Show Notes/Links: https://www.bsdnow.tv/293

The post Booking Jails | BSD Now 293 first appeared on Jupiter Broadcasting.

This week on the show, we’ll be talking with Peter Toth. He’s got a jail management system called “iocage” that’s been getting pretty popular recently. Have we finally found a replacement for ezjail? We’ll see how it stacks up.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

• If you haven’t heard of the RT5350F-OLinuXino-EVB, you’re not alone (actually, we probably couldn’t even remember the name if we did know about it)
• It’s a small board with a MIPS CPU, two ethernet ports, wireless support and… 32MB of RAM
• This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
• In part two of the series, he talks about the GPIO and how you can configure it
• Part three is still in the works, so check the site later on for further progress and info

The modern OpenBSD home router

• In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
• “It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst”
• Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
• This guide also covers PPP and IPv6, in case you have those requirements
• In a similar but unrelated series, another user does a similar thing – his post also includes details on reusing your consumer router as a wireless bridge
• He also has a separate post for setting up an IPSEC VPN on the router

NetBSD at Open Source Conference 2015 Kansai

• The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
• They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
• Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
• They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
• And what conference would be complete without an LED-powered towel

OpenSSH 7.0 released

• The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
• SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
• The syntax for permitting root logins has been changed, and is now called “prohibit-password” instead of “without-password” (this makes it so root can login, but only with keys) – all interactive authentication methods for root are also disabled by default now
• If you’re using an older configuration file, the “without-password” option still works, so no change is required
• You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
• Various bug fixes and documentation improvements are also included
• Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
• In the next release, even more deprecation is planned: RSA keys will be refused if they’re under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled

Interview – Peter Toth – peter.toth198@gmail.com / @pannonp

Containment with iocage

News Roundup

More c2k15 reports

• A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
• Alexander Bluhm’s up first, and he continued improving OpenBSD’s regression test suite (this ensures that no changes accidentally break existing things)
• He also worked on syslogd, completing the TCP input code – the syslogd in 5.8 will have TLS support for secure remote logging
• Renato Westphal sent in a report of his very first hackathon
• He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) – the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
• Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
• His report opens with “First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking.” – not exactly beginner stuff
• There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well

FreeBSD jails, the hard way

• As you learned from our interview this week, there’s quite a selection of tools available to manage your jails
• This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
• Unlike with iocage, ZFS isn’t actually a requirement for this method
• If you are using it, though, you can make use of snapshots for making template jails

OpenSSH hardware tokens

• We’ve talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
• This blog post will show you how to use a hardware token as a second authentication factor, for the “something you know, something you have” security model
• It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
• Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too

LibreSSL 2.2.2 released

• The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
• At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don’t want in a crypto tool…) and much more
• SSLv3 support was removed from the “openssl” command, and only a few other SSLv3 bits remain – once workarounds are found for ports that specifically depend on it, it’ll be removed completely
• Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
• It’ll be in 5.8 (due out earlier than usual) and it’s in the FreeBSD ports tree as well

Feedback/Questions

• James writes in
• Stuart writes in

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• BSD Now tshirts are now available to preorder, and will be shipping in September (you have until the end of August to place an order, then they’re gone)
• Next week’s episode will be a shorter prerecorded one, since Allan’s going to BSDCam

The post May Contain ZFS | BSD Now 102 first appeared on Jupiter Broadcasting.

This week we’ll be talking with Ryan Lortie and Baptiste Daroussin about GNOME on BSD. Upstream development is finally treating the BSDs as a first class citizen, so we’ll hear about how the recent porting efforts have been since.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenBSD presents tame

• Theo de Raadt sent out an email detailing OpenBSD’s new “tame” subsystem, written by Nicholas Marriott and himself, for restricting what processes can and can’t do
• When using tame, programs will switch to a “restricted-service operating mode,” limiting them to only the things they actually need to do
• As for the background: “Generally there are two models of operation. The first model requires a major rewrite of application software for effective use (ie. capsicum). The other model in common use lacks granularity, and allows or denies an operation throughout the entire lifetime of a process. As a result, they lack differentiation between program ‘initialization’ versus ‘main servicing loop.’ systrace had the same problem. My observation is that programs need a large variety of calls during initialization, but few in their main loops.”
• Some initial categories of operation include: computation, memory management, read-write operations on file descriptors, opening of files and, of course, networking
• Restrictions can also be stacked further into the lifespan of the process, but removed abilities can never be regained (obviously)
• Anything that tries to access resources outside of its in-place limits gets terminated with a SIGKILL or, optionally, a SIGABRT (which can produce useful core dumps for investigation)
• Also included are 29 examples of userland programs that get additional protection with very minimal changes to the source – only 2 or 3 lines needing changed in the case of binaries like cat, ps, dmesg, etc.
• This is an initial work-in-progress version of tame, so there may be more improvements or further control options added before it hits a release (very specific access policies can sometimes backfire, however)
• The man page, also included in the mail, provides some specifics about how to integrate tame properly into your code (which, by design, was made very easy to do – making it simple means third party programs are more likely to actually use it)
• Kernel bits are in the tree now, with userland changes starting to trickle in too
• Combined with a myriad of memory protections, tight privilege separation and (above all else) good coding practices, tame should further harden the OpenBSD security fortress
• Further discussion can be found in the usual places you’d expect

Using Docker on FreeBSD

• With the experimental Docker port landing in FreeBSD a few weeks ago, some initial docs are starting to show up
• This docker is “the real thing,” and isn’t using a virtual machine as the backend – as such, it has some limitations
• The FreeBSD wiki has a page detailing how it works in general, as well as more info about those limitations
• When running Linux containers, it will only work as well as the Linux ABI compat layer for your version of FreeBSD (11.0, or -CURRENT when we’re recording this, is where all the action is for 64bit support)
• For users on 10.X, there’s also a FreeBSD container available, which allows you to use Docker as a fancy jail manager (it uses the jail subsystem internally)
• Give it a try, let us know how you find it to be compared to other solutions

OpenBSD imports doas, removes sudo

• OpenBSD has included the ubiquitous “sudo” utility for many years now, and the current maintainer of sudo (Todd C. Miller) is also a long-time OpenBSD dev
• The version included in the base system was much smaller than the latest current version used elsewhere, but was based on older code
• Some internal discussion lead to the decision that sudo should probably be moved to ports now, where it can be updated easily and offer all the extra features that were missing in base (LDAP and whatnot)
• Ted Unangst conjured up with a rewritten utility to replace it in the base system, dubbed “do as,” with the aim of being more simple and compact
• There were concerns that sudo was too big and too complicated, and a quick ‘n’ dirty check reveals that doas is around 350 lines of code, while sudo is around 10,000 – which would you rather have as a setuid root binary?
• After the initial import, a number of developers began reviewing and improving various bits here and there
• You can check out the code now if you’re interested
• Command usage and config syntax seem pretty straightforward
• More discussion on HN

What would you like to see in FreeBSD

• Adrian Chadd started a reddit thread about areas in which FreeBSD could be improved, asking the community what they’d like to see
• There are over 200 comments that span a wide range of topics, so we’ll just cover a few of the more popular requests – check the very long thread if you’re interested in more
• The top comment says things don’t “just work,” citing failover link aggregation of LACP laggs, PPPoE issues, disorganized jail configuration options, unclear CARP configuration and userland dtrace being unstable
• Another common one was that there are three firewalls in the base system, with ipfilter and pf being kinda dead now – should they be removed, and more focus put into ipfw?
• Video drivers also came up frequently, with users hoping for better OpenGL support and support for newer graphics cards from Intel and AMD – similar comments were made about wireless chipsets as well
• Some other replies included more clarity with pkgng output, paying more attention to security issues, updating PF to match the one in OpenBSD, improved laptop support, a graphical installer, LibreSSL in base, more focus on embedded MIPS devices, binary packages with different config options, steam support and lots more
• At least one user suggested better “marketing” for FreeBSD, with more advocacy and (hopefully) more business adoption
• That one really applies to all the BSDs, and regular users (that’s you listening to this) can help make it happen for whichever ones you use right now
• Maybe Adrian can singlehandedly do all the work and make all the users happy

Interview – Ryan Lortie & Baptiste Daroussin

Porting the latest GNOME code to the BSDs

News Roundup

Introducing resflash

• If you haven’t heard of resflash before, it’s “a tool for building OpenBSD images for embedded and cloud environments in a programmatic, reproducible way”
• One of the major benefits to images like this is the read-only filesystem, so there’s no possibility of filesystem corruption if power is lost
• There’s an optional read-write partition as well, used for any persistent changes you want to make
• You can check out the source code on Github or read the main site for more info

Jails with iocage

• There are a growing number of FreeBSD jail management utilities: ezjail, cbsd, warden and a few others
• After looking at all the different choices, the author of this blog post eventually settled on iocage for the job
• The post walks you through the basic configuration and usage of iocage for creating managing jails
• If you’ve been unhappy with ezjail or some of the others, iocage might be worth giving a try instead (it also has really good ZFS integration)

DragonFly GPU improvements

• DragonFlyBSD continues to up their graphics game, this time with Intel’s ValleyView series of CPUs
• These GPUs are primarily used in the newer Atom CPUs and offer much better performance than the older ones
• A git branch was created to hold the fixes for now while the last remaining bugs get fixed
• Fully-accelerated Broadwell support and an update to newer DRM code are also available in the git branch, and will be merged to the main tree after some testing

Branchless development

• Ted Unangst has a new blog post up, talking about software branches and the effects of having (or not having) them
• He covers integrating and merging code, and the versioning problems that can happen with multiple people contributing at once
• “For an open source project, branching is counter intuitively antisocial. For instance, I usually tell people I’m running OpenBSD, but that’s kind of a lie. I’m actually running teduBSD, which is like OpenBSD but has some changes to make it even better. Of course, you can’t have teduBSD because I’m selfish. I’m also lazy, and only inclined to make my changes work for me, not everyone else.”
• The solution, according to him, is bringing all the code the developers are using closer together
• One big benefit is that WIP code gets tested much faster (and bugs get fixed early on)

Feedback/Questions

• Matthew writes in
• Chris writes in
• Anonymous writes in
• Bill writes in

• There were a lot of links in today’s news – mailing list posts, wiki pages, discussion, source code commits and more – so hit up bsdnow.tv for all the show notes as usual
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• We’re always looking for new interviews – get in touch if you’re doing anything cool with BSD that you’d like to talk about (or feel free to volunteer someone else)
• EuroBSDCon 2015 registration is now officially open

The post BSD Gnow | BSD Now 99 first appeared on Jupiter Broadcasting.

The long-awaited meetup is finally happening on today\’s show. We\’re going to be interviewing the original BSD podcaster, Will Backman, to discuss what he\’s been up to and what the future of BSD advocacy looks like. After that, we\’ll be showing you how to track (and even cross-compile!) the -CURRENT branch of NetBSD. We\’ve got answers to user-submitted questions and the latest news, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD and OpenBSD in GSOC2014

• The Google Summer of Code is a way to encourage students to write code for open source projects and make some money
• Both FreeBSD and OpenBSD were accepted, and we\’d love for anyone listening to check out their GSOC pages
• The FreeBSD wiki has a list of things that they\’d be interested in someone helping out with
• OpenBSD\’s want list was also posted
• DragonflyBSD and NetBSD were sadly not accepted this year

Yes, you too can be an evil network overlord

• A new blog post about monitoring your network using only free tools
• OpenBSD is a great fit, and has all the stuff you need in the base system or via packages
• It talks about the pflow pseudo-interface, its capabilities and relation to NetFlow (also goes well with pf)
• There\’s also details about flowd and nfsen, more great tools to make network monitoring easy
• If you\’re listening, Peter… stop ignoring our emails and come on the show! We know you\’re watching!

BSDMag\’s February issue is out

• The theme is \”configuring basic services on OpenBSD 5.4\”
• There\’s also an interview with Peter Hansteen
• Topics also include locking down SSH, a GIMP lesson, user/group management, and…
• Linux and Solaris articles? Why??

Changes in bcrypt

• Not specific to any OS, but the OpenBSD team is updating their bcrypt implementation
• There is a bug in bcrypt when hashing long passwords – other OSes need to update theirs too! (FreeBSD already has)
• \”The length is stored in an unsigned char type, which will overflow and wrap at 256. Although we consider the existence of affected hashes very rare, in order to differentiate hashes generated before and after the fix, we are introducing a new minor \’b\’.\”
• As long as you upgrade your OpenBSD system in order (without skipping versions) you should be ok going forward
• Lots of specifics in the email, check the full post

This episode was brought to you by

Interview – Will Backman – bitgeist@yahoo.com / @bsdtalk

The BSDTalk podcast, BSD advocacy, various topics

Tutorial

Tracking and cross-compiling -CURRENT (NetBSD)

News Roundup

X11 no longer needs root

• Xorg has long since required root privileges to run the main server
• With recent work from the OpenBSD team, now everything (even KMS) can run as a regular user
• Now you can set the \”machdep.allowaperture\” sysctl to 0 and still use a GUI

OpenSSH 6.6 CFT

• Shortly after the huge 6.5 release, we get a routine bugfix update
• Test it out on as many systems as you can
• Check the mailing list for the full bug list

Creating an OpenBSD USB drive

• Since OpenBSD doesn\’t distribute any official USB images, here are some instructions on how to do it
• Step by step guide on how you can make your very own
• However, there\’s some recent emails that suggest official USB images may be coming soon… oh wait

PCBSD weekly digest

• New PBI updates that allow separate ports from /usr/local
• You need to rebuild pbi-manager if you want to try it out
• Updates and changes to Life Preserver, App Cafe, PCDM

Feedback/Questions

• espressowar writes in: https://slexy.org/view/s2JpJ5EaZp
• Antonio writes in: https://slexy.org/view/s2QpPevJ3J
• Christian writes in: https://slexy.org/view/s2EZLxDfWh
• Adam writes in: https://slexy.org/view/s21gEBZbmG
• Alex writes in: https://slexy.org/view/s2RnCO1p9c

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• We especially want to hear some tutorial ideas that you guys would like to see, so let us know
• Also, if you\’re a NetBSD or DragonflyBSD guy listening, we want to talk to you! We\’d love more interviews related to those, whether you\’re a developer or not
• Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post BSD Now vs. BSDTalk | BSD Now 27 first appeared on Jupiter Broadcasting.

On this week\’s show, you\’ll be getting the full jail treatment. We\’ll show you how to create and deploy BSD jails, as well as chatting with Poul-Henning Kamp – the guy who actually invented them! There\’s lots of interesting news items to cover as well.

So stay tuned to BSD Now – the place to B.. SD.

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD turns it up to 11

• The -CURRENT branch is now known as 11
• 10 has been branched to -STABLE
• 10-BETA1 ISOs are available now
• Will be the next -RELEASE, probably next year

Stopping the SSH bruteforce with OpenBSD and pf

• The Hail Mary Cloud is an SSH bruteforce botnet that takes a different approach
• While most botnets pound port 22 rapidly, THMB does it very slowly and passively
• This makes prevention based on rate limiting more involved and complex
• Nice long blog post about some potential solutions and what we\’ve learned

ZFS and GELI in bsdinstall coming soon

• The man with the beard strikes again, new patch allows for ZFS-on-root installs
• Supports GELI for disk encryption
• Might be the push we need to make Michael W Lucas update his FreeBSD book

AsiaBSDCon 2014 announced

• Will be held in Tokyo, 13-16 March, 2014
• The conference is for anyone developing, deploying and using systems based on FreeBSD, NetBSD, OpenBSD, DragonFlyBSD, Darwin and Mac OS X
• Call for papers can be found here

Interview – Poul-Henning Kamp – phk@freebsd.org / @bsdphk

FreeBSD beginnings, md5crypt, jails, varnish and his… telescope project?

Tutorial

Everything you need to know about Jails

• Last week we showed you how to run VNC in a jail, but people asked \”how do I make a jail in the first place?\”
• This time around, we\’ll show you how to do exactly that
• Jails are a dream come true for both security experts and clean freaks, keeping everything isolated
• We\’ll be using the ezjail utility and making a basic jail setup

News Roundup

New pf queue system

• Henning Brauer committed the new kernel-side bandwidth shaping subsystem
• Uses the HFSC algorithm behind the scenes
• ALTQ to be retired \”in a release or two\” – everyone should migrate soon

Dragonfly imports FreeBSD KMS driver

• Hot on the trails of OpenBSD and later FreeBSD, Dragonfly gets AMD KMS
• Ported over from the FreeBSD port

Weekly PCBSD feature digest

• Weekly status update every Friday
• Will be a \”highlight of what important features have been added, what major bugs have been fixed, and what is presently going on in general with the project.\”

Get paid to hack OpenSSH

• Google has announced they will pay up to $3113.70 for security patches to OpenSSH
• Patches can fix security or improve security
• If you come up with something, send it to the OpenSSH guys

Feedback/Questions

• Darren writes in: https://slexy.org/view/s24RmwvEvE
• Kjell-Aleksander writes in: https://slexy.org/view/s2wFcFk9Yz
• Ryan writes in: https://slexy.org/view/s23e920gNG
• Alexander writes in: https://slexy.org/view/s2usxPqO9k

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
• We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter (also acceptable)
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Go Directly to Jail(8) | BSD Now 7 first appeared on Jupiter Broadcasting.