EuroBSDCon 2019 Talks

The presentations from this year's EuroBSDCon held during late September in Lillehammer, Norway are now available on YouTube.

The program lists a number of interesting talks from seasoned OpenBSD developers such as Alexander Bluhm's assay of performance metrics on OpenBSD (cf. test results), and Stefan Sperling sharing the new Game of Trees git tool—more commonly referred to as got. But there are also many other speakers from various backgrounds presenting an assortment of topics ranging from Paul Vixie—the author of cron, and numerous RFCs—discussing DNS over HTTP (DoH) to an exposition on the basics of ZFS by Dan Langille …

OpenBSD 6.6 Released Early

The second of OpenBSD's biannual releases came early again this year with the release of OpenBSD 6.6 last week, while this post comes late.

For anyone who isn't yet aware, Theo's announcement came a few days ago on Thursday, October 17 to the relevant mailing lists.

Among the many changes are:

  • sysupgrade(8): an automatic upgrade utility that performs release and snapshot upgrades with one command
  • LibreSSL 3.0.2: a new release of the project's OpenSSL fork
  • sshsig: a minimal signature and verification utility for ssh-keygen(1)
  • OpenSSH 8.1: a new release of the project's ubiquitous ssh protocol implementation …

OpenBSD: Secure by Default

Continuing with the theme of my last post regarding the impetus of the OpenBSD project, and the principles by which development of the operating system adheres, I felt compelled to enumerate some of the tangible benefits that such a system produces. The principled purist within me notwithstanding, for what reason do I not only choose to use but advocate for OpenBSD when there are so many viable alternatives? What are the benefits? Candidly, there are plenty. Beyond the intangible, esoteric, and ideological, there are myriad reasons that could incentivise installing and running OpenBSD; if not as a daily driver—a firewall, router …

OpenBSD: Clean, Correct Code by Default

I was perusing some not-too-recent-nor-old messages on the misc@openbsd.org mailing list when I entered a thread based on an interest in the subject—OpenBSD Project—where after reading the original message I would have normally passed on the rest but fortuitously didn't, and was pleased to read a contribution that reminded me of one of OpenBSD's most compelling merits:

"If your choice of operating system depends on any kind of formalities rather than on technical quality, OpenBSD is not the project you are looking for."

The entire message deserves a read but this key point made by author Ingo Schwarze …

OpenBSD DNS Server with unbound and nsd

Introduction

The default installation of OpenBSD comes with both unbound(8) and nsd(8); unbound is a validating, recursive, and caching DNS resolver that provides DNSSEC validation, while nsd is an authoritative name server that holds DNS records. The combination of the two running locally means that name server lookups (i.e., requests to resolve domain names into IP addresses and vice versa) can be handled locally without being sent upstream to your ISP or another public name server such as Google. This almost completely prevents snooping or tampering …

Starting ssh-agent on OpenBSD

You'll find that unlike macOS, ssh-agent doesn't automatically run at startup on OpenBSD, so you need to initialise it, which is quick and easy but somewhat abstruse.

First, don't do the seemingly obvious and simply run ssh-agent like so:

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-MUxDCsIBiG5G/agent.38206; export SSH_AUTH_SOCK;
SSH_AGENT_PID=65950; export SSH_AGENT_PID;
echo Agent pid 65950;

Despite what you might intuit from the output, ssh-agent has only printed the shell script needed to initialise the daemon—it hasn't actually set the variables. Instead, we should evaluate the output, which will set both the SSH_AUTH_SOCK and SSH_AGENT_PID variables that allow ssh-add to communicate with …

Quick and Convenient Command Line E-mail

If you spend a considerable amount of time in your terminal, you might find the ability to fire off short emails from within it—without context-switching to your mail client or browser or whichever means you use—a convenient shortcut. Not to mention the utility it affords any number of use cases you might later choose to implement; a simple shell script, for example, can deliver notifications via email. It's a convenient feature of Unices that requires very little setup.

First, edit /etc/mail/secrets, as a privileged user, to store your credentials in the following format:

relayid relayuser:secretpassword

Where relayuser …

Boost Nextcloud Performance with Redis Cache on OpenBSD

Introduction

A PHP memory caching utility such as Redis can significantly decrease load times, speeding up PHP requests by storing compiled files for quicker retrieval.

Install Redis

Both the Redis database and PHP interfacing extension need to be installed:

# pkg_add redis pecl-redis

Add to rc.d to run at startup and then start Redis:

# rcctl enable redis
# rcctl start redis

Redis and Nextcloud Configuration

First, make the directory with appropriate ownership and permissions in the chroot where Redis will create the unix socket file:

# mkdir /var/www/redis
# chown …

Let's Encrypt HTTPS with acme-client on OpenBSD

Introduction

Since OpenBSD 5.9, the base system comes with acme-client: an open source implementation in C that requests a free HTTPS/TLS certificate from the Let’s Encrypt Certificate Authority. It is really simple to set up and even easier to use. And once your certificate is issued, a cronjob will ensure your website stays TLS encrypted for the remainder of its lifetime.

ACME Setup

Open the file /etc/acme-client.conf in your favourite editor and ensure both instances of the agreement URL contain the most up-to-date link. Then …

OpenBSD Web Server with httpd, MariaDB, PHP and WordPress

Introduction

The ubiquitous LAMP (Linux / Apache / MySQL / PHP) Stack that runs on just about every private or SOHO, and even enterprise level, deployment has scores of guides available across the Internet. If you are establishing your own web server for the first time, you can google "LAMP Stack $linux_flavour" and Google will return thousands of results; many of them up-to-date and accurate enough that you can reliably follow the steps provided to deploy a secure production environment where you can serve anything from your WordPress blog …
