The most touted claim about OpenBSD is its security – and it’s definitely a great point. I think that can scare some beginners though. I don’t want people to think of this only as a hardened, pain-in-the-ass-to-use UNIX. It’s not.

The Pros

“Features are liabilities.”

Let’s talk documentation. When was the last time you actually used ‘man’ on Linux? You will be flooded with an insane amount of documentation about every little switch. I didn’t even know nice man pages existed – that is, until I saw OpenBSD’s. I rarely use Google for OpenBSD – they’re seriously that good. Namely, they have a large number of example config files – so you can fill in the gaps with the rest of the documentation.

Linux no longer has a UNIX philosophical edge. Linux has become a research operating system. Sometimes Linux is more of a social movement than a kernel. Linux caters to both beginners and experts. Linux is confusing as hell. Too many distros, systemd, config files spewed all over the system, fractured package management systems, Software Collections, and who knows what else on the way. OpenBSD uses init and rc.conf, all config files (including ported apps) are in /etc, and there is one package management system.

Remember: features are liabilities. Some projects have so many liabilities, the OpenBSD team decided to roll their own:

  • relayd is a load balancer, application layer gateway, and transparent proxy.
  • vmm is a hypervisor.
  • bgpd handles the BGP routing protocol (ospfd implements OSPF and ripd implements RIP).
  • iked allows for IPsec peering.
  • npppd tunnels L2TP, PPTP, and PPPoE.
  • ldapd implements LDAP.
  • nsd is a name server daemon.
  • slowcgi is an (intentionally partial) FastCGI replacement.
  • httpd is an nginx replacement.
  • libressl is an OpenSSL replacement (after Heartbleed).
  • openssh is an SSH replacement (after Tatu Ylönen changed SSH licensing).
  • and many more…

The Cons

You’ll definitely want to shop for hardware before you install it on bare metal – drivers are system-specific. I would personally recommend a ThinkPad, and keep it to Intel NICs. NVidia hardware is barely supported, compared to Radeon.

Large applications (especially Chromium) crash often. OpenBSD is very strict with memory management, where other operating systems will commonly overlook memory access violations. Who needs valgrind?

Lack of software support for more complex applications. You’re not going to see docker, VirtualBox, metasploit, or any other behemoths. But if there is a need – they will roll their own.

Lack of enterprise support. There is no Red Hat for OpenBSD. However, any administrator who is comfortable in Linux, AIX, HP-UX, etc. should do just fine in OpenBSD. Remember – UNIX philosophy.

Security

“This problem was fixed in OpenBSD about 6 months ago.”

OpenBSD was the first to implement many of the following (almost all are enabled by default globally, not just user/kernel space):

  • secure by default configs
  • stack canaries
  • W^X/NX bit
  • ASLR
  • position independent executables (PIE)
  • “return-to-libc”-esque mitigations
  • encrypted swap
  • randomized PIDs
  • randomized malloc memblocks
  • randomized network sequence numbers
  • native full disk encryption
  • telnetd replaced by sshd in 1999; telnetd removed from base in 2005
  • bcrypt() implemented 1997 (how many sysadmins even know b/scrypt exist in 2019?)
  • and many more…

Where other operating systems are still reactive, OpenBSD is proactive:

  • constant code audits
  • privilege separation (daemons have their own user and are chroot’d)
  • really, really strict privilege separation – default install and port apps which do not conform to a “security contract” will dump (via the pledge() syscall)
  • built-in crypto functions guide you to use only proven hash algos and encryption ciphers
  • simplified configuration files (trust me – this matters a lot.)
  • previously mentioned: strict memory management
  • doas instead of sudo (doas is simpler to configure)
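To make the pledge() “security contract” concrete, here is an added C example (mine, not from the article or the OpenBSD tree) of the usual two-phase pattern: promise the broad set a program needs at start-up, then shrink it once initialisation is done. It assumes /etc/passwd is readable; pledge() only exists on OpenBSD, so a non-enforcing stub is included purely so the file compiles elsewhere.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-in so the file compiles on other systems; it enforces nothing. */
static int pledge(const char *promises, const char *execpromises) {
    (void)promises; (void)execpromises;
    errno = ENOSYS;
    return -1;
}
#endif

/* Runs the two-phase pledge pattern in a child process and reports the outcome:
 *  1  the child was killed with SIGABRT when it broke its "stdio" promise (OpenBSD)
 *  0  the forbidden open() succeeded (pledge not enforced on this system)
 * -1  pledge() is unavailable, or fork()/waitpid() failed
 * -2  the permitted read in phase 1 unexpectedly failed */
int run_pledged_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Phase 1: start-up needs to read a file, so promise "stdio rpath". */
        if (pledge("stdio rpath", NULL) == -1) _exit(2);
        FILE *f = fopen("/etc/passwd", "r");   /* allowed by "rpath" */
        if (f == NULL) _exit(3);
        fclose(f);
        /* Phase 2: the main loop only needs stdio; promises may only shrink. */
        if (pledge("stdio", NULL) == -1) _exit(2);
        f = fopen("/etc/passwd", "r");         /* breaks the contract: SIGABRT + core dump on OpenBSD */
        if (f != NULL) fclose(f);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGABRT) return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 3) return -2;
    return -1;
}

int main(void) {
    printf("pledge violation outcome: %d\n", run_pledged_child());
    return 0;
}
```

On OpenBSD the kernel logs the violation (visible in dmesg) and the child dies with SIGABRT, which is exactly the “dump” the list above refers to.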

Up Next

Next article looks at installing the OS, packages, and service administration.