
OpenBSD Interview: Strengths, Tradeoffs And Plans

Posted by Nik on Fri Apr 07, 2000 02:58 PM
from the NP:-Honey dept.
Duke of URL writes: "Boardwatch interviewed OpenBSD contributor Louis Bertrand. It's an excellent article about OpenBSD's niche and mission. They discussed the continued code audit, OpenSSH, and future version plans, including SMP development, ports rework, and continued integration of IPv6. Journalist Jeffrey Carl does a good job of pointing out OpenBSD's strengths and tradeoffs."
  • I'd just like to add to what others have said. Linux, just like any operating system, takes a bit of work to make *and keep* secure. But there are some excellent tools at your disposal:

    Secure-Linux [openwall.com] is a Linux kernel patch that adds nifty security features, which eliminates many, if not most, buffer overflow attacks. I tested this with one of the ProFTPd exploits, and indeed, the exploit failed against a known vulnerable version of ProFTPd. Without the patch, the exploit worked.

    Psionic PortSentry [psionic.com] detects and responds to port scans in real time. It works with other Unixes as well.

    With these tools, the standard ipchains stuff, and a willingness to not run *every* daemon under the sun, you can have a reasonably secure Linux box.

    Also, to throw those k1dd13z for an extra loop, put all this on linuxppc. Let 'em chew on that for a while...

    New XFMail home page [slappy.org]

    /bin/tcsh: Try it; you'll like it.

  • by Amphigory (2375) on Friday April 07 2000, @04:32PM (#1145084) Homepage
    I looked a couple of weeks ago, and was unable to find anyone who had done a secure linux distro. Why would I rather have Linux?
    • Faster. OpenBSD is slow on my boxes.
    • Better hardware support.
    • SMP
    • Better commercial app support.
    • Generally, easier install.
    There are a couple of pages out there that describe products, but no downloadable distros. This sounds to me like a great market for someone to "do a mandrake" in.

    --

  • by Dast (10275) on Friday April 07 2000, @04:00PM (#1145085)
    I just installed it tonight for the first time. The disk setup was a tad cryptic, but the documentation rocks, as long as you know what to look for. It was so clear I almost wanted to cry.

    (BTW, where are the preconfigured firewall and gateway scripts installed by default?)

    But I agree the article wasn't really that great.
  • by linuxonceleron (87032) on Friday April 07 2000, @09:02AM (#1145086) Homepage
    I've been looking into OpenBSD for a while to replace Linux on my firewall, and it seems like it's much better suited for the job. Many people overlook the *BSDs, but Linux has become too mainstream for my tastes :). I should be putting OpenBSD 2.6(+?) on my IP Masq box over spring break...btw a good book on using OpenBSD for this stuff is Configuring Linux and OpenBSD Firewalls, it's like $35

  • by Anony Mouse (106601) on Saturday April 08 2000, @12:56AM (#1145087)
    And exactly how big of a problem is Linux's source code, or any of RedHat 6.X's services source? Obviously not as bad as some of you make it out to be. How many times a week do you hear of people's boxes being rooted b/c somebody read Linux's source code, found a hole, and exploited a machine? Not everyone is as eleet as you and reads source code and finds buffer overflows in services(sarcasm) nightly.

    First of all, relax. There's no need to be so defensive. Nobody's saying that your favorite OS sucks! :) A compliment for OpenBSD is not (necessarily) a criticism of Linux.

    Services like sendmail and apache have been around for a LONG time, and many vulnerabilities have been discovered, and fixed. If you are paranoid, use the oldest version that doesn't have known vulnerabilities.

    So, umm, this sounds like words of support for OpenBSD, because that's what OpenBSD does by default (do any Linux distributions take this approach?). It would be *a lot* of trouble to go around downgrading all of the critical network daemons on a Linux distribution to get it secured down (not to mention the time spent finding the last "secure" version of those daemons). Just because someone hasn't broken into a system yet, does not mean that the system is secure! ;)

    They (OS service developers) don't brag about formal 'line-by-line' audits of their software, but just because they don't have 'audits' doesn't mean that they lag behind on security.

    Yes, it pretty much does. What you don't look for, you probably won't find. ;) For software of any significant size and complexity, unless you actively look for security holes (or bugs in general), chances are they exist. That said, it doesn't mean that Linux is grossly insecure, but it does lag behind OpenBSD in the security arena a bit.

    What mail service comes with OpenBSD? Surely they write their own, b/c Sendmail doesn't have 'security audits' of their code.

    OpenBSD 2.5 and FreeBSD 3.2 (the two distributions that I happen to have in front of me at the moment, which also happen to have been released around the same time) both shipped with the exact same version of sendmail (8.9.3). The difference? On FreeBSD, sendmail is enabled by default (as I assume it is on most Linux distributions as well, but it has been a long while since I have administered one of those, so I can't speak for any of them).

    On OpenBSD (/etc/rc.conf):
    sendmail_flags=NO

    On FreeBSD (/etc/defaults/rc.conf):
    sendmail_enable="YES"

    (actually, a quick diff of the source files shows that they are not exactly the same -- looks like some extra type casting and bounds checking has been added)

    Don't get me wrong here, I love FreeBSD (and Linux), but this illustrates the point that Louis Bertrand is trying to make: if I had no knowledge of the security issues surrounding sendmail, the default would be for my OpenBSD system to be "secure" (in that regard) and my FreeBSD system to be potentially less so. I have plenty of other things to worry about than how secure every single network daemon on my system might be, and there is some comfort in knowing that the OpenBSD folks have already done a lot of that work.

    -- Anony Mouse

    p.s.
    http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=1006
    http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1078
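
Added example, not part of the comment above and not code from either project: a small audit that reads an rc.conf-style file and lists the daemons it starts, using the two conventions the comment quotes. The sample files, the function names and the rule that any `_flags` value other than `NO` means "on" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list the daemons an rc.conf-style file starts at boot.
# Assumed conventions (the two forms quoted in the comment):
#   openbsd:  name_flags=NO      -> off; any other value, even "", -> on
#   freebsd:  name_enable="YES"  -> on;  anything else -> off

enabled_services() {
    # $1 = style (openbsd|freebsd), $2 = file; prints one service per line
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$2" |
    awk -v style="$1" '
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t"]+|[ \t"]+$/, "", val)      # trim blanks and quotes
        if (style == "openbsd" && key ~ /_flags$/) {
            sub(/_flags$/, "", key)
            if (val != "NO") print key
        } else if (style == "freebsd" && key ~ /_enable$/) {
            # FreeBSD files also carry name_flags lines; only _enable decides
            sub(/_enable$/, "", key)
            if (toupper(val) == "YES") print key
        }
    }' | sort -u
}

only_on_in_second() {
    # $1,$2 = style and file of the baseline; $3,$4 = style and file to compare
    # prints services that are on in the second file but not in the baseline
    tmp_a=$(mktemp) tmp_b=$(mktemp)
    enabled_services "$1" "$2" > "$tmp_a"
    enabled_services "$3" "$4" > "$tmp_b"
    comm -13 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# Constructed sample files (not copied from any release).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/openbsd.conf" <<'EOF'
# constructed sample in the OpenBSD style
sendmail_flags=NO
named_flags=NO          # off until an admin sets flags
sshd_flags=""
EOF
cat > "$SAMPLE_DIR/freebsd.conf" <<'EOF'
# constructed sample in the FreeBSD style
sendmail_enable="YES"
sendmail_flags="-bd -q30m"
inetd_enable="YES"
named_enable="NO"
EOF

echo "on in the OpenBSD-style sample:"
enabled_services openbsd "$SAMPLE_DIR/openbsd.conf"
echo "on in the FreeBSD-style sample but not in the OpenBSD-style one:"
only_on_in_second openbsd "$SAMPLE_DIR/openbsd.conf" \
                  freebsd "$SAMPLE_DIR/freebsd.conf"
```

Run against a real host's file, the first list is the set of daemons to review before the box is put on a public network.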

  • by 348 (124012) on Friday April 07 2000, @09:15AM (#1145088) Homepage
    OpenBSD is absolutely the choice for me. Sure it has some problems, any SW product will. But with OpenBSD I get a relatively secure environment right from day one. I don't need to have our admins spend weeks implementing bolt-ons to make the environment fairly bulletproof. The only disappointment I have using OpenBSD is that it is very basic. However that is one of the things that our admins love about it. Less bells and whistles means less stuff to break.
  • I just got tired of my linux box being hacked and broken into ;-(

    after about 2 yrs being on the net (public email/web/cgi/ssh/sql services being run), I was broken into 3 times. each time it cost me a lot of effort and pain. plus downtime. and even lost files ;-( ;-(

    so I decided to give openbsd a try. so far, it's doing what I need it to. I'm wasting a dual BX board on openbsd (it does not have SMP like linux does; which is what my previous o/s was) but I'll exchange computes for secure computes anyday.

    the way I see it is: if you're inside a protected region (inside the company firewall where there are no 'bad' people to screw you over) then linux on the desktop seems to rule for me. but for any kind of public box, the Kiddies all know about linux and its weaknesses. I'm not sure they know much about openbsd. and even if they did know about it, there's few (if any) open holes they could crawl thru.

    today, I'm being ultra paranoid. I'm not running cgi's anymore, no networked sql, and I even dumped sendmail for qmail. so on my site, it's qmail and ssh - THAT'S IT.

    only time will tell - but I feel much better already, knowing that there has been a controlled audit of the openbsd code.

    --

  • by Frater 219 (1455) on Friday April 07 2000, @11:07AM (#1145090) Journal
    FWIW, you can get a proper su (in Debian, at least) by installing the secure-su package.
  • by Skapare (16644) on Friday April 07 2000, @11:09AM (#1145091) Homepage

    Are you good enough to be a security admin?

    Part of the problem is too many people just installing some packaged software, which they picked for reasons related to how many other clueless people picked it, and they expect it to be rock solid secure as installed without any configuration or tuning. They also expect top notch performance.

    If you want security, then you have to understand security, or you have to get something that is guaranteed to be secure right from the box, or hire someone who knows security (and please, no whining about lack of technical people when technical people are still looking for decent jobs where their employers respect their skills). OpenBSD probably is the most secure system available right now, as installed, although even I would not trust it without looking under the hood.

    A system/network security expert can make most systems secure (even NT if enough information can be had). Businesses have to commit to the attitude of security and trust a security expert to set it up for them. If you can't trust someone, then you better pull the plug on that internet connection right now (and probably also fire all your employees).

  • by Tim Pierce (19033) on Friday April 07 2000, @10:14AM (#1145092)

    Straight off, I get the message that this user is not in the appropriate group to su to root.

    This is pretty common behavior on non-Linux machines and certainly did not originate with OpenBSD. In order to su root, you must be in the wheel group.

    Linux does not require this because it uses the GNU version of su, which is intended specifically not to have this requirement. Here is an explanation [qnx.com] for this decision:

    Why GNU su does not support the wheel group (by Richard Stallman)

    Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

    However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

    I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.
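
Added example, not part of the comment above and not code from any su implementation: a check of who may attempt `su root` under the wheel rule the comment describes. It assumes the traditional BSD su behaviour (the user must be listed by name on the gid-0 line of /etc/group, and an empty member list switches the restriction off); the group files and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: who may attempt `su root` under the BSD wheel rule?
# Assumed rule (traditional BSD su): the user must be listed by name in the
# gid-0 group line of /etc/group; if that member list is empty, the check is
# skipped and anyone who knows the root password may su.

wheel_members() {
    # $1 = group file (name:passwd:gid:member,member); one member per line
    awk -F: '$3 == 0 && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

may_su_root() {
    # $1 = user, $2 = group file
    # returns 0 if su would go on to ask for the root password, 1 if it
    # would refuse the user outright
    members=$(wheel_members "$2")
    [ -n "$members" ] || return 0          # empty wheel: restriction is off
    printf '%s\n' "$members" | grep -qxF -- "$1"
}

# Constructed sample group files.
GROUP_DIR=$(mktemp -d)
printf '%s\n' 'wheel:*:0:root,alice' 'operator:*:5:root' 'staff:*:20:bob' \
    > "$GROUP_DIR/group.restricted"
printf '%s\n' 'wheel:*:0:' 'staff:*:20:alice,bob' \
    > "$GROUP_DIR/group.emptywheel"

for u in alice bob; do
    for f in restricted emptywheel; do
        if may_su_root "$u" "$GROUP_DIR/group.$f"; then r=allowed; else r=refused; fi
        echo "$u / group.$f: $r"
    done
done
```

The empty-wheel case is the one to look for in an audit: a group file with no members on the gid-0 line leaves the root password as the only barrier.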

  • Ugh... (Score:5)

    by pb (1020) on Friday April 07 2000, @09:08AM (#1145093)
    Why do people have to mangle the charset on these pages? It's almost unreadable in Solaris, with all those "?"'s littering it.

    It's good to see something like this in an interview, though:


    Unless security is your primary consideration, you probably aren?t going to use OpenBSD for all of your Unix servers. Linux, FreeBSD and NetBSD all
    excel in various areas where OpenBSD does not. However, OpenBSD certainly has its place, and should be part of any network administrator?s toolkit.
    For your most security-sensitive tasks, OpenBSD is very likely to be ?the right tool for the right job.?


    Many Linux distros are great for a catch-all, newbie-friendly OS, whereas most BSD's (I've heard, I haven't used any of them extensively) feel more like a traditional Unix out-of-the-box.

    (*please*, no "*BSD is Unix, Linux is not blah blah blah" comments. Because they're free, they both have *no* official "Unix" code, it was taken out of *BSD, and was never in Linux, but they share the same kernel interface, which is good enough for me)

    For a Linux alternative, use FreeBSD. For other platforms, use NetBSD. If you like the way Linux does things, use Linux. Need security? Run OpenBSD. Want media/SMP goodies and a pretty interface? Get BeOS. etc., etc., etc.

    They all have their niches, and *advocacy* involves recognizing that, and using the tool that's right for the job. So it's good to see some real BSD advocacy.
    ---
    pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
  • by Blue Lang (13117) on Friday April 07 2000, @10:44AM (#1145094) Homepage
    or weaknesses of OpenBSD.

    I installed it for the first time about 3 weeks ago, and I can't believe how much I love it. (I use linux as my workstation, and work on AIX, Solaris, etc.)

    Everyone talks a lot about how secure it is, but that doesn't help anyone who actually wants to USE it. If you're wondering how useable it is, the answer is, "very!"

    I would say its strengths, as far as a server OS, are:

    1) Tiny, tiny footprint. Full server install w/out X windows is like 100 MB.

    2) Nice, full man pages.

    3) It comes with a ton of preconfigured firewall and gateway scripts, along with a ton of info on what they do.

    4) It, by default, emails you every day with info on what's going on on your system. This is the type of thing most sysadmins spend their first four or five months writing for Slowaris/AIX/etc.

    5) It has GREAT networking support. Tunnels, VPN, etc, etc are right there ready to rock from the word 'go.'

    6) It really does only run a tiny set of services on startup. I think it starts with like, 6 processes, by default. That's a very nice base from which to build.

    7) Ports rock my little world. They make life very, very nice.

    On the downside:

    1) The install is amazingly terrifying the first few times. If you don't know what partitions are, if you don't understand hard drive geometry, don't even bother with OBSD. Get FreeBSD and install it a few times first. It follows the same concepts, and has a more clear explanation of what's going on.

    2) The filesystem sucks raw ass. Even mounted noatime and.. whatever else the other mount option is to make things faster.. :P .. it's slow as hell.

    That's pretty much the only bad things I'd say about it. I _love_ it as a firewall OS, and I might use it as a web server or something.. The FS performance scares me.

    All in all, the article was lame, as far as explaining why anyone would use OBSD. :P

    --
    blue
  • by pkj (64294) on Friday April 07 2000, @10:31AM (#1145095)
    First off, let me state that I am OS slut. I've done my stint with Solaris, Irix, FreeBSD and for the past two years Linux. (And I even develop a fair bit of software that gets deployed under 'doze, but we don't need to talk about that.) All have their strengths and weaknesses, and I'm not terribly partial to any of them.

    I have been meaning to play with OpenBSD for quite some time now, and finally decided to deploy it on my gateway/firewall which had been running RedHat 5.2 for the past two years. From all that I had read, this seemed to be the perfect application of OpenBSD. The install went very smoothly and I was very impressed by installation/sysadmin documentation available on the openbsd web site. The only install problem was my 2gig SCSI disk, of which only 1 gig was recognized. This was no big deal, as 1 gig was plenty, but this is apparently a known limitation of OpenBSD and some drives/BIOSs.

    The first thing I noticed was that the openbsd firewall code is lacking all the plug-ins for mangling complicated protocols like irc, realaudio, quake, etc. Even the use of non-passive ftp required the use of a proxy. This wasn't a big deal for me since I don't use any of these, but I know that many linux users would see this as a big problem.

    A day or so after my install, I noticed that throughput on my cable modem was just really sucking to some sites, and I could not connect to others at all. I figured this was a problem with the cable service, which has actually been quite good for me. After jacking my laptop directly into the cable box, I realized that there was nothing wrong with my net connection and that the openbsd machine was fubaring the connections.

    No problem, I'll post to the openbsd mailing list and see what the problem is. I got several replies that I must have something configured improperly. No, said I, the system is virtually stock, and I get excellent throughput to most sites. After much bitching, someone eventually notified me that the NE2000 device driver had known problems. So I replaced the cards with 3c509s (don't laugh, it's all I had on hand) and most of my problems went away. Thanks guys, if you had *told* me the driver was buggy, I could have saved myself a few days of headaches.

    I say *most* of my problems, because I had very similar problems with the 3c509 cards, although they were not nearly as bad. Eventually, I was able to get someone to admit to the fact that the 3c509 driver was buggy as well.

    Needless to say, at this point I was quite pissed as I had lost several days of work debugging and swapping hardware. I don't mind the fact that there are bugs in free software, but what really pissed me off was the fact that (1) the cards were listed as being supported (2) there was absolutely no indication of problems with the drivers for these cards in any of the documentation when in fact they had been reported by many people before me and (3) the attitude of the people on the openbsd mailing list who outright assumed that because things were not working that I had done something wrong.

    I'm sorry, but it was a terribly souring experience for me, and I am not likely to go back any time soon. In all fairness, however, I must say that openbsd performed flawlessly for 2-3 weeks aside from the problems I had with device drivers. In mentioning this to other people, I almost always got the response, "Yeah, the openbsd drivers suck." Perhaps I was just terribly unlucky. Who knows...

    As an addendum, I switched back to Linux and my machine has been very happy ever since. There's a lot of stuff I don't like about Linux (design and implementation) but I really must concede that things Just Work(TM) a remarkably large percentage of the time. And perhaps more importantly, I have been much more impressed by the attitudes and helpfulness of people in the Linux community. I don't always get the right answer to questions I post, but I usually get enough to be helpful...

    And finally, to the Openbsd people who happen to stumble across this message, I do hope that you will take my comments as constructive criticism, for that is how they are intended.

    -p.
