OpenBSD Journal

Catchup 2021-11-03

Contributed by rueda on from the onwards, onwards dept.

Interesting developments (in -current) since OpenBSD 7.0 include:

OpenBSD 7.0 released

Contributed by rueda on from the Undeadly-SYNs dept.

The OpenBSD project has released OpenBSD 7.0, the project's 51st release. As usual, the release page offers highlights, installation and upgrade instructions, as well as links to other resources such as the detailed changelog.

Notable improvements include, but are not limited to:

  • Support has been added for a new hardware platform, riscv64, for 64-bit RISC-V systems. [See earlier reports.]
  • /etc/bsd.re-config(5) was introduced, providing a mechanism to make config(8)-modified GENERIC kernels compatible with KARL.
  • Hibernate time has been reduced. [See earlier report.]
  • The timeout(1) utility was imported from NetBSD. [See earlier report.]
  • openrsync(1) now has include and exclude options. [See earlier report.]
  • doas(1) will now retry up to 3 times on password authentication failure.
  • ucc(4), a driver for USB HID Consumer Control keyboards, was added. This exposes volume, audio, and application launch keys.
  • xterm(1) is now unveiled. [See earlier report.]
  • printf(3) and friends now log an error and abort when confronted with format %n.
  • iked(8) now has client-side support for DNS configuration. [See earlier report.]
  • traceroute(8) speed has been boosted through asynchronous handling of probe packets and DNS. [See earlier report.]
  • dhcpleased(8) and resolvd(8) are both enabled by default and provide the standard mechanism for configuring IPv4 addresses by DHCP. [See previous reports.] The combination also makes nameserver information gathered via slaacd usable in dynamic configurations. dhclient(8) remains available for special cases. A "nameserver" command was added to route(8), allowing DNS nameserver proposals to be sent to resolvd(8) over the routing socket.
  • In LibreSSL 3.4.1, support has been added for the OpenSSL 1.1.1 TLSv1.3 APIs. The "new" X.509 validator is enabled, allowing verification of modern certificate chains.
  • In OpenSSH 8.8, the RSA/SHA1 signature type [not RSA ("ssh-rsa") keys - see previous report] is disabled by default. scp(1) supports optional use of the SFTP protocol. [Since our previous report, the default has reverted to using the original scp/rcp protocol by default.]

Those upgrading from the 6.9 release (or earlier) should consult the Upgrade Guide.

While your install sets download, or while your packages update, please take the time to look at and use one or more of the recommended ways to support the project, such as making a donation. Corporate entities may prefer to send money to The OpenBSD Foundation, a Canadian non-profit corporation. You can also get merchandise and help OpenBSD's visibility. Also, don't forget to listen to the release song (mp3 or ogg) and check out the lyrics.

Thanks to the developers for all the excellent work that has gone into this great new release!

Catchup 2021-10-08

Contributed by rueda on from the sundry puffyisms dept.

In the run-up to the OpenBSD 7.0 release, we note several recent interesting things previously unreported:

September 30th, 2021 syspatches: some assembly might be required

Contributed by Peter N. M. Hansteen on from the intermediate solutions for intermediate problems dept.

Did you just run syspatch(8) and see it fail?

Here's the reason: one of the two root certificates behind the (excellent) Let's Encrypt CA service has expired. A bug in (the "legacy" verifier of) LibreSSL also contributed.

The syspatches (032 for OpenBSD 6.8, 018 for OpenBSD 6.9) mitigate the unfortunate situation.

However, your syspatch may fail if your local mirror uses a Let's Encrypt certificate. Patch-22! In that case, the best advice may be to try a mirror that does not use a Let's Encrypt certificate just to get past this speed bump.

By default, scp(1) now uses SFTP protocol

Contributed by rueda on from the saner-future-than-past dept.

Thanks to a commit by Damien Miller (djm@), scp(1) (in -current) now defaults to using the SFTP protocol:

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2021/09/08 17:31:39

Modified files:
	usr.bin/ssh    : scp.1 scp.c 

Log message:
Use the SFTP protocol by default. The original scp/rcp protocol remains
available via the -O flag.

Note that ~user/ prefixed paths in SFTP mode require a protocol extension
that was first shipped in OpenSSH 8.7.

ok deraadt, after baking in snaps for a while without incident

As explained in the OpenSSH Release Notes,

SFTP offers more predictable filename handling and does not require expansion of glob(3) patterns via the shell on the remote side.
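The following is an added illustration of the "predictable filename handling" point, not code from OpenSSH or from the commit above. It contrasts a hypothetical minimal form of the remote command line the legacy scp/rcp protocol builds (where the remote shell expands the path) with an SFTP v3 SSH_FXP_OPEN request (draft-ietf-secsh-filexfer), in which the filename travels as a length-prefixed string and no character in it is special. The set of shell-significant characters and the sample paths are constructed for the example; the `-f` form of the legacy command and the packet field order are the only protocol details assumed.

```python
import re
import struct

# Constructed for this example: characters the remote sh(1) interprets when
# the legacy scp/rcp protocol hands a path to "scp -f/-t" on a command line.
_SHELL_SPECIAL = re.compile(r"""[\s*?\[\]{}$`"'\\;&|<>()~]""")

SSH_FXP_OPEN = 3      # SFTP v3 request type (draft-ietf-secsh-filexfer)
SSH_FXF_READ = 0x01   # open flag: read


def legacy_remote_command(path: str) -> str:
    """Hypothetical minimal form of the command line the legacy protocol
    runs on the remote host; the path is expanded by the remote shell."""
    return f"scp -f {path}"


def needs_shell_quoting(path: str) -> bool:
    """True if the remote shell would rewrite this path in legacy mode."""
    return _SHELL_SPECIAL.search(path) is not None


def sftp_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def sftp_open_request(request_id: int, path: bytes,
                      pflags: int = SSH_FXF_READ) -> bytes:
    """Encode an SSH_FXP_OPEN packet (SFTP v3): the filename is carried as a
    length-prefixed string, so no character in it has special meaning."""
    body = (bytes([SSH_FXP_OPEN])
            + struct.pack(">I", request_id)
            + sftp_string(path)
            + struct.pack(">I", pflags)
            + struct.pack(">I", 0))      # ATTRS with no fields set
    return struct.pack(">I", len(body)) + body


def sftp_open_filename(packet: bytes) -> bytes:
    """Decode the filename back out of an SSH_FXP_OPEN packet."""
    (length,) = struct.unpack_from(">I", packet, 0)
    if packet[4] != SSH_FXP_OPEN or len(packet) != 4 + length:
        raise ValueError("not a well-formed SSH_FXP_OPEN packet")
    (name_len,) = struct.unpack_from(">I", packet, 9)   # after type + id
    return packet[13:13 + name_len]


if __name__ == "__main__":
    for p in ("report-2021.txt", "logs/*.txt", "my report.txt"):
        print(f"{p!r}: legacy command {legacy_remote_command(p)!r}, "
              f"shell-sensitive={needs_shell_quoting(p)}")
    pkt = sftp_open_request(7, b"my report *.txt")
    print("SFTP round-trip:", sftp_open_filename(pkt))
```

In legacy mode the path `logs/*.txt` reaches the remote shell as a glob to be expanded, and a path containing a space becomes two arguments unless the client quotes it; in SFTP mode the same bytes are recovered exactly from the packet, which is why the client no longer has to reason about remote quoting. Paths prefixed with `~user/` are the one case the commit message calls out as needing a protocol extension, and this example does not model them.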

Unlocking UVM faults yields significant performance boost

Contributed by Peter N. M. Hansteen on from the no fault of UVM dept.

In a recent message to tech@ Martin Pieuchot (mpi@) wrote about analysis of kernel lock contention. We reproduce the message(s) here, reformatted with his permission.

Unlocking UVM [virtual memory - Ed.] faults makes build time decrease a lot and improves the overall latency of mixed userland workloads. In other words it gives a smoother feeling for "desktop usage": it is now possible to do 'make -j17' and watch a HD video at the same time.

traceroute(8) gets speed boost

Contributed by rueda on from the performance-enhancing-florian@ dept.

Florian Obser (florian@) has committed a significant speed boost for traceroute(8):

CVSROOT:	/cvs
Module name:	src
Changes by:	florian@cvs.openbsd.org	2021/09/03 03:13:00

Modified files:
	usr.sbin/traceroute: Makefile traceroute.8 traceroute.c 
	                     traceroute.h worker.c 

Log message:
Make traceroute(8) faster by sending probes and doing DNS async.

Traditional traceroute would send one probe and then wait for up to 5
seconds for a reply and then send the next probe. On a lossy link that
eventually ends in a black hole this would take about 15 minutes and
people would hit control-c in anger.

This rewrites the traceroute engine to use libevent and asr's async
DNS interface. Probes are now sent every 30ms or as soon as we get an
answer back. With that we got the 15 minute worst case down to about
10 seconds.

A minor adjustment that is possible with this is to delay printing a
line until we get to a line with answers. This has two effects:

1) If there are intermediate hops that don't answer, output pauses for
a bit so we keep the visual cue of "something might be wrong here".
2) If there is a black hole at the end, we don't print out many "* * *"
lines and thus scroll the interesting bits out of the terminal.
We collapse those lines and just print
64 * * *
at the end.

Unfortunately the -c option to send udp probes to a fixed port had to
go for now. But we should be able to add it back.

"Once you have seen the new one you can't go back to the old one" &
enthusiastic OK deraadt@
OK sthen@
"I am very distressed that florian went to bed without committing it"
beck@

Florian tooted links to recordings showing the old and new behaviours with an earlier version of this work.
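As an added example (not florian@'s code, and not the traceroute(8) source), the following models the two output rules from the commit message: a hop with no answers is held back until a later hop answers, and a run of unanswered hops at the end of the trace collapses to a single "64 * * *" line. It also includes a deliberately simplified timing model of the old one-probe-then-wait engine versus probes sent at a fixed interval, using the 5 s wait, 30 ms interval, 64 max TTL and 3 probes stated in the message. The hop data is constructed; the assumption that trailing unanswered hops mean the trace ran to max TTL is the example's own.

```python
MAX_TTL = 64      # default traceroute maximum hop count
NPROBES = 3       # probes per hop
LEGACY_WAIT = 5.0     # seconds the old engine waited per probe
ASYNC_INTERVAL = 0.03 # 30 ms between probes in the async engine


def format_hop(ttl, rtts):
    """One output line: ttl, then an RTT or '*' per probe."""
    cells = [f"{r:.3f} ms" if r is not None else "*" for r in rtts]
    return f"{ttl:2d}  " + " ".join(cells)


def render(hops, max_ttl=MAX_TTL):
    """hops: list of (ttl, [rtt_or_None, ...]) in TTL order. The trace ends
    either at the destination or when max_ttl is reached (assumption: any
    unanswered hops still pending at the end belong to a trailing black hole).
    Returns the lines that would be printed."""
    out = []
    pending = []        # unanswered hops not printed yet
    for ttl, rtts in hops:
        if all(r is None for r in rtts):
            pending.append((ttl, rtts))
            continue
        # A hop answered: flush the held-back "* * *" lines first so the
        # reader keeps the visual cue that something was odd in between.
        out.extend(format_hop(t, r) for t, r in pending)
        pending.clear()
        out.append(format_hop(ttl, rtts))
    if pending:
        # Trailing black hole: collapse to one line at max_ttl instead of
        # scrolling the interesting hops off the terminal.
        out.append(format_hop(max_ttl, [None] * len(pending[-1][1])))
    return out


def legacy_worst_case_seconds(max_ttl=MAX_TTL, nprobes=NPROBES,
                              wait=LEGACY_WAIT):
    """Old engine, lossy path ending in a black hole: every probe times out
    before the next is sent."""
    return max_ttl * nprobes * wait


def async_worst_case_seconds(max_ttl=MAX_TTL, nprobes=NPROBES,
                             interval=ASYNC_INTERVAL, wait=LEGACY_WAIT):
    """Simplified async model: all probes go out at the fixed interval,
    then one final timeout is waited for the last outstanding probe."""
    return max_ttl * nprobes * interval + wait


# Constructed sample: hop 2 silent, hop 3 loses one probe, then a black hole.
SAMPLE_HOPS = (
    [(1, [0.5, 0.4, 0.6]), (2, [None] * 3), (3, [1.2, None, 1.3])]
    + [(t, [None] * 3) for t in range(4, MAX_TTL + 1)]
)

if __name__ == "__main__":
    print("\n".join(render(SAMPLE_HOPS)))
    print(f"legacy worst case: {legacy_worst_case_seconds():.0f} s, "
          f"async worst case: {async_worst_case_seconds():.2f} s")
```

Running it prints four lines for a 64-hop trace rather than 64, and the two timing figures (960 s versus roughly 11 s) match the "about 15 minutes" and "about 10 seconds" of the commit message.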


OpenBSD Errata

OpenBSD 7.0

Errata  Date        Type         Description
006     2021-11-26  SECURITY     In some situations the X.509 verifier would discard an error on an unverified certificate chain, resulting in an authentication bypass.
005     2021-11-26  RELIABILITY  An unprivileged user could crash the kernel by using UNIX-domain sockets in multiple threads.
004     2021-11-09  SECURITY     rpki-client(8) should handle CA misbehaviours as soft-errors.
003     2021-10-31  SECURITY     The kernel could leak memory when closing unix sockets.
002     2021-10-31  RELIABILITY  Opening /dev/bpf too often could lead to resource exhaustion.
001     2021-10-31  RELIABILITY  In certain configurations, nsd(8) can be crashed by a remote attacker.


Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]