When security is of the utmost importance, it's only logical to look to the same operating system that spawned today's standard in secure remote access, OpenSSH (Open Secure Shell). OpenSSH is just one part of OpenBSD, a distribution that has focused on security from the ground up, accomplishing a goal of creating a UNIX®-like operating system that is secure by default. This stand is in contrast to most operating systems today, which require significant time and energy to harden the environment before going live. In fact, OpenBSD is so secure that it was once banned for use in a DEF CON competition, where crackers go after each other's systems.
Berkeley Software Distribution (BSD) is one of the oldest and most common flavors of UNIX. Today, it has been split into multiple versions, with three common open source distributions leading the way:
While FreeBSD is the most widely used of the three distributions, each version has significant upsides that make choosing the correct solution an important decision. FreeBSD is the most general of the three and thrives in i386 environments. When security is the highest item on your priority list, OpenBSD is the right distribution. NetBSD offers a small and extremely portable alternative, running on a huge variety of architectures.
The OpenBSD audit process might be the biggest factor in the consistent security found in this distribution. A team of experienced developers focused on auditing each piece of code entered into the source tree. Codes are analyzed for security flaws as well as bugs in general -- bugs that might not affect general functionality but could be exploited as security flaws down the line. Every bug is taken seriously and immediately addressed. This proactive approach has kept OpenBSD from being susceptible to unknown exploits, which other distributions have to scramble to cover upon discovery.
Any environment in which security is important makes for a potential OpenBSD installation. In today's more security-conscious world -- a world in which computers are connected to the Internet 24x7 -- it's hard not to find a user who doesn't take security seriously, be it in a home, government, or corporate environment. Financial juggernauts have been known to rely on OpenBSD to secure corporate networks and customer records. OpenBSD might not have a huge user base compared to other UNIX-like operating systems, but it is installed at the most crucial points of many networks.
OpenBSD, being a close relative of NetBSD, also runs on a wide variety of hardware. Take a look:
- Alpha: Digital Alpha-based systems
- amd64: AMD64-based systems
- Cat: StrongARM 110 Evaluation Board
- hp300: Hewlett-Packard HP 9000 series 300 and 400 workstations
- HP/PA: Hewlett-Packard Precision Architecture (PA-RISC) systems
- i386: Standard computers based on the Intel® i386 architecture and compatible processors
- luna88k: Omron LUNA-88K and LUNA-88K2 workstations
- mac68k: Motorola 680x0-based Apple Macintosh with MMU
- macppc: Apple PowerPC-based machines, from the iMac on
- mvme68k: Motorola 680x0-based VME systems
- mvme88k: Motorola 881x0-based VME systems
- SGI: SGI MIPS-based workstations
- SPARC: Sun sun4-, sun4c-, and sun4m-class SPARC systems
- SPARC64: Sun UltraSPARC systems
- VAX: Digital VAX-based systems
- Zaurus: Sharp Zaurus C3x00 PDAs
Now that you've determined whether OpenBSD is an option for your hardware platform, let's take a closer look at some OpenBSD highlights.
The first package of note is OpenSSH, with which every UNIX and Linux® user is
familiar. However, many people might not know that it comes from OpenBSD developers.
OpenSSH was originally developed for OpenBSD and has since become the standard
Secure Shell (SSH) package, ported for just about every version of the UNIX,
Linux, and Microsoft® Windows® operating systems. OpenSSH includes
ssh for secure logins,
for secure copies, and
sftp -- a secure alternative
ftp. All source code falls into the open source
BSD license, following OpenBSD's directive to keep all proprietary code and
restrictive licensing schemes out of the distribution (which was the initial
impetus to create a new version of SSH). Every piece of software included in
OpenBSD is completely free, with no restrictions on use.
Because the OpenBSD project is based in Canada, no United States export restrictions on cryptography apply, allowing the distribution to make full use of modern algorithms for encryption. Encryption can be found almost everywhere in the operating system, from file transfers to file systems to networking. Pseudo-random number generators are also included in OpenBSD, which ensures that random numbers cannot be predicted based on the system state. Other features include cryptographic hash functions, cryptographic transform libraries, and cryptographic hardware support.
Another heavily exported piece of OpenBSD is the IP Security Protocol (IPSec), which the operating systems uses rather than relying on the inherently insecure TCP/IP Version 4 (IPV4). (IPV4 chooses to trust just about everybody and everything.) IPSec encrypts and validates packets to protect the privacy of data and to ensure that no changes are made to packets during the delivery process. IPSec became an integral piece of the standard Internet Protocol with the introduction of TCP/IP Version 6 (IPV6), making the future of the Internet more secure by default.
Because OpenBSD is both thin and secure, one of the most common OpenBSD implementation purposes is as a firewall. Firewalls operate at the ground level of most secure locations, and OpenBSD's implementation of packet filtering is top notch. Packet Filter (PF) -- an open source solution designed by the OpenBSD development community -- is the OpenBSD method of choice. Like many other pieces of OpenBSD software, its success has prompted the other BSD variants to port it into their own distributions.
OpenBSD is set up to be secure by default, so there aren't too many services that you must turn off to set up a rock-solid firewall. You will have to enable a second Ethernet interface and configure PF to your needs. See Resources for links to articles on how to set up an OpenBSD server as a firewall.
Most operating systems include little or no encryption in key elements, which creates an inherent lack of security. A big reason for this deficiency is the simple fact that most operating systems ship from the United States, where developers aren't allowed to export robust cryptographic software. Cryptographic hash libraries in OpenBSD include MD5, SHA1, and RIPEMD160. Cryptographic transform libraries in OpenBSD include Blowfish, Data Encryption Standard (DES), 3DES, and Cast.
Most of this cryptography operates behind the scenes, keeping users from having to become experts on cryptography to keep their systems safe. The OpenBSD development team understands that most administrators aren't experts in security and shouldn't be expected to jump through hoops to harden their environment. People who believe that OpenBSD isn't a user-friendly operating system are largely misinformed. If most administrators spent the time to put OpenBSD's default security measures in place on any other distribution, they would likely change their line of thinking.
Random numbers are a key component to making all this security happen. The OpenBSD kernel uses
interrupt information to create a constantly changing entropy pool that provides data to
seed cryptographic functions and provide numbers for transaction IDs. For instance,
pseudo-random numbers are used for process IDs and packet IDs, which makes spoofing
significantly more difficult for a would-be attacker. OpenBSD even uses random port
bind(2) system calls. Most UNIX-derived
operating systems either create IDs sequentially or have a simple algorithm that can be
exploited by predicting results.
While the OpenBSD team is still exploring more extensive encryption of the file system, steps have been taken to encrypt data where possible. The swap partition is divided into small sections, each encrypted with its own key, ensuring that sensitive data doesn't leak into an insecure part of the system -- a common problem on a traditional UNIX- or Linux-based system. If you want to encrypt user data, you can use Cryptographic File System (CFS) in OpenBSD. CFS operates at the user level, communicating with the kernel through Network File System (NFS). The system gives users transparent access to encrypted directories, so they can choose what data is encrypted without being burdened by the encrypt/decrypt process.
Note: See Resources for more information about cryptography in OpenBSD.
Without a full understanding of OpenBSD's benefits, new users might lean toward a familiar Linux distribution because they're intimidated by the BSD installation process, which has a reputation of being difficult. While the installation might not be what most users are accustomed to, this article provides a quick overview of the process to demonstrate how easy setup can be. Spending a bit of time to learn about the OpenBSD installation process to save hours locking down a Linux distribution that isn't secure by default is often the pragmatic decision.
There are several installation methods, and steps vary by platform. I focus on a basic CD-ROM installation on an i386 server (for example, a computer running an IBM server) by creating your own CD set. This process is not documented in the official FAQ.
First, visit the OpenBSD.org download page (see Resources),
choose any mirror on the list, and then go to
This is the first place you'll notice something different, if you're used to installing
Linux distributions. The only .iso file is a 5MB file called cd39.iso. Can this be
right? Don't worry: With an OpenBSD installation, the boot CD is a bare-bones kernel;
the rest is extracted from files that you can download and burn to an additional CD (or
purchase a CD set from OpenBSD.org to help support the project). Make sure you download
cd39.iso, all the .tgz files, bsd, bsd.rd, and bsd.mp. (Or, to make things easy, just
download everything in the directory.)
Create a boot CD from cd39.iso and label it Disk 1, as shown in Listing 1. Create a regular CD with all the other files in a directory called /3.9/i386/, and label it Disk 2, as shown in Listing 2. Other options include purchasing a CD set, performing a network installation, or building a custom .iso file, but I find the two-CD method easiest.
Listing 1. Use cd39.iso to create a boot CD
cd39.iso 02-Mar-2006 03:10 4.6M
Listing 2. Put the following files in a directory called /3.9/i386/ on Disk 2
base39.tgz 02-Mar-2006 03:10 38.6M bsd 02-Mar-2006 03:10 5.2M bsd.mp 02-Mar-2006 03:10 5.2M bsd.rd 02-Mar-2006 03:10 4.5M comp39.tgz 02-Mar-2006 03:10 71.8M etc39.tgz 02-Mar-2006 03:10 1.1M game39.tgz 02-Mar-2006 03:10 2.5M man39.tgz 02-Mar-2006 03:10 7.1M misc39.tgz 02-Mar-2006 03:10 2.2M xbase39.tgz 10-Mar-2006 12:04 10.1M xetc39.tgz 10-Mar-2006 12:04 88k xfont39.tgz 10-Mar-2006 12:04 31.7M xserv39.tgz 10-Mar-2006 12:04 19.0M xshare39.tgz 10-Mar-2006 12:04 2.0M
After you've created the installation CDs, boot the new server from Disk 1. Command prompts guide you through the installation process. You can find detailed instructions in Section 4 of the OpenBSD FAQ (see Resources).
The most complicated part is the Setting up disks section, but you can skip a lot of this information by choosing to use all of the disk for OpenBSD (if you don't have any other partitions you would like to retain). Regardless of your partitioning decision, make sure to follow the Creating a disklabel section step by step, with the only deviation being to create larger /usr and /home partitions, if you desire. Note the two-layer partitioning system in OpenBSD. The first step sets up traditional fdisk viewable partitions, while the second disklabel step sets up OpenBSD subpartitions.
Other than this, the only adjustment (to use your two-CD installation set) is to swap CDs at this step:
Let's install the sets! Location of sets? (cd disk ftp http or 'done') [cd]
Switch from Disk 1 to Disk 2 (the CD with all the files in /3.9/i386/).
With everything set up, you're ready to start computing.
In contrast to learning how to secure your system (which already has rational default settings), there are some steps that you might want to be aware of before you start administering your system as a new OpenBSD user.
First, by default, no users are included in the wheel group, which means that an attempt
to use the
su command will fail. Create new users from the
command line with the
adduser command, which leads you
through a simple question and answer session to set up defaults (a one-time process) and
to create your first user.
Say, for example, that you created a user called
bsdadmin is going to
be your primary administrative account, you want to be able to use the
su command to access the root account quickly. To do this, log
in under the root account, and then edit the /etc/group file to include
bsdadmin in the wheel
group. Simply append
bsdadmin to the first line (the one that
Second, check the system default settings in the /etc/ directory. Tread carefully here, as
most services are turned off by default for a reason. OpenBSD uses
rc.conf to launch most startup daemons. You'll see that services,
such as httpd and nfs, are turned off by default -- even PF is off. As an example, you can
turn Apache (httpd) on by adding the line
While OpenBSD might not have graphics-based tools to help in system administration, the
OpenBSD developers have given extra attention to providing extensive, accurate man pages
for each component of the operating system. I recommend that you make liberal use of the
man command any time you're confused or simply want
to learn about a new tool.
OpenBSD comes prepackaged with a small set of third-party components, again focusing on security and stability rather than trying do everything for everybody. Here's the default list of packages included in OpenBSD Version 3.9:
- OpenSSH Version 4.3
- X.org Version 6.9.0 (with V3.3 XFree86 servers included in i386 distributions)
- GCC Versions 2.95.3 and 3.3.5 (with Propolice stack protection technology enabled by default)
- Perl Version 5.8.6 (with patches and improvements from the OpenBSD team)
- Apache Version 1.3.29 Web server (including mod_ssl Version 2.8.16 and Dynamic Shared Object (DSO) support)
- OpenSSL Version 0.9.7g (with patches and improvements from the OpenBSD team)
- Groff Version 1.15
- Sendmail Version 8.13.4 (with libmilter)
- BIND Version 9.3.1 (with improvements in chroot operation and other security-related issues)
- Lynx Version 2.8.5rel.4 (with HTTP over Secure Sockets Layer (HTTPS) support added and patches from the OpenBSD team)
- Sudo Version 1.6.8p9
- Ncurses Version 5.2
- KAME IPv6
- Heimdal Version 0.7 (with patches)
- Arla Version 0.35.7
- gdb Version 6.3
Additional third-party packages are available, and you can easily install them with OpenBSD's pkg_add application. You can find full lists in the /3.9/packages/i386/ directory on OpenBSD mirrors. The pkg_add application takes a package name as input, automatically determines dependencies, and installs all necessary packages.
While the packages listed above have been specifically ported for OpenBSD, another tenet of
the platform is binary compatibility. OpenBSD supports binary emulation for most software
compiled for Linux, Solaris, HP-UX, and other forms of BSD. This functionality is turned
off by default. To turn it on, simply restart your system after removing the leading
#) character from /etc/sysctl.conf on the following line:
#kern.emul.linux=1 # enable running Linux binaries
In this way, you can run simple, statically-linked Linux applications. To run a wider variety of software, also install the Redhat/base package using pkg_add as described above.
OpenBSD strives to be the most secure UNIX derivation on the planet, and not much is left to be desired. Design principles, such as code auditing, extensive use of encryption, and careful configuration choices, combine to ensure OpenBSD's secure by default philosophy holds true. While it is most common to find OpenBSD installations in secure servers and firewalls, OpenBSD's wide hardware and software support makes the operating system suitable for a large range of purposes. UNIX and Linux gurus alike will find many parts of OpenBSD familiar, and they will likely appreciate the areas in which it purposely strays from the pack.
- OpenBSD home page: See what OpenBSD is all about.
- Documentation and Frequently Asked Questions: This page provides answers to common and not-so-common OpenBSD questions.
- Cryptography in OpenBSD: An Overview: For more information about how cryptography works in this system, read this paper by Theo de Raadt, et al.
- Firewalling with OpenBSD's PF packet filter: For more information about using OpenBSD as a firewall, read through this detailed guide by Peter N. M. Hansteen.
- OpenBSD's network stack: Get more information on OpenBSD's network security capabilities.
Cryptographic File System for UNIX: Read this paper for more information about CFS.
- AIX and UNIX: Want more? The developerWorks AIX and UNIX zone hosts hundreds of informative articles and introductory, intermediate, and advanced tutorials.
- New to AIX and UNIX: Visit the New to AIX and UNIX page to learn more about AIX and UNIX.
technical events and webcasts: Stay current with developerWorks technical events and webcasts.
- AIX 5L Wiki: A collaborative environment for technical information related to AIX.
- Podcasts: Tune in and catch up with IBM technical experts.
Get products and technologies
- OpenBSD mirrors: Download OpenBSD now.
- OpenBSD online ordering: Purchase OpenBSD CDs and other goods, or just to contribute to the cause.
- IBM trial software: Build your next development project with software for download directly from developerWorks.
Participate in the AIX and UNIX forums:
- AIX 5L -- technical
- AIX for Developers Forum
- Cluster Systems Management
- IBM Support Assistant
- Performance Tools -- technical
- Virtualization -- technical
- More AIX and UNIX forums
- Participate in the developerWorks
blogs and get involved in the developerWorks community.
Tim McIntire works as a consultant and co-founder of Cluster Corporation, a market leader in HPCC software, support, and consulting. He also contributes periodically to IBM developerWorks and Apple Developer Connection. Tim's research, conducted while leading the computer science effort at Scripps Institution of Oceanography's Digital Image Analysis Lab, has been published in a variety of journals, including Concurrency and Computation and IEEE Transactions on Geoscience and Remote Sensing. You can visit TimMcIntire.net to learn more.