OpenBSD Journal

-current has moved to 7.2

2 years 9 months ago

With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.2:

CVSROOT:        /cvs
Module name:    src
Changes by:     deraadt@cvs.openbsd.org    2022/09/11 08:27:09

Modified files:
    sys/conf       : newvers.sh

Log message:
drop the -beta

For those unfamiliar with the process: this is not the 7.2 release, but is part of the standard build-up to the release.

It's time to start using "-D snap" with pkg_add (and pkg_info).

(Regular readers will know what comes next…) This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

rpki-client 8.0 released

2 years 9 months ago

Version 8.0 of the OpenBSD rpki-client, the RPKI validator that supports BGP Origin Validation, has been released.

The announcement reads,

rpki-client 8.0 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.

Read more…

Game of Trees 0.75 released

2 years 10 months ago

Stefan Sperling (stsp@) noted the release of version 0.75 of Game of Trees:

Version control system #gameoftrees 0.75 has been released.

This is the first release which ships gotwebd, a Fast-CGI Git repository web server written by @basepr1me and lots of help by @op and others. In the long term, gotwebd will replace its ancestor, the gotweb CGI program. If you already run gotweb then please try gotwebd and let us know about any issues.
[…]

g2k22 Hackathon Report: Martijn van Duren on snmpd(8) improvements

2 years 10 months ago

We are delighted to have received a report on the recently-concluded g2k22 hackathon. Martijn van Duren (martijn@) writes:

Coming to Bad Liebenzell for the 3rd year in a row, I knew what to expect, but the scenery still continues to amaze me. Driving through the Black Forest was a nice little escape before plunging back into the SNMP world.

One of the biggest misconceptions I've seen floating around, and one of my biggest irks with snmpd(8), was its privilege separation situation. While it is true that snmpd(8) always had multiple processes, it was never used to any meaningful degree. The engine process (snmpe) handled everything SNMP-related: handling packets/connections, de-/encoding the BER, handling authentication, finding the correct object and retrieving the data from the proper source (usually the kernel). Because some metrics fell outside the scope of pledge, it also ran without the pledge seat belt. The engine, however, does run inside a /var/empty chroot; this is where the other (parent) process comes into play. When a trap (notification) is received and covered by "trap handle", it's forwarded to the parent process, which then executes the "command".

Read more…

OpenBSD may soon gain further memory protections: immutable userland mappings

2 years 10 months ago

In a September 1st post to tech@ titled "immutable userland mappings", Theo de Raadt (deraadt@) gave us a preview of code that may soon land in -current. The message leads in,

In the last few years, I have been improving the strictness of userland memory layout. An example is the recent addition of MAP_STACK and msyscall(). The first one marks pages that are stack, so that upon entry to the kernel we can check if the stack-pointer is pointing in the stack range. If it isn't, the most obvious conclusion is that a ROP pivot has occurred, and we kill the process. The second one marks the region which contains syscall traps; if upon entry to the kernel the PC is not in that region, we know someone is trying to do system calls via an unapproved method.

Read more…

ps(1) gains support for tree-like display of processes

2 years 10 months ago

Following a discussion on tech@, Job Snijders (job@) committed support to ps(1) for displaying the parent/child hierarchy of processes as an ASCII art tree:

CVSROOT:        /cvs
Module name:    src
Changes by:     job@cvs.openbsd.org    2022/09/01 15:15:54

Modified files:
    bin/ps         : extern.h print.c ps.1 ps.c ps.h

Log message:
Add forest (-f) mode

In -f mode group & display parent/child process relationships using
ASCII art. Borrows heavily from Brian Somers' work on FreeBSD ps(1).

With input from deraadt@ and tb@
OK benno@ claudio@

Read more…
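The grouping that forest mode performs is a small tree-building problem: link each process to its parent by ppid, treat processes whose parent is gone as roots, and walk the result depth-first. The following is an added example written for this post, not OpenBSD's ps(1) code; the process table is constructed, and the `|-`/`` `- `` branch style is this example's own rather than the exact output format of ps -f.

```python
"""Group a flat process table by parent/child relationship and render it as ASCII art.

Added example (not ps(1) source). SAMPLE is a constructed process table of
(pid, ppid, command) tuples in deliberately scrambled order.
"""
from collections import defaultdict

SAMPLE = [
    (1, 0, "/sbin/init"),
    (2410, 1, "/usr/sbin/sshd"),
    (3801, 2410, "sshd: alice [priv]"),
    (3805, 3801, "sshd: alice@ttyp0"),
    (3810, 3805, "-ksh"),
    (3901, 3810, "ps -f"),
    (1990, 1, "/usr/sbin/cron"),
    (4444, 4000, "orphan"),   # parent 4000 is not in the table (already exited)
]


def build_tree(records):
    """Return (children map, sorted roots).

    A process is a root when its parent is not present in the table or is
    itself; orphans therefore print at top level instead of disappearing.
    """
    pids = {pid for pid, _, _ in records}
    children = defaultdict(list)
    roots = []
    for pid, ppid, _ in records:
        if ppid in pids and ppid != pid:
            children[ppid].append(pid)
        else:
            roots.append(pid)
    for kids in children.values():
        kids.sort()          # stable, input-order-independent output
    roots.sort()
    return children, roots


def render_forest(records):
    """Return 'PID COMMAND' lines, depth-first, with branch prefixes."""
    command = {pid: cmd for pid, _, cmd in records}
    children, roots = build_tree(records)
    lines = []

    def walk(pid, prefix, is_last, depth):
        branch = "" if depth == 0 else prefix + ("`-" if is_last else "|-")
        lines.append(f"{pid:5d} {branch}{command[pid]}")
        kids = children.get(pid, [])
        # Continue the vertical bar only while earlier siblings are still open.
        child_prefix = prefix if depth == 0 else prefix + ("  " if is_last else "| ")
        for i, kid in enumerate(kids):
            walk(kid, child_prefix, i == len(kids) - 1, depth + 1)

    for i, root in enumerate(roots):
        walk(root, "", i == len(roots) - 1, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_forest(SAMPLE)))
```

Feeding it `ps -o pid,ppid,command` output from a real system only requires splitting those columns; the tree logic itself does not change.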

rcctl(8) gains a "configtest" action

2 years 10 months ago

Antoine Jacoutot (ajacoutot@) has added a "configtest" action to rcctl(8):

CVSROOT:        /cvs
Module name:    src
Changes by:     ajacoutot@cvs.openbsd.org    2022/09/01 01:25:32

Modified files:
    etc/rc.d       : rc.subr
    share/man/man8 : rc.d.8
    usr.sbin/rcctl : rcctl.sh

Log message:
Add a new action: "configtest", to check configuration syntax of the daemon.

A few adjustments will be done in the next days (like disabling this
action if there's no specific rc_configtest function defined).

e.g.
/etc/rc.d/sshd configtest
rcctl configtest sshd

idea from naddy@

This is a feature that sysadmin types have been wanting for quite a while. A consistent way to sanity-check your config before loading it in anger is certain to make OpenBSD users' lives better.

Portable OpenSSH commits now SSH-signed

2 years 10 months ago

Damien Miller (djm@) notes that all (new) commits to the portable OpenSSH repository are now signed using git's SSH signature support.

Further details are on the OpenSSH development mailing list:

[…] We are in the process of converting the portable OpenSSH repository to require signed commits, tags and pushes, using git's recent ssh signature support. So far it's gone very smoothly, and we hope to have it enforced for all commits soon. We maintain our own git repository for portable OpenSSH, that is automatically mirrored to github. We use "pre-receive" and "update" hooks to check for signed pushes and tags/commits respectively, using an in-repository allowed_signers file. […]

This is a most welcome process integrity improvement that hopefully will make the world trust our favorite SSH software even more.

Several /sbin daemons are now dynamically-linked

2 years 10 months ago

In a pair of commits, Theo de Raadt (deraadt@) changed many daemons in /sbin to be dynamically linked. First this, which had some of us a little mystified:

CVSROOT:        /cvs
Module name:    src
Changes by:     deraadt@cvs.openbsd.org    2022/08/29 05:51:05

Modified files:
    etc            : rc

Log message:
mount /usr earlier, to satisfy dynamically-linked daemons in /sbin better
(there will be more soon)

Read more…

RAID 1C boot support added

2 years 10 months ago

Stefan Sperling (stsp@) has committed support for RAID 1C [mirroring and encryption] boot to -current on the amd64 platform:

CVSROOT:        /cvs
Module name:    src
Changes by:     stsp@cvs.openbsd.org    2022/08/12 14:17:46

Modified files:
    share/man/man4 : softraid.4
    sys/arch/amd64/stand/efi32: efidev.c
    sys/arch/amd64/stand/efi64: efidev.c
    sys/arch/amd64/stand/efiboot: efidev.c
    sys/arch/amd64/stand/libsa: biosdev.c softraid_amd64.c
    sys/lib/libsa  : softraid.c

Log message:
add support for booting from RAID 1C softraid(4) volumes on amd64

Only boot-loader changes are needed. Both installboot(8) and the kernel
already do what is required to make this work.

ok kn@

Tested:
biosboot on vmm: kn, stsp
biosboot and efiboot on server hardware: stsp

Support on the arm64 platform can be expected soon.

Great work, Stefan (and Klemens, and everyone else involved)!

sftp-server(8) gains support for home-directory request

2 years 10 months ago

Damien Miller (djm@) has committed home-directory request support to sftp-server(8):

CVSROOT:        /cvs
Module name:    src
Changes by:     djm@cvs.openbsd.org    2022/08/11 23:20:28

Modified files:
    usr.bin/ssh    : sftp-server.c PROTOCOL

Log message:
sftp-server: support home-directory request

Add support to the sftp-server for the home-directory extension defined
in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with
the existing expand-path@openssh.com, but uses a more official protocol
name, and so is a bit more likely to be implemented by non-OpenSSH
clients.

From Mike Frysinger, ok dtucker@
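To make the extension concrete, here is an added example (not OpenSSH's sftp-server code) that builds the request on the wire and parses it on the server side with bounds-checked reads, since the request arrives as untrusted input. The request layout (SSH_FXP_EXTENDED, request id, string "home-directory", string username) follows the draft named in the commit; the SFTP v3 framing and message numbers are standard; the one-entry SSH_FXP_NAME reply layout, the `MAX_PACKET` cap and the `lookup` callable are this example's assumptions.

```python
"""Encode and strictly decode the SFTP "home-directory" extended request.

Added example, not OpenSSH code. Message numbers are from SFTP v3; the
reply layout (uint32 count, string filename, string longname, uint32 attr
flags) and the MAX_PACKET cap are assumptions made for this example.
"""
import struct

SSH_FXP_STATUS = 101
SSH_FXP_NAME = 104
SSH_FXP_EXTENDED = 200
SSH_FX_FAILURE = 4
MAX_PACKET = 256 * 1024   # assumed sanity cap; a real server has its own limit


def _string(b: bytes) -> bytes:
    """SFTP 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _frame(body: bytes) -> bytes:
    """Prefix a packet body with its uint32 length."""
    return struct.pack(">I", len(body)) + body


def encode_home_directory_request(request_id: int, username: str) -> bytes:
    """Client side: SSH_FXP_EXTENDED, id, string "home-directory", string username."""
    body = (struct.pack(">BI", SSH_FXP_EXTENDED, request_id)
            + _string(b"home-directory") + _string(username.encode("utf-8")))
    return _frame(body)


class Reader:
    """Bounds-checked cursor over untrusted bytes; a short read raises."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("truncated packet")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def u8(self) -> int:
        return self.take(1)[0]

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def string(self) -> bytes:
        return self.take(self.u32())


def decode_extended_request(packet: bytes):
    """Server side: validate framing, return (id, extension name, extension payload)."""
    r = Reader(packet)
    length = r.u32()
    # Reject both oversized claims and length fields that disagree with the data.
    if length > MAX_PACKET or length != r.remaining():
        raise ValueError("bad packet length")
    if r.u8() != SSH_FXP_EXTENDED:
        raise ValueError("not an SSH_FXP_EXTENDED request")
    request_id = r.u32()
    name = r.string().decode("ascii")
    return request_id, name, r.take(r.remaining())


def handle_home_directory(packet: bytes, lookup) -> bytes:
    """Answer a home-directory request; lookup(username) returns a path or None.

    Success is an SSH_FXP_NAME with one entry, failure an SSH_FXP_STATUS.
    """
    request_id, name, payload = decode_extended_request(packet)
    if name != "home-directory":
        raise ValueError("unsupported extension: " + name)
    r = Reader(payload)
    username = r.string().decode("utf-8")
    if r.remaining():
        raise ValueError("trailing bytes in request")
    home = lookup(username)
    if home is None:
        body = (struct.pack(">BII", SSH_FXP_STATUS, request_id, SSH_FX_FAILURE)
                + _string(b"no such user") + _string(b""))
        return _frame(body)
    h = home.encode("utf-8")
    body = (struct.pack(">BII", SSH_FXP_NAME, request_id, 1)
            + _string(h) + _string(h) + struct.pack(">I", 0))
    return _frame(body)
```

Every length the peer supplies is checked against the bytes actually present before it is used, which is the property a file-transfer server parsing this extension needs regardless of how the reply is laid out.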

/usr/games removed from the default $PATH

2 years 11 months ago

In -current, /usr/games has been removed from the default $PATH. Theo Buehler (tb@) committed the change:

CVSROOT:        /cvs
Module name:    src
Changes by:     tb@cvs.openbsd.org    2022/08/10 01:40:37

Modified files:
    etc/skel       : dot.cshrc dot.profile

Log message:
Remove games from the default $PATH in /etc/skel

The games are a playground for developers. Their code is very old and
full of bugs.

ok deraadt kn

So when you next sit down on a fresh snapshot install and want to do a quick rot13 or do a round of tetris, you may need to specify the full path.

Alternatively, you could dig into the code and see if you can fix a bug or two.

Even more randomness

2 years 11 months ago

Damien Miller (djm@) committed a change randomising the rekeying interval in arc4random(3) (and friends):

CVSROOT:        /cvs
Module name:    src
Changes by:     djm@cvs.openbsd.org    2022/07/30 23:10:36

Modified files:
    lib/libc/crypt : arc4random.c

Log message:
Randomise the rekey interval a little.

Previously, the chacha20 instance would be rekeyed every 1.6MB. This
makes it happen at a random point somewhere in the 1-2MB range.

Feedback deraadt@ visa@, ok tb@ visa@

-current has moved to 7.2-beta

2 years 11 months ago

With the following commit(s), Theo de Raadt (deraadt@) moved -current to version 7.2-beta:

CVSROOT:        /cvs
Module name:    src
Changes by:     deraadt@cvs.openbsd.org    2022/07/20 09:12:39

Modified files:
    sys/conf       : newvers.sh
    sys/sys        : param.h
    etc/root       : root.mail
    usr.bin/signify: signify.1
    sys/arch/macppc/stand/tbxidata: bsd.tbxi

Log message:
move to 7.2-beta. this gets done very early, to avoid finding out
version number issues close to release

Snapshots are (already) available for several platforms.

(Regular readers will know what comes next…)
This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

Game of Trees 0.74 released

2 years 11 months ago

For those who have been paying attention to the Game of Trees development list, there has been a lot going on with got(1). Apologies here at undeadly for having missed some release announcements!

Having written as much, got 0.74 was released on July 14th, 2022!

Release notes may be found here: https://gameoftrees.org/releases/CHANGES

The -portable release also got some attention, and those release notes may be found here: http://gameoftrees.org/releases/portable/CHANGELOG

Read more…

rpki-client 7.9 released

2 years 11 months ago

rpki-client, a fairly critical component of routing security infrastructure, has a new release out: version 7.9.

The announcement leads in,

rpki-client 7.9 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads and BGPsec Router keys in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.

Read the whole thing here and grab the new release at your favorite OpenBSD mirror.
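Both rpki-client posts above describe the program emitting validated ROA payloads (VRPs) as CSV for other routing stacks to consume. What a consumer does with them is Route Origin Validation as defined in RFC 6811: a route is Valid if some VRP covers its prefix, its length is within that VRP's MaxLength and the origin AS matches; Invalid if it is covered but nothing matches; NotFound if no VRP covers it. The following added example (not rpki-client's own code) implements that decision over constructed CSV lines shaped like rpki-client's output; the header and all values are made up for the example.

```python
"""Route Origin Validation (RFC 6811) over rpki-client-style CSV output.

Added example, not part of rpki-client. SAMPLE_CSV is constructed to look
like rpki-client's CSV export; the ASNs, prefixes and trust anchor are made up.
"""
import csv
import io
import ipaddress

SAMPLE_CSV = """ASN,IP Prefix,Max Length,Trust Anchor,Expires
AS64496,192.0.2.0/24,24,example-ta,1700000000
AS64496,198.51.100.0/22,24,example-ta,1700000000
AS64497,2001:db8::/32,48,example-ta,1700000000
"""


def load_vrps(text):
    """Parse CSV rows into (network, maxlen, asn) tuples."""
    vrps = []
    for row in csv.DictReader(io.StringIO(text)):
        asn_text = row["ASN"].strip()
        asn = int(asn_text[2:] if asn_text.upper().startswith("AS") else asn_text)
        net = ipaddress.ip_network(row["IP Prefix"].strip(), strict=True)
        maxlen = int(row["Max Length"])
        vrps.append((net, maxlen, asn))
    return vrps


def validate(vrps, prefix, origin_as):
    """Return 'valid', 'invalid' or 'notfound' for one announcement.

    Covered: the route lies inside the VRP prefix (RFC 6811 section 2).
    Matched: covered, route length <= MaxLength, and origin ASN equal.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for net, maxlen, asn in vrps:
        if net.version != route.version:
            continue               # subnet_of() refuses mixed address families
        if route.subnet_of(net):
            covered = True
            if route.prefixlen <= maxlen and asn == origin_as:
                return "valid"     # one match is enough
    return "invalid" if covered else "notfound"


def validate_all(vrps, announcements):
    """Evaluate a list of (prefix, origin_as) pairs; returns a dict keyed by prefix."""
    return {p: validate(vrps, p, a) for p, a in announcements}


if __name__ == "__main__":
    table = load_vrps(SAMPLE_CSV)
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64500), ("203.0.113.0/24", 64496)]:
        print(f"{prefix:18} AS{asn}: {validate(table, prefix, asn)}")
```

The /25 case is the one operators most often get wrong: it sits inside an authorised /24, but because it exceeds the VRP's MaxLength it is Invalid rather than NotFound, which is exactly the behaviour that stops a more-specific hijack from sailing through as "unknown".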

In -current, dhclient(8) now just logs warnings and executes ifconfig(8)

3 years ago

Theo de Raadt (deraadt@) committed the change:

CVSROOT:        /cvs
Module name:    src
Changes by:     deraadt@cvs.openbsd.org    2022/07/02 11:21:32

Modified files:
    sbin/dhclient  : dhclient.c

Log message:
dhclient(8) has been undergoing replacement with "ifconfig xxx inet auto"
for a couple of years, backed by dhcpleased(8), which provides much
better dns handling. The next step is to make the dhclient simply execve
ifconfig in that way, and provide syslog warnings about deprecated options
along the way. This way, we can find the last few dhclient users, and
what they are missing.
ok florian krw