1. EachPod

102: May Contain ZFS

Author
JT Pennington
Published
Wed 12 Aug 2015
Episode Link
https://www.bsdnow.tv/102

This week on the show, we'll be talking with Peter Toth. He's got a jail management system called "iocage" that's been getting pretty popular recently. Have we finally found a replacement for ezjail? We'll see how it stacks up.

This episode was brought to you by

Headlines

FreeBSD on Olimex RT5350F-OLinuXino


  • If you haven't heard of the RT5350F-OLinuXino-EVB, you're not alone (actually, we probably couldn't even remember the name if we did know about it)

  • It's a small board with a MIPS CPU, two ethernet ports, wireless support and... 32MB of RAM

  • This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment

  • In part two of the series, he talks about the GPIO and how you can configure it

  • Part three is still in the works, so check the site later on for further progress and info
    ***

The modern OpenBSD home router


  • In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network

  • "It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst"

  • Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless

  • This guide also covers PPP and IPv6, in case you have those requirements

  • In a similar but unrelated series, another user does a similar thing - his post also includes details on reusing your consumer router as a wireless bridge

  • He also has a separate post for setting up an IPSEC VPN on the router
    ***

NetBSD at Open Source Conference 2015 Kansai


  • The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference

  • They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event

  • Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k

  • They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it

  • And what conference would be complete without an LED-powered towel
    ***

OpenSSH 7.0 released


  • The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code

  • SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled

  • The syntax for permitting root logins has been changed, and is now called "prohibit-password" instead of "without-password" (this makes it so root can login, but only with keys) - all interactive authentication methods for root are also disabled by default now

  • If you're using an older configuration file, the "without-password" option still works, so no change is required

  • You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications

  • Various bug fixes and documentation improvements are also included

  • Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users

  • In the next release, even more deprecation is planned: RSA keys will be refused if they're under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled
    ***

Interview - Peter Toth - [email protected] / @pannonp

Containment with iocage

News Roundup

More c2k15 reports


  • A few more hackathon reports from c2k15 in Calgary are still slowly trickling in

  • Alexander Bluhm's up first, and he continued improving OpenBSD's regression test suite (this ensures that no changes accidentally break existing things)

  • He also worked on syslogd, completing the TCP input code - the syslogd in 5.8 will have TLS support for secure remote logging

  • Renato Westphal sent in a report of his very first hackathon

  • He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) - the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network

  • Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon

  • His report opens with "First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking." - not exactly beginner stuff

  • There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well
    ***

FreeBSD jails, the hard way


  • As you learned from our interview this week, there's quite a selection of tools available to manage your jails

  • This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf

  • Unlike with iocage, ZFS isn't actually a requirement for this method

  • If you are using it, though, you can make use of snapshots for making template jails
    ***

OpenSSH hardware tokens


  • We've talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?

  • This blog post will show you how to use a hardware token as a second authentication factor, for the "something you know, something you have" security model

  • It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd

  • Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too
    ***

LibreSSL 2.2.2 released


  • The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes

  • At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don't want in a crypto tool...) and much more

  • SSLv3 support was removed from the "openssl" command, and only a few other SSLv3 bits remain - once workarounds are found for ports that specifically depend on it, it'll be removed completely

  • Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc

  • It'll be in 5.8 (due out earlier than usual) and it's in the FreeBSD ports tree as well
    ***

Feedback/Questions

Share to: