OpenBSD Journal

Rafael Sadowski (rsadowski@) completed updates to C++ libraries in -current:

CVSROOT: /cvs Module name: src Changes by: rsadowski@cvs.openbsd.org 2025/08/21 09:26:58 Modified files: gnu/lib/libcxx : Makefile gnu/lib/libcxx/include/c++/v1: __config_site gnu/lib/libcxxabi: Makefile gnu/lib/libexecinfo: Makefile Added files: gnu/lib/libcxx/include/c++/v1: __assertion_handler Log message: update build infrastructure for libunwind-, libcxxabi- and libcxx-19.1.7 This gives us a modern c++ lib in base!

Read more…

Yubikey OTP support has been disabled in -current. The commit message explains the rationale:

CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2025/08/14 08:39:44 Modified files: sys/dev/usb : ukbd.c Log message: Most Yubikey ship with OTP support enabled out of the box (and generate accidental output like cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk). Yubikey re-configuration requires crazy buggy and fragile tools using crazy usb feature support, and therefore OTP disabling is very annoying. We make a policy decision to not attach these as keyboards anymore, because a majority of users just want the FIDO functionality. If you want to use OTP, buy a different device from a different vendor or convince Yubikey to significantly improve their tooling. idea from kettenis

To be clear: this affects only the keyboard attachment of only Yubico devices. Therefore:

• USB security devices from other vendors are not affected.
• FIDO functionality of Yubikeys (and Yubico security keys) is not affected.
• login_yubikey(8) can no longer be used for local authentication purposes, but will still function for authentication of remote clients (so long as they support Yubikey OTP).

Running a patched kernel is the only way [at present] to reverse this change.

OpenSSH will now adapt IP QoS to actual sessions and traffic. In a fresh commit, Damien Miller (djm@) introduced a significant change, which enables ssh and sshd to set the IP QoS based on what connections and sessions are active.

The commit message says, List: openbsd-cvs Subject: CVS: cvs.openbsd.org: src From: Damien Miller <djm () cvs ! openbsd ! org> Date: 2025-08-18 3:43:01 CVSROOT: /cvs Module name: src Changes by: djm@cvs.openbsd.org 2025/08/17 21:43:01 Modified files: usr.bin/ssh : sshd-session.c sshd-auth.c ssh.c session.c serverloop.c packet.h packet.c mux.c misc.c clientloop.c channels.h channels.c Log message: Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS) continually at runtime based on what sessions/channels are open.

Read more…

Version 0.117 of Game of Trees has been released (and the port updated):

• regress: replace "sed -i" with ed(1) for portable in-place editing
• ensure that error messages from gotsysd libexec helpers get logged
• fix gotsysd using wrong auth and hmac labels in the generated gotd.conf
• preserve bad symlinks across merges during rebase and histedit
• improve binary files detection: detect any control characters, not just NUL
• gotwebd: fix race condition resulting in trucated html with trailing garbage
• make commit coloring faster and more accurate, producing smaller pack files
• improve selection of pack files for pinning in the open pack file cache
• regress: don't load global/home git configuration files while running tests
• make 'got clone' set a got.conf default branch for fetching only, not sending

In a recent entry on his blog, OpenBSD developer Ted Unangst (tedu@) asks, is OpenBSD 10x faster than Linux?. He explains,

Here’s a little benchmark complements of Jann Horn. It’s unexpectedly slow on Linux. OpenBSD is so fast, I had to modify the program slightly to measure itself, as the time utility is missing sufficient precision to even record nonzero. Go on, read the rest over at Ted's blog for some fun tidbits on performance and benchmarks.

OpenBSD users and aficionados are more likely than others to be familiar with the concept of greytrapping (the nastier kid sister of greylisting), as implemented via the OpenBSD spamd(8) spammer taunting software.

The feature has now been around for 18 years, and undeadly.org co-editor Peter Hansteen found that and another milestone to be a good reason to write a retrospective: Friends, it finally happened. On August 7th, 2025, the number of spamtraps intended to woo the unwary spammer rolled past the number of inhabitants in my home country of Norway. It's time for a retrospective.

So I wrote up one: Eighteen Years of Greytrapping - Is the Weirdness Finally Paying Off? (also available with G's trackers here) is a retrospective article with data and graphs.

That's right, we've been making life harder for spammers for 18 years. Peter's writeup has links to data, and more field notes and war stories than he could actually remember writing when he started on the retrospective.

We have long been aware that OpenBSD and OpenSSH in general are at the very forefront of cryptography engineering.

A recent data point here is that Damien Miller (djm@) just committed a new OpenSSH Post-Quantum Cryptography FAQ page to the OpenSSH web site:

List: openbsd-cvs Subject: CVS: cvs.openbsd.org: www From: Damien Miller <djm () cvs ! openbsd ! org> Date: 2025-08-11 5:26:51 CVSROOT: /cvs Module name: www Changes by: djm@cvs.openbsd.org 2025/08/10 23:26:51 Added files: openssh : pq.html

Read more…

A new opportunity for you to help improve the upcoming OpenBSD 7.8 release has turned up. If YOU have a USB webcam you are using or would like to use with our favorite operating system, Kirill Korinsky (kirill@) would like to hear from you after testing recent snapshots.

Kirill's message to misc@ reads: Subject: Call for testing: USB webcams From: Kirill A. Korinsky <kirill () korins ! ky> Date: 2025-08-06 13:27:31 misc@, the latest snapshots for amd64 and arm64 (I haven't checked other architectures) include my recent changes to add support for H.264 streams from USB webcams.

Read more…

Development of important software sometimes happens without fanfare. If not for one of our editors noticing by watching commits, we would have missed the fact that Damien Miller (djm@) recently added a couple of notable features to OpenSSH:

Read more…

The WiFI 802.11 standards are a gnarly lot, and checking for compatibility of the various sub-specifications has been known to drive even seasoned OpenBSD developers to the brink of distraction.

Now Stefan Sperling (stsp@) is airing a possible improvement in compatibility checks via a message to tech@ titled "fix net80211 802.11g compatibility check", saying

List: openbsd-tech Subject: fix net80211 802.11g compatibility check From: Stefan Sperling <stsp () stsp ! name> Date: 2025-07-31 10:26:18 I have a WIP fix for qwx which relies on ieee80211_iserp_sta() to detect whether an AP supports 802.11g, rather than 802.11b only. And I encountered an access point which qwx could not connect to when my WIP fix is applied.

Read more…

Much longed for by some, remembered as a quaint memory by other greybeards, the classic Common Desktop Environment (CDE) is being added to the ports collection.

The initial commit message reads,

List: openbsd-ports-cvs Subject: CVS: cvs.openbsd.org: ports From: Antoine Jacoutot <ajacoutot () cvs ! openbsd ! org> Date: 2025-07-28 12:35:38 CVSROOT: /cvs Module name: ports Changes by: ajacoutot@cvs.openbsd.org 2025/07/28 06:35:38 Log message: Import cde-2.5.2 CDE - The Common Desktop Environment is X Windows desktop environment that was commonly used on commercial UNIX variants such as Sun Solaris, HP-UX and IBM AIX. Developed between 1993 and 1999, it has now been released under an Open Source licence by The Open Group.

Read more…

Version 0.116 of Game of Trees has been released (and the port updated):

• make our pack-refs header format align with the expectations of git 2.50.0
• fix bogus "bad offset in pack file" errors wrongly raised by gotd
• fix gotd branch protection rejecting commits that already exist on server
• pick a default branch to clone when the server does not advertise HEAD symref
• do not clobber changes staged via stage -p during "got revert"
• enforce additional restrictions on reference names specified in gotsys.conf
• change gotwebd favicons to show the smiley fish only
• fix gotd reload when /etc/gotd-secrets.conf is used
• fix bogus "raw object has unexpected size" errors during deltification
• fix bug in delta block stretch size calculation resulting in invalid deltas
• fix gotsysd behaviour when the anonymous user is removed from gotsys.conf
• add support for email and http/json notifications to gotsysd and gotsys.conf

In a recent blog post When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, Rafael Sadowski (rsadowski@) takes a deep dive into an infrequently mentioned feature of our favorite operating system: file immutability and the chflags command. From the article:

" ... anyone who’s ever had to investigate a security incident knows the harsh reality: logs are only as trustworthy as their protection against post-incident tampering. An attacker who gains root access isn’t going to politely leave their tracks in the log files – unless they physically can’t alter them anymore."

Read the whole thing, When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, over at Rafael's site!

In -current, the struct underlying stdio(3)'s FILE type has been made opaque, with library versions bumps across the board:

CVSROOT: /cvs Module name: src Changes by: yasuoka@cvs.openbsd.org 2025/07/16 09:33:05 Modified files: lib/libc : Symbols.list shlib_version lib/libc/hidden: stdio.h wchar.h lib/libc/stdio : Makefile.inc fclose.3 fclose.c findfp.c lib/libcrypto : shlib_version lib/libcurses : shlib_version lib/libedit : shlib_version lib/libexpat : shlib_version lib/libfido2 : shlib_version lib/libfuse : shlib_version

Read more…

In a series of commits, Anthony J Bentley (bentley@) modified the system so that font caching runs as dedicated (unprivileged) user, "_fc-cache".

fc-cache(1) has been using pledge(2) since May.

Job Snijders (job@) has added (to -current) a new utility, watch(1), for periodically executing a command and displaying its output.

The IIJ's iwatch was initially imported back in May, and has been reworked substantially before being linked to the build.

Yes, you read that right: KDE 6.4.0 Plasma is now in OpenBSD packages.

This was made possible by the efforts of Rafael Sadowski (rsadowski@) with the help of several others. The news was announced 2025-07-04 via a fediverse post and of course the commit message itself, where the description reads

Log message: Update Plasma 6.4 The most parts are straightforward as usual but in 6.4 the KDE Kwin team split kwin into kwin-x11 and kwin (wayland). This seems to be the sign that X11 is no longer of interest and we are focussing on Wayland.

Read more…

News from the Exotic Silicon front: Crystal Kolipe posted an update to misc@, saying

List: openbsd-misc Subject: Console 4096 colours and blink attribute From: Crystal Kolipe <kolipe.c () exoticsilicon ! com> Date: 2025-07-04 13:58:41 Tired of having just 256 colours on your console instead of 4096? Do you miss the blink attribute from the old VGA text mode days? Want to learn how cool stuff like this is implemented? Look no further: https://research.exoticsilicon.com/articles/console_4096

Clicking that link will bring you a colorful article with all implementation details and links to the code for you to try out yourself.

Happy blink and 4k colors console day to all who celebrate!

In a fediverse post on 2025-07-04, the Game of Trees Hub announced that they will be taking signups for repository hosting:

We have started our first round of sign-up for #Git repository hosting.

Our first server for Git hosting is expected to be installed next week. Additional servers will be added as needed based on demand.

See https://gothub.org for an introduction to our project.

See https://gothub.org/features.html to get an idea about which features are already working and what is planned for the future.

See https://gothub.org/tiers.html for the initial service tier configurations and prices.

See https://gothub.org/signup.html for details about the sign-up process.

Do you have code that could need to be hosted, and/or money to send their way? Click the links!

Version 0.115 of Game of Trees has been released (and the port updated):

• make errors reported by gotsys-apply-conf actually visible
• stop trying to start gotd from gotsys-apply-conf if gotd is not running
• fix infinite loop in got_pack_repaint_parent_commits() and got-read-pack
• fix creation of gotd.conf deny rules in gotsys-write-conf
• add support for global repository access rules to gotsysd.conf
• fix segfault due to double-free in got-read-gotconfig