OpenBSD Journal
Home : : Add Story : : Archives : : About : : Create Account : : Login :
BSDNow Episode 016: Cryptocrystalline
Contributed by tbert on Tue Dec 24 14:43:36 2013 (GMT)
from the slacking-editors dept.

In BSDNow Episode 016: Cryptocrystalline there is an interview with Damien Miller (djm@ @damienmiller) titled "Cryptography in OpenBSD and OpenSSH" along with an article titled "Secure communications with OpenBSD and OpenVPN" and tutorial about "Full disk encryption in FreeBSD and OpenBSD"

The BSDNow show is recorded live on Wednesdays at 2pm Eastern Standard Time and then the live recording is edited into the video and audio files released the following Friday afternoon. Due to time constraints and live recordings, it's always best to check their website show notes and tutorial pages for updated information. As TJ said, "It's a community-driven project," so if you want to help out, you can send questions, comments, show ideas/topics, or stories you want mentioned on the show to

Available audio and video recordings:
SD Video | HD Video | MP3 Audio | OGG Audio | Youtube | Torrent | iTunes MP3 | Roku

[ 0 comments ] (flat) (expanded)

strlcpy(3) Use in 3rd Party Software
Contributed by tbert on Tue Dec 24 13:03:02 2013 (GMT)
from the decoded-symbols dept.

Theo de Raadt (deraadt@) penned a missive titled "On the matter of strlcpy/strlcat acceptance by industry":

From time to time, there are people who say that strlcpy and strlcat
are stupid.

This is a little frustrating because we just want developers to have
an easier time writing/auditing string code to avoid overflows and
truncations, especially considering so many standard C APIs require
fixed length strings or have other limits, and will in the forceable

You probably all know about the mainstream users of these functions,
like the Linux kernel, or MacOS, or the other BSD's, and Solaris.  But
there are many, many more, and it is time to show the global
strlcpy'ing deniers the reality.

I've collected some statistics to see how much upstream software use
these functions.

The (elided) rest of the message below the fold; the full lists of software can be found at the link to the mailing list archive.

[ 1 comment 1277d20:14 ago ] (flat) (expanded)

OpenSMTP Update(s)
Contributed by tbert on Tue Dec 24 15:33:06 2013 (GMT)
from the stuck-in-the-queue dept.

Gilles Chehade (gilles@) has a recent blog post up about recent and upcoming work on OpenSMTPd, the greatest thing ever to happen to email†.

When I wrote the last blog post, we had just released 5.3.2 which was a minor release that fixed a few non-critical bugs that were reported to us since the first major release a few months earlier.

A while later, we released another minor release, 5.3.3, that also fixed minor bugs and brought some new non-invasive features to deal with common use-cases reported by our increasing user base.

OpenSMTPD 5.3.3 was very stable, it's been running on busy servers at work and we did not experience any bug with it while accepting and routing millions of daily messages with remote hosts on several machines.

It was a nice release for what it's worth :-)

What now ?

Well, we didn't stop hacking on OpenSMTPD and since 5.3.3 we have gone through lots of simplifications and adding new features. There are actually so many changes that a blog post can't possibly go through all of it but I'll discuss some of the most important and visible ones.

We have released new major version 5.4.1 a few days ago, and the features that are described below are all part of it. It is a very good release IMO and you should definitely take time to switch your 5.3.x setups to this new one.

If you hadn't caught it before, his previous update is also worth going through to get a glimpse into how this project has been improving over the last year.

† statement may not be factual

[ 1 comment 1280d3:39 ago ] (flat) (expanded)

OpenBSD ruBSD Talks Online
Contributed by tbert on Mon Dec 23 08:03:36 2013 (GMT)
from the are-you-bsd? dept.

Fresh from a successful tour of the motherland, our fearless OpenBSD devs have placed their ruBSD 2013 talks online:

[ 5 comments 1271d14:35 ago ] (flat) (expanded)

USENIX LISA 2013 Managing Access Using SSH Keys [video]
Contributed by tbert on Thu Dec 19 05:11:12 2013 (GMT)
from the a-usenix-conference-for-an-old-apple-product dept.

Tatu Ylönen invented the Secure Shell (SSH) protocol in 1995 and even the history of OpenSSH mentions how OpenSSH is a derivative of the original free ssh 1.2.12 he released. He is also the founder and CEO of SSH Communications Security which sells a commercial version of ssh. A few more details can be found on the USENIX LISA 2013 page for "Managing Access Using SSH Keys" but the audio and video files are linked below.

SSH user keys are ubiquitously used for accessing information systems by automated processes and system administrators. Many large organizations have hundreds of thousands of keys granting access, with many keys providing privileged access without auditing or controls. The talk educates the audience about risks arising from unmanaged access using SSH keys; discusses what is required by compliance mandates; outlines how to establish effective operational processes for provisioning, terminating, and monitoring SSH user key based access; and outlines how to understand and remediate SSH user keys in an existing environment.

Editor's note: This talk is, in no small part, a push for a commercial product; the issues raised in regards to lax management of SSH keys, however, are valid enough to warrant careful consideration of one's own key regime.

Available audio and video formats:
Video MP4 | Video WEBM | Audio MP3 | Audio OGG

[ 0 comments ] (flat) (expanded)

tmpfs Enabled in -current
Contributed by tbert on Tue Dec 17 08:19:10 2013 (GMT)
from the nothing-lasts-forever dept.

Marc Espie (espie@) committed a change that enables tmpfs in OpenBSD -current:

Module name:	src
Changes by:	2013/12/14 16:28:02

Modified files:
	sbin           : Makefile 
	sys/conf       : GENERIC 

Log message:
enable tmpfs so it gets tested some more.
okay kettenis@, martin@, beck@, krw@, tedu@, millert@

Thanks to Pedro Martelletto, who did much of this work.

Like it says on the label, enabled for testing; as always, community effort is vital to ensuring the continuing quality of OpenBSD releases.

[ 14 comments 139d17:34 ago ] (flat) (expanded)

BSDCan 2014 CFP
Contributed by tbert on Fri Dec 13 15:04:22 2013 (GMT)
from the probably-no-handegg-this-time dept.

Dan Langille wrote in to tell us that BSDCan is accepting proposals for talks:

BSDCan 2014 will be held 16-17 (Fri-Sat) May, 2014 in Ottawa, at the University of Ottawa. It will be preceded by two days of tutorials on 14-15 May (Wed-Thu).

We are now accepting proposals for talks.

[ 0 comments ] (flat) (expanded)

FuguIta - An OpenBSD 5.4 + Patches LiveCD/LiveUSB
Contributed by tbert on Tue Dec 10 09:39:42 2013 (GMT)
from the Not-Allowed-To-Make-Fugu-Jokes dept.

So you might ask yourself, "Why do I need a LiveCD/LiveUSB when I can just install OpenBSD normally to a flash stick?"

It's a great question. In most situations you really are better off installing OpenBSD normally to a flash device and keeping your own system updated with everything installed and configure just the way you want it. Additionally, the OpenBSD install media itself is essentially a very limited "LiveCD" of sorts with a shell and many of the tools you might need.

Nonetheless, there are rare occasions when having a fully patched and updated (STABLE Branch) LiveCD/LiveUSB of our favorite operating system can be extremely useful. If you're doing something like a simple one-off router, then having a fully patched LiveCD/LiveUSB image available can be really handy. It can also be useful for testing hardware support on new systems at stores to see what works. Of course, just having access to working and patched LiveCD/LiveUSB when you're in a hurry or in a bind (pun intended) can often save you a ton of effort.

[ 3 comments 139d18:40 ago ] (flat) (expanded)

ChaCha20 and Poly1305 in OpenSSH
Contributed by jcr on Wed Dec 4 09:02:00 2013 (GMT)
from the the-poly-cha-cha-is-the-new-dance-craze dept.

OpenBSD developer Damien Miller (djm@) wrote a great post titled "ChaCha20 and Poly1305 in OpenSSH" and below is a small excerpt:

Recently, I committed support for a new authenticated encryption cipher for OpenSSH, This cipher combines two primitives from Daniel J. Bernstein: the ChaCha20 cipher and the Poly1305 MAC (Message Authentication Code) and was inspired by Adam Langley's similar proposal for TLS.

Why another cipher and MAC? A few reasons... First, we would like a high-performance cipher to replace RC4 since it is pretty close to broken now, we'd also like an authenticated encryption mode to complement AES-GCM - which is great if your hardware supports it, but takes significant voodoo to make run in constant time and, finally, having an authenticated encryption mode that is based on a stream cipher allows us to encrypt the packet lengths again.

Wait, what do you mean by "encrypt the packet lengths again"? (last rhetorical question, I promise) Well, it's a long story that requires a little background...

[ 6 comments 139d17:03 ago ] (flat) (expanded)

Support OpenBSD!

Donate to OpenBSD

Buy OpenBSD products


We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.

Older Stuff
Tuesday, December 03
07:02 BSDNow Episode 013: Bridging the Gap - OpenBSD Router Part 2 (1)
Monday, December 02
07:57 Is Your Stack Protector Working? (7)
Thursday, November 28
02:50 Support For Shared Named Semaphores (0)
02:48 The 2013 Chuck Yerkes Award Goes To... (0)
Wednesday, November 27
02:51 OpenBSD Foundation Now Accepts Bitcoin Donations (3)
Tuesday, November 26
03:27 ruBSD 2013 Has Theo, Henning, and Mike Speaking (3)
06:35 BSDNow Episode 012: Collecting SSHells - A guide to SSH and tmux (1)
Monday, November 25
04:14 Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway (1)
Friday, November 22
13:15 FOSDEM 2014 Call For Presentations In BSD Developer Room (0)

Older Stuff...
Yesterday's Edition...

OpenBSD Errata

OpenBSD Resources

Users wishing RSS/RDF summary files of OpenBSD Journal, can retrieve: [xml]

[ Home | Add Story | Archives | Polls | About ]

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. Some icons from used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]