Migrating to OpenBSD: Understanding OpenBSD
The most touted claim about OpenBSD is its security – and it’s definitely a great point. I think that can scare some beginners, though. I don’t want people to think of this only as a hardened, pain-in-the-ass-to-use UNIX. It’s not.
The Pros
“Features are liabilities.”
Let’s talk documentation. When was the last time you actually used ‘man’ on Linux? You get flooded with an insane amount of documentation about every little switch. I didn’t even know nice man pages existed – that is, until I saw OpenBSD’s. I rarely use Google for OpenBSD – they’re seriously that good. Notably, they include a large number of example config files – so you can fill in the gaps with the rest of the documentation.
Linux no longer has a UNIX philosophical edge. Linux has become a research operating system. Sometimes Linux is more of a social movement than a kernel. Linux caters to both beginners and experts. Linux is confusing as hell. Too many distros, systemd, config files spewed all over the system, fractured package management systems, Software Collections, and who knows what else on the way. OpenBSD uses init and rc.conf, all config files (including ported apps) are in /etc, and there is one package management system.
Remember: features are liabilities. Some projects have so many liabilities, the OpenBSD team decided to roll their own:
- relayd is a load balancer, application layer gateway, and transparent proxy.
- vmm is a hypervisor.
- bgpd handles the BGP routing protocol (and ospfd implements OSPF; ripd implements RIP).
- iked allows for IPsec peering.
- npppd tunnels L2TP, PPTP, and PPPoE.
- ldapd implements LDAP.
- nsd is a name server daemon.
- slowcgi is a FastCGI replacement (intentionally a partial replacement).
- httpd is an nginx replacement.
- libressl is an OpenSSL replacement (after Heartbleed).
- openssh is an SSH replacement (after Tatu Ylönen changed SSH licensing).
- and many more…
The Cons
You’ll definitely want to shop for hardware before you install it on bare metal – drivers are system specific. I would personally recommend a ThinkPad, and keep it to Intel NICs. NVidia hardware is barely supported, compared to Radeon.
Large applications (especially Chromium) crash often. OpenBSD is very strict with memory management, where other operating systems will commonly overlook memory access violations. Who needs valgrind?
Lack of software support for more complex applications. You’re not going to see docker, VirtualBox, metasploit, or any other behemoths. But if there is a need – they will roll their own.
Lack of enterprise support. There is no Red Hat for OpenBSD. However, any administrator who is comfortable in Linux, AIX, HP-UX, etc. should do just fine in OpenBSD. Remember – UNIX philosophy.
Security
OpenBSD was the first to implement many of the following (almost all are enabled by default globally, not just user/kernel space):
- secure by default configs
- stack canaries
- W^X/NX bit
- ASLR
- position independent executables (PIE)
- “return-to-libc”-esque mitigations
- encrypted swap
- randomized PIDs
- randomized malloc memblocks
- randomized network sequence numbers
- native full disk encryption
- telnetd replaced by sshd in 1999; telnetd removed from base in 2005
- bcrypt() implemented in 1997 (how many sysadmins even know b/scrypt exist in 2019?)
- and many more…
Where other operating systems are still reactive, OpenBSD is proactive:
- constant code audits
- privilege separation (daemons have own user, are chroot’d)
- really, really strict privilege separation – default install and port apps which do not conform to a “security contract” will dump (via the pledge() syscall)
- built-in crypto functions guide you to use only proven hash algos and encryption ciphers
- simplified configuration files (trust me – this matters a lot.)
- previously mentioned: strict memory management
- doas instead of sudo (doas is simpler to configure)
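To make the “security contract” item above concrete, here is an added example (my own, not code from the article or the OpenBSD project) of a program that declares its contract with pledge(2) and narrows it as each phase of work ends. The file path and its contents are constructed sample data; on hosts other than OpenBSD the stub pledge() compiles in and enforces nothing.

```c
/* Added example (not from the article): declare a "security contract"
 * with OpenBSD's pledge(2) and narrow it as each phase of work ends.
 * Once pledged, a syscall outside the promised set aborts the process
 * (SIGABRT + core dump) instead of succeeding.  Assumption: on hosts
 * other than OpenBSD the stub below compiles in and enforces nothing. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;   /* no-op outside OpenBSD */
    return 0;
}
#endif

/* Write a constructed sample file, read its first line back under
 * progressively tighter promises, return the line's length or -1. */
int run_demo(char *buf, size_t buflen)
{
    static const char path[] = "/tmp/pledge-demo.txt";   /* constructed */
    FILE *fp;
    /* Phase 1: creating a file needs "wpath" and "cpath". */
    if (pledge("stdio rpath wpath cpath", NULL) == -1)
        return -1;
    if ((fp = fopen(path, "w")) == NULL)
        return -1;
    fputs("hello from pledge\nsecond line\n", fp);
    fclose(fp);

    /* Phase 2: writing is over, so drop "wpath".  From here a stray
     * fopen(..., "w") would kill the process rather than succeed. */
    if (pledge("stdio rpath cpath", NULL) == -1)
        return -1;
    if ((fp = fopen(path, "r")) == NULL)
        return -1;
    unlink(path);        /* the open descriptor keeps the data readable */

    /* Phase 3: all resources are open; only I/O on existing
     * descriptors stays legal for the rest of the process. */
    if (pledge("stdio", NULL) == -1 || fgets(buf, (int)buflen, fp) == NULL) {
        fclose(fp);
        return -1;
    }
    fclose(fp);
    buf[strcspn(buf, "\n")] = '\0';
    return (int)strlen(buf);
}
```

On OpenBSD, adding a second fopen(path, "w") after the last pledge() call turns into an immediate abort with a core dump, which is the “will dump” behaviour the list item describes.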
Up Next
Next article looks at installing the OS, packages, and service administration.