OpenBSD

OpenBSD developer at the c2k1 hackathon at MIT

General

In accordance with other BSD-based operating systems, both the OpenBSD kernel and the userland programs, such as the Unix shells and common tools, are jointly developed in a source code repository . Third party software is available in the form of ready-made packages or can be created from source code using the port system .

OpenBSD is available for various computer architectures , including DEC Alpha , i386 , AMD64 , PowerPC, and SPARC64 .

History and dissemination

In December 1994, Theo de Raadt - one of NetBSD's co-founders, experienced developer and member of the core team - was asked to leave his position. At the same time, his access to the source code repository was blocked. The reason is not known exactly, but claims have been made that it is related to personal conflicts on the NetBSD mailing list . Theo de Raadt has been criticized for showing an aggressive manner at times: In the book Free For All , Peter Wayner claims that before the spin-off from NetBSD, de Raadt "began to anger some people involuntarily"; Interviewers admit "having concerns [about him]"; and Linus Torvalds has described it as "difficult".

This article or the following section is not adequately provided with supporting documents ( e.g. individual evidence ). Information without sufficient evidence could be removed soon. Please help Wikipedia by researching the information and including good evidence.

Some NetBSD mailing list participants viewed him as a “terrorist” [no evidence], which is why his long-term ban was only lifted in 2005 [no evidence]. Others, however, find its directness refreshing and hardly anyone denies [Who? There is no evidence] that he is a skilled programmer and computer security expert .

In October 1995, Theo de Raadt founded OpenBSD as a new project split from NetBSD 1.0. The first release, OpenBSD 1.2, was released in July 1996, followed by OpenBSD 2.0 in October of that year. Since then, OpenBSD has followed the schedule of releasing a new version every six months. This is then maintained and supported for a year.

It is difficult to pinpoint the prevalence of OpenBSD: the OpenBSD project itself does not collect or publish usage statistics and there are few other sources of information. The emerging BSD certification project carried out a usage survey in 2005, which showed that 32.8% of the BSD users surveyed (1420 of 4330 respondents) use OpenBSD, placing OpenBSD second of the four major BSD derivatives, behind FreeBSD with 77 , 0% and before NetBSD with 16.3%. Multiple choices were possible. The * BSDStats project sees OpenBSD today with slightly over 0.5% distribution far behind the new projects DragonFly BSD and PC-BSD .

Free software and free documentation

When OpenBSD was launched, Theo de Raadt decided to make the source code readable for everyone at all times. So, with the help of Chuck Cranor, he set up a public anonymous CVS version control server . This was the first of its kind in the software development world: at the time it was common for only a small team of developers to have access to the CVS management system. This approach had some shortcomings, especially external contributors had no way of finding out what had already been done, and the resulting ignorance contributed unnecessary patches . This resulted in a lot of unnecessarily duplicated work. The decision to disclose led to the name OpenBSD and marked the beginning of the project's insistence on free and publicly available source code and documentation.

An example of the OpenBSD project's attitude towards open documentation is the discontinuation of support for Adaptec AAC RAID controllers because this would have required either a non-free driver or the signing of a confidentiality agreement (NDA) - not acceptable conditions for the project .

Licenses

OpenBSD 6.6 with X.org and the window manager cwm

One goal of OpenBSD is the "spirit of the original Berkeley Unix - Copyright maintain", this allowed a. "Relatively undisturbed distribution of the Unix source code" For this reason, for new source code, the ISC license preferred, which is a simplified version the BSD license represents. The MIT or BSD license is also accepted. The GNU General Public License is viewed as too restrictive in comparison: source code under this and other undesired licenses is not permitted for integration into the base system. In addition, existing source code under these licenses will be replaced or, if possible, re-licensed. However, in some cases this is not possible, an example is GCC . There is no suitable replacement for this: it would be too time-consuming and impractical to design a new compiler . Even so, OpenBSD has made significant strides in terms of licensing. Particularly noteworthy is the development of OpenSSH , based on the original SSH . It first appeared in OpenBSD 2.6 and is now the most popular SSH implementation . It is an integral or optional part of many operating systems, e.g. B. the other BSD operating systems and almost every Linux distribution . Also worth mentioning is the by license restrictions on IPFilter necessary become development of PF - Firewall . It first appeared in OpenBSD 3.0 and is also available today for DragonFly BSD, NetBSD, and FreeBSD . OpenBSD has replaced the Unix commands diff , grep , gzip , bc , dc , nm and size , which are under the GPL, with BSD-licensed versions. "Simple" commands like true or false are in the public domain . The OpenBSD project is also behind the development of OpenNTPD and OpenCVS, also BSD-licensed versions of existing software.

In June 2001, concerns about Darren Reed's changes to the IPFilter license triggered a systematic review of all licenses in the OpenBSD source code and port system . Source code in more than 100 files scattered around the system was found to be unlicensed, ambiguous, or in violation of guidelines. In order to ensure compliance with all licenses, an attempt was made to contact all copyright holders. As a result, some parts were removed, many replaced, and others re-licensed to allow further use in OpenBSD. The newly licensed programs from among Xerox licensed initially for research use multicast - routing programs mrinfo(8)and map-mbone(8).

It should also be noted that all Daniel J. Bernstein's software has been removed from the OpenBSD port system. At the time of removal, Bernstein required that any modified versions of his software be approved by him prior to release, a requirement the OpenBSD project refused to devote time or effort to. Distance led to a quarrel with Bernstein, he saw it as inappropriate and said that the Netscape - Web browser is much less free. For this reason he accused the OpenBSD project together with Theo de Raadt of hypocrisy. The OpenBSD project took the position that Netscape, although not open source, demanded license terms that were easier to comply with; they claimed to Bernstein that the demands for control over derivatives would result in a great deal of additional work. Therefore, removal is the most appropriate way to meet his requirements. In 2007, Bernstein released all of its software under the public domain, which resolved the licensing problems. However, no official OpenBSD packages currently exist; In the case of qmail and djbdns , this is justified by the fact that these programs continue to offer no apparent added value.

safety

Shortly after the OpenBSD project was founded, Theo de Raadt was contacted by the local software security company Secure Networks, Inc. (SNI). This worked on Ballista, a "tool for security audits of networks". It was renamed "Cybercop Scanner" after SNI was bought by Network Associates. It was designed to exploit any security holes in software . This coincided closely with Theo de Raadt's own interest in security. So they both decided to cooperate. This relationship was of great benefit as it helped set the focus for the OpenBSD project and contributed to the release of OpenBSD 2.3. While others have taken the path of least resistance on many counts, OpenBSD often took a different route and went to great lengths to do what was right, appropriate, and secure, even at the expense of convenience, speed, or functionality. As bugs in OpenBSD became harder to find and exploit, the security company found it too difficult, or not cost-effective, to deal with such minor problems. After many years of working together, the two sides decided that their goals were achieved and parted ways.

Until June 2002, the OpenBSD website had the slogan:

In June 2002, Internet Security Systems discovered a challenge-response authentication bug in the OpenSSH source code. This was the first and to date the only security flaw in the standard OpenBSD installation, which allows a remote attacker to gain access to the root account . The vulnerability was very serious, in part due to the widespread use of OpenSSH. The bug also affected a considerable number of other operating systems. She made it necessary to change the slogan:

This became on March 13, 2007 on the English pages to "Only two remote holes in the default install, in more than 10 years!" changed after Core Security Technologies uncovered a network-related vulnerability. The current German slogan is: "Only two 'remote holes' in the standard installation for a damn long time!"

This statement has often been criticized because only a few services are activated in the OpenBSD standard installation and contain versions of OpenBSD software for which remotely vulnerable security holes were found later; however, the OpenBSD project insists that the slogan refers to the standard installation and that the information is therefore correct. One of the fundamental concepts of OpenBSD is the pursuit of a simple, clean, and by default secure system. “Standard” refers to the product's default settings directly during installation; more security holes would have been recorded if more services had been started with OpenBSD. The concept of offering only a few services by default fits in well with common computer security practices . Furthermore, the project is open source and uses methods such as source code auditing, both of which are said to be important to the security of a system.

OpenBSD 6.6 at startup

The project follows the guideline to keep a continuous source code audit for security gaps. Developer Marc Espie described the work as "never ending, it's more a matter of progress than looking for specific bugs." He goes on to list some typical steps that are followed once a bug is found. One of them is to search the entire source code repository for this and similar errors. "Trying to find out if the documentation should be extended" and to do some research to see if "it is possible to extend the compiler to warn of this particular problem in the future." Besides DragonFly BSD , OpenBSD is the only open source operating system with the guideline to replace classic K&R -C source code with equivalent modern ANSI -C code. This does not cause any functional changes, but increases readability and ensures greater consistency. There is a standard style for source code, the Kernel Normal Form (KNF) , which specifies the appearance of the source code in order to make it easy to understand and maintain. The KNF must be applied to all source code that is to be included in the basic system.

OpenBSD came into disrepute in December 2010 because of the suspicion that several backdoors for use by the FBI had been hidden in the IPsec stack on behalf of the US government . OpenBSD founder Theo de Raadt himself published a warning to this effect.

application

Because of security enhancements, cryptography and integrated PF firewall OpenBSD suitable for use in the security industry, specifically for firewalls , intrusion detection systems and VPN - Gateways . It is also widely used for web and other servers as they need to be resistant to cracker and DoS attacks. Due to the inclusion of spamd in the base system, OpenBSD is occasionally used as a spam filter .

OpenBSD integrates the X Window System . Since the license changes to XFree86 , a modified version of X.Org called xenocara has been used. With the X system, it is possible to use OpenBSD as a home computer or workstation and make use of a desktop environment , window manager, or both. This makes it possible to use the X desktop in an abundance of forms.

The OpenBSD package management system allows you to choose from a large number of the most popular programs for the desktop. The desktop environments Gnome , KDE and Xfce can be found here ; the web browsers Mozilla Firefox and Opera as well as many multimedia programs.

The usability and performance of OpenBSD is occasionally criticized. Studies on performance and scaling often show that OpenBSD lags behind other operating systems; the best known are the studies by Felix von Leitner. OpenBSD developers and users responded with the view that performance should be considered, but security, reliability and accuracy are more important. OpenBSD is a comparatively small project, especially when compared to FreeBSD and Linux, so developer time for security improvements is often seen as more rewarding than for performance optimization. Critics of user-friendliness often criticize the lack of graphical configuration programs, the unadorned standard installation and the “spartan” and “intimidating” installation itself. This criticism is met with a similar rejection as the criticism of performance: the preference for simplicity, reliability and security. One reviewer admitted, "Using an ultra-secure operating system can be a chore."

Sales and marketing

OpenBSD is available free of charge in several ways: the source code can be obtained via anonymous CVS or CVSup , binary final and development versions can be downloaded via FTP and HTTP . Complete CD sets including documentation, illustrations, a selection of stickers and the title song of the respective release could be ordered online for a fee up to and including version 6.0. The CD sets were one of the few sources of income for the project and ensured its existence. However, these were discontinued with the release of version 6.1. The proceeds were used to finance hardware, bandwidth, hackathons and other purchases. Since release 4.2 of November 1, 2007, complete CD image files (ISO) for most architectures have also been made available for download.

Together with some other operating systems, OpenBSD uses the port system in connection with its own package management system, this allows easy installation and administration of programs not contained in the base system. Originally based on the FreeBSD port system, the systems are now significantly different. In contrast to FreeBSD, the OpenBSD ports system is only intended as a source for building the end product, i.e. the packages. When installing a port, a package is first created and then installed by the package management tools. Packages for each version are created en masse by the OpenBSD team and made available for download. OpenBSD is also unique among the BSDs in that the port and base system are developed and published jointly for each version. It follows that ports and packets released with one version, for example 6.6, can not be used with another version, for example 6.5. This guideline contributes a large part to the stability of the development process, but at the same time it can also mean that port software of the last OpenBSD version will lag behind the latest version of the program by the author until the next version is released.

Puffy

Around the time of OpenBSD 2.7, the original mascot, a BSD daemon with a trident and halo, was replaced by Puffy , a puffer fish. Puffy was selected because of the blowfish algorithm (Blowfish) in OpenSSH and the strongly defensive Images of puffer fish whose spines protect it from enemies. Puffy quickly became very popular, mainly because of its appealing image and its clear distinction from the BSD daemon, which was already used by FreeBSD, and the daemon herd used by NetBSD until 2004. Puffy first appeared in OpenBSD 2.6 and has appeared in a variety of forms on t-shirts and posters ever since. Some of them were, often based on well-known people: Puffiana Jones , famous hackologist and adventurer in search of the lost RAID; Puffathy , a little Alberta girl who must work with Taiwan to save the day; Sir Puffy of Ramsay , freedom fighter who, together with little Bob from Beckly, steals from the rich and distributes it among the poor; Puffy daddy , famous rapper and political idol, Puffy Baba , who fights against the 40 vendors ( 40 manufacturers ), or Pufferix and Bobilix, who distribute the three disks of freedom .

After a few versions, OpenBSD also became known for its promotional songs and its interesting, often funny illustrations. Some of it was contributed by Ty Semaka of the band Plaid Tongued Devils . At first it was meant to be just minor humor, however as the concept evolved it became part of OpenBSD plausibility. Each version propagated a moral or political point of view relevant to the project, often in the form of a parody . The production of promotional songs was discontinued with OpenBSD 6.3.

In addition to the slogans on t-shirts and posters, OpenBSD occasionally comes up with other things: over the years, a few buzzwords such as “Promotion of scriptkiddies to / dev / null since 1995”, “Functional, safe and free, choose three of them”, “Security as standard ”and a few other slogans that can only be found on T-shirts printed for developer meetings, such as“ World-class security, much cheaper than a cruise missile ”, or a disgruntled old squid that“ shut up und Hacken! ”for the best.

On July 25, 2007, the non-profit organization The OpenBSD Foundation was founded under Canadian law to support the project.

In-house developments

Many in-house developments originated from OpenBSD. Including:

Version table

Distributions and derivatives

Distributions

• Anonymous.OS (OpenBSD 3.8, 2006 only)
• FuguIta: Live CD with iceWM , which can also be installed on the hard drive
• jggimi
• MarBSD: rescue and test system in several variants (for i386, amd64 and sparc64)

Derivatives

• ÆrieBSD
• MirOS BSD
• Bitter
• LibertyBSD

See also

• ISC license
• GNU General Public License
• Comparison of BSD operating systems
• Disklabel

literature

• Peter NM Hansteen: The Book of PF, A No-Nonsense Guide to the OpenBSD Firewall (3rd Edition). ISBN 978-1-59327-589-1 .
• Yanek Korff, Paco Hope, Bruce Potter: Mastering FreeBSD and OpenBSD Security. ISBN 0-596-00626-8 .
• Jacek Artymiak: Building Firewalls with OpenBSD and PF: Third Edition. ISBN 83-60869-02-2 .
• Brandon Palmer, Jose Nazario: Secure Architectures with OpenBSD. ISBN 0-321-19366-0 .
• Michael W. Lucas: Absolute OpenBSD, Unix for the Practical Paranoid (2nd Edition). ISBN 978-1-59327-476-4 .
• Wes Sonnenreich, Tom Yates: Building Linux and OpenBSD Firewalls. ISBN 0-471-35366-3 .
• Harris Brakmic: OpenBSD - server structure, security, firewall. ISBN 3-936546-21-5 .
• René Maroufi, Jörg Braun: OpenBSD. ISBN 978-3-936546-21-7 .

Web links

Commons : OpenBSD  - collection of images, videos and audio files

• OpenBSD website
• OpenBSD Foundation
• OpenBSD Journal

Individual evidence