CVSROOT: /cvs
Module name: src
Changes by: mglocker@cvs.openbsd.org 2025/09/01 12:56:04
Modified files:
distrib/arm64/iso: Makefile
distrib/arm64/ramdisk: Makefile install.md list
Log message:
Add Raspberry Pi 5 Model B support for RAMDISK.
CVSROOT: /cvs
Module name: src
Changes by: deraadt@cvs.openbsd.org 2025/08/14 08:39:44
Modified files:
sys/dev/usb : ukbd.c
Log message:
Most Yubikey ship with OTP support enabled out of the box (and generate
accidental output like cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk).
Yubikey re-configuration requires crazy buggy and fragile tools using crazy
usb feature support, and therefore OTP disabling is very annoying. We
make a policy decision to not attach these as keyboards anymore, because a
majority of users just want the FIDO functionality. If you want to use OTP,
buy a different device from a different vendor or convince Yubikey to
significantly improve their tooling.
idea from kettenis
To be clear: this affects only the keyboard attachment of only Yubico devices.
Therefore:
USB security devices from other vendors are not affected.
login_yubikey(8) can no longer be used for local authentication purposes, but will still function for authentication of remote clients (so long as they support Yubikey OTP).
Running a patched kernel is the only way [at present] to reverse this change.
OpenSSH will now adapt IP QoS to actual sessions and traffic.
In a fresh commit, Damien Miller (djm@) introduced a significant change, which enables ssh and sshd to set the IP QoS based on what connections and sessions are active.
The commit message says,
List: openbsd-cvs
Subject: CVS: cvs.openbsd.org: src
From: Damien Miller <djm () cvs ! openbsd ! org>
Date: 2025-08-18 3:43:01
CVSROOT: /cvs
Module name: src
Changes by: djm@cvs.openbsd.org 2025/08/17 21:43:01
Modified files:
usr.bin/ssh : sshd-session.c sshd-auth.c ssh.c session.c
serverloop.c packet.h packet.c mux.c misc.c
clientloop.c channels.h channels.c
Log message:
Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS)
continually at runtime based on what sessions/channels are open.
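The runtime switching this log message describes, as an added example (not OpenSSH's code): a connection counts its open channels and re-applies IP_TOS or IPV6_TCLASS whenever the mix changes. The `conn` struct, the channel kinds, the two TOS values and the "interactive wins" policy are assumptions, since the log message names none of them.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed values and policy: the commit message names neither. */
#define QOS_INTERACTIVE	0x10	/* "lowdelay" TOS */
#define QOS_BULK	0x08	/* "throughput" TOS */
enum chan_kind { CHAN_INTERACTIVE, CHAN_BULK };	/* hypothetical channel types */

struct conn {
	int fd, family, cur_tos;	/* socket, AF_INET/AF_INET6, last TOS applied (-1: none) */
	int nopen[2];			/* open channels, indexed by chan_kind */
};

/* Any open interactive channel wins. Returns 1 if changed, 0 if not, -1 on error. */
static int apply_tos(struct conn *c)
{
	int tos = c->nopen[CHAN_INTERACTIVE] > 0 ? QOS_INTERACTIVE : QOS_BULK;
	int v6 = c->family == AF_INET6;
	if (tos == c->cur_tos)
		return 0;	/* skip the syscall when nothing changed */
	if (setsockopt(c->fd, v6 ? IPPROTO_IPV6 : IPPROTO_IP,
	    v6 ? IPV6_TCLASS : IP_TOS, &tos, sizeof(tos)) == -1)
		return -1;
	c->cur_tos = tos;
	return 1;
}

int chan_open(struct conn *c, enum chan_kind k)  { c->nopen[k]++; return apply_tos(c); }
int chan_close(struct conn *c, enum chan_kind k) { c->nopen[k]--; return apply_tos(c); }
/* Read back the value the kernel will stamp on outgoing packets. */
int read_tos(const struct conn *c)
{
	int tos = -1, v6 = c->family == AF_INET6;
	socklen_t len = sizeof(tos);
	getsockopt(c->fd, v6 ? IPPROTO_IPV6 : IPPROTO_IP,
	    v6 ? IPV6_TCLASS : IP_TOS, &tos, &len);
	return tos;
}

int main(void)
{
	struct conn c = { socket(AF_INET, SOCK_STREAM, 0), AF_INET, -1, {0, 0} };
	chan_open(&c, CHAN_BULK);		/* socket set to QOS_BULK */
	chan_open(&c, CHAN_INTERACTIVE);	/* raised to QOS_INTERACTIVE */
	printf("with shell open: 0x%02x\n", read_tos(&c));
	return close(c.fd);
}
```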
Here’s a little benchmark compliments of Jann Horn. It’s unexpectedly slow on Linux.
OpenBSD is so fast, I had to modify the program slightly to measure itself, as the time utility is missing sufficient precision to even record nonzero.
Go on, read the rest over at Ted's blog for some fun tidbits on performance and benchmarks.
Contributed by Peter N. M. Hansteen, from the oodles of imaginary friends dept.
OpenBSD users and aficionados are more likely than others to be familiar with the concept of greytrapping (the nastier kid sister of greylisting), as implemented via the OpenBSD spamd(8) spammer taunting software.
The feature has now been around for 18 years, and undeadly.org co-editor Peter Hansteen found that and another milestone to be a good reason to write a retrospective:
Friends, it finally happened. On August 7th, 2025, the number of spamtraps intended to woo the unwary spammer rolled past the number of inhabitants in my home country of Norway. It's time for a retrospective.
That's right, we've been making life harder for spammers for 18 years.
Peter's writeup has links to data, and more field notes and war stories than he could actually remember writing when he started on the retrospective.
A new opportunity for you to help improve the upcoming OpenBSD 7.8 release has turned up.
If YOU have a USB webcam you are using or would like to use with our favorite operating system, Kirill Korinsky (kirill@) would like to hear from you after testing recent snapshots.
Subject: Call for testing: USB webcams
From: Kirill A. Korinsky <kirill () korins ! ky>
Date: 2025-08-06 13:27:31
misc@,
the latest snapshots for amd64 and arm64 (I haven't checked other
architectures) include my recent changes to add support for H.264 streams
from USB webcams.
We are constantly on the lookout for stories of how you put OpenBSD to work.
Please submit any informative articles on how OpenBSD is helping your company.
2025-06-17 RELIABILITY: In acme-client(1), handle as yet unobserved "processing" state when fetching an issued certificate by retrying instead of giving up.