
Archives for : OpenBSD

How to install Kippo SSH honeypot on OpenBSD 5.5 with chroot

This is a basic guide on how to install the Kippo SSH honeypot on OpenBSD 5.5 using chroot.

Please remember that this might be dangerous, since the hacker, depending on skill set, might find a way to escape from the honeypot or try to find other services that are related to you. Only run a honeypot if you know what you are doing, since the offender might retaliate.

More information about Kippo can be found here:

Don’t run Kippo as root, and use ports above 1024 (non-privileged ports). Use port forwarding if you want to listen on port 22.

smtpd instead of sendmail in OpenBSD

sendmail is in my opinion unnecessarily advanced and complicated for most installations, and there is a simpler solution already in base for OpenBSD: smtpd. This daemon is not active by default, but that is simple to change.

Stop sendmail

pkill sendmail

Edit /etc/mailer.conf and change to the following

sendmail        /usr/sbin/smtpctl
send-mail       /usr/sbin/smtpctl
mailq           /usr/sbin/smtpctl
makemap         /usr/libexec/smtpd/makemap
newaliases      /usr/libexec/smtpd/makemap
hoststat        /usr/libexec/sendmail/sendmail
purgestat       /usr/libexec/sendmail/sendmail

Rebuild aliases database


Make sure smtpd starts with the system and stop sendmail

echo "sendmail_flags=NO" >> /etc/rc.conf.local

echo "smtpd_flags=" >> /etc/rc.conf.local

Start smtpd



Modify /etc/mail/smtpd.conf for your system; it’s a dream in comparison to sendmail.

–  Johan Ryberg

Preorder OpenBSD 5.1 today

Theo de Raadt announced today that it’s now possible to preorder OpenBSD 5.1, which will be released May 1 2012. As usual, preorders are delivered a few days before the release date. It’s also important to buy, since the money is used by the developers to keep the project running.

It is that time again.  I have just activated pre-orders for CDs,
tshirts, and posters for the 5.1 release — due May 1.

At the same time, I am making available the song that will come out
with the release (hmm, it is still moving out to the ftp mirrors at
the moment, but that is ok).  The song and details of it are linked

And there is something else.  Five years ago we made available an
Audio CD that contained 5 years of songs.  Well, we have made a new
audio CD since enough new songs have been made.  It is not very
expensive, so please consider buying this as well when you place any
order.  It has some rather nice liner notes.  Had some great fun
coming up with the cover for that CD:

I’d also like to remind you that Michael Lucas’ new “SSH Mastery” book
is also now available, in case anyone was waiting for the 5.1 release
to place one order.

Please consider purchasing these items and/or making a donation, since
this is a very important revenue source which keeps the project going.

– Johan Ryberg

Configure SSH for high security

There are some steps to do after SSH is installed on a system. An old saying goes “A chain is only as strong as its weakest link”, and if you are using a weak password for your root account (or any other account) then you are extremely vulnerable. It does not matter that the communication is secure when the account is easily brute forced. All steps were done on Ubuntu 11.10 but should be the same on OpenBSD, Debian, Linux Mint or any other Linux distribution with no or very few modifications.

We are going to do the following steps

  • Create certificate
  • Set correct credentials to .ssh folder and files
  • Shut down the possibility to log in with a password
  • Prevent root from logging in via SSH
  • Remove less secure encryption methods
  • Enable visual identification of the server fingerprint
  • Optional: Change SSH port (does not really increase security)

Create certificate
We are going to use an RSA key with a key length of 4096 bits. Open a terminal and enter “ssh-keygen -t rsa -b 4096”. A 1024-bit key should be enough, but better safe than sorry.

johan@johan-laptop:~$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.

Then you will be asked where to store the key. If you already have keys in id_dsa then you should enter another file name or your existing keys will be overwritten. If you are satisfied with the suggestion, simply press enter.

Enter file in which to save the key (/home/johan/.ssh/id_rsa):

It’s now time to enter a password. Use a strong password with upper- and lower-case letters, numbers and symbols. The password should also be unique and stored in a secure place, such as an encrypted container like KeePass.

Enter passphrase (empty for no passphrase): 2sWf3+@/’?B>.%DpBU”r
Enter same passphrase again: 2sWf3+@/’?B>.%DpBU”r
Your identification has been saved in /home/johan/.ssh/id_rsa.

Your public key has been saved in /home/johan/.ssh/
The key fingerprint is:
The key’s randomart image is:
+--[ RSA 4096]----+
|     o++ ..o.    |
|      Eoo ..     |
|      . o   . .  |
|     .   o o +   |
|      . S   +    |
|     . o o o     |
|    . + o .      |
|     + o .       |
|    . .          |

Enable the public key for authentication
The public key should be stored in ~/.ssh/authorized_keys, and there can be more than one key for a single user. Just add a new row for each public key. If your key should be installed on the same system where you just created the private key, simply copy it to authorized_keys.

johan@johan-laptop:~$ cd ~/.ssh
johan@johan-laptop:~/.ssh$ cp authorized_keys

If you want to use the public key on another machine you can simply copy the public key using scp (secure copy). Please note that this will replace the existing authorized_keys if you already have one in place. To copy, simply enter the following command.

johan@johan-laptop:~/.ssh$ scp -p ~/.ssh/authorized_keys
johan@’s password:
authorized_keys 100% 1839 1.2MB/s 00:00

Set correct credentials to .ssh folder and files

Make sure that your working folder is your home folder, replace “johan” with your username.

johan@johan-laptop:~/.ssh$ cd ~
johan@johan-laptop:~$ sudo chown -R johan:johan .ssh
johan@johan-laptop:~$ sudo chmod -R 600 .ssh
johan@johan-laptop:~$ sudo chmod +x .ssh

Do a test log in to test the public key

johan@johan-laptop:~$ ssh johan@localhost
Enter passphrase for key ‘/home/johan/.ssh/id_rsa’:

After you have entered the private key password you should have access to your machine; if not, you will have to look for errors in the logs, but I will not cover that in this guide.

Configure sshd
The next step is to modify sshd. All settings we will change are in the file /etc/ssh/sshd_config. Start by making a backup of sshd_config, just in case.

johan@johan-laptop:/$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup


Use your preferred editor to edit sshd_config. I prefer vi but I will use nano in this example.

johan@johan-laptop:/$ sudo nano /etc/ssh/sshd_config

The following lines are going to be added or altered:

  • PermitRootLogin yes
  • #PasswordAuthentication yes
  • Ciphers

PermitRootLogin no

root should never be used to log in: it is much more secure to use a regular user and, when you need to perform an administrative task, use the command sudo, which gives you temporary administrative rights.
We are also going to remove the possibility to log in with a password (you will be forced to use the private key). Find the row which looks like this:

PermitRootLogin yes

Modify it to look like this

PermitRootLogin no

Find the row which looks like this

#PasswordAuthentication yes

Modify it to look like this

PasswordAuthentication no

At the end, a Ciphers line is going to be added. It may not apply to newer installations, but the default ciphers have not always been the best choices, and sshd should be forced to use only the strongest ones.

Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc

More information about why to alter the ciphers can be found here:

Verify these entries:

  • Protocol 2
  • UsePrivilegeSeparation yes
  • StrictModes yes
  • RSAAuthentication yes
  • PubkeyAuthentication yes

Save and exit

Restart sshd to activate the settings.

johan@johan-laptop:~/.ssh$ sudo service ssh restart
ssh start/running, process 2212
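The sshd_config changes above can be checked mechanically. The following is an added example, not part of the original post: a POSIX shell audit of the directives this guide sets. The function names are hypothetical and the sample file is constructed. Flagging arcfour* and *-cbc entries is an addition based on later OpenSSH releases, which removed these from the server's default cipher list.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the values this guide sets.
# Rules relied on: keywords are case-insensitive, the FIRST occurrence of a
# keyword wins, and everything after the first "Match" line is conditional.

# effective_value FILE KEYWORD -> prints the global value, or nothing if unset
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        $1 ~ /^#/ { next }                     # commented-out directive
        tolower($1) == "match" { exit }        # stop at the first Match block
        tolower($1) == want { print $2; exit } # first occurrence wins
    ' "$1"
}

# legacy_ciphers FILE -> space-separated RC4 (arcfour*) and CBC entries
legacy_ciphers() {
    effective_value "$1" Ciphers | awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^arcfour/ || $i ~ /-cbc$/) {
                sep = (out == "") ? "" : " "
                out = out sep $i
            }
        }
        print out
    }'
}

# audit_sshd_config FILE -> one line per directive; returns 0 only if every
# directive named in the guide has the value the guide asks for
audit_sshd_config() {
    file=$1
    findings=0
    while read -r keyword expected; do
        actual=$(effective_value "$file" "$keyword")
        if [ "$actual" = "$expected" ]; then
            echo "OK    $keyword $actual"
        elif [ -z "$actual" ]; then
            echo "UNSET $keyword (guide expects $expected; compiled-in default applies)"
            findings=$((findings + 1))
        else
            echo "FAIL  $keyword $actual (guide expects $expected)"
            findings=$((findings + 1))
        fi
    done <<EOF
PermitRootLogin no
PasswordAuthentication no
Protocol 2
UsePrivilegeSeparation yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample: the new PermitRootLogin line was appended instead of
# editing the existing one, PasswordAuthentication is still commented out,
# and the only active PasswordAuthentication sits inside a Match block.
write_sample_config() {
    cat > "$1" <<'EOF'
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#PasswordAuthentication yes
permitrootlogin no
Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc
Match User backup
    PasswordAuthentication no
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd_config "$sample" || echo "=> file does not match the guide yet"
echo "legacy ciphers listed: $(legacy_ciphers "$sample")"
rm -f "$sample"
```

On a live system, `sshd -t` checks the file for errors before the restart and `sshd -T` prints the effective configuration; keep an existing session open while testing.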

Enable visual identification of the server’s fingerprint (Visual Host Key)
It’s not easy to verify and remember the fingerprint of a host since it’s a long hexadecimal string that may look like this one: “31:b0:be:0b:5b:7c:f1:79:65:e4:72:42:18:08:c4:8d”. Someone may have altered the DNS record so that you are in fact trying to authenticate to a rogue server, and remembering that string is nearly impossible. A visual fingerprint is easier to remember, but it’s still not bulletproof. It’s best to verify the exact string every time, which most SSH clients do: OpenSSH, for example, stores host keys in ~/.ssh/known_hosts and gives you a warning if one has changed.

Do the following to enable visual host key

Edit either /etc/ssh/ssh_config, which affects all users on the system, or ~/.ssh/config to enable it for a single user.

Add the following lines (“Host *” is already at the top of ssh_config)

Host *
VisualHostKey yes

Test and verify
It’s now time to test and verify. You should not be able to log in without your private key, and password authentication should be disabled. You should also see the visual fingerprint when you try to log in.

Your SSH should be safer now, but remember that SSH was probably the most secure software on the system from the beginning with default settings, and MySQL, Apache or any other system also has to be secured.

–  Johan Ryberg

OpenBSD 5.0 out now

OpenBSD 5.0 is released today, which is really great. Flashboot will be upgraded fairly soon to be able to build 5.0, and I hope that will work within the next few days.

This is what Theo wrote about 5.0

Nov 1, 2011.

We are pleased to announce the official release of OpenBSD 5.0.
This is our 30th release on CD-ROM (and 31th via FTP). We remain
proud of OpenBSD’s record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.0 provides significant improvements,
including new features, in nearly all areas of the system:

- Improved hardware support, including:
o MSI interrupts for many devices, on those architectures which can
support them (amd64, i386, sparc64 only so far).
o A new dma_alloc(9) API makes it easier for kernel code to allocate
dma-safe memory. Many drivers (especially network drivers) and
subsystems (in particular scsi and the buffer cache) were adapted
to use this.
o As a result, big-memory support has been enabled on all possible
o The rather rare bce(4) driver now copies mbufs all the time, to cope
with the hardware having a 1GB limit.
o Added hds(4), a driver for Hitachi Modular Storage SCSI devices.
o Added myx(4), a driver for the Myricom Myri-10G 10GB Ethernet devices.
o Added dfs(4), a driver for Dynamic Frequency Switching on some macppc
o cardbus(4) and pcmcia(4) support on sgi.
o Suspend/resume support on Loongson Yeelong laptops.
o Interrupt handlers for bnx(4), em(4), ix(4) and sis(4) have been
improved reducing overhead and increasing performance.
o New acpitoshiba(4) driver providing ACPI support for Toshiba laptops.
o Added nvt(4), a driver for the W83795G and W83795ADG hardware monitor.
o Added support to sdhc(4) for the Ricoh 5U823 SD/MMC controller.
o A new fw_update(1) tool to install and update non-free firmware packages.

- Generic network stack improvements:
o Added support for sending Wake on LAN packets using arp(8).
o Permit turning Wake on LAN support on/off using ifconfig(8).
o Added Wake on LAN support to xl(4), re(4), and vr(4).
o Allow ftp-proxy to proxy across rdomains.
o The IPv4 stack will no longer accept ICMP redirects when
acting as a router.
o By default the IPv6 stack will not process ICMP6 redirects.
rtsol(8) will turn it back if -F is used.
o Reworked large parts of the dhclient(8) options processing for better
o Fixed carp(4) to work in IPv6 only setups.
o Make it possible to bind(2) to the local network broadcast address
on datagram and raw sockets.
o The default multicast reject route is now ignored if the UDP socket
uses the IP_MULTICAST_IF socket option.
o Make gre(4) work between systems in the same LAN.
o Removed the link1 mode special addressing mode on lo(4).
o New net.inet.tcp.always_keepalive sysctl, effectively enabling
SO_KEEPALIVE on all TCP sockets.

- Routing daemons and other userland network improvements:
o bgpd(8) no longer bumps the rlimits: the rc.d framework respects
login classes which is a much better solution.
o Correctly set the network filtersets on reload in bgpd(8).
o The routing socket is now sending RTM_DESYNC messages if the
socketbuffer overflows.
o Allow ospfd(8) to send out LS updates and other messages
larger than the MTU.
o Fixed nexthop calculation in ospfd(8) for directly connected P2P links.
o First bits to support opaque LSA in ospfd(8). Only basic redistribute
logic and LSDB handling for now.
o Creating new interfaces will no longer cause a fatal error in ospf6d(8).
o ospf6d(8) handles link-state changes better.
o Better loopback handling in ospf6d(8).
o No longer install extra multicast routes in ripd(8) and ldpd(8).
o Make kqueue(2) work with sosplice(9).
o Enabled sosplice(9) in relayd(8) for TCP.
o Added support for divert-to which provides some benefits over
rdr-to in relayd(8).
o Reload support in relayd(8) has been fixed.
o Fixed trap sending in snmpd(8).
o Make ping6(8) compare minimum amount of bytes between what
was received and what was sent out.
o Make traceroute(8) with type-of-service setted (-t) display
a message if the returned packet has a different tos type.
o Added the socket splicing fields of struct socket to netstat -vP output.
o tcpbench(1) now uses libevent and supports both TCP and UDP modes.
o TCP socket buffer sizes can now be displayed using the netstat(1) -B flag.
o tcpdump(8) can now filter on icmptype and tcpflags.
o bgplg(8) now supports “show ip bgp peer-as”.

- pf(4) improvements:
o Make pf(4) reassemble IPv6 fragments. In the forward case, pf
refragments the packets with the same maximum size.
o Allow pf(4) to filter on the rdomain a packet belongs to.
o Make pf(4) allow userland proxies to establish cross rdomain
proxy sessions.
o Added IPv6 ACK prioritization in pf(4).
o Change ‘set skip on <…>’ to work with interface groups.
o pfsync(4) supports IPv6 as network protocol.
o Switched ftp-proxy(8) over to divert-to instead of rdr-to.
o Switched tftp-proxy(8) over to divert-to instead of rdr-to.
o New very low overhead priority queueing implementation for pf(4) used via
the “prio” keyword.
o Support for least-states in load balancing pools and tables.
o Support for weighted round-robin in load balancing pools and tables.

- SCSI improvements:
o Most SCSI hardware drivers now use the new iopools infrastructure.
o scsi(4) devices are now all provided with a unique devid, which
is displayed during the probe process.
o ASC/ASCQ error codes and verbiage now in sync with
o Progress on iSCSI includes better login, better logout, preliminary
FSM support in iscsid(8), and improved logging and debug information.
o uk(4) can now safely and reliably detach an unknown SCSI device.
o SCSI multipath device and kernel support has been improved.
o vscsi(4) now ensures output always goes to the correct connection.
o vscsi(4) connections can now be reset gracefully.
o scsi(4) devices on fibre channel fabrics no longer inherit the adapter’s

- Assorted improvements:
o Kernel randomization speed and quality improved substantially.
o For additional security, security(8) was rewritten in Perl.
o Mandoc 1.11.4: Now accepts eqn(7) input (no fancy formatting yet)
and supports -Tutf8 output (but no utf8 input yet).
o Removed a variety of OS-compat emulation code, leaving just the Linux
o Small improvements to Linux compat (only available on i386).
o Improved our own pkg-config(1) implementation with extended comparison
scheme and implementing various new options.
o The math library, libm, was fully fleshed out to support all C99 required
parts. Many bugs for various architectures were fixed along the way.
o malloc(3) is a lot faster and has a few further security features (more
randomization, as well as the ‘S’ flag to enable all paranoia checks).
o ‘make depend’ is no longer necessary in kernel compilation directories
since the dependencies are calculated automatically.
o Increased the default size of the buffer cache.
o kqueue(2) now works on /dev/random and spliced sockets
o On MBR-based disks, scan through up to 256 extended partition tables
when looking for an OpenBSD partition table.
o Added POSIX 2008 fdopendir(3) and openat(2) functions, as well as the
o Improved lint format string checks and added a few other checks.
o kdump(8) now dumps stat and sockaddr structures, sysctl mib
strings, and decodes syscall flags and operation bits.
o Improved kernel pool debug checking.
o Improved correctness of signals and various syscalls when rthreads
are in use.
o Kernel malloc(9) space and stacks moved to non-dma memory.
o Fixed some shutdown/reboot hangs on NFS clients.
o UNIX-domain socket paths are now guaranteed to be NUL-terminated.
o Added support for *wprintf(3), wcs{,n}casecmp(3), and wcsdup(3).
o NULL is now a (void *).
o grep(1) now supports a -H option to always print filename headers.
o Whitelist expiry for spamlogd(8) can now be configured via a -W flag.
o ls(1) now supports the POSIX -H option to follow symbolic links specified
on the command line.
o disklabel(8) now tries the next auto-allocation scheme if the current one
fails due to insufficient available partitions.
o bc(1) gained editline(3) support.
o Many enhancements and new functionality has been added to tmux(1).
o disklabel(8) supports absolute resizing of partitions in auto-allocated
o newfs(8) accepts k/m/g suffixes for the -S and -s options.

- Install/Upgrade process changes:
o Completed support for DUID disk installs, and enabled it fully.
o Install non-free firmwares from the internet upon first boot, based on a
question in the installer.
o svnd(4)-like behaviour became the default for vnd(4) devices. This is
what is used to build the media.

- rc.d(8) framework improvements:
o rc.d(8) is now also used for the base system daemons.
o Backward compatible with the historic way of starting daemons.
o Notify the user by appending (ok) or (failed) in interactive mode.
o Better diagnostics with the introduction of RC_DEBUG.

- OpenSSH 5.9:
o New features:
- Introduce sandboxing of the pre-auth privsep child using an
optional sshd_config(5) “UsePrivilegeSeparation=sandbox” mode
that enables mandatory restrictions on the syscalls the privsep
child can perform.
- Add new SHA256-based HMAC transport integrity modes from
These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
and hmac-sha2-512-96, and are available by default in ssh(1)
and sshd(8).
- The pre-authentication sshd(8) privilege separation slave process
now logs via a socket shared with the master process, avoiding
the need to maintain /dev/log inside the chroot.
- ssh(1) now warns when a server refuses X11 forwarding.
- sshd_config(5)’s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace. The undocumented AuthorizedKeysFile2
option is deprecated (though the default for AuthorizedKeysFile
includes .ssh/authorized_keys2).
- sshd_config(5): similarly deprecate UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile and
GlobalKnownHostsFile accept multiple options and default to
include known_hosts2.
- sshd_config(5)’s ControlPath option now expands %L to the host
portion of the destination host name.
- sshd_config(5) “Host” options now support negated Host matching.
- sshd_config(5): a new RequestTTY option provides control over
when a TTY is requested for a connection, similar to the existing
-t/-tt/-T ssh(1) commandline options.
- ssh-keygen(1): Add -A option. For each of the key types (rsa1,
rsa, dsa and ecdsa) for which host keys do not exist, generate
the host keys with the default key file path, an empty passphrase,
default bits for the key type, and default comment. This is useful
for system initialisation scripts.
- ssh(1): Allow graceful shutdown of multiplexing: request that
mux server removes its listener socket and refuse future
multiplexing requests but don’t kill existing connections. This
may be requested using “ssh -O stop …”.
- ssh-add(1): now accepts keys piped from standard input.
- Retain key comments when loading v.2 keys. These will be visible
in “ssh-add -l” and other places. (bz#439)
- ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as
IPv4 ToS/DSCP). (bz#1855)
o The following significant bugs have been fixed in this
- sshd(8): allow GSSAPI authentication to detect when a server-side
failure causes authentication failure and don’t count such failures
against MaxAuthTries. (bz#1244)
- ssh-keysign(8): now signs hostbased authentication challenges
correctly using ECDSA keys. (bz#1858)

- Over 7,200 ports, major robustness and speed improvements in package tools.
- Many pre-built packages for each architecture:
o i386: 7008 o sparc64: 6456
o alpha: 6046 o sh: 3721
o amd64: 6960 o powerpc: 6691
o sparc: 3277 o arm: 2963
o hppa: 6125 o vax: 1409
o mips64: 5689 o mips64el: 5709

- Some highlights:
o Gnome 2.32.2 o KDE 3.5.10
o Xfce 4.8.0 o MySQL 5.1.54
o PostgreSQL 9.0.5 o Postfix 2.8.4
o OpenLDAP 2.3.43 and 2.4.25 o Mozilla Firefox 3.5.19, 3.6.18 and 5.0
o Mozilla Thunderbird 5.0 o GHC 7.0.4
o LibreOffice o Emacs 21.4, 22.3 and 23.3
o Vim 7.3.154 o PHP 5.2.17 and 5.3.6
o Python 2.4.6, 2.5.4 and 2.7.1 o Ruby and
o Mono 2.10.2 o Chromium 12.0.742.122
o Groff 1.21

- As usual, steady improvements in manual pages and other documentation.
o Base system and Xenocara manuals are now installed as source code,
making grep(1) more useful in /usr/share/man/ and /usr/X11R6/man/.
o If both formatted and source versions of manuals are installed,
man(1) automatically displays the newer version of each page.

- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.6 with xserver 1.9 + patches,
freetype 2.4.5, fontconfig 2.8.0, Mesa 7.8.2, xterm 270,
xkeyboard-config 2.3 and more)
o Gcc 2.95.3 (+ patches), 3.3.5 (+ patches) and 4.2.1 (+patches)
o Perl 5.12.2 (+ patches)
o Our improved and secured version of Apache 1.3, with
SSL/TLS and DSO support
o OpenSSL 1.0.0a (+ patches)
o Sendmail 8.14.5, with libmilter
o Bind 9.4.2-P2 (+ patches)
o Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
o Sudo 1.7.2p8
o Ncurses 5.7
o Heimdal 0.7.2 (+ patches)
o Arla 0.35.7
o Binutils 2.15 (+ patches)
o Gdb 6.3 (+ patches)

If you’d like to see a list of what has changed between OpenBSD 4.9
and 5.0, look at

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.
We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 5.0 FTP/CD-ROM binaries and the actual 4.9
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems — and we always provide patches as soon as
possible. Therefore, we advise regular visits to

Security patch announcements are sent to the
mailing list. For information on OpenBSD mailing lists, please see:
OpenBSD 5.0 is also available on CD-ROM. The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world. The set includes a colourful booklet which carefully explains the
installation of OpenBSD. A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol). As an added bonus, the second CD contains an audio
track, a song entitled “What Me Worry?”. MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

Profits from CD sales are the primary income source for the OpenBSD
project — in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 5.0 CD-ROMs are bootable on the following four platforms:

o i386
o amd64
o macppc
o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from. For our default mail order, go directly to:

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. Additionally, donations to the project are
highly appreciated, as described in more detail at:
For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation ( is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses. There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD’s
infrastructure needs. Contact the foundation directors at for more information.
The OpenBSD distribution companies also sell tshirts and polo shirts.
And our users like them, too. We have a variety of shirts available,
with the new and old designs, from our web ordering system at, as
described above.
If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP or HTTP downloads. Typically you need a single
small piece of boot media (e.g., a boot floppy) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet. Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via FTP or HTTP. With the CD-ROMs,
the necessary documentation is easier to find.

1) Read either of the following two files for a list of ftp/http
mirrors which provide OpenBSD, then choose one near you:

As of Nov 1, 2011, the following ftp mirror sites have the 5.0 release: Stockholm, Sweden Oldenburg, Germany Zurich, Switzerland Paris, France Vienna, Austria Brisbane, Australia CO, USA CA, USA Michigan, USA

The release is also available at the master site: Alberta, Canada

However it is strongly suggested you use a mirror.

Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
pub/OpenBSD/5.0/ which contains these files and directories.
This is a list of what you will see:

ANNOUNCEMENT armish/ mvme68k/ sparc64/
Changelogs/ ftplist mvme88k/ src.tar.gz
HARDWARE hp300/ packages/ sys.tar.gz
PACKAGES hppa/ ports.tar.gz tools/
PORTS i386/ root.mail vax/
README landisk/ sgi/ xenocara.tar.gz
alpha/ mac68k/ socppc/ zaurus/
amd64/ macppc/ sparc/

It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.

HARDWARE – list of hardware we support
PORTS – description of our “ports” tree
PACKAGES – description of pre-compiled packages
root.mail – a copy of root’s mail at initial login.
(This is really worthwhile reading).

3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
for example, i386. This is a list of what you will see:

INSTALL.i386 cd50.iso floppyB50.fs pxeboot*
INSTALL.linux cdboot* floppyC50.fs xbase50.tgz
MD5 cdbr* game50.tgz xetc50.tgz
base50.tgz cdemu50.iso index.txt xfont50.tgz
bsd* comp50.tgz install50.iso xserv50.tgz* etc50.tgz man50.tgz xshare50.tgz
bsd.rd* floppy50.fs misc50.tgz

If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
and the appropriate floppy*.fs or install50.iso files. Consult the
INSTALL.i386 file if you don’t know which of the floppy images
you need (or simply fetch all of them).

If you use the install50.iso file (roughly 250MB in size), then you
do not need the various *.tgz files since they are contained on that
one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.i386. INSTALL.i386 may tell you that you
need to fetch other files.

6) Just in case, take a peek at:

This is the page where we talk about the mistakes we made while
creating the 5.0 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
you can use “fdimage.exe” located in the pub/OpenBSD/5.0/tools
directory to do so.
X.Org has been integrated more closely into the system. This release
contains X.Org 7.6. Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc. During installation, you can install
X.Org quite easily. Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.
The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 5.0 ports collection,
including many of the distribution files, is included on the 3-CD
set. Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD. Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).
A large number of binary packages are provided. Please see the PACKAGES
file ( for more details.
The CD-ROMs contain source code for all the subsystems explained
above, and the README (
file explains how to deal with these source files. For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.0/ directory:

xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
Ports tree and package building by Jasper Lievisse Adriaanse,
Landry Breuil, Michael Erdely, Stuart Henderson, Peter Hessler,
Paul Irofti, Antoine Jacoutot, Robert Nagy, and Christian Weisgerber.
System builds by Theo de Raadt, Mark Kettenis, and Miod Vallat.
X11 builds by Todd Fries and Miod Vallat. ISO-9660 filesystem
layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 5.0 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

Alexander Bluhm, Alexander Hall, Alexander Schrijver,
Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov,
Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot,
Ariane van der Steldt, Austin Hook, Benoit Lecocq, Bernd Ahlers,
Bob Beck, Bret Lambert, Charles Longeau, Chris Kuethe,
Christian Weisgerber, Christiano F. Haesbaert, Claudio Jeker,
Dale Rahn, Damien Bergamini, Damien Miller, Darren Tucker,
David Coppa, David Gwynne, David Hill, David Krause, Edd Barrett,
Eric Faurot, Federico G. Schwindt, Felix Kronlage, Gilles Chehade,
Giovanni Bechis, Gleydson Soares, Henning Brauer, Ian Darwin,
Igor Sobrado, Ingo Schwarze, Jacek Masiulaniec, Jakob Schlyter,
Janne Johansson, Jason George, Jason McIntyre, Jason Meltzer,
Jasper Lievisse Adriaanse, Jeremy Evans, Jim Razmus II, Joel Sing,
Joerg Zinke, Jolan Luff, Jonathan Armani, Jonathan Gray,
Jonathan Matthew, Jordan Hargrave, Joshua Stein,
Kenneth R Westerback, Kevin Lo, Kevin Steves, Kurt Miller,
Landry Breuil, Laurent Fanis, Marc Espie, Marco Peereboom,
Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden,
Mark Uemura, Markus Friedl, Martin Pieuchot, Martynas Venckus,
Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb,
Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat,
Nayden Markatchev, Nicholas Marriott, Nick Holland, Nigel Taylor,
Nikolay Sturm, Okan Demirmen, Otto Moerbeek, Owain Ainsworth,
Paul de Weerd, Paul Irofti, Peter Hessler, Peter Valchev,
Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard,
Remi Pointel, Reyk Floeter, Robert Nagy, Ryan Freeman,
Ryan Thomas McBride, Sasano, Sebastian Reitenbach, Simon Bertrang,
Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt,
Thordur I Bjornsson, Tobias Weingartner, Todd C. Miller, Todd Fries,
Will Maier, William Yodlowsky, Yasuoka Masahiko, Yojiro Uo

– Johan Ryberg

mysqlbackup-ng revamped

MySQLBackup-NG is a nice little script that backs up MySQL databases, compresses the file and then sends it with scp to the desired location.

I have almost completely rewritten it since version 1.1, which was previously on Google Code, which means that 2.0 is 100% POSIX-compatible and works on both OpenBSD and Linux, for example Ubuntu Server 10.04.

You can find MySQLBackup-NG on github:

–  Johan Ryberg

Preorder OpenBSD 5.0 now

OpenBSD 5.0 will be released on November 1, and if you preorder now you usually get the discs a couple of days early, which for some of us is an early Christmas present.

You might wonder why you should buy a disc, and the answer is simple. Without sales or sponsorship OpenBSD cannot live on, because it costs money to keep the whole machinery running.

The best option is to donate money directly to the project, since then all of it goes into the funds, but if you work at a company it may be easier to get approval for buying a physical product, and then the disc sales are a perfect alternative.

For those of us in Europe it is easiest to buy via OpenBSD Europe, which you can find here:

If you would rather donate, detailed instructions are available here:

–  Johan Ryberg

Flashboot 4.9 now on github, incl. images and live CD

I completely forgot to mention this; a lot of work and quite a few late evenings testing Flashboot are probably the main reason.

Flashboot is a script that builds a minimalistic OpenBSD kernel with the most basic tools. To simplify things further there are also scripts that build an image of a complete file system that can be put on flash memory and run on, for example, a Soekris 4801. The scripts also build a live CD if you want to try it on your PC or virtually. If you want to run it virtually, for example in Virtualbox, it is however better to run GENERIC-RD.image, but that takes some work, and a guide on how to do it will appear here a little later.

You can find Flashboot here:

Prebuilt binaries of both the kernel and complete file systems are available here:

–  Johan Ryberg


pfSense 2.0 out now

A few days late, but this is big enough that it doesn't matter.

pfSense is a software firewall that you install on suitable hardware, on either a traditional hard disk or a flash disk. FreeBSD 8.1 is used underneath, with OpenBSD's pf as the firewall.

You can read about all the new features here:

pfSense home page:

–  Johan Ryberg

Flashboot 4.7 is now available

Flashboot is OpenBSD 4.7 specially adapted to run from memory cards, such as flash memory in a Soekris net4801, which makes it perfect for anyone who likes to build their own little router, firewall, DHCP server or whatever else you can think of.

You can find Flashboot 4.7 here:

— Johan Ryberg