Damien Miller (djm@) just noted on social media that he has committed (starting here) changes which allow control over ssh-agent(1) key-forwarding based on destination host and forwarding path. A detailed description is available on the OpenSSH site.
After much preparatory work in base and ports, clang(1) has been upgraded to version 13.0.0 (on the relevant platforms). Patrick Wildt (patrick@) made the commits.
The OpenBSD project has released OpenBSD 7.0, the project's 51st release. As usual, the release page offers highlights, installation and upgrade instructions, as well as links to other resources such as the detailed changelog. Notable improvements include, but are not limited to:
As a result of a licence change by Realtek, that company's wireless firmware images are now included in the tree. The following commit by Kevin Lo (kevlo@) explains the details: Read more…
Did you just run syspatch(8) and see it fail? Here's the reason: one of the two root certificates behind the (excellent) Let's Encrypt CA service has expired. A bug in (the "legacy" verifier of) LibreSSL also contributed. The syspatches (for OpenBSD 6.8, 032, for OpenBSD 6.9, 018) mitigate the unfortunate situation. However, your syspatch may fail if your local mirror uses a Let's Encrypt certificate. Patch-22! In that case, the best advice may be to try a mirror that does not use a Let's Encrypt certificate just to get past this speed bump. Read more…
EuroBSDCon 2021 was held [virtually] earlier this month. Videos of the presentations are now available. Amongst the OpenBSD-related presentations is that by Marc Espie (espie@) - Debug Packages in OpenBSD (slides, video).
In a recent message to tech@ Martin Pieuchot (mpi@) wrote about analysis of kernel lock contention. We reproduce the message(s) here, reformatted with his permission.
Now enabled by default on OpenBSD -current is dhcpleased(8), a dynamic host configuration protocol daemon written by florian@ (Florian Obser), who spoke with us about his work: I suppose this is either the KAME project's fault, or if we don't want to go that far back, Theo's fault. At g2k16 he floated the idea of a network configuration daemon. It would collect "proposals" for IP addresses, default routes and DNS configuration from various sources (DHCP, IPv6 router advertisements, umb(4), etc.), make some policy decisions, configure the network, and set resolv.conf(5) Read more…
Frederic Cambus (fcambus@) has blogged about the recent history and current state of toolchains on OpenBSD. It provides a good explanation of how and why things got to where they stand.
The OpenBSD project has released OpenBSD 6.9, the project's 50th release. As usual the release page offers highlights, installation and upgrade instructions as well as links to other resources such as the detailed changelog. Notable improvements include, but are not limited to
Hoping to be able to make a conference in Vienna in September (and doing it digitally if not), the EuroBSDCon is now accepting submissions for presentations and tutorials.
In a recent blog post, OpenBSD developer Solène Rapenne (solene@) offers an overview of the security features offered by a default OpenBSD installation. The first paragraph of the introduction reads,
With the following commit, Florian Obser (florian@) imported dhcpleased(8), DHCP daemon to acquire IPv4 address leases from servers, plus dhcpleasectl(8), a utility to control the daemon:
OpenBSD has managed to drop KDE3 and KDE4 in the 6.8 -> 6.9 release cycle. That makes me very happy because it was a big piece of work and long discussions. This of course brings questions: Kde Plasma 5 package missing. After half a year of work, I managed to successfully update the Qt5 stack to the last LTS version 5.15.2. On the whole, the most work was updating QtWebengine. What a monster! With my CPU power at home, I can build it 1-2 times a day which makes testing a little bit annoying and time intensive. But today we can be happy about an up-to-date KDE stack in OpenBSD. Currently - at the end of January - our stack is very up-to-date:
Introduction: Pf-badhost is a very practical, robust, stable and lightweight security script for network servers. It's compatible with BSD based operating systems such as {Open,Free,Net,Dragonfly}BSD and MacOS. It prevents potentially-bad IP addresses that could possibly attack your servers (and waste your bandwidth and fill your logfiles), by blocking all those IPs contacting your server, and therefore it makes your server network/resources lighter and the logs of important services running on your server become simpler, more readable and efficient. Read more…
OpenBSD developer Vadim Zhukov (zhukov@) has added preliminary OpenBSD support to Open Broadcaster Software (OBS) Studio release 26.1.0 and later. The changes come as part of an ongoing collaboration between the upstream OBS project and OpenBSD developers. Preliminary OpenBSD support was added in two commits. One introduced sndio(7) support. This adds a sndio plugin which Zhukov advises will provide more reliable, lower latency audio mixing than the ffmpeg plugin for OpenBSD users. The other provides basic support such as help evaluating OpenBSD-specific filesystem paths. A link to the release was posted on Reddit, with a title claiming full OpenBSD support. Bryan Steele (brynet@) was quick to provide helpful context in a comment:
On its 25th birthday, the OpenBSD project has released OpenBSD 6.8, the 49th release. The new release comes with a large number of improvements and debuts a new architecture, OpenBSD/powerpc64, running on the POWER9 family of processors. The full list of changes can be found in the announcement and on the release page. Some highlights:
Introduction: Hitherto, releases of the fwobac software (which underlies Undeadly) have been unsigned. This is overdue for change, so for the latest release [version 1.7], we are providing a digital signature. As signing is being performed manually, why not employ an additional [hardware] factor? signify(1) does not support the use of FIDO authenticators. However, recent versions of OpenSSH do support signing using the [under-appreciated] -Y sign option of ssh-keygen(1), and with the recent addition of FIDO authenticator support to OpenSSH [as reported previously], we have a means (using tools in base OpenBSD) of using a hardware factor when signing files. Read more…