
23 March 2010

OpenBSD --- An Overview for newbies


OpenBSD is a member of the BSD family of operating systems and is widely regarded as the most secure operating system available anywhere, under any licensing terms. It is known for its excellent documentation and its fanatical focus on security debugging, code correctness and freedom.

It's widely used by Internet service providers, embedded systems manufacturers, and anyone who needs security and stability.

Most people think that OpenBSD is not the easiest UNIX-like operating system, or the easiest version of BSD, or even the easiest version of open-source BSD. It doesn't have handy "wizards" that walk you through each stage of the configuration process. It has very few menu-driven front ends. Once you're familiar with how the system works, though, such wizards only get in the way.

The OpenBSD developers and support groups are not really interested in helping rank UNIX beginners and usually refuse to answer basic UNIX questions. To really understand OpenBSD you need to be willing to learn, experiment, and spend some time accumulating understanding. The good news is, OpenBSD merely shows you what other operating systems conceal. Much of this knowledge can be directly applied to other versions of BSD, other UNIX-like operating systems, and even completely foreign operating systems such as Microsoft's Windows platforms.

Because UNIX is not designed to be particularly easy to use, don’t feel bad if you have to look up a number of topics before you feel comfortable using the computer. Most computer users, after all, never have to face anything as daunting as UNIX! That’s how you know it’s UNIX. Looks odd, but works great.


Windows is warm and tasty,
blowfish goes down hard.
 

Intro

What Is BSD?
Indulge us while we tell a historical parable. Imagine that UNIX is a kind of automobile rather than a computer system. In the early days, every UNIX system was distributed with a complete set of source code and development tools. If UNIX had been a car, this distribution method would have been the same as every car’s being supplied with a complete set of blueprints, wrenches, arc-welders, and other car-building tools. Now imagine that nearly all these cars were sold to engineering schools. You may expect that the students would get to work on their cars and that soon no two cars would be the same. That’s pretty much what happened to UNIX.
AT&T employees created UNIX in the early 1970s. At the time, the monster telephone company was forbidden to compete in the computer industry. The telecommunications company used UNIX internally, but could not transform it into a commercial product. As such, AT&T was willing to license the UNIX software and its source code to universities for a nominal fee. This worked well for all parties:
  1. AT&T got a few pennies and a generation of computer scientists who cut their teeth on AT&T technology, 
  2. the universities avoided high operating system license fees, and 
  3. the students were able to dig around inside the source code and see how computers really worked.
Compared to some of the other operating systems of the time, the original UNIX wasn't very good. But all these students had the source code for it and could improve the parts that they didn't like.
  1. If an instructor found a certain bug particularly vexing, he could assign his students the job of fixing it. 
  2. If a university network engineer, professor, or student needed a feature, he could use the source code to quickly implement it. 
As the Internet grew in the early 1980s, these additions and features were exchanged between universities in the form of patches. The Computer Science Research Group (CSRG) at the University of California, Berkeley, acted as a central clearinghouse for these patches. The CSRG distributed these patches to anyone with a valid AT&T source code license. The resulting collection of patches became known as the Berkeley Software Distribution, or BSD. This continued for a long, long time. If you look at the copyright for any BSD-derived code, you will see the following text: 
Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 2009
The Regents of the University of California. All rights reserved.
Thirty years of continuous development by the brightest students of the best computer science programs in the world, moderated by the faculty of one of the top technical schools (Berkeley) in the USA. That's more than a lifetime in software development. As you might imagine, the result was pretty darn good — almost everyone who used UNIX was really using BSD. The CSRG was quite surprised, near the end of these years, when it found that it had replaced almost all of the original AT&T code!
Although about 75 percent of the important stuff is the same on all UNIX systems, knowing exactly which kind of UNIX you’re using helps.

BSD Goes Public

In the early 1990s, the CSRG's funding started to run out. The University of California had to decide what to do with all this wonderful source code it owned. The simplest thing would have been to drop the original tapes down a well and pretend that the CSRG had never happened. In keeping with the spirit of academic freedom, however, it released the entire BSD collection to the public under an extremely liberal license. The license can be summarized like this:
  1. Don't claim you wrote this.
  2. Don't sue us if it breaks.
  3. Don't use our name to promote your product.
Compare this with the software license found on almost any commercial operating system. The BSD license is much easier to understand and unobjectionable to almost anyone. Anyone in the world can take the BSD code and use it for any purpose they like, from desktop computers to self-guided lawnmowers. Not surprisingly, many computer manufacturers jumped right on BSD. Not only was the code free, but also every computer science graduate for the last 22 years was familiar with it.


AT&T UNIX
As the CSRG was merrily improving AT&T's product, AT&T was doing its own UNIX development work to meet its internal needs.
  1. As AT&T developers implemented features, they also evaluated patches that came from the CSRG. 
  2. When they liked a chunk of BSD code, they incorporated it wholesale into AT&T UNIX, 
  3. then turned around and relicensed the result back to the universities, 
  4. who used it as the basis for their next round of work.
This somewhat incestuous relationship kept going for many years, until the grand AT&T breakup. Suddenly, the telecommunications giant was no longer forbidden to dabble in commercial computing. Thanks to years of development, and that generation of computer scientists who knew it, UNIX abruptly looked like a solidly marketable product.
Berkeley's release of the BSD code met with great displeasure from AT&T and instigated one of the most famous computer-related lawsuits of all time. After some legal wrangling, the case was settled out of court. The Berkeley lawyers proved that most of the code in dispute originated in BSD, not in original AT&T UNIX. Only a half-dozen files were original AT&T property, while the rest of the operating system belonged to the CSRG and its contributors. As if that wasn't bad enough, AT&T had even removed the original Berkeley copyright statement from the files it had appropriated from the CSRG! 
AT&T went away and sulked for a while, finally releasing System V UNIX. The CSRG removed disputed files and released BSD 4.4-Lite2, a complete collection of CSRG code utterly unencumbered by any AT&T copyrights.
    BSD 4.4-Lite2, also known just as "Lite 2," is the grandfather of all modern BSD software.
This code was not usable out of the box, and it required some tweaks and additions to function. Various groups of programmers, such as BSDi, the NetBSD Project, and the FreeBSD Project, took it on themselves to make this code usable and to maintain it. Each project was independently managed.

What Is OpenBSD?

OpenBSD's founder, Theo de Raadt, started as a NetBSD developer several years ago. He had several strong disagreements, on many fronts, with the NetBSD developers about how the operating system should be developed. Eventually, he went out on his own and founded the OpenBSD Project, attracting quite a few like-minded developers to work with him.
The OpenBSD team introduced several ideas into the open-source OS world that are now taken for granted, such as public access to the CVS repository and commit logs.
The OpenBSD team quickly established an identity of its own as a security-focused group and is now one of the best-known types of open-source BSD. Today, major companies such as Adobe Systems rely on OpenBSD to provide a reliable, secure operating system.
    Nowadays, OpenBSD is a BSD-based UNIX-like operating system with a fanatical attention to security, correctness, usability, and freedom. It runs on many different sorts of hardware including the standard "Intel PC" (i386), the Macintosh (mac68k and macppc), Sun's Sparc (sparc and sparc64), Compaq's Alpha (alpha), and more. OpenBSD puts almost all its efforts into security features, security debugging, and code correctness. The OpenBSD folks have demonstrated that correct code has a much lower chance of failing, and hence greater security. While some other BSDs focus on different goals, OpenBSD strives to be the ultimate secure operating system.
    The OpenBSD team continually improves the operating system to enhance its security, stability, and freedom. This includes everything from
  • the actual code in the operating system, 
  • to the online manual (which has a nearly legendary quality in the free software community), 
  • to the debugging and development environment, 
  • to the continuous software license auditing.
In October of 1995, Theo de Raadt forked the NetBSD code and formed OpenBSD with the goal of making a free (in the context of rights, not price), highly functional operating system that concentrated on security while remaining as portable as possible. NetBSD was originally based on the last release of the academic replacement for AT&T Unix known as the Berkeley Software Distribution (4.4BSD-Lite), so OpenBSD's heritage reaches back considerably further than many other operating systems in development today.
    OpenBSD is designed to be secure by default. The simplest way to explain this concept is to say that everything that could potentially be a security risk is turned off or disabled until you turn on or enable it. That means that while you may have the Apache web server installed, it is not going to start until you either run its daemon from the command line or manually add httpd (the service name that corresponds to Apache) to the system startup script. OpenSSH services will also be unavailable unless specifically enabled. Because it is secure by default, you may have to do more initial configuration with OpenBSD than with most other Unix-like operating systems, and that is why this guide exists to show you how to get an OpenBSD machine up and running quickly.
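
As an added illustration of the secure-by-default idea above (not code from the original post or from OpenBSD itself), here is a small shell audit that reads rc.conf-style files and lists which daemons end up enabled. It assumes the `name_flags=NO` convention of OpenBSD's `/etc/rc.conf` with local overrides in `/etc/rc.conf.local`; the sample file contents and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: audit which daemons an rc.conf-style configuration enables.
# Assumption: each daemon has a NAME_flags variable, and the value NO means
# the daemon is not started at boot. Files given later override earlier ones.

# write_samples DIR: create two constructed sample files in DIR.
# They stand in for the shipped defaults and the local overrides.
write_samples() {
    cat > "$1/rc.conf" <<'EOF'
# constructed sample of shipped defaults: everything is off
httpd_flags=NO          # web server stays off until enabled
sshd_flags=NO
named_flags=NO
ftpd_flags=NO
EOF
    cat > "$1/rc.conf.local" <<'EOF'
# constructed sample of local overrides made by the administrator
httpd_flags=""          # enabled with no extra flags
named_flags="-4"        # enabled with a flag
ftpd_flags=NO           # explicitly kept off
EOF
}

# effective_state FILE...: print "daemon on" or "daemon off" for the final
# value of every NAME_flags assignment, sorted by daemon name.
effective_state() {
    awk '
        {
            sub(/#.*$/, "")                    # strip trailing comments
            gsub(/^[ \t]+|[ \t]+$/, "")        # trim surrounding whitespace
            eq = index($0, "=")
            if (eq == 0) next                  # not an assignment
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            if (key !~ /^[A-Za-z0-9_]+_flags$/) next
            gsub(/^"|"$/, "", val)             # drop surrounding double quotes
            sub(/_flags$/, "", key)            # httpd_flags becomes httpd
            state[key] = (val == "NO") ? "off" : "on"   # last assignment wins
        }
        END { for (k in state) print k, state[k] }
    ' "$@" | sort
}

# enabled_daemons FILE...: print only the daemons that would be started.
enabled_daemons() {
    effective_state "$@" | awk '$2 == "on" { print $1 }'
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "Enabled with shipped defaults only:"
enabled_daemons "$demo_dir/rc.conf"
echo "Enabled after local overrides:"
enabled_daemons "$demo_dir/rc.conf" "$demo_dir/rc.conf.local"
rm -rf "$demo_dir"
```

With the defaults alone the list is empty; every name in the second list is a service someone deliberately switched on, which makes it the list to review when hardening the machine.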


What Is OpenBSD Good For?
OpenBSD is frequently employed as a web, email, and FTP server, though it can just as easily run BIND to do DNS name resolution, OpenLDAP to form a directory server, and the PostgreSQL and MySQL databases, among a few others. Many people also use OpenBSD in a network appliance machine as a firewall, router, and wireless access point.
    You can also make a suitable desktop operating system out of OpenBSD if you wish. The X.org server is provided on the installation media, and relatively recent editions of KDE, GNOME, Xfce, Fluxbox, Enlightenment (e16), IceWM, and other window managers are available through the Ports system (a collection of optional software that is common to all operating systems in the BSD family). A respectable selection of desktop software is also available, including Firefox, the GIMP, LyX, Evolution, G-Rip, XMMS, and many more. There is an OpenOffice.org port, but it is nonfunctional in OpenBSD 4.0.
    One thing you won't get with OpenBSD is hardware 3-D acceleration for graphics cards, so while you can get a highly usable 24-bit color display in X.org with nearly any video card, you won't be able to play 3-D-accelerated games like Unreal Tournament or Tux Racer. The issue here is not X.org drivers but kernel drivers; Nvidia, AMD, and Intel refuse to make OpenBSD drivers or supply sufficient hardware documentation for OpenBSD programmers to make their own.
    Actually there are more than 5600 programs available for OpenBSD, but through a procedure that you'll learn about in a later section, you can also run Linux, FreeBSD, SCO Unix, System V Release 4, HP-UX, and BSD/OS binary programs in OpenBSD with little or no performance loss.
Operating systems derived from BSD have a well-earned reputation for stability and security. BSD was developed at a time when computing resources (disk space, network bandwidth, and memory) were meager by today’s standards. So BSD systems were operated by efficient commands, instead of the bloated applications and dumbed-down graphical interfaces often seen today.
    Because of the nature of BSD systems, people running those systems required a high level of expertise. Even when simplified graphical user interfaces based on the X Window System began to appear, to effectively operate a BSD system you still needed to know about such things as kernels, device drivers, modules, and daemons. Because security came before ease-of-use, a BSD expert needed to know how to deal with the fact that many features they may have wanted were not installed, or were turned off, by default.
    If you are someone who has used Linux before, transitioning to a BSD system shouldn’t be too hard. However, BSD systems tend to behave a bit more like older UNIX systems than they do like Linux. Many interfaces are text-based, offering lots of power if you know what you are doing. Despite that fact, however, all the major desktop components that, for example, you get with the GNOME desktop environment are available with BSD systems. So you don’t have to live on the command line.

Supported Architectures and Hardware
OpenBSD works with a diverse array of hardware on 16 different computing platforms, but for the sake of brevity, this guide will cover only the most popular and common CPU architectures: i386 (otherwise known as x86 or IA32) and AMD64 (also known as x86-64 or EM64T).
    Ideally you should have at least 10 GB of hard drive space (though you can get away with much less if you're building a network appliance) and at least 128 MB of RAM (but the more, the better).
    The BSD operating systems have an unwarranted reputation for poor peripheral hardware support. In reality, OpenBSD natively supports more network and RAID devices than any other operating system. That means two things:
  1. first, the days of hunting for and installing third-party drivers are over; 
  2. second, if a device isn't recognized out of the box by OpenBSD, there is nothing you can do to OpenBSD to get it to work. 
What you won't get, though, is support for chiefly desktop hardware such as high-end sound cards (though many ordinary sound cards will work), some kinds of scanners, and other things that are generally unnecessary in a server, network appliance, workstation, or work-oriented desktop machine. In other words, OpenBSD is not quite as suited to home desktop use as FreeBSD or GNU/Linux.
    What about laptop systems? Most Pentium 3, Celeron, Pentium M (Centrino), Pentium 4 M, Pentium 4, Celeron M, early Turion, and some Core Duo (Centrino Duo) notebook computers have been reported to work wonderfully with OpenBSD, softmodems and exotic hardware (like fingerprint readers, webcams, and certain Wi-Fi cards) aside. Native ACPI and wireless networking support in OpenBSD is frequently superior to that of even some of the fanciest desktop GNU/Linux distributions.
    If you have a mass-produced workstation or server, chances are good that everything you need to work (video, sound, network, drive controller, PCI/AGP controller) will be fully supported. If you have a home-built system that is more than a year old, it's probably going to be okay, too. If you just built a top-of-the-line Intel Core 2 Duo system with the latest, fanciest 802.11g wireless card, a $400 PCI Express video card, and you expect to set up a RAID-5 array with the built-in SATA fake-RAID controller on your just-released Abit motherboard...well, you're probably going to have at least a moderate amount of trouble with any operating system, but OpenBSD 4.0 probably won't work very well for you. The more your target computer resembles the latter scenario, the less pleased you'll be with OpenBSD at this time.
If you aren't sure if a critical piece of hardware will work with OpenBSD 4.0, your first stop should be the hardware compatibility list for your processor architecture: i386 (x86) or AMD64 (x86-64).


Other BSDs

So, what are these other versions of BSD, anyway? The main variants are NetBSD, FreeBSD, DragonFly BSD, Mac OS X, Solaris and BSD/OS.

NetBSD
NetBSD is the direct ancestor of OpenBSD and was written to run on as many different types of hardware as possible. So NetBSD has a reputation for being very portable, with versions of NetBSD running as an embedded system on a variety of hardware. NetBSD can run on anything from 32-bit and 64-bit PCs to personal digital assistants (PDAs) to VAX minicomputers.
    OpenBSD maintains much of this platform-independent design, but doesn't support all of the platforms NetBSD does. Moreover, unlike FreeBSD and NetBSD, which are covered under the BSD license, OpenBSD is covered primarily under the more-permissive Internet Systems Consortium (ISC) license.


FreeBSD
FreeBSD is the most popular of the BSD open-source operating system distributions. It can be operated as a server, workstation, or desktop system, but has also been used in network appliances and special-purpose embedded systems. It has a reputation for maximum performance.
    While the FreeBSD team considers security important, security is not its reason for eating, sleeping, and breathing as it is for the OpenBSD folks.

DragonFly BSD 
DragonFly BSD was originally based on FreeBSD. Its goal was to develop technologies different from FreeBSD in such areas as symmetric multiprocessing and concurrency. So the focus has been on expanding features in the kernel.

Other free (as in no cost, as well as freedom to do what you like with the code) operating systems based on BSD include Darwin (on which Mac OS X is based) and desktop-oriented systems such as PC-BSD and DesktopBSD. FreeSBIE is a live CD BSD system. Proprietary operating systems that have been derived from BSD include:

Mac OS X
The latest version of the Macintosh operating system is based on BSD. OpenBSD makes a comfortable and full-featured desktop for a computer professional, but may scare your grandparents. If you want a very friendly, candy-coated desktop that you can put down in front of grandma, but want power and flexibility under the hood, you might check it out. The source code for the graphic interface of Mac OS X is not available, but you can get the source code for the BSD layer and the Mach kernel from Apple.

    There is also a Mac OS X Server product available. Although Mac OS X was originally based on Darwin, it is considered a closed-source operating system with open source components.

SunOS
SunOS was developed by Sun Microsystems and was very popular as a professional workstation system. Sun stopped development of SunOS in favor of Solaris. However, because Solaris represented a merging of SunOS and UNIX System V, many BSD features made their way into Solaris.


BSD/OS
BSD/OS is a commercial, closed-source operating system produced by Wind River that greatly resembles the open-source BSDs. Some hardware manufacturers will not release specifications for their hardware unless the recipient signs a non-disclosure agreement (NDA). These NDAs are anathema to any open-source development project. Wind River will sign these NDAs and include reliable drivers for this hardware in BSD/OS. If you need to run particular server-grade hardware, and it isn't supported under OpenBSD or any other open-source BSD, you might investigate BSD/OS.

There is a larger list of BSD distributions that you can find at the DistroWatch site. Besides offering descriptions of those BSD distributions, you can also find links to where you can purchase or download the software.


OpenBSD Users (Not really a social OS)

OpenBSD is more than just a collection of bits on CD-ROM. It's also a community of users, developers, and contributors. This community can be a bit of a culture shock for anyone who doesn't know what to expect.
    Many other open-source operating systems place large amounts of effort into growing their user bases and bringing new people into the UNIX fold. The OpenBSD community doesn't. Most open-source UNIX-like operating systems do a lot of pro-UNIX advocacy. Again, OpenBSD doesn't. Some of the communities that have grown up around these operating systems actively welcome new users and do their best to make newbies feel welcome. OpenBSD does not. They are not trying to be the most popular operating system, just the best at what they do. The OpenBSD developers know exactly who their target market is: themselves.
    The OpenBSD community generally expects users to be advanced computer users. They have written extensive documentation about OpenBSD, and expect people to be willing to read it. They're not interested in coddling new UNIX users and will say so if pressed. They don't object to new UNIX users using OpenBSD, but do object to people asking them for basic UNIX help just because they happen to be running OpenBSD. If you're a new UNIX user, they will not hold your hand. They will not develop features just to please users. OpenBSD exists to meet the needs of the developers, and while others are welcome to ride along, the needs of the passengers do not steer the project.


OpenBSD Developers

So, how can a group of volunteers scattered all over the world actually create, maintain, and develop an operating system? Almost all discussion takes place via email and online chat. This can be slower than a face-to-face meeting, but is the only means by which people everywhere in the world can openly and reasonably communicate. This also has the advantage of providing a written record of discussions. OpenBSD has three tiers of developers:
  1. the coordinator, 
  2. the committers, and 
  3. the contributors.
Contributors
Contributors are OpenBSD users who have the skills necessary to add features to the operating system, fix problems, or write documentation. Almost anyone can be a contributor. Problems range from a typographical error in the documentation to a device driver that crashes the system under particular circumstances. Every feature that is included in OpenBSD is there because some contributor took the time to sit down and write the code for it. Contributors who submit careful, correct fixes are welcome in the OpenBSD group.
    If a contributor submits enough fixes of high enough quality, he may be offered the role of committer.

Committers
Committers are people who have direct access to the central OpenBSD source code repository. Most committers are skilled programmers who work on OpenBSD in their own time, as a hobby. They can make whatever changes they deem necessary for their OpenBSD projects, but are answerable to each other and to the project coordinator. They communicate via a variety of mailing lists, which are available for reading by interested parties. As these mailing lists are meant for developers to discuss coding and implementation details on, users asking basic questions are either ignored or asked to be quiet.
    A committer's work is frequently available on websites and mailing lists before being integrated into the main OpenBSD source code collection, allowing interested people to preview their work. While being a committer seems glamorous, these people also carry a lot of responsibility — if they break the operating system or change something so that it conflicts with the driving "vision" of the Project, they must fix it. All OpenBSD committers answer to the project coordinator.

Coordinator
Theo de Raadt started OpenBSD in 1995 and still coordinates the project. He is the final word on how the system works, what is included in the system and who gets direct access to the repository. He resolves all disputes that contributors and committers cannot resolve amongst themselves. Theo takes whatever actions are necessary to keep the OpenBSD Project running smoothly.
    Many people have very specific coordination roles within OpenBSD — quite a few architectures have a "point man" for issues that affect that hardware, the compiler has a maintainer, and so on. These are people who have earned that position of trust within the community. The only time that Theo acts as the final word is when someone has broken one of OpenBSD's few rules, such as bringing bad licenses into the source tree or behaving poorly with other committers.
    This style of organization, with a central benevolent dictator, avoids a lot of the problems other large open-source projects have with management boards, core teams, or other structures. When someone decides to work on OpenBSD, they can either accept Theo's decisions as final or risk conflicting with the main OpenBSD Project. Thanks to the cooperative nature of OpenBSD development, Theo doesn't have to use that Big Stick nearly as often as one might think.


OpenBSD's Strengths

So, what makes OpenBSD OpenBSD? Why bother with another open-source UNIX-like operating system when there are many out there, many closely related to OpenBSD? What makes this OS worth a computer, let alone entrusting with your corporate firewall?


Portability
OpenBSD is designed to run on a wide variety of popular processors and hardware platforms. These platforms include, but are not limited to: Intel (80386 and compatibles), Alpha, Macintosh (both PowerPC and 68000 models), almost everything from Sun, and a variety of more obscure platforms. Chances are, any computer you will come across can run OpenBSD. The OpenBSD team wants to support as many interesting hardware architectures as they have the hardware and skills to maintain, so more are being added regularly.


Power
OpenBSD runs on hardware that's been obsolete for ten years. This isn't a deliberate design decision — the hardware was in popular use when OpenBSD was started, and the developers try to maintain speed and compatibility when they can. People who are running OpenBSD on an ancient VAX quickly catch changes that badly affect system performance on 486s, while people running modern Pentium 4 would probably never notice. Some of these changes are required by the advancing nature of the Internet, changes in the tools used to build OpenBSD, and added functionality in the system, but those that are the result of programming errors or misunderstandings are caught quickly.
    OpenBSD leaves you every scrap of computing power possible to run your applications. In the end, people use applications and not operating systems. This means that a system with a one-gig disk and a 486 CPU can still make a solid web server once you install OpenBSD! A low-footprint operating system gives the most bang out of hardware.


Documented
OpenBSD has some of the industry's finest integrated documentation. Many free software projects are satisfied with releasing code. Some think that they're going above and beyond by including a help function in the program itself, available by typing some command-line flag. Others really go all out and provide a grammatically incorrect and technically vague manual page.
    OpenBSD's documentation is expected to be both complete and accurate. The manual pages for system and library calls are extensive, even when compared to the other BSDs, and include discussions on usage and security. In its audit of the OpenBSD source code tree, the OpenBSD team found any number of circumstances where people had used the library interface as the manual page said they should, but the manual page was incorrect! This created both potential and actual security problems. As such, a documentation error is considered a serious bug and treated as harshly as any other serious bug.


Free
In keeping with the spirit of the original BSD license, OpenBSD is free for use in any way by anyone. You can use it in any tool you like, on any computer, for any purpose. Most of today's free software is licensed under terms that require distributors of software to return any changes back to the project owner (the GPL license). OpenBSD doesn't come with even that minor requirement. You can take OpenBSD, modify it, and embed it in refrigerators that order replacement food over the Internet, without ever paying the developers a dime.
    OpenBSD is perhaps the freest of the free operating systems. Like every other free UNIX-like operating system, the source code tree inherited by OpenBSD originally contained a wide variety of programs that shipped under conditional licenses. Some were free for non-commercial use; some were free if you changed the name once you made a change to the code; others had a variety of obscure licensing terms, such as indemnifying a third party against lawsuits. These have been either ripped out or replaced with freely licensed alternatives. Theo de Raadt said on a mailing list during a discussion of licensing terms:
     We know what a free license should say.
        It should say
      * Copyright foo
      * I give up my rights and permit others to:
                      distribute
                      sell
                      give
                      modify
                      use
      * I retain the right to be known as the author/owner
      When it says something else, ask this:
      * - is it 100% guaranteed fluff which cannot ever affect anyone?
      * - is it giving away even more rights (the author right)?
      If not, then it must be giving someone more rights, or by the same token -
      taking more rights away from someone else!
      Then it is _less_ free than our requirements state!
The OpenBSD Project does a lot of work to guarantee that its licensing is as stringently free as its code is correct.


Correctness
OpenBSD developers strive to implement solutions correctly. This means that they follow UNIX standards such as POSIX and ANSI in their implementations. They make it a strict rule to write programs in a reliable and secure manner, following programming's best current practices. Every skilled programmer knows that programs written correctly are more reliable, predictable, and secure. Many free software producers are satisfied if it compiles and seems to work, however, and quite a few commercial software companies don't give their programmers time to write code that correctly. Code in OpenBSD has been made correct by dint of much hard work, and anyone who tries to introduce incorrect code will be turned away — generally politely, and often with constructive criticism, but turned away nonetheless. And that brings us to OpenBSD's most well-known claim to fame.


Security
OpenBSD strives to be the most secure operating system in the world. While it can reasonably make that claim now, it's a position that requires a constant struggle to maintain. People who break into systems are constantly trying new ways to penetrate computer systems, which means that today's feature may be tomorrow's security hole. As OpenBSD developers learn of new classes of programming errors and security holes, they scan the entire source tree for that class of problem and fix them before anyone even knows how they might be exploited. The history of computer security shows that users cannot be expected to patch or maintain their own systems; those systems must be secure out of the box. OpenBSD's goal is to eliminate those problems before they exist.
    If you work at a company implementing such technology, please base it on OpenBSD. I do not want my refrigerator to be hacked and find 4,000 gallons of sour cream on my doorstep the next day!


OpenBSD Security

Even though OpenBSD is tightly secured, computers running OpenBSD are still broken into. That might seem contradictory, but in truth it means that the person running the computer didn't understand computer security.
    OpenBSD has many integrated security features, but people frequently assume that these features handle security for everything that can be installed on the computer. A moment's thought will show that this really isn't possible. No operating system can protect itself from the computer operator's mistakes. An OS can protect itself from problems in installed software to a limited extent, but ultimately the responsibility for security is in the hands of the administrator.
Consider a web server program running on OpenBSD. OpenBSD will provide the server with a stable, reliable platform, and will do as the server program asks, within the permissions the systems administrator has assigned to it. If the systems administrator has set up the server in a careful and correct manner, something going wrong with the web server will not endanger the operating system. If the sysadmin has integrated the web server with OpenBSD or has chosen to let the web server run with unrestricted privileges, the web server can inflict almost unrestricted damage to the computer software. If an intruder breaks into such a web server, they can use that integration and high permissions setting to lever their way into the operating system itself.
If such a break-in happens, is it OpenBSD's fault? Obviously not. The systems administrator is expected to follow basic security precautions when installing and configuring programs. No operating system can protect itself from an ignorant or careless sysadmin. Ultimately, security is the responsibility of the systems administrator. Here, we will discuss some of the basic security precautions you should be taking when installing and running programs. We will also discuss the advanced security features OpenBSD offers in order to protect itself and help in your systems administration duties.
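
The web server scenario above, as an added example (not code from the original text or from OpenBSD): a server that needs root only to bind port 80 and gives it up permanently before serving anything. The `www` account name and the `drop_privileges` helper are assumptions made for illustration.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: permanently switch to an unprivileged uid/gid.
 * Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)                               /* "dropping" to root is not a drop */
        return -1;
    /* Groups first, then gid, then uid: once the uid changes we can no longer change groups. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Called as root, setgid()/setuid() replace the real, effective and saved ids. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return setuid(0) == 0 ? -1 : 0;             /* regaining root must fail */
}

int main(void)
{
    struct passwd *pw = getpwnam("www");        /* assumed unprivileged service account */
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(80);                    /* privileged port: binding needs root */
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (pw == NULL || fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0) {
        fprintf(stderr, "setup failed (needs root and a www account)\n");
        return 1;
    }
    /* Root was needed only for bind(); give it up before handling any request. */
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "refusing to serve with elevated privileges\n");
        return 1;
    }
    printf("listening on port 80 as uid %d\n", (int)getuid());
    close(fd);
    return 0;
}
```

If the drop fails, the program exits rather than continuing as root, which is the difference between the careful setup and the unrestricted one described above.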


OpenBSD's Uses

So, OpenBSD has all these nifty features, abilities, and strengths. Where does it fit into your "computing strategy"? That ultimately depends on what your strategy is and where you need it. OpenBSD can be used anywhere you need a solid, reliable, and secure system. I recommend OpenBSD for any of three different uses:
  • on the desktop, 
  • as a server, or 
  • as a network management device

Desktop
If you need a powerful desktop with all the features you'd expect from a complete UNIX-like workstation, OpenBSD will do nicely. Desktop GUIs, office suites, web browsers, and other programs an average user likes on a computer are available. OpenBSD supports a variety of
  • development tools
  • application environments
  • network servers, and 
  • other features needed by programmers and web developers. 
If you're a network administrator, OpenBSD supports
  • packet sniffers
  • traffic analyzers, and
  • all the other programs you might have come to rely upon.

Server
If you're
  • serving web pages
  • handling email
  • providing LDAP services, or 
  • offering any sort of network services to clients
OpenBSD can help you. It's a cheap and reliable platform. Once it's set up, it just works. Web servers, database servers, and more all work under OpenBSD. And, of course, it's secure, which you cannot underestimate on today's Internet.


Network Management
OpenBSD makes an excellent: 
You can use it to support:
The integrated PF firewall provides state-of-the-art network connection management and control and strips out many dangerous types of traffic before they even reach your servers. Of course, OpenBSD can do all this as cheaply and reliably as it can do anything else.


Resources

  • OpenBSD101
  • Faq
  • Documentation
  • Mailing lists
  • IRC chat: #openbsd
  • OpenBSD News
  • OpenBSD support
  • Forums
  • Absolute OpenBSD: UNIX for the Practical Paranoid
    by Michael W. Lucas
    (No Starch Press  2003)
    ISBN:1886411999
  • The OpenBSD 4.0 Crash Course
    By Jem Matzan (O'Reilly 2007)
    ISBN-10: 0-596-51015-2
  • BSD UNIX Toolbox: 1000+ Commands for FreeBSD, OpenBSD, and NetBSD Power Users
    by Christopher Negus, François Caen
    (Wiley 2008)
    ISBN: 978-0-470-37603-4
