November 17, 2004

Review: OpenBSD 3.6 shows steady improvement

Author: Jem Matzan

The OpenBSD team earlier this month released version 3.6 of the free operating system, with support for more hardware, updated application software, and bug fixes included. This time around OpenBSD has added support for multi-CPU systems, a number of drivers for new peripheral hardware, and about 200 more applications to the Ports tree. We took the new version for a spin, and liked what we found.

Since we've previously reviewed OpenBSD 3.5, we won't repeat everything, but here is a quick list of the general features intrinsic to the operating system:

  • OpenBSD is secure by default -- in other words, the base system that you install will not have any security flaws or enabled services that could compromise the integrity of your system.
  • OpenBSD is easy to install, set up, and use, but it's all done from the command line. If you want to learn and use OpenBSD, you'd better be familiar with the man command.
  • The documentation via the manual pages is superb.
  • All of the software you'll need to run a Web, mail, NFS, DHCP, or file server is installed and ready to be configured and enabled.
  • New programs are easy to install, update, and manage through the Ports system.
  • OpenBSD includes integrated cryptography, which is used by some parts of the base system to enhance security.

OpenBSD doesn't necessarily make as complete a desktop system as FreeBSD or one of the desktop GNU/Linux distributions does, but you can certainly use it to get email, chat on IRC, browse the Web, or write a book. There are no hardware-accelerated drivers for Nvidia, ATI, or Intel video chips, so 3D games are out of the question, but you can still get good color depth and resolution in X11 for 2D applications. Desktop environments like KDE 3.2.3 and GNOME 2.6.2 are available through the Ports system, as are several window managers and a host of GUI-based programs that run in them. In all there are more than 2,700 programs in the OpenBSD 3.6 Ports tree, which, unlike FreeBSD's Ports tree, remains static for each release. In other words, OpenBSD Ports follows the same release schedule that the base system does, as opposed to the maintainers updating the Ports as they see fit. This means that you'll be stuck with the same software versions until the next release (six months), but it also means that each OpenBSD installation will have exactly the same software on it, providing a standard, stable environment for sysadmins.

The quickest way to get OpenBSD 3.6 is through an FTP install. You download a small CD ISO or diskette image, boot from it, then download the installation sets from the OpenBSD FTP servers. Every time I try this I have some kind of problem, but the CD set always works perfectly on my systems.

Speaking of which, the OpenBSD 3.6 CD set is an inexpensive $45 (or 45 euros). Anyone seriously considering OpenBSD on the i386, SPARC/SPARC64, AMD64, VAX, or macPPC architectures will find the CD set to be a much more convenient and speedy method of installation.

OpenBSD's installation routine is spartan, but quick and simple. It's merely a script that goes through each step of a complete installation or upgrade of the base system. Depending on the speed of your computer and the size of your hard drive, installation can take between 10 and 30 minutes, and upgrades will usually take about half that. The upgrade script unfortunately does not upgrade precompiled application packages or any programs that you've installed through Ports, and there is no Portupgrade program to automate this process as there is in FreeBSD. To upgrade your programs, you'll have to reinstall each one individually -- not difficult to do, but certainly tedious if you have a number of programs on your system. Some people prefer to deinstall all packages prior to the upgrade, then reinstall the new versions afterward. Packages are not as easy to get from the FTP repository as Ports are, but are much quicker to install on slower systems and easier to distribute to multiple installations.

If you choose to upgrade your Ports after the upgrade, you can run the /usr/ports/infrastructure/build/out-of-date script to determine which ones need to be upgraded, then locate each one and deinstall and reinstall it.

New in 3.6

Included with the standard installation are OpenSSH 3.9 (OpenSSH is part of the OpenBSD project) and OpenSSL 0.9.7d; GCC 2.95.3 and 3.3.2 with the ProPolice add-on installed and enabled by default; Perl 5.8.5; Apache 1.3.29 with default chrooting, privilege revocation, mod_ssl 2.8.16 and DSO support; Sendmail 8.13.0 with libmilter; BIND 9.2.3; Heimdal 0.6rc1; and a customized fork of XFree86 4.4.0 without the new, more restrictive licensing. Other packages like Lynx and Sudo are also included, and most of the above-listed programs include specialized patches from the OpenBSD team to enhance security and functionality.

Hands on

Security: A process, not a problem

If all you're running is a desktop machine or workstation, your only security precautions probably include enabling a firewall and disabling or uninstalling unused server software. But there's much more to security than an end-user can immediately see. In setting up an operating system for a server -- especially a production server -- a sysadmin should conduct a full audit of the system before it is brought online. This includes examining every piece of software on the system to ensure that it is configured properly and up to date with all security patches; testing the services and disabling any that are unnecessary; hardening the kernel; monitoring file permissions and logs, looking for suspicious activity; and finding and installing all security updates for both the OS and the installed software. In other words, security on a production machine is not a problem to be solved and then forgotten about; it is a continual process which requires attention and vigilance.

Where OpenBSD truly shines is in anticipating these kinds of tasks and helping you accomplish them more quickly and easily. On a GNU/Linux or proprietary Unix system you can create scripts and cron jobs to automate much of your security audit, but that takes a lot of knowledge and experience. OpenBSD takes the hassle out of an administrative security audit by checking the logs and file permissions and emailing the root account every day with a security report. It also disables all daemons by default and adds special security-enhancing modifications for Apache, OpenSSL, and other outward-facing programs.
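As an added illustration of the kind of check that daily report automates (example code written for this review, not OpenBSD's own /etc/security script): a POSIX shell snippet that records the owner and mode of chosen files in a baseline, reports any drift or missing file on a later run, and lists setuid binaries so two days' listings can be compared. All file paths it operates on are supplied by the caller; none are assumed to exist.

```shell
#!/bin/sh
# Added example, not OpenBSD's /etc/security: a minimal version of the daily
# file-permission audit. Record mode and owner of sensitive files in a
# baseline, then report drift or missing files on a later run.

perm_of() {
    # Print "mode owner" for one path. ls -ld is used because stat(1)
    # flags differ between the BSD and GNU userlands.
    ls -ld "$1" | awk '{ print $1, $3 }'
}

snapshot() {
    # snapshot BASELINE PATH... : write "mode owner path" for each existing
    # PATH into BASELINE, one line per file. Paths that do not exist are skipped.
    out=$1; shift
    : > "$out"
    for p in "$@"; do
        if [ -e "$p" ]; then
            echo "$(perm_of "$p") $p" >> "$out"
        fi
    done
}

check() {
    # check BASELINE : print one line per file whose mode or owner differs
    # from the baseline, or which no longer exists. Returns 1 if any drift
    # was found (so a cron job can decide whether to mail root), else 0.
    base=$1; drift=0
    while read -r mode owner path; do
        if [ ! -e "$path" ]; then
            echo "MISSING: $path (was $mode $owner)"
            drift=1
            continue
        fi
        cur=$(perm_of "$path")
        if [ "$cur" != "$mode $owner" ]; then
            echo "CHANGED: $path: was '$mode $owner', now '$cur'"
            drift=1
        fi
    done < "$base"
    return $drift
}

setuid_files() {
    # List setuid executables under $1 in sorted order, so yesterday's and
    # today's listings can be compared with diff(1), as the daily report does.
    find "$1" -type f -perm -4000 2>/dev/null | sort
}
```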

In addition to the secure default state, the other facet of OpenBSD's top-quality security is behind the scenes. The code itself undergoes an ongoing and extensive security review by the OpenBSD security team to ensure that there are no known or potential vulnerabilities waiting to be exploited. Often a potential problem is fixed in the OpenBSD code long before it is discovered, exploited, and patched in other operating systems.

In the end, OpenBSD offers little that any modern Unix operating system plus a good sysadmin doesn't, but it's a matter of convenience and preference. The process of maintaining a secure system is still up to the administrator, no matter what operating system you use.

I tested out OpenBSD 3.6 on my most temperamental system: a Dell Inspiron 3800 laptop. I had no trouble with my PCMCIA Xircom wired or Linksys wireless network cards, nor did I have any trouble switching between the two. I could install and use XFree86 without any trouble, and everything seemed to work just as perfectly as it did in the previous release. I didn't have any multi-CPU systems running the new SMP support on either the AMD64 or i386 editions.

The OpenBSD project cannot guarantee the security of programs in the Ports tree, but it does make an effort to ensure that obviously insecure programs don't make it into Ports. If a security bulletin is sent out about programs in either the base system or Ports, OpenBSD provides patches individually or as a separate branch of the entire project. The process for applying a single patch is detailed at the top of each patch file, making installation as easy as following a couple of lines of instructions. As of this writing there are no listed security bulletins, but if there are, they'd appear here.

The PATCH branch of OpenBSD is one of three separate yet related divisions of the project. The first and most obvious is RELEASE, which remains consistent throughout the six-month lifespan of an official OpenBSD release. PATCH is RELEASE plus any security updates, and is updated as patches are released. The third branch is CURRENT, which is the cutting edge of OpenBSD development. Obviously you don't want to run in-development code on a production machine, so CURRENT is really only useful to people interested in contributing to the project. These branches are not isolated to the base system; they also include the entire Ports tree.

Conclusions

I'm certain the OpenBSD team would think this a trivial matter, but for the next version I would really like to see a Portupgrade-like program to upgrade the compiled Ports to the new version without a great deal of hassle.

Aside from that single gripe, what strikes me most about OpenBSD in general is the professional manner in which it is developed and released. By professional I don't mean "corporate," as in meaningless meetings, bad design strategies, incompetent bosses, unreasonable deadlines, etc. I mean it's released on time with few problems and it does exactly what it claims to do.

Each release is a small step forward; operating system development should be a battle of inches instead of historically disastrous attempts at giant leaps, and OpenBSD 3.6 personifies that philosophy. With the exception of SMP support, every enhancement new to 3.6 is a few inches forward. Some things may seem little but mean a great deal to those who requested and developed them. Others might not be able to notice any difference at all between 3.5 and 3.6.

OpenBSD 3.6 is among the better AMD64 operating systems out there, which may make it a suitable server replacement for FreeBSD, which continues to suffer from a horrible AMD64 SMP implementation. If you want to set up a cheap, secure home server, or if you'd like to get into using the command line interface more proficiently, OpenBSD 3.6 is an excellent operating system to choose.

Purpose: Server operating system
Manufacturer: The OpenBSD Project
Architectures: i386, AMD64/EM64T, SPARC, SPARC64, Alpha, HP300, HPPA, Mac68k, MacPPC, mvme68k, mvme88k, luna88k, VAX
License: BSD
Market: Servers of all kinds, for home, office, or enterprise; security-minded users and sysadmins
Price (retail): $45 for a 3-CD set, sold directly from the OpenBSD site. Can be installed over FTP for free
Previous version: 3.5

Jem Matzan is the author of three books, a freelance journalist and the editor-in-chief of The Jem Report.

Category:

  • BSD