OpenBSD Journal

In a message to tech@ Damien Miller (djm@) explained the consequences of his recent commit:

[…] RSA/SHA1, a.k.a the "ssh-rsa" signature type is now disabled by default in OpenSSH. While The SSH protocol confusingly uses overlapping names for key and signature algorithms, this does not stop the use of RSA keys and there is no need to regenerate "ssh-rsa" keys - most servers released in the last five years will automatically negotiate the use of RSA/SHA-256/512 signatures. This has been coming for a long time, but I do expect it will be distruptive for some people as there are likely to be some devices out there that cannot be upgraded to support the safer algorithms. In these cases, it is possible to selectively re-enable RSA/SHA1 support by specifying PubkeyAcceptedAlgorithms=+ssh-rsa in the ssh_config(5) or sshd_config(5) for the endpoint. Please report any problems here, to bugs@ or to openssh@ […]

TL;DR:

• The "ssh-rsa" signature type is now disabled by default.
• "ssh-rsa" signatures can be selectively re-enabled if necessary.
• RSA ("ssh-rsa") keys are not affected by this change and remain valid.

Claudio Jeker (claudio@) has committed support for simple include and exclude cases in (open)rsync:

CVSROOT: /cvs Module name: src Changes by: claudio@cvs.openbsd.org 2021/08/29 07:43:46 Modified files: usr.bin/rsync : Makefile extern.h flist.c main.c receiver.c sender.c Added files: usr.bin/rsync : charclass.h rmatch.c rules.c Log message: Implement --exclude/exclude-file and --include/include-file. Currently only simple include and excludes work, the advanced filters introduced later in rsync are not implemented. It is unclear if the per directory filters are something we want to implement. This requires more modern protocols which openrsync is not able to handle right now. This adds a special matching function to allow the ** matching which behaves mostly like rsyncs version with the exception of how bad [] patterns are expanded. For bad patterns openrsync follows more how fnmatch behaves and not the somewhat strange rsync behaviour. Not perfect but committing now so people can test and provide feedback

Great stuff! This should further reduce the need for installing the net/rsync port.

OpenBSD Journal co-editor Peter Hansteen writes in, saying

When Jonathan at SEMI_bug asked me whether I could do a talk for them, it took me a few moments to come up with a good subject and title. But for what would be a lunchtime session in the US East time zone on Sunday August 22nd, 2021 the subject became

Recent and not so recent changes in OpenBSD that make life better (and may turn up elsewhere too)

Once I had come up with the title, I wrote it up as a full article, now hosted on my blog.

If you prefer the hyper-condensed version, the slides for the talk are available, too.

With the following commit, Theo de Raadt (deraadt@) moved -current to version 7.0-beta:

CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2021/08/17 09:03:56 Modified files: sys/conf : newvers.sh etc/root : root.mail share/mk : sys.mk sys/arch/macppc/stand/tbxidata: bsd.tbxi usr.bin/signify: signify.1 Log message: 7.0-beta

Snapshots are (already) available for most platforms.

This serves as an excellent reminder to upgrade snapshots frequently, test both base and ports, and report problems [plus, of course, donate!].

Now enabled by default on OpenBSD -current is dhcpleased(8), a dynamic host configuration protocol daemon written by florian@ (Florian Obser), who spoke with us about his work:

I suppose this is either the KAME project's fault, or if we don't want to go that far back, Theo's fault. At g2k16 he floated the idea of a network configuration daemon. It would collect "proposals" for IP addresses, default routes and DNS configuration from various sources (DHCP, IPv6 router advertisements, umb(4), etc.), make some policy decisions, configure the network, and set resolv.conf(5)

Read more…

Florian Obser (florian@) has enabled dhcpleased(8) and resolvd(8) [on both of which we reported earlier] in base.

The commits are,

Read more…

Since our previous report, there has been significant progress on support for riscv64:

• There's now a web page for the platform, with details of (broadened) hardware support (for those lucky/deserving enough to have hardware, of course).
• Following some commits from Dale Rahn (drahn@), install sets now include xenocara.

As always, thanks to those involved!

Sven G is back with another tale of using a Raspberry Pi in his garage:

OpenBSD lets one control the GPIO pins on a Raspberry Pi. Controlling a garage door is simple: connect the GPIO output pin to one side of a relay's coil, connect the 5 volt output of the Pi to the other side of the relay's coil, and connect wires from your garage's wall console to the relay's common and "normally closed" ports. Running the program below opens or closes the door. Since the Pi will be connected to the garage wall console, you'll want to enable sshd. I've named my Pi "garage" and my program "og," so I can open the door remotely with

ssh garage /home/sven/bin/og

Read more…

Frederic Cambus (fcambus@) has blogged about the recent history and current state of toolchains on OpenBSD.

It provides a good explanation of how and why things got to where they stand.

The OpenBSD project has released OpenBSD 6.9, the project's 50th release. As usual the release page offers highlights, installation and upgrade instructions as well as links to other resources such as the detailed changelog.

Notable improvements include, but are not limited to

• The arm64 platform now has OpenBSD booting multi-user on Apple M1
• Numerous improvements to the relatively fresh powerpc64 platform
• A generous sprinkling of multicore untangling in the network stack
• A fresh virtual Ethernet Bridge device veb(4), more details in Introducing veb(4) - a new Virtual Ethernet Bridge
• New daemons dhcpleased(8) (see also) and resolvd(8) (see also) introduced to make road warriors' lives easier. (These daemons are not enabled by default.)
• rpki-client(8) has seen major work, including initial support for RRDP (The RPKI Repository Delta Protocol, RFC 8182).
• For enhanced privacy control for video recording, the sysctl(8) parameter kern.video.record was added. (See earlier report). This is analogous to kern.audio.record.
• Major updates to packages

Those upgrading from 6.8 or earlier releases should consult the Upgrade Guide.

Thanks to the developers for all the good work that went into this excellent new release!

While your install sets download or when your packages update, please take the time to look at and use one or more of the recommended ways to support the project, such as making a donation. You can also get merchandise and help OpenBSD visibility. Corporate entities may prefer sending some money in the direction of the OpenBSD Foundation, which is a Canadian non-profit corporation.

With the following commit, Dale Rahn (drahn@) imported initial support for the 64-bit RISC-V architecture:

CVSROOT: /cvs Module name: src Changes by: drahn@cvs.openbsd.org 2021/04/22 20:42:17 Added files: sys/arch/riscv64: Makefile sys/arch/riscv64/compile: Makefile Makefile.inc sys/arch/riscv64/compile/GENERIC: Makefile sys/arch/riscv64/compile/RAMDISK: Makefile sys/arch/riscv64/conf: GENERIC Makefile.riscv64 RAMDISK files.riscv64 kern.ldscript sys/arch/riscv64/dev: mainbus.c mainbus.h plic.c plic.h riscv_cpu_intc.c riscv_cpu_intc.h simplebus.c simplebusvar.h timer.c timer.h sys/arch/riscv64/include: _float.h _types.h asm.h atomic.h bootconfig.h bus.h cdefs.h conf.h cpu.h cpufunc.h db_machdep.h disklabel.h elf.h endian.h exec.h fdt.h fenv.h frame.h ieee.h ieeefp.h intr.h kcore.h limits.h loadfile_machdep.h mutex.h param.h pcb.h pmap.h proc.h profile.h pte.h ptrace.h reg.h reloc.h riscv64var.h riscvreg.h sbi.h setjmp.h signal.h softintr.h spinlock.h syscall.h tcb.h timetc.h trap.h vmparam.h sys/arch/riscv64/riscv64: ast.c autoconf.c bus_dma.c bus_space.c conf.c copy.S copyinout.S copystr.S cpu.c cpufunc_asm.S cpuswitch.S db_disasm.c db_interface.c db_trace.c disksubr.c fpu.c genassym.cf intr.c locore.S locore0.S machdep.c mem.c pagezero.S pmap.c process_machdep.c sbi.c sig_machdep.c softintr.c support.S syscall.c trap.S trap_machdep.c vm_machdep.c Log message: Initial import of OpenBSD/riscv64 This work is based on the effort: https://www.openbsd.org/papers/Porting_OpenBSD_to_RISCV_FinalReport.pdf "Porting OpenBSD to RISC-V ISA" by Brian Bamsch <bbamsch@google.com> Wenyan He <wenyan.he@sjsu.edu> Mars Li <mengshi.li.mars@gmail.com> Shivam Waghela <shivamwaghela@gmail.com> With additional work by Dale Rahn <drahn@openbsd.org>

Congratulations and thanks to all involved!

We received a contribution from Sven G, about checking the temperature in the garage where his dog sleeps with OpenBSD:

I was inspired by the April 2017 article in undeadly.org about getting OpenBSD running on a Raspberry Pi 3B+. My goal was to use a Raspberry Pi running OpenBSD to monitor the temperature in my garage from my home. My dog has his own little "apartment" inside the garage, so I want to keep an eye on the temperature. (I don't rely on this device. He sleeps inside the house whenever he wants.)

If anything seems wrongheaded, please chalk it up to a frothy mixture of enthusiasm, ignorance, stubbornness, and "just-because-I-wanted-to-do-it-this-way-ness."

Read more…

Dr. Brian Robert Callahan (bcallah@) blogged about his work in getting D compiler(s) working under OpenBSD.

The first paragraph reads:

I got GDC, the GNU D Compiler, working on OpenBSD. Supporting D has been a very long time coming. Here's the story of how we got here and where we need to go next.

Read the full post for all the details, including an explanation of why there isn't yet a port.

Hoping to be able to make a conference in Vienna in September (and doing it digitally if not), the EuroBSDCon is now accepting submissions for presentations and tutorials.
Read more at 2021.EuroBSDCon.org

In a recent blog post, OpenBSD developer Solène Rapenne (solene@) offers an over view of the security features offered by a default OpenBSD installation.

The first paragraph of the introduction reads,

In this text I will explain what makes OpenBSD secure by default when you install it. Do not take this for a security analysis, but more like a guide to help you understand what is done by OpenBSD to have a secure environment. The purpose of this text is not to compare OpenBSD to other OSes but to say what you can honestly expect from OpenBSD.

A worthy reminder of how the system works, and a very handy piece to show to anybody who wonders why one would choose to use OpenBSD over anything else. You can read the whole thing here.

With the following commit, Florian Obser (florian@) imported dhcpleased(8), DHCP daemon to acquire IPv4 address leases from servers, plus dhcpleasectl(8), a utility to control the daemon:

CVSROOT: /cvs Module name: src Changes by: florian@cvs.openbsd.org 2021/02/26 09:16:37 Added files: sbin/dhcpleased: Makefile bpf.c bpf.h checksum.c checksum.h control.c control.h dhcpleased.8 dhcpleased.c dhcpleased.h engine.c engine.h frontend.c frontend.h log.c log.h usr.sbin/dhcpleasectl: Makefile dhcpleasectl.8 dhcpleasectl.c parser.c parser.h Log message: Import dhcpleased(8) - a dhcp daemon to acquire IPv4 address leases from servers.

Read more…

With the following commit, Florian Obser (florian@) imported resolvd(8), a daemon for handling nameserver configuration:

CVSROOT: /cvs Module name: src Changes by: florian@cvs.openbsd.org 2021/02/24 11:10:41 Added files: sbin/resolvd : Makefile resolvd.8 resolvd.c Log message: Import resolvd(8), a daemon to rewrite resolv.conf. prodding deraadt

Since the initial import, resolvd(8) has seen:

1. some significant reworking
2. improvements to the man page
3. linking to the build

Read more…

In this commit, David Gwynne (dlg@) adds a new veb(4) driver to the tree. David's goal is to replace the old bridge(4) driver:

Read more…

Mark Kettenis (kettenis@) is teasing OpenBSD booting multi-user on Apple M1 hardware:

So OpenBSD boots multi-user on the new Apple M1 hardware. This still has some hacks in it that need to be fixed, so don't expect support for this in the tree right now. But a big thank you to those that contributed to the pool for getting us some hardware. […]

See the full post for the dmesg.

Congratulations to all those involved!

Recent noteworthy things commited to -current and not previously reported include:

• [2021-01-26] Patrick Wildt (patrick@) continues work [with help from Mark Kettenis (kettenis@)] on supporting the Apple M1.
• [2021-02-06] Solène Rapenne (solene@) blogged about using 2FA with TOTP.
• [2021-02-08] Stefan Sperling (stsp@) added a RAID1C (raid1 + crypto) softraid(8) discipline.
• [2021-02-09] Patrick Wildt (patrick@) added lldb(1) (for amd64 and arm64 platforms).
• [2021-02-09] maxburst feature removed from tcp_output by Jan Klemkov (jan@)
  [2021-02-09] PF_LOCK() activated by Patrick Wildt (patrick@)
  [2021-02-10] Vitaliy Makkoveev (mvs@) moved UNIX domain sockets out of the kernel lock
  
• [2021-02-11] Jonathan Gray (jsg@) upgraded libdrm to version 2.4.104, with changes to the relevant devices (see FAQ).
• [2021-02-12] Otto Moerbeek (otto@) has requested testing/review of a patch enhancing malloc(3) "junking".

All in all, this looks promising for the upcoming OpenBSD 6.9 release!