OpenBSD
OpenBSD is a secure, freely available, multi-platform BSD-based UNIX-like operating system. OpenBSD specialises in security and correctness. Its developers carefully and proactively audit the system's code, which in turn contributes to the stability and security of OpenBSD. The project is led by Theo de Raadt from Calgary, Alberta.
Like the other free, open source BSDs, OpenBSD is distributed under the modern BSD license.
History
OpenBSD was created as a fork of NetBSD after philosophical and personality differences between de Raadt and the other NetBSD founders. Although security is the main reason for OpenBSD's existence, it is not the project's only focus. As a descendant of NetBSD, OpenBSD is a highly portable operating system, currently running on 16 hardware platforms; platforms are added and dropped as resources and practicality warrant.
Current release
The current release, 3.7 (released May 19, 2005), includes X.Org Server 6.8.2, further enhancements to the packet filter, the BGP daemon (OpenBGPD) and the NTP daemon (OpenNTPD), and a new OSPF daemon (ospfd) implementing the OSPFv2 routing protocol. Much work has also gone into the package tools, which can now perform in-place package updates. The next release is expected around October 2005.
Security
Until June 2002 the OpenBSD web page carried the slogan "No remote hole in the default install, in nearly 6 years." After a remotely exploitable bug was found in OpenSSH it was changed to "Only one remote hole in the default install, in more than 8 years". Critics point out that very little is enabled in a default install of OpenBSD, and that stable releases have shipped software that was later found to have remote holes. The project's position is that the slogan refers only to a default install of the operating system, and that it is correct by that standard. The principle behind it is one of the project's fundamental contributions: systems should be "secure by default". Enabling as few services as possible on production machines is standard, indeed fundamental, security practice; OpenBSD makes it the shipped configuration rather than something the administrator has to do afterwards. Even setting that practice aside, the auditing and mitigations described below give OpenBSD a strong record for security and stability.
As part of the recent "string cleaning", countless occurrences of strcpy, strcat, sprintf, and vsprintf were replaced with bounded or allocating variants: strlcpy, strlcat, snprintf, vsnprintf, and asprintf (see the OpenBSD man pages (http://www.openbsd.org/cgi-bin/man.cgi) for details). strlcpy and strlcat, both OpenBSD inventions, take the full size of the destination buffer, always NUL-terminate it when that size is non-zero, and return the length of the string they tried to create, so a caller detects truncation by comparing the return value against the buffer size. In addition to the ongoing source code auditing, OpenBSD ships with strong cryptography. More recently, several new technologies have been integrated into the system, further increasing its security. As of version 3.3, ProPolice has been enabled by default in GCC; it places a canary value between local buffers and the saved return address and checks it before the function returns, so a stack-smashing overflow is caught before the corrupted return address is used. In OpenBSD 3.4 this protection was enabled in the kernel as well. W^X (pronounced "W xor X") is a memory-protection policy under which a page of memory may be writable or executable but never both, so an attacker who does overflow a buffer cannot simply jump to the bytes they injected. Privilege separation, privilege revocation, and randomized loading of libraries also play an ever increasing role in the security of the system.
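To make the string-cleaning change concrete, here is an added example (not code from this page or from the OpenBSD tree) showing the unbounded pattern the audit removed beside its bounded replacement, including the truncation check a caller needs. The names `bounded_strlcpy`, `struct account`, `set_name_unbounded` and `set_name_bounded` are assumptions made for the example; `bounded_strlcpy` is a local reimplementation of the semantics documented in OpenBSD's strlcpy(3) so that the program also builds on a libc that does not provide it.

```c
#include <stdio.h>
#include <string.h>

/* Reimplementation of strlcpy(3) semantics (example code, not OpenBSD's
 * implementation): copy at most dstsize-1 bytes, always NUL-terminate
 * when dstsize > 0, and return strlen(src) so the caller can detect
 * truncation with "return value >= dstsize". */
size_t bounded_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

#define NAME_MAX_LEN 16

/* Hypothetical record: uid sits directly after the name buffer, so an
 * overrun of name[] lands on it. */
struct account {
    char name[NAME_MAX_LEN];
    int  uid;
};

/* Before: the pattern the audit replaced. strcpy copies until it finds
 * the NUL in src, so a name of 16 or more characters overruns name[]
 * (undefined behaviour; on a typical layout it clobbers uid). Kept here
 * deliberately to show the defect; do not call it with untrusted input. */
void set_name_unbounded(struct account *a, const char *src)
{
    strcpy(a->name, src);
}

/* After: bounded copy plus the idiomatic truncation check. Returns 0 on
 * success and -1 if src did not fit. The buffer is NUL-terminated either
 * way, but the caller must decide whether truncation is acceptable:
 * silently shortening a path or user name is itself a common bug. */
int set_name_bounded(struct account *a, const char *src)
{
    if (bounded_strlcpy(a->name, src, sizeof(a->name)) >= sizeof(a->name))
        return -1;
    return 0;
}

int main(void)
{
    struct account a = { "", 1000 };

    /* Constructed input: 25 characters, far larger than the 16-byte buffer. */
    const char *long_name = "averyveryverylongusername";

    set_name_unbounded(&a, long_name);
    printf("unbounded: name=%.15s... uid=%d (uid overwritten)\n", a.name, a.uid);

    a.uid = 1000;
    int rc = set_name_bounded(&a, long_name);
    printf("bounded:   rc=%d name=\"%s\" uid=%d\n", rc, a.name, a.uid);
    return 0;
}
```

The check `>= sizeof(dst)` is the whole point of the return value: unlike strncpy, which neither reports truncation nor guarantees a terminator, strlcpy lets the caller refuse over-long input instead of quietly storing a different string than the one supplied.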
OpenBSD/sparc got further stack protection in the form of StackGhost in May 2004, with OpenBSD/sparc64 support added to -current at the end of March 2005.
A static bounds checker was added to the toolchain, which attempts to find common programming mistakes at compile time. Systrace, which confines a process to a system-call policy, can now be used to sandbox the build of a port so that a buggy or malicious build script cannot modify the rest of the system.
Because of these security properties, OpenBSD is often used in the security industry as the base operating system for firewalls and intrusion detection systems. The OpenBSD packet filter, pf, is a full-featured stateful firewall, written after licensing problems with IPFilter (ipf) led to its removal from the tree. OpenBSD was the first open source operating system to ship with a packet filter.
OpenBSD hashes passwords with bcrypt, an algorithm derived from Bruce Schneier's Blowfish block cipher. It takes advantage of Blowfish's slow key schedule to make each password check inherently CPU-intensive, with a tunable cost parameter so the work can be raised as hardware gets faster; the computation is difficult to optimise or to speed up with parallel hardware, which is intended to frustrate password-cracking attempts.
OpenSSH, an open source SSH suite, and OpenNTPD, an open source and compatible alternative to the official NTP daemon, were developed within the OpenBSD project. Both were created for licensing reasons as an alternative to more restricted code bases.
Forks of OpenBSD
See also
External links
- OpenBSD homepage (http://www.openbsd.org/)
- OpenBSD CVS Web Repository (http://www.openbsd.org/cgi-bin/cvsweb/)
- OpenBSD man pages (http://www.openbsd.org/cgi-bin/man.cgi)
- OpenBSD songs (http://www.openbsd.org/lyrics.html)
- OpenSSH homepage (http://www.openssh.com/)
- OpenNTPD homepage (http://www.openntpd.org/)
- OpenBGPD homepage (http://www.openbgpd.org/)
- OpenCVS homepage (http://www.opencvs.org/)
- OpenBSD journal (http://www.undeadly.org/)