Take a closer look at OpenBSD

Security where it counts

OpenBSD is quite possibly the most secure operating system on the planet. Every step of the development process focuses on building a secure, open, and free platform. UNIX® and Linux® administrators take note: Without realizing it, you probably use tools ported from OpenBSD every day. Maybe it's time to give the whole operating system a closer look.

Tim McIntire, Consultant, Freelance Writer

Tim McIntire works as a consultant and co-founder of Cluster Corporation, a market leader in HPCC software, support, and consulting. He also contributes periodically to IBM developerWorks and Apple Developer Connection. Tim's research, conducted while leading the computer science effort at Scripps Institution of Oceanography's Digital Image Analysis Lab, has been published in a variety of journals, including Concurrency and Computation and IEEE Transactions on Geoscience and Remote Sensing. You can visit TimMcIntire.net to learn more.



08 August 2006

When security is of the utmost importance, it's only logical to look to the same operating system that spawned today's standard in secure remote access, OpenSSH (Open Secure Shell). OpenSSH is just one part of OpenBSD, a distribution that has focused on security from the ground up, accomplishing a goal of creating a UNIX®-like operating system that is secure by default. This stand is in contrast to most operating systems today, which require significant time and energy to harden the environment before going live. In fact, OpenBSD is so secure that it was once banned for use in a DEF CON competition, where crackers go after each other's systems.

An overview of BSD

Berkeley Software Distribution (BSD) is one of the oldest and most common flavors of UNIX. Today, it has been split into multiple versions, with three common open source distributions leading the way:

  • FreeBSD
  • OpenBSD
  • NetBSD

While FreeBSD is the most widely used of the three distributions, each version has significant upsides that make choosing the correct solution an important decision. FreeBSD is the most general of the three and thrives in i386 environments. When security is the highest item on your priority list, OpenBSD is the right distribution. NetBSD offers a small and extremely portable alternative, running on a huge variety of architectures.


The OpenBSD audit process

The OpenBSD audit process might be the biggest factor in the consistent security found in this distribution. A team of experienced developers focuses on auditing each piece of code entered into the source tree. Code is analyzed for security flaws as well as bugs in general -- bugs that might not affect general functionality but could be exploited as security flaws down the line. Every bug is taken seriously and immediately addressed. This proactive approach has kept OpenBSD from being susceptible to unknown exploits, which other distributions have to scramble to cover upon discovery.


OpenBSD: Where and when

Any environment in which security is important makes for a potential OpenBSD installation. In today's more security-conscious world -- a world in which computers are connected to the Internet 24x7 -- it's hard to find a user who doesn't take security seriously, be it in a home, government, or corporate environment. Financial juggernauts have been known to rely on OpenBSD to secure corporate networks and customer records. OpenBSD might not have a huge user base compared to other UNIX-like operating systems, but it is installed at the most crucial points of many networks.

OpenBSD, being a close relative of NetBSD, also runs on a wide variety of hardware. Take a look:

  • Alpha: Digital Alpha-based systems
  • amd64: AMD64-based systems
  • Cat: StrongARM 110 Evaluation Board
  • hp300: Hewlett-Packard HP 9000 series 300 and 400 workstations
  • HP/PA: Hewlett-Packard Precision Architecture (PA-RISC) systems
  • i386: Standard computers based on the Intel® i386 architecture and compatible processors
  • luna88k: Omron LUNA-88K and LUNA-88K2 workstations
  • mac68k: Motorola 680x0-based Apple Macintosh with MMU
  • macppc: Apple PowerPC-based machines, from the iMac on
  • mvme68k: Motorola 680x0-based VME systems
  • mvme88k: Motorola 881x0-based VME systems
  • SGI: SGI MIPS-based workstations
  • SPARC: Sun sun4-, sun4c-, and sun4m-class SPARC systems
  • SPARC64: Sun UltraSPARC systems
  • VAX: Digital VAX-based systems
  • Zaurus: Sharp Zaurus C3x00 PDAs

OpenBSD core packages and features

Now that you've determined whether OpenBSD is an option for your hardware platform, let's take a closer look at some OpenBSD highlights.

OpenSSH

The first package of note is OpenSSH, with which every UNIX and Linux® user is familiar. However, many people might not know that it comes from OpenBSD developers. OpenSSH was originally developed for OpenBSD and has since become the standard Secure Shell (SSH) package, ported for just about every version of the UNIX, Linux, and Microsoft® Windows® operating systems. OpenSSH includes ssh for secure logins, scp for secure copies, and sftp -- a secure alternative to ftp. All source code falls into the open source BSD license, following OpenBSD's directive to keep all proprietary code and restrictive licensing schemes out of the distribution (which was the initial impetus to create a new version of SSH). Every piece of software included in OpenBSD is completely free, with no restrictions on use.

Cryptography

Because the OpenBSD project is based in Canada, no United States export restrictions on cryptography apply, allowing the distribution to make full use of modern algorithms for encryption. Encryption can be found almost everywhere in the operating system, from file transfers to file systems to networking. Pseudo-random number generators are also included in OpenBSD, which ensures that random numbers cannot be predicted based on the system state. Other features include cryptographic hash functions, cryptographic transform libraries, and cryptographic hardware support.

Another heavily exported piece of OpenBSD is the IP Security Protocol (IPSec), which the operating system uses rather than relying on the inherently insecure TCP/IP Version 4 (IPV4). (IPV4 chooses to trust just about everybody and everything.) IPSec encrypts and validates packets to protect the privacy of data and to ensure that no changes are made to packets during the delivery process. IPSec became an integral piece of the standard Internet Protocol with the introduction of TCP/IP Version 6 (IPV6), making the future of the Internet more secure by default.

OpenBSD as firewall

Because OpenBSD is both thin and secure, one of the most common OpenBSD implementation purposes is as a firewall. Firewalls operate at the ground level of most secure locations, and OpenBSD's implementation of packet filtering is top notch. Packet Filter (PF) -- an open source solution designed by the OpenBSD development community -- is the OpenBSD method of choice. Like many other pieces of OpenBSD software, its success has prompted the other BSD variants to port it into their own distributions.

OpenBSD is set up to be secure by default, so there aren't too many services that you must turn off to set up a rock-solid firewall. You will have to enable a second Ethernet interface and configure PF to your needs. See Resources for links to articles on how to set up an OpenBSD server as a firewall.


Encryption and random numbers

Most operating systems include little or no encryption in key elements, which creates an inherent lack of security. A big reason for this deficiency is the simple fact that most operating systems ship from the United States, where developers aren't allowed to export robust cryptographic software. Cryptographic hash libraries in OpenBSD include MD5, SHA1, and RIPEMD160. Cryptographic transform libraries in OpenBSD include Blowfish, Data Encryption Standard (DES), 3DES, and CAST.

Most of this cryptography operates behind the scenes, keeping users from having to become experts on cryptography to keep their systems safe. The OpenBSD development team understands that most administrators aren't experts in security and shouldn't be expected to jump through hoops to harden their environment. People who believe that OpenBSD isn't a user-friendly operating system are largely misinformed. If most administrators spent the time to put OpenBSD's default security measures in place on any other distribution, they would likely change their line of thinking.

Random numbers are a key component to making all this security happen. The OpenBSD kernel uses interrupt information to create a constantly changing entropy pool that provides data to seed cryptographic functions and provide numbers for transaction IDs. For instance, pseudo-random numbers are used for process IDs and packet IDs, which makes spoofing significantly more difficult for a would-be attacker. OpenBSD even uses random port assignments in bind(2) system calls. Most UNIX-derived operating systems either create IDs sequentially or have a simple algorithm that can be exploited by predicting results.

While the OpenBSD team is still exploring more extensive encryption of the file system, steps have been taken to encrypt data where possible. The swap partition is divided into small sections, each encrypted with its own key, ensuring that sensitive data doesn't leak into an insecure part of the system -- a common problem on a traditional UNIX- or Linux-based system. If you want to encrypt user data, you can use Cryptographic File System (CFS) in OpenBSD. CFS operates at the user level, communicating with the kernel through Network File System (NFS). The system gives users transparent access to encrypted directories, so they can choose what data is encrypted without being burdened by the encrypt/decrypt process.

Note: See Resources for more information about cryptography in OpenBSD.


Installing OpenBSD

Without a full understanding of OpenBSD's benefits, new users might lean toward a familiar Linux distribution because they're intimidated by the BSD installation process, which has a reputation of being difficult. While the installation might not be what most users are accustomed to, this article provides a quick overview of the process to demonstrate how easy setup can be. Spending a bit of time to learn about the OpenBSD installation process to save hours locking down a Linux distribution that isn't secure by default is often the pragmatic decision.

There are several installation methods, and steps vary by platform. I focus on a basic CD-ROM installation on an i386 server (for example, a computer running an IBM server) by creating your own CD set. This process is not documented in the official FAQ.

Step 1. Getting the distribution

First, visit the OpenBSD.org download page (see Resources), choose any mirror on the list, and then go to /3.9/i386/. This is the first place you'll notice something different, if you're used to installing Linux distributions. The only .iso file is a 5MB file called cd39.iso. Can this be right? Don't worry: With an OpenBSD installation, the boot CD is a bare-bones kernel; the rest is extracted from files that you can download and burn to an additional CD (or purchase a CD set from OpenBSD.org to help support the project). Make sure you download cd39.iso, all the .tgz files, bsd, bsd.rd, and bsd.mp. (Or, to make things easy, just download everything in the directory.)

Step 2. Create the installation media

Create a boot CD from cd39.iso and label it Disk 1, as shown in Listing 1. Create a regular CD with all the other files in a directory called /3.9/i386/, and label it Disk 2, as shown in Listing 2. Other options include purchasing a CD set, performing a network installation, or building a custom .iso file, but I find the two-CD method easiest.

Listing 1. Use cd39.iso to create a boot CD
cd39.iso                02-Mar-2006 03:10   4.6M

Listing 2. Put the following files in a directory called /3.9/i386/ on Disk 2
base39.tgz              02-Mar-2006 03:10  38.6M  
bsd                     02-Mar-2006 03:10   5.2M  
bsd.mp                  02-Mar-2006 03:10   5.2M  
bsd.rd                  02-Mar-2006 03:10   4.5M  
comp39.tgz              02-Mar-2006 03:10  71.8M  
etc39.tgz               02-Mar-2006 03:10   1.1M  
game39.tgz              02-Mar-2006 03:10   2.5M  
man39.tgz               02-Mar-2006 03:10   7.1M  
misc39.tgz              02-Mar-2006 03:10   2.2M  
xbase39.tgz             10-Mar-2006 12:04  10.1M  
xetc39.tgz              10-Mar-2006 12:04    88k  
xfont39.tgz             10-Mar-2006 12:04  31.7M  
xserv39.tgz             10-Mar-2006 12:04  19.0M  
xshare39.tgz            10-Mar-2006 12:04   2.0M

Step 3. Start the installation

After you've created the installation CDs, boot the new server from Disk 1. Command prompts guide you through the installation process. You can find detailed instructions in Section 4 of the OpenBSD FAQ (see Resources).

The most complicated part is the Setting up disks section, but you can skip a lot of this information by choosing to use all of the disk for OpenBSD (if you don't have any other partitions you would like to retain). Regardless of your partitioning decision, make sure to follow the Creating a disklabel section step by step, with the only deviation being to create larger /usr and /home partitions, if you desire. Note the two-layer partitioning system in OpenBSD. The first step sets up traditional fdisk viewable partitions, while the second disklabel step sets up OpenBSD subpartitions.

Other than this, the only adjustment (to use your two-CD installation set) is to swap CDs at this step:

Let's install the sets!
Location of sets? (cd disk ftp http or 'done') [cd]

Switch from Disk 1 to Disk 2 (the CD with all the files in /3.9/i386/).

Step 4. Start computing!

With everything set up, you're ready to start computing.


Sounds great, now how do I use it?

In contrast to learning how to secure your system (which already has rational default settings), there are some steps that you might want to be aware of before you start administering your system as a new OpenBSD user.

First, by default, no users are included in the wheel group, which means that an attempt to use the su command will fail. Create new users from the command line with the adduser command, which leads you through a simple question and answer session to set up defaults (a one-time process) and to create your first user.

Say, for example, that you created a user called bsdadmin. If bsdadmin is going to be your primary administrative account, you want to be able to use the su command to access the root account quickly. To do this, log in under the root account, and then edit the /etc/group file to include bsdadmin in the wheel group. Simply append bsdadmin to the first line (the one that says wheel:*:0:root).

Second, check the system default settings in the /etc/ directory. Tread carefully here, as most services are turned off by default for a reason. OpenBSD uses rc.conf to launch most startup daemons. You'll see that services, such as httpd and nfs, are turned off by default -- even PF is off. As an example, you can turn Apache (httpd) on by adding the line httpd=YES to /etc/rc.conf.
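
The two edits just described (adding an account to wheel in /etc/group and changing a service switch in /etc/rc.conf), as an added shell example that is not from the original article. The function names, the sample files, and the use of a pf variable are assumptions made for illustration; the files are constructed and every path is an argument, so nothing under /etc is touched.

```sh
#!/bin/sh
# Added example, not from the article. Paths are arguments so the edits can
# be rehearsed on copies before being applied to /etc/group or /etc/rc.conf.

# add_group_member FILE GROUP USER
# group(5) lines are name:passwd:gid:member,member,... Append USER unless it
# is already listed, without leaving a stray comma when the list is empty.
add_group_member() {
    file=$1; group=$2; user=$3
    grep -q "^${group}:" "$file" || { echo "no group '$group'" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -F: -v OFS=: -v g="$group" -v u="$user" '
        $1 == g {
            n = split($4, m, ","); found = 0
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
            if (!found) $4 = ($4 == "") ? u : ($4 "," u)
        }
        { print }' "$file" > "$tmp" && cat "$tmp" > "$file"  # cat keeps mode and owner
    rc=$?; rm -f "$tmp"; return $rc
}

# set_rc_var FILE NAME VALUE
# Rewrite an existing NAME=... line (keeping its trailing comment) or append
# NAME=VALUE if the variable is not present yet.
set_rc_var() {
    file=$1; name=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v n="$name" -v v="$value" '
        index($0, n "=") == 1 {
            p = index($0, "#")
            c = (p > 0) ? "\t" substr($0, p) : ""
            print n "=" v c
            seen = 1; next
        }
        { print }
        END { if (!seen) print n "=" v }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample files; the wheel line is the one quoted in the article.
    printf 'wheel:*:0:root\ndaemon:*:1:daemon\n' > "$d/group"
    printf 'pf=NO\t\t# Packet filter / NAT\n' > "$d/rc.conf"
    add_group_member "$d/group" wheel bsdadmin
    add_group_member "$d/group" wheel bsdadmin   # second run changes nothing
    set_rc_var "$d/rc.conf" pf YES               # "pf" is an assumed variable name
    cat "$d/group" "$d/rc.conf"
    rm -rf "$d"
}
demo
```

OpenBSD also reads /etc/rc.conf.local for local overrides, so the same function can be pointed at that file to leave the stock rc.conf untouched.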

While OpenBSD might not have graphics-based tools to help in system administration, the OpenBSD developers have given extra attention to providing extensive, accurate man pages for each component of the operating system. I recommend that you make liberal use of the stalwart man command any time you're confused or simply want to learn about a new tool.


What else can I do with it?

OpenBSD comes prepackaged with a small set of third-party components, again focusing on security and stability rather than trying to do everything for everybody. Here's the default list of packages included in OpenBSD Version 3.9:

  • OpenSSH Version 4.3
  • X.org Version 6.9.0 (with V3.3 XFree86 servers included in i386 distributions)
  • GCC Versions 2.95.3 and 3.3.5 (with Propolice stack protection technology enabled by default)
  • Perl Version 5.8.6 (with patches and improvements from the OpenBSD team)
  • Apache Version 1.3.29 Web server (including mod_ssl Version 2.8.16 and Dynamic Shared Object (DSO) support)
  • OpenSSL Version 0.9.7g (with patches and improvements from the OpenBSD team)
  • Groff Version 1.15
  • Sendmail Version 8.13.4 (with libmilter)
  • BIND Version 9.3.1 (with improvements in chroot operation and other security-related issues)
  • Lynx Version 2.8.5rel.4 (with HTTP over Secure Sockets Layer (HTTPS) support added and patches from the OpenBSD team)
  • Sudo Version 1.6.8p9
  • Ncurses Version 5.2
  • KAME IPv6
  • Heimdal Version 0.7 (with patches)
  • Arla Version 0.35.7
  • gdb Version 6.3

Additional third-party packages are available, and you can easily install them with OpenBSD's pkg_add application. You can find full lists in the /3.9/packages/i386/ directory on OpenBSD mirrors. The pkg_add application takes a package name as input, automatically determines dependencies, and installs all necessary packages.

While the packages listed above have been specifically ported for OpenBSD, another tenet of the platform is binary compatibility. OpenBSD supports binary emulation for most software compiled for Linux, Solaris, HP-UX, and other forms of BSD. This functionality is turned off by default. To turn it on, simply restart your system after removing the leading comment (#) character from /etc/sysctl.conf on the following line:

#kern.emul.linux=1      # enable running Linux binaries

In this way, you can run simple, statically-linked Linux applications. To run a wider variety of software, also install the Redhat/base package using pkg_add as described above.


Wrap-up

OpenBSD strives to be the most secure UNIX derivation on the planet, and not much is left to be desired. Design principles, such as code auditing, extensive use of encryption, and careful configuration choices, combine to ensure OpenBSD's secure by default philosophy holds true. While it is most common to find OpenBSD installations in secure servers and firewalls, OpenBSD's wide hardware and software support makes the operating system suitable for a large range of purposes. UNIX and Linux gurus alike will find many parts of OpenBSD familiar, and they will likely appreciate the areas in which it purposely strays from the pack.
