OpenBSD Journal

Following a discussion on tech@, Job Snijders (job@), committed to ps(1) support for displaying the parent/child hierarchy of processes as an ASCII art tree:

CVSROOT: /cvs Module name: src Changes by: job@cvs.openbsd.org 2022/09/01 15:15:54 Modified files: bin/ps : extern.h print.c ps.1 ps.c ps.h Log message: Add forest (-f) mode In -f mode group & display parent/child process relationships using ASCII art. Borrows heavily from Brian Somers' work on FreeBSD ps(1). With input from deraadt@ and tb@ OK benno@ claudio@

Read more…

Antoine Jacoutot (ajacoutot@) has added a "configtest" action to rcctl(8):

CVSROOT: /cvs Module name: src Changes by: ajacoutot@cvs.openbsd.org 2022/09/01 01:25:32 Modified files: etc/rc.d : rc.subr share/man/man8 : rc.d.8 usr.sbin/rcctl : rcctl.sh Log message: Add a new action: "configtest", to check configuration syntax of the daemon. A few adjustments will be done in the next days (like disabling this action if there's no specific rc_configtest function defined). e.g. /etc/rc.d/sshd configtest rcctl configtest sshd idea from naddy@

This is a feature that sysadmin types have been wanting for quite a while. A consistent way to sanity check your config before loading in anger is certain to make OpenBSD users' lives better.

Damien Miller (djm@) notes that all (new) commits to the portable OpenSSH repository are now signed using git's SSH signature support.

Further details are on the OpenSSH development mailing list:

[…] We are in the process of converting the portable OpenSSH repository to require signed commits, tags and pushes, using git's recent ssh signature support. So far it's gone very smoothly, and we hope to have it enforced for all commits soon. We maintain our own git repository for portable OpenSSH, that is automatically mirrored to github. We use "pre-receive" and "update" hooks to check for signed pushes and tags/commits respectively, using an in-repository allowed_signers file. […]

This is a most welcome process integrity improvement that hopefully will make the world trust our favorite SSH software even more.

In a pair of commits, Theo de Raadt (deraadt@) changed many daemons in /sbin to be dynamically linked. First this, which had some of us a little mystified:

CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2022/08/29 05:51:05 Modified files: etc : rc Log message: mount /usr earlier, to satisfy dynamically-linked daemons in /sbin better (there will be more soon)

Read more…

Video recordings from BSDCan 2022 are now available.

OpenBSD-related sessions include:

• Building a Large Scale Threat Intelligence System with OpenBSD - Lawrence Teo (lteo@)
• Network Management with the OpenBSD Packet Filter Toolset - Massimiliano Stucchi, Peter N M Hansteen, Tom Smyth
• PolyglotBSD - Brian Callahan (bcallah@)

That's several hours of intense OpenBSD entertainment (and some sister BSDs) right there!

Stefan Sperling (stsp@) has committed support for RAID 1C [mirroring and encryption] boot to -current on the amd64 platform:

CVSROOT: /cvs Module name: src Changes by: stsp@cvs.openbsd.org 2022/08/12 14:17:46 Modified files: share/man/man4 : softraid.4 sys/arch/amd64/stand/efi32: efidev.c sys/arch/amd64/stand/efi64: efidev.c sys/arch/amd64/stand/efiboot: efidev.c sys/arch/amd64/stand/libsa: biosdev.c softraid_amd64.c sys/lib/libsa : softraid.c Log message: add support for booting from RAID 1C softraid(4) volumes on amd64 Only boot-loader changes are needed. Both installboot(8) and the kernel already do what is required to make this work. ok kn@ Tested: biosboot on vmm: kn, stsp biosboot and efiboot on server hardware: stsp

Support on the arm64 platform can be expected soon.

Great work, Stefan (and Klemens, and everyone else involved)!

Damien Miller (djm@) has committed home-directory request to sftp-server(8): CVSROOT: /cvs Module name: src Changes by: djm@cvs.openbsd.org 2022/08/11 23:20:28 Modified files: usr.bin/ssh : sftp-server.c PROTOCOL Log message: sftp-server: support home-directory request Add support to the sftp-server for the home-directory extension defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing expand-path@openssh.com, but uses a more official protocol name, and so is a bit more likely to be implemented by non-OpenSSH clients. From Mike Frysinger, ok dtucker@

In -current, /usr/games has been removed from the default $PATH. Theo Buehler (tb@) committed the change:

CVSROOT: /cvs Module name: src Changes by: tb@cvs.openbsd.org 2022/08/10 01:40:37 Modified files: etc/skel : dot.cshrc dot.profile Log message: Remove games from the default $PATH in /etc/skel The games are a playground for developers. Their code is very old and full of bugs. ok deraadt kn

So when you next sit down on a fresh snapshot install and want to do a quick rot13 or do a round of tetris, you may need to specify the full path.

Alternatively, you could dig into the code and see if you can fix a bug or two.

Damien Miller (djm@) committed a change randomising the rekeying interval in arc4random(3) (and friends):

CVSROOT: /cvs Module name: src Changes by: djm@cvs.openbsd.org 2022/07/30 23:10:36 Modified files: lib/libc/crypt : arc4random.c Log message: Randomise the rekey interval a little. Previously, the chacha20 instance would be rekeyed every 1.6MB. This makes it happen at a random point somewhere in the 1-2MB range. Feedback deraadt@ visa@, ok tb@ visa@

With the following commit(s), Theo de Raadt (deraadt@) moved -current to version 7.2-beta:

CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2022/07/20 09:12:39 Modified files: sys/conf : newvers.sh sys/sys : param.h etc/root : root.mail usr.bin/signify: signify.1 sys/arch/macppc/stand/tbxidata: bsd.tbxi Log message: move to 7.2-beta. this gets done very early, to avoid finding out version number issues close to release

Snapshots are (already) available for several platforms.

(Regular readers will know what comes next…)
This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

For those who have been paying attention to the Game of Trees development list, there has been a lot going on with got(1). Apologies here at undeadly for having missed some release announcements!

Having written as much, got 0.74 was released on July 14th, 2022!

Release notes may be found here: https://gameoftrees.org/releases/CHANGES

The -portable release also got some attention, and those release notes may be found here: http://gameoftrees.org/releases/portable/CHANGELOG

Read more…

Our favorite BGP daemon, OpenBGPD, has a new version 7.5 out. The announcement reads,

We have released OpenBGPD 7.5, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon.

Read more…

A fairly critical component of routing security infrastructure, rpki-client, has a new release out, version 7.9.

The announcement leads in,

rpki-client 7.9 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads and BGPsec Router keys in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.

Read the whole thing here and grab the new release at your favorite OpenBSD mirror.

Theo de Raadt (deraadt@) committed the change:

CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2022/07/02 11:21:32 Modified files: sbin/dhclient : dhclient.c Log message: dhclient(8) has been undergoing replacement with "ifconfig xxx inet auto" for a couple of years, backed by dhcpleased(8), which provides much better dns handling. The next step is to make the dhclient simply execve ifconfig in that way, and provide syslog warnings about deprecated options along the way. This way, we can find the last few dhclient users, and what they are missing. ok florian krw

The first r2k22 hackathon report is in, from Job Snijders (job@), who writes:

Traveling to r2k22 was a lot of fun! It's not often I get to travel to developer meetings by bike.

Read more…

Courtney Allen has published a blog post about how to run a website and blog almost exclusively on things that are in the OpenBSD base system already, only adding AsciiDoc to the mix.

The lead in reads, I have fallen in love with a recent combination of software to make good looking websites, and having an easy to manage web server. I’m a minimalist in many ways. Really, I find that it makes my life easier.

You can read the whole thing here: 0 Dependency Websites with OpenBSD & AsciiDoc.

Christian Ludwig "wrote a tool to statically analyze spl(9) kernel locking in OpenBSD. It even found some bugs."

His write up is here: https://medium.com/@chrissicool/analyze-openbsds-kernel-with-domain-specific-knowledge-ca665d92eebb

His code for the Lock Balancing Checker referenced in the write up is available under an ISC license and can be obtained here: https://github.com/chrissicool/lbc

Here are a few recent OpenBSD news items that we almost missed ourselves:

• The r2k22 hackathon is underway in Bruges, Belgium, see https://bsd.network/@stsp/108531205545193224
• The new grep --null option
• Adventures with privsep in xlock(1)

Frederic Cambus (fcambus@) has written a blog entry regarding the significant differences between the versions of LLVM in base and ports.

We wouldn't blame you if you it slipped under your RADAR that OpenBGPD 7.4 was released, since it doesn't appear to have been mentioned on the OpenBGPD website yet. However, the release notes may be found in this mailing list post from June 14th, 2022:
https://marc.info/?l=openbsd-announce&m=165521316007652&w=2