Take a closer look at OpenBSD

Security where it counts

When security is of the utmost importance, it's only logical to look to the same operating system that spawned today's standard in secure remote access, OpenSSH (Open Secure Shell). OpenSSH is just one part of OpenBSD, a distribution that has focused on security from the ground up, accomplishing a goal of creating a UNIX®-like operating system that is secure by default. This stand is in contrast to most operating systems today, which require significant time and energy to harden the environment before going live. In fact, OpenBSD is so secure that it was once banned for use in a DEF CON competition, where crackers go after each other's systems.

An overview of BSD

Berkeley Software Distribution (BSD) is one of the oldest and most common flavors of UNIX. Today, it has been split into multiple versions, with three common open source distributions leading the way:

FreeBSD

OpenBSD

NetBSD

While FreeBSD is the most widely used of the three distributions, each version has significant upsides that make choosing the correct solution an important decision. FreeBSD is the most general of the three and thrives in i386 environments. When security is the highest item on your priority list, OpenBSD is the right distribution. NetBSD offers a small and extremely portable alternative, running on a huge variety of architectures.

The OpenBSD audit process

The OpenBSD audit process might be the biggest factor in the consistent security found in this distribution. A team of experienced developers focused on auditing each piece of code entered into the source tree. Codes are analyzed for security flaws as well as bugs in general -- bugs that might not affect general functionality but could be exploited as security flaws down the line. Every bug is taken seriously and immediately addressed. This proactive approach has kept OpenBSD from being susceptible to unknown exploits, which other distributions have to scramble to cover upon discovery.

OpenBSD: Where and when

Any environment in which security is important makes for a potential OpenBSD installation. In today's more security-conscious world -- a world in which computers are connected to the Internet 24x7 -- it's hard not to find a user who doesn't take security seriously, be it in a home, government, or corporate environment. Financial juggernauts have been known to rely on OpenBSD to secure corporate networks and customer records. OpenBSD might not have a huge user base compared to other UNIX-like operating systems, but it is installed at the most crucial points of many networks.

OpenBSD, being a close relative of NetBSD, also runs on a wide variety of hardware. Take a look:

Alpha: Digital Alpha-based systems

Digital Alpha-based systems amd64: AMD64-based systems

AMD64-based systems Cat: StrongARM 110 Evaluation Board

StrongARM 110 Evaluation Board hp300: Hewlett-Packard HP 9000 series 300 and 400 workstations

Hewlett-Packard HP 9000 series 300 and 400 workstations HP/PA: Hewlett-Packard Precision Architecture (PA-RISC) systems

Hewlett-Packard Precision Architecture (PA-RISC) systems i386: Standard computers based on the Intel® i386 architecture and compatible processors

Standard computers based on the Intel® i386 architecture and compatible processors luna88k: Omron LUNA-88K and LUNA-88K2 workstations

Omron LUNA-88K and LUNA-88K2 workstations mac68k: Motorola 680x0-based Apple Macintosh with MMU

Motorola 680x0-based Apple Macintosh with MMU macppc: Apple PowerPC-based machines, from the iMac on

Apple PowerPC-based machines, from the iMac on mvme68k: Motorola 680x0-based VME systems

Motorola 680x0-based VME systems mvme88k: Motorola 881x0-based VME systems

Motorola 881x0-based VME systems SGI: SGI MIPS-based workstations

SGI MIPS-based workstations SPARC: Sun sun4-, sun4c-, and sun4m-class SPARC systems

Sun sun4-, sun4c-, and sun4m-class SPARC systems SPARC64: Sun UltraSPARC systems

Sun UltraSPARC systems VAX: Digital VAX-based systems

Digital VAX-based systems Zaurus: Sharp Zaurus C3x00 PDAs

OpenBSD core packages and features

Now that you've determined whether OpenBSD is an option for your hardware platform, let's take a closer look at some OpenBSD highlights.

OpenSSH

The first package of note is OpenSSH, with which every UNIX and Linux® user is familiar. However, many people might not know that it comes from OpenBSD developers. OpenSSH was originally developed for OpenBSD and has since become the standard Secure Shell (SSH) package, ported for just about every version of the UNIX, Linux, and Microsoft® Windows® operating systems. OpenSSH includes ssh for secure logins, scp for secure copies, and sftp -- a secure alternative to ftp . All source code falls into the open source BSD license, following OpenBSD's directive to keep all proprietary code and restrictive licensing schemes out of the distribution (which was the initial impetus to create a new version of SSH). Every piece of software included in OpenBSD is completely free, with no restrictions on use.

Cryptography

Because the OpenBSD project is based in Canada, no United States export restrictions on cryptography apply, allowing the distribution to make full use of modern algorithms for encryption. Encryption can be found almost everywhere in the operating system, from file transfers to file systems to networking. Pseudo-random number generators are also included in OpenBSD, which ensures that random numbers cannot be predicted based on the system state. Other features include cryptographic hash functions, cryptographic transform libraries, and cryptographic hardware support.

Another heavily exported piece of OpenBSD is the IP Security Protocol (IPSec), which the operating systems uses rather than relying on the inherently insecure TCP/IP Version 4 (IPV4). (IPV4 chooses to trust just about everybody and everything.) IPSec encrypts and validates packets to protect the privacy of data and to ensure that no changes are made to packets during the delivery process. IPSec became an integral piece of the standard Internet Protocol with the introduction of TCP/IP Version 6 (IPV6), making the future of the Internet more secure by default.

OpenBSD as firewall

Because OpenBSD is both thin and secure, one of the most common OpenBSD implementation purposes is as a firewall. Firewalls operate at the ground level of most secure locations, and OpenBSD's implementation of packet filtering is top notch. Packet Filter (PF) -- an open source solution designed by the OpenBSD development community -- is the OpenBSD method of choice. Like many other pieces of OpenBSD software, its success has prompted the other BSD variants to port it into their own distributions.

OpenBSD is set up to be secure by default, so there aren't too many services that you must turn off to set up a rock-solid firewall. You will have to enable a second Ethernet interface and configure PF to your needs. See Related topics for links to articles on how to set up an OpenBSD server as a firewall.

Encryption and random numbers

Most operating systems include little or no encryption in key elements, which creates an inherent lack of security. A big reason for this deficiency is the simple fact that most operating systems ship from the United States, where developers aren't allowed to export robust cryptographic software. Cryptographic hash libraries in OpenBSD include MD5, SHA1, and RIPEMD160. Cryptographic transform libraries in OpenBSD include Blowfish, Data Encryption Standard (DES), 3DES, and Cast.

Most of this cryptography operates behind the scenes, keeping users from having to become experts on cryptography to keep their systems safe. The OpenBSD development team understands that most administrators aren't experts in security and shouldn't be expected to jump through hoops to harden their environment. People who believe that OpenBSD isn't a user-friendly operating system are largely misinformed. If most administrators spent the time to put OpenBSD's default security measures in place on any other distribution, they would likely change their line of thinking.

Random numbers are a key component to making all this security happen. The OpenBSD kernel uses interrupt information to create a constantly changing entropy pool that provides data to seed cryptographic functions and provide numbers for transaction IDs. For instance, pseudo-random numbers are used for process IDs and packet IDs, which makes spoofing significantly more difficult for a would-be attacker. OpenBSD even uses random port assignments in bind(2) system calls. Most UNIX-derived operating systems either create IDs sequentially or have a simple algorithm that can be exploited by predicting results.

While the OpenBSD team is still exploring more extensive encryption of the file system, steps have been taken to encrypt data where possible. The swap partition is divided into small sections, each encrypted with its own key, ensuring that sensitive data doesn't leak into an insecure part of the system -- a common problem on a traditional UNIX- or Linux-based system. If you want to encrypt user data, you can use Cryptographic File System (CFS) in OpenBSD. CFS operates at the user level, communicating with the kernel through Network File System (NFS). The system gives users transparent access to encrypted directories, so they can choose what data is encrypted without being burdened by the encrypt/decrypt process.

Note: See Related topics for more information about cryptography in OpenBSD.

Installing OpenBSD

Without a full understanding of OpenBSD's benefits, new users might lean toward a familiar Linux distribution because they're intimidated by the BSD installation process, which has a reputation of being difficult. While the installation might not be what most users are accustomed to, this article provides a quick overview of the process to demonstrate how easy setup can be. Spending a bit of time to learn about the OpenBSD installation process to save hours locking down a Linux distribution that isn't secure by default is often the pragmatic decision.

There are several installation methods, and steps vary by platform. I focus on a basic CD-ROM installation on an i386 server (for example, a computer running an IBM server) by creating your own CD set. This process is not documented in the official FAQ.

Step 1. Getting the distribution

First, visit the OpenBSD.org download page (see Related topics), choose any mirror on the list, and then go to /3.9/i386/ . This is the first place you'll notice something different, if you're used to installing Linux distributions. The only .iso file is a 5MB file called cd39.iso. Can this be right? Don't worry: With an OpenBSD installation, the boot CD is a bare-bones kernel; the rest is extracted from files that you can download and burn to an additional CD (or purchase a CD set from OpenBSD.org to help support the project). Make sure you download cd39.iso, all the .tgz files, bsd, bsd.rd, and bsd.mp. (Or, to make things easy, just download everything in the directory.)

Step 2. Create the installation media

Create a boot CD from cd39.iso and label it Disk 1, as shown in Listing 1. Create a regular CD with all the other files in a directory called /3.9/i386/, and label it Disk 2, as shown in Listing 2. Other options include purchasing a CD set, performing a network installation, or building a custom .iso file, but I find the two-CD method easiest.

Listing 1. Use cd39.iso to create a boot CD

cd39.iso 02-Mar-2006 03:10 4.6M

Listing 2. Put the following files in a directory called /3.9/i386/ on Disk 2

base39.tgz 02-Mar-2006 03:10 38.6M bsd 02-Mar-2006 03:10 5.2M bsd.mp 02-Mar-2006 03:10 5.2M bsd.rd 02-Mar-2006 03:10 4.5M comp39.tgz 02-Mar-2006 03:10 71.8M etc39.tgz 02-Mar-2006 03:10 1.1M game39.tgz 02-Mar-2006 03:10 2.5M man39.tgz 02-Mar-2006 03:10 7.1M misc39.tgz 02-Mar-2006 03:10 2.2M xbase39.tgz 10-Mar-2006 12:04 10.1M xetc39.tgz 10-Mar-2006 12:04 88k xfont39.tgz 10-Mar-2006 12:04 31.7M xserv39.tgz 10-Mar-2006 12:04 19.0M xshare39.tgz 10-Mar-2006 12:04 2.0M

Step 3. Start the installation

After you've created the installation CDs, boot the new server from Disk 1. Command prompts guide you through the installation process. You can find detailed instructions in Section 4 of the OpenBSD FAQ (see Related topics).

The most complicated part is the Setting up disks section, but you can skip a lot of this information by choosing to use all of the disk for OpenBSD (if you don't have any other partitions you would like to retain). Regardless of your partitioning decision, make sure to follow the Creating a disklabel section step by step, with the only deviation being to create larger /usr and /home partitions, if you desire. Note the two-layer partitioning system in OpenBSD. The first step sets up traditional fdisk viewable partitions, while the second disklabel step sets up OpenBSD subpartitions.

Other than this, the only adjustment (to use your two-CD installation set) is to swap CDs at this step:

Let's install the sets! Location of sets? (cd disk ftp http or 'done') [cd]

Switch from Disk 1 to Disk 2 (the CD with all the files in /3.9/i386/).

Step 4. Start computing!

With everything set up, you're ready to start computing.

Sounds great, now how do I use it?

In contrast to learning how to secure your system (which already has rational default settings), there are some steps that you might want to be aware of before you start administering your system as a new OpenBSD user.

First, by default, no users are included in the wheel group, which means that an attempt to use the su command will fail. Create new users from the command line with the adduser command, which leads you through a simple question and answer session to set up defaults (a one-time process) and to create your first user.

Say, for example, that you created a user called bsdadmin . If bsdadmin is going to be your primary administrative account, you want to be able to use the su command to access the root account quickly. To do this, log in under the root account, and then edit the /etc/group file to include bsdadmin in the wheel group. Simply append bsdadmin to the first line (the one that says wheel:*:0:root ).

Second, check the system default settings in the /etc/ directory. Tread carefully here, as most services are turned off by default for a reason. OpenBSD uses rc.conf to launch most startup daemons. You'll see that services, such as httpd and nfs, are turned off by default -- even PF is off. As an example, you can turn Apache (httpd) on by adding the line httpd=YES to /etc/rc.conf.

While OpenBSD might not have graphics-based tools to help in system administration, the OpenBSD developers have given extra attention to providing extensive, accurate man pages for each component of the operating system. I recommend that you make liberal use of the stalwart man command any time you're confused or simply want to learn about a new tool.

What else can I do with it?

OpenBSD comes prepackaged with a small set of third-party components, again focusing on security and stability rather than trying do everything for everybody. Here's the default list of packages included in OpenBSD Version 3.9:

OpenSSH Version 4.3

X.org Version 6.9.0 (with V3.3 XFree86 servers included in i386 distributions)

GCC Versions 2.95.3 and 3.3.5 (with Propolice stack protection technology enabled by default)

Perl Version 5.8.6 (with patches and improvements from the OpenBSD team)

Apache Version 1.3.29 Web server (including mod_ssl Version 2.8.16 and Dynamic Shared Object (DSO) support)

OpenSSL Version 0.9.7g (with patches and improvements from the OpenBSD team)

Groff Version 1.15

Sendmail Version 8.13.4 (with libmilter)

BIND Version 9.3.1 (with improvements in chroot operation and other security-related issues)

Lynx Version 2.8.5rel.4 (with HTTP over Secure Sockets Layer (HTTPS) support added and patches from the OpenBSD team)

Sudo Version 1.6.8p9

Ncurses Version 5.2

KAME IPv6

Heimdal Version 0.7 (with patches)

Arla Version 0.35.7

gdb Version 6.3

Additional third-party packages are available, and you can easily install them with OpenBSD's pkg_add application. You can find full lists in the /3.9/packages/i386/ directory on OpenBSD mirrors. The pkg_add application takes a package name as input, automatically determines dependencies, and installs all necessary packages.

While the packages listed above have been specifically ported for OpenBSD, another tenet of the platform is binary compatibility. OpenBSD supports binary emulation for most software compiled for Linux, Solaris, HP-UX, and other forms of BSD. This functionality is turned off by default. To turn it on, simply restart your system after removing the leading comment ( # ) character from /etc/sysctl.conf on the following line:

#kern.emul.linux=1 # enable running Linux binaries

In this way, you can run simple, statically-linked Linux applications. To run a wider variety of software, also install the Redhat/base package using pkg_add as described above.

Wrap-up

OpenBSD strives to be the most secure UNIX derivation on the planet, and not much is left to be desired. Design principles, such as code auditing, extensive use of encryption, and careful configuration choices, combine to ensure OpenBSD's secure by default philosophy holds true. While it is most common to find OpenBSD installations in secure servers and firewalls, OpenBSD's wide hardware and software support makes the operating system suitable for a large range of purposes. UNIX and Linux gurus alike will find many parts of OpenBSD familiar, and they will likely appreciate the areas in which it purposely strays from the pack.

Downloadable resources

Related topics