Hosts
Tags
bafug tame edgerouter lite erl curve25519 ed25519 cryptography gcm cbc hmac md5 aes chacha20-poly1305 chacha20 openssl openssh interview bsd guide howto tutorial pcbsd dragonflybsd netbsd openbsd freebsd

About this Episode

Coming up this week on the show, we'll be talking with Damien Miller of the OpenSSH team. Their 7.0 release has some major changes, including phasing out older crypto and changing one of the defaults that might surprise you.

This episode was brought to you by

iXsystems - Enterprise Servers and Storage for Open SourceDigitalOcean - Simple Cloud Hosting, Built for DevelopersTarsnap - Online Backups for the Truly Paranoid

Headlines

EdgeRouter Lite, meet OpenBSD

  • The ERL, much like the Raspberry Pi and a bunch of other cheap boards, is getting more and more popular as more things get ported to run on it
  • We've covered installing NetBSD and FreeBSD on them before, but OpenBSD has gotten a lot better support for them as well now (including the onboard storage in 5.8)
  • Ted Unangst got a hold of one recently and kindly wrote up some notes about installing and using OpenBSD on it
  • He covers doing a network install, getting the (slightly strange) bootloader working with u-boot and some final notes about the hardware
  • More discussion can be found on Hacker News and various other places
  • One thing to note about these devices: because of their MIPS64 processor, they'll have weaker ASLR than X86 CPUs (and no WX at all) ***

Design and Implementation of the FreeBSD Operating System interview

  • For those who don't know, the "Design and Implementation of the FreeBSD Operating System" is a semi-recently-revived technical reference book for FreeBSD development
  • InfoQ has a review of the book up for anyone who might be interested, but they also have an interview the authors
  • "The book takes an approach to FreeBSD from inside out, starting with kernel services, then moving to process and memory management, I/O and devices, filesystems, IPC and network protocols, and finally system startup and shutdown. The book provides dense, technical information in a clear way, with lots of pseudo-code, diagrams, and tables to illustrate the main points."
  • Aside from detailing a few of the chapters, the interview covers who the book's target audience is, some history of the project, long-term support, some of the newer features and some general OS development topics ***

Path list parameter in OpenBSD tame

  • We've mentioned OpenBSD's relatively new "tame" subsystem a couple times before: it's an easy-to-implement "self-containment" framework, allowing programs to have a reduced feature set mode with even less privileges
  • One of the early concerns from users of other process containment tools was that tame was too broad in the way it separated disk access - you could either read/write files or not, nothing in between
  • Now there's the option to create a whitelist of specific files and directories that your binary is allowed to access, giving a much finer-grained set of controls to developers
  • The next step is to add tame restraints to the OpenBSD userland utilities, which should probably be done by 5.9
  • More discussion can be found on Reddit and Hacker News ***

FreeBSD & PC-BSD 10.2-RELEASE

  • The FreeBSD team has released the second minor version bump to the 10.x branch, including all the fixes from 10-STABLE since 10.1 came out
  • The Linux compatibility layer has been updated to support CentOS 6, rather than the much older Fedora Core base used previously, and the DRM graphics code has been updated to match Linux 3.8.13
  • New installations (and newly-upgraded systems) will use the quarterly binary package set, rather than the rolling release model that most people are used to
  • A VXLAN driver was added, allowing you to create virtual LANs by encapsulating the ethernet frame in a UDP packet
  • The bhyve codebase is much newer, enabling support for AMD CPUs with SVM and AMD-V extensions
  • ARM and ARM64 code saw some fixes and improvements, including SMP support on a few specific boards and support for a few new boards
  • The bootloader now supports entering your GELI passphrase before loading the kernel in full disk encryption setups
  • In addition to assorted userland fixes and driver improvements, various third party tools in the base system were updated: resolvconf, ISC NTPd, netcat, file, unbound, OpenSSL, sendmail
  • Check the full release notes for the rest of the details and changes
  • PC-BSD also followed with their 10.2-RELEASE, sporting a few more additional features ***

Interview - Damien Miller - djm@openbsd.org / @damienmiller

OpenSSH: phasing out broken crypto, default cipher changes

News Roundup

NetBSD at Open Source Conference Shimane

  • We weren't the only ones away at conferences last week - the Japanese NetBSD guys are always raiding one event or another
  • This time they had NetBSD running on some Sony NWS devices (MIPS-based)
  • JavaStations were also on display - something we haven't ever seen before (made between 1996-2000) ***

BAFUG videos

  • The Bay Area FreeBSD users group has been uploading some videos of their recent meetings
  • Devin Teske hosts the first one, discussing adding GELI support to the bootloader, including some video demonstrations of how it works
  • Shortly after beginning, Adrian Chadd takes over the conversation and they discuss various problems (and solutions) related to the bootloader - for example, how can we type encryption passwords with non-US keyboard layouts
  • In a second video, Jordan Hubbard and Kip Macy introduce "NeXTBSD aka FreeBSD X"
  • In it, they discuss their ideas of merging more Mac OS X features into FreeBSD (launchd to replace the init system, some APIs, etc)
  • People should record presentations at their BSD users groups and send them to us ***

L2TP over IPSEC on OpenBSD

  • If you've got an OpenBSD box and some Mac OS X clients that need secure communications, surprise: they can work together pretty well
  • Using only the base tools in both operating systems, you can build a nice IPSEC setup for tunneling all your traffic
  • This guide specifically covers L2TP, using npppd and pre-shared keys
  • Server setup, client setup, firewall configuration and routing-related settings are all covered in detail ***

Reliable bare metal with TrueOS

  • Imagine a server version of PC-BSD with some useful utilities preinstalled - that's basically TrueOS
  • This article walks you through setting up a FreeBSD -CURRENT server (using TrueOS) to create a pretty solid backup solution
  • Most importantly, he also covers how to keep everything redundant and deal with hard drives failing
  • The author chose to go with the -CURRENT branch because of the delay between regular releases, and newer features not making their way to users as fast as he'd like
  • Another factor is that there are no binary snapshots of FreeBSD -CURRENT that can be easily used for in-place upgrades, but with TrueOS (and some other BSDs) there are ***

Kernel WX on i386

  • We mentioned some big WX kernel changes in OpenBSD a while back, but the work was mainly for x86_64 CPU architecture (which makes sense; that's what most people run now)
  • Mike Larkin is back again, and isn't leaving the people with older hardware out, committing similar kernel work into the i386 platform now as well
  • Check out our interview with Mike for some more background info on memory protections like WX ***

Feedback/Questions