Linked by Thom Holwerda on Wed 20th Jun 2007 20:07 UTC, submitted by Valour
OpenBSD "If you're a software enthusiast who has never used OpenBSD before, you might enjoy installing it by yourself and figuring it out as you go. If, however, you're looking for a more practical approach to using OpenBSD 4.1 on a desktop or server machine, here's a quick guide to get you started in this spectacular operating system."
Secure by default != Secure
by jfryman on Wed 20th Jun 2007 20:55 UTC
jfryman Member since:
2005-07-06

I think one of the things to make sure to take into account is the concept that once I install OpenBSD and start making changes to the OS to make it 'usable', I am losing the various security aspects that are enabled by default. It is necessary to make the system less secure to make it usable.

That being said, OpenBSD is great, and has its uses. Just don't think that once you install the core OS and install the applications that you are secure. Once you start installing applications, it will be necessary to practice due care and get the necessary service/apps secured.

Reply Score: 4

openwookie Member since:
2006-04-25

The idea is that at least you are starting with a secure base, and do not have to take action in order to make it secure. This differs from other OS's where a fresh install is not secure at all unless the administrator does *something* first. Ex: Windows 2003 requires a ton of patches after an initial install (along with turning off extra services) as the first step towards a secure system.

Reply Parent Score: 5

fretinator Member since:
2005-07-06

I think Microsoft is doing better in this regard. If I remember correctly, the default install of SQL Server (or MSDE) used to have an SA password of blank - ripe for the picking! Fresh installs of SQL Server 2005 require a password and have network connectivity shut off until you specifically enable it. Windows 2003 Server is also much more secure by default than 2000. However, I would still prefer a fresh install of OpenBSD.

One clarification to the article - it says OpenSSH is shut off until you specifically enable it. That makes it sound like you have to manually edit a file to enable it after install. The install asks if you want SSH enabled and it does it for you during the install process (unless they have changed this in 4.1).

Reply Parent Score: 4

BluenoseJake Member since:
2005-08-11

Actually, installing updates is not the same as having a small attack surface to begin with, and Win2k3 is pretty locked down by default. It's certainly not OpenBSD, but you don't have to run around turning off services in 2003 like you did with Windows 2000 or XP.

Reply Parent Score: 3

RE: Secure by default != Secure
by Doc Pain on Thu 21st Jun 2007 21:29 in reply to "Secure by default != Secure"
Doc Pain Member since:
2006-10-08

"I think one of the things to make sure to take into account is the concept that once I install OpenBSD and start making changes to the OS to make it 'usable', I am losing the various security aspects that are enabled by default. It is necessary to make the system less secure to make it usable."

This is a tendency that other UNIXes and Linux have to deal with today. Because users could need certain services, these services have to be enabled by default so the user does not get bothered. There are other security aspects such as automated login, asterisks displayed in the password input field, not needing root passwords to install systemwide software - marginal aspects, I agree, but step by step security barriers get overridden by comfortability considerations. Most of them feature the loss of the difference between system user and system administrator which does not exist at the home user's site in fact.

Because OpenBSD is an OS only distribution (as opposed to most Linuxes or DesktopBSD / PC-BSD), it does not contain software the OS developers do not have any control over. This is one important aspect regarding security.

"That being said, OpenBSD is great, and has its uses. Just don't think that once you install the core OS and install the applications that you are secure. Once you start installing applications, it will be necessary to practice due care and get the necessary service/apps secured."

Home users do not care anyway, but surely OpenBSD would not be their choice either. :-)

Luckily, OpenBSD is usually used by people who know what they're doing, so they know what they can take the responsibility for.

Reply Parent Score: 3