The most touted claim about OpenBSD is its security – and it’s definitely a great point. I think that can scare some beginners though. I don’t want people to think of this only as a hardened, pain in the ass to use UNIX. It’s not.
“Features are liabilities.”
Let’s talk documentation. When was the last time you actually used ‘man’ on Linux? You will be flooded with an insane amount of documentation about every little switch. I didn’t even know nice man pages existed – that is, until I saw OpenBSD’s. I rarely use Google for OpenBSD – they’re seriously that good. In particular, they include a large number of example config files – so you can fill in the gaps with the rest of the documentation.
Linux no longer has a UNIX philosophical edge. Linux has become a research operating system. Sometimes Linux is more of a social movement than a kernel. Linux caters to both beginners and experts. Linux is confusing as hell. Too many distros, systemd, config files spewed all over the system, fractured package management systems, Software Collections, and who knows what else on the way. OpenBSD uses rc.conf, all config files (including ported apps) are in /etc, and there is one package management system.
Remember: features are liabilities. Some projects have so many liabilities, the OpenBSD team decided to roll their own:
- relayd is a load balancer, application layer gateway, and transparent proxy.
- vmm is a hypervisor.
- bgpd handles the BGP routing protocol (and
- iked allows for IPsec peering.
- npppd tunnels L2TP, PPTP, and PPPoE.
- nsd is a name server daemon.
- slowcgi is a FastCGI replacement (intentionally partial).
- httpd is an nginx replacement.
- libressl is an openssl replacement (after Heartbleed).
- openssh is an SSH replacement (after Tatu Ylönen changed SSH licensing).
- and many more…
You’ll definitely want to shop for hardware before you install it on bare metal – drivers are system specific. I would personally recommend a ThinkPad, and keep it to Intel NICs. NVidia hardware is barely supported, compared to Radeon.
Large applications (especially Chromium) crash often. OpenBSD is very strict with memory management, where other operating systems will commonly overlook memory access violations. Who needs valgrind?
Lack of software support for more complex applications. You’re not going to see docker, VirtualBox, metasploit, or any other behemoths. But if there is a need – they will roll their own.
Lack of enterprise support. There is no Red Hat for OpenBSD. However, any administrator who is comfortable in Linux, AIX, HP-UX, etc. should do just fine in OpenBSD. Remember – UNIX philosophy.
OpenBSD was the first to implement many of the following (almost all are enabled by default globally, not just user/kernel space):
- secure by default configs
- stack canaries
- W^X/NX bit
- position independent executables (PIE)
- “return-to-libc” esque mitigations
- encrypted swap
- randomized PIDs
- randomized malloc memblocks
- randomized network sequence numbers
- native full disk encryption
- telnetd removed from base in 2005
- bcrypt() implemented 1997 (how many sysadmins even know bcrypt/scrypt exist in 2019?)
- and many more…
Where other operating systems are still reactive, OpenBSD is proactive:
- constant code audits
- privilege separation (daemons have own user, are chroot’d)
- really, really strict privilege separation – default install and port apps that do not conform to a “security contract” will dump (via
- built-in crypto functions guide you to use only proven hash algos and encryption ciphers
- simplified configuration files (trust me – this matters a lot.)
- previously mentioned: strict memory management
- doas is simpler to configure)
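As an added illustration of the “simplified configuration” point (not taken from the original post), here is a constructed /etc/doas.conf that puts an overly broad rule next to narrower, least-privilege rules; the user name deploy and the httpd restart are assumed for the example, and rules are matched last-match-wins, so order matters.

```conf
# /etc/doas.conf (constructed example; adjust users, groups and commands to your system)

# Too broad: every wheel member runs anything as root with no authentication
# and keeps their full environment (PATH, LD_* and friends).
# permit nopass keepenv :wheel

# Narrow rules instead.

# wheel members may run any command as root, but must authenticate;
# "persist" caches the password for a short time instead of dropping the check.
permit persist :wheel

# The deploy user may only restart httpd, with exactly these arguments,
# and without a password prompt so it can be driven from a script.
permit nopass deploy as root cmd rcctl args restart httpd

# deploy gets nothing else; doas denies by default, but an explicit rule
# documents the intent and wins if a broader rule is added above it later.
deny deploy
```

Check a rule without running it with `doas -C /etc/doas.conf rcctl restart httpd` as the user in question; it prints permit, permit nopass, or deny.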
Next article looks at installing the OS, packages, and service administration.