Authentication methods in OpenBSD; CD Sales Down

Eugenia Loli 2004-09-30 OpenBSD

OpenBSD supports several authentication methods besides a simple password. Here are some ways you can keep your systems safe. Also, the new song for the next OpenBSD was released but Theo says that CD sales are very disappointing.

35 Comments

2004-09-30 1:09 am
That’s not surprising, given the fact that OpenBSD has taken so hard of a line with licenses that they won’t even distribute new versions of Apache anymore. That and the fact that Linux has almost completely taken over the spotlight…

2004-09-30 1:21 am
I thought the version of Apache in OpenBSD was frozen because the Apache team wasn’t incorporating the security goals that the OpenBSD team wanted. I think they still support an older version that has been hardened by the OpenBSD team.

2004-09-30 1:27 am
I thought the version of Apache in OpenBSD was frozen because the Apache team wasn’t incorporating the security goals that the OpenBSD team wanted.

I wish that were true, but it’s not. Because of the patent bomb clause added to the Apache 1.1 license, which both Apache 1 (newer versions) and Apache 2 use, Theo refuses to include Apache in their distribution from now on.

2004-09-30 1:29 am
If what’s happening in the music industry isn’t a good enough omen I don’t know what is. As faster Internet connections become more prevalent, more and more individuals will resort to downloads. Oh yeah, CD sales are a show of support, no? However, downloads are just more economical (time and effort-wise). Perhaps it is time to entertain other sustainable methods, or perhaps ways to add value to the CD sales (like books, 3-month support, a free mug, etc); or maybe a subscription type scheme for dedicated download servers?
The idea is still support, but this time just to center around the evolving distribution media.

2004-09-30 2:01 am
Uhm… performance of OpenBSD is so bad as a server that it’s years behind the other major competitors. Security is great, but performance can’t be totally ignored.

2004-09-30 2:11 am
Is it a must to get revenue only by selling CDs? With all great minds in OpenBSD team, it could release some books for OpenBSD, and get a partial revenue from it. So far, I see in the IT industry, if you like to install & maintain a *BSD, you have to depend on only few books which will try to cover everything, instead of covering some topics in depth for a particular purpose like to webhosting, or groupware or mailserver or firewall or router etc. I guess it will take decade for *BSD-ers to understand this simple marketing strategy to attract people, instead they prefer to reply with RTFM again and again.
-my2cents

2004-09-30 2:43 am
“I guess it will take decade for *BSD-ers to understand this simple marketing strategy to attract people, instead they prefer to reply with RTFM again and again.”

.. well did you read it?

2004-09-30 2:44 am
Theo said : Suggestions will not get us anywhere.

Isn’t that a little short-sighted? I mean, some of the suggestions might be helpful.. And help them boost CD sales?

2004-09-30 3:44 am
but almost all of the machines I have a form of BSD installed on do not have CD-ROM drives. I’ve always installed BSD through ftp or NFS. I would purchase every OpenBSD CD if it came with a free (shirt || mug || poster). Maybe a nice printed manual of the release notes or something. Too bad Theo isn’t taking suggestions.

2004-09-30 4:25 am
I’m probably not a good one to ask since I have purchased every CD since 2.8. I have a subscription account with BSDMall to send me the latest OpenBSD release when it is available.
However, if I wasn’t purchasing OpenBSD in the first place, I hardly think a free OpenBSD T-shirt would sway me any unless OpenBSD starts designing better looking artwork to put on their shirts. As it is now, I wouldn’t be caught dead wearing an OpenBSD T-shirt.

2004-09-30 4:54 am
Don’t want to buy the cd? Donate some cash. Buy a t-shirt. Setup a mirror. Donate some hardware. Write some code. Help out with ports. I’ll be ordering the cd tomorrow (payday), probably along with a shirt or two. I like the artwork on the shirts, and wear them all of the time.

2004-09-30 5:04 am
Theo said : Suggestions will not get us anywhere.

Presumably he means CD sales will…

2004-09-30 5:07 am
1st he give us a snail working operating system without consumer drivers (dvb-tv, bluetooth, isdn-capi) and then he dream of being Torvalds??? The one thing OpenBSD is really good, is the TCP filtering system (PF, CARP…) with all integrated features (not like it is in FreeBSD)

2004-09-30 5:11 am
I admit that I’ve been an OpenBSD zealot once upon a time. I used to love OpenBSD and the security that came with it. Then, I realized that there were a lot better choices and OS’s that gave a lot better performance than OpenBSD (fs, networking, kernel, even security). I recently sent a few mails http://tinyurl.com/4qp6v and http://tinyurl.com/58blf . In about a period of a day, I got many responses (from within OpenBSD and many users). Even Theo admits that sparc64 smp support is no more, many ask me why would I even consider moving from something like Solaris + Veritas to something like OpenBSD? Anyways, my take is that OpenBSD is slowly dying. There are still no major improvements (good threads, good IPC implementation, good/journaling filesystem etc.).

2004-09-30 5:54 am
Uhm… performance of OpenBSD is so bad as a server that it’s years behind the other major competitors. Security is great, but performance can’t be totally ignored.
True, if you want a Swiss cheese that anyone can break into as your server, then just go for Linux. Interestingly enough, isn’t that why people switch from Windows to Linux? Because they “think” that makes them more secure??? geee, if people only read up on all Linux flaws… Rather a slow safe server than a server you put up for someone else to own!

2004-09-30 6:22 am
“Rather a slow safe server than a server you put up for someone else to own!”

1> people dont want to own an openbsd box anyways what the hell is worth finding on it?
2> true security is unattainable, if openbsd were in the “lime light” then more holes would present themselves.
3> also saying linux is less secure than openbsd is FUD, a smart systems administrator could lock a linux machine down tighter than a glove 5 sizes too small. (selinux, grsecurity etc etc.)
4> could fill in more but its not worth it. kiddies should learn to research before talking crap. Use some of these things and you will see my point, if you want you can have root on one of my machines and i guarantee you wont harm it at all. in fact i think debian and gentoo at one point had some test boxes up with available root access. bleh. bsd elitism these days is a way to tell yourself that its still actually ok to trash talk other OS’s.

2004-09-30 6:59 am
I don’t pretend to know the economic particulars the OpenBSD guys are dealing with, or any of the major players other than by reputation (wait for it) BUUUUT… Seems to me that, on face value, Theo is pointing out that the cost of mass producing x very nicely packaged CDs is no longer breaking even; trends are that no-one is any longer bothering to buy them in sufficient quantity- for whatever reason. The number of download installs may or may not indicate a growing mindshare/interest in the project; regardless, OpenBSD can’t afford to produce the shiny package at a net loss. (boxed RedHat Desktop -> Fedora, anyone?)
So, (paraphrase) “if you want that particular distribution channel to continue, umm, at least buy it every once in a while. We can’t afford to keep providing it at a (personal|project) loss.” I think it was uncharacteristically passive-aggressive for Theo to drum up support in this manner; it’s the “going-out-of-business” ploy, or the “you vote with your dollars” approach. Again, don’t know him personally, but think he must have been fully mindful of the various ways the mail would be interpreted. (From “this PROVES <your favorite OS> is better!” to “oh hell, now I feel guilty for taking advantage”) And that he was eating crow for at least a nanosecond for resorting to that tactic. On the other hand, (sic) “But please don’t give me or the list suggestions. Suggestions will not get us anywhere.” is pure Theo. Bound to reinforce his image as a surly brute, but, really, and no offence, how do suggestions along the lines of “come up with better t-shirts! and give them away in addition to stuff we’re already draining our funds with!” help? So maybe just take it at face value- a plea to buy official CDs if you want them to continue. Random comments from the peanut gallery not welcome, anything useful/novel/thought provoking (much like, imho, OpenBSD itself) will filter to the head honchos soon enough. And under the old license would be duly attributed ;-P

2004-09-30 7:51 am
I pre-ordered my new CD and the new poster and a small donation, as I do each half year. Now .. what’s all this crap about Apache? OpenBSD is an operating system. It just so happens to ship with a secure, chrooted version of Apache. Is that a problem? No it’s not. Is that cool? Yes it is, because it saves time when deploying a secure webserver. But OMG THEY’RE NOT UPGRADING TO THE LATEST VERSION. Unless you’re a complete idiot, or at least twice as lazy as myself, installing Apache isn’t exactly a hard task. Not to mention that nothing is wrong with 1.3.29.
It’s stable, it’s secure, and it works like a charm. There’s no point in upgrading to 2.X (even if it weren’t for the license) because to put it simply, PHP still doesn’t like it. The only thing that I miss is an OpenBSD PHP 5.x port.

2004-09-30 8:15 am
I’ve been OpenBSD since 3.2, and even purchased a 3.3 CD. However, rather than upgrade my installation to 3.5, I’ve decided to switch to FreeBSD (and NetBSD is a close second). The reason is that FreeBSD is simply too far ahead, with better support for IPv6 tools, Bluetooth, 802.11, etc — there is functionality on my hardware and peripherals I simply can’t activate without going to FreeBSD. I’m also attracted by the generally better performance reports I’ve seen from FreeBSD networking. With FreeBSD having OpenSSH and pf, I still get OpenBSD technologies, but without the burden of an old system. I think the other security technologies in OpenBSD are fantastic, and I wish that I could stay, but the “legacy drag” is simply too much for me to cope with.

2004-09-30 9:59 am
i used to buy CDs. i valued openbsd’s pioneering work on some technologies. especially 3,4 years ago when the state of IPSEC and IKE was terrible on other unix-like OSes. the other OSes are much more approachable and flexible – like linux for example. and now that the others are getting increasingly better security focus … you find that there is less reason to use OpenBSD. especially when the performance isn’t great. and i speak as someone who contributed once – and i don’t use it anymore. if i need a simple single-purpose flexible router/firewall .. i use a very simple secured linux system with its very powerful and scalable netfilter subsystem. security technologies such as those similar to “fencing off” are now available in solaris and linux … ok – so openbsd rewrite software to make it more secure.. but in the big scheme of things … is it really a priority to rewrite the ntpd software right now? openbsd is losing focus.
while linux is gaining enterprise and desktop focus.

2004-09-30 12:44 pm
“or perhaps ways to add value to the CD sales (like books, 3-month support, a free mug, etc);”

You mean like STICKERS?!

2004-09-30 1:07 pm
Theo and the OpenBSD, however much you may not like it, are correct in being quite pedantic with the licensing terms of included software. One of the key selling points of BSD over Linux is that for an embedded systems producer, the BSD license is far more attractive, and your “base system” has everything, and you can be sure that the base system (i.e. everything other than ports) is BSD licensed. This makes it extremely easy and simple for an integrator, and they largely have two choices: NetBSD (high portability, high performance, medium security), OpenBSD (medium portability, medium performance, high security). FreeBSD is really in a different category: it’s server oriented, and not so applicable (but still workable) for embedding.

Rewriting stuff like ntpd is actually a good thing. Just look at sendmail and number of other well known unix utilities: they’ve become bloated, complex, convoluted and bug-ridden. Sendmail is the classic example: patch after patch and nothing could get rid of the holes. Better to just start again in some cases. I think it’s great what they are doing for ntpd. I’m guessing that in a year or two or more, OpenNTPD may actually displace ntpd in a number of distributions (whether BSD or Linux based), especially for typically end-client scenarios (get the more risky ntpd for your full-blown ntpd server).

The real challenge for the OpenBSD guys is to aggressively pursue the security, but not let the rest lag behind — and the smart move for them is to simply leverage the NetBSD and FreeBSD developments in these areas (e.g. popular wifi driver first written for FreeBSD, then ported to NetBSD, then to OpenBSD).
It’s easy to integrate drivers and hardware support into OpenBSD, but it’s damn hard to integrate security from OpenBSD into another O/S. Unfortunately in my case, OpenBSD is now lagging too far on non-security performance and feature support, yet the other O/S’s have picked up some of the key front-end security features (pf & OpenSSH for example). This means OpenBSD is becoming too niche. Don’t underrate the strength of OpenBSD security, even if some of its other aspects are just average.

2004-09-30 1:43 pm
1> people dont want to own an openbsd box anyways what the hell is worth finding on it?

Is this worth commenting? I guess DARPA don’t share your opinion…

2> true security is unattainable, if openbsd were in the “lime light” then more holes would present themselves.

Yes, and Windows is as safe as Linux for the same reason or maybe even safer. Just that Linux is just a small time OS etc etc…

3> also saying linux is less secure than openbsd is FUD, a smart systems administrator could lock a linux machine down tighter than a glove 5 sizes too small. (selinux, grsecurity etc etc.)

Still, the security record proves you wrong. Unfortunately the security record don’t bring in intelligence. But as a small note, Linux seems to be used by those who can’t harness OpenBSD.

4> could fill in more but its not worth it. kiddies should learn to research before talking crap. Use some of these things and you will see my point, if you want you can have root on one of my machines and i guarantee you wont harm it at all. in fact i think debian and gentoo at one point had some test boxes up with available root access. bleh. bsd elitism these days is a way to tell yourself that its still actually ok to trash talk other OS’s.
ZzzzZz

Linux flaws (Plenty of them)
http://www.securitytracker.com/archives/underlyingos/2811.html
http://www.securitytracker.com/archives/underlyingos/210.html

Linux hype is not worth anything to me

OpenBSD flaws (pretty few)
http://www.securitytracker.com/archives/target/1413.html

Yes, I know hype seems very important to some, just like running X on servers etc etc…. but certain things are just not made with security in mind, Linux _IS_ one of them…

2004-09-30 1:54 pm
OpenBSD doesn’t require things to be BSD licensed, in fact none of the BSDs do that. You’d be able to build a bare bones system, but you wouldn’t even get a working toolchain. No-one would use such a thing even if it existed. Their objection to the Apache license isn’t “it’s not BSD” (else they’d throw out a lot of development tools from GNU, and a lot of network tools contributed by US universities under non-BSD licenses) but that it doesn’t meet Theo’s interpretation of his obligation to keep it free from obnoxious restrictions.

As to the security comparisons between bare OpenBSD (no ports) and a full desktop Linux distro, well what’s the point in that? If you install OpenBSD on the desktop you have to apply these hundreds of desktop-only fixes yourself manually, whereas if you Linux on a server you get the reduced number of patches, but with better package management. Either way Linux comes out looking better the moment you realise “GTK+ updated to fix buffer overflow” is no more a Linux bug, than “Firefox doesn’t handle some URLs safely” is a bug in MS Windows.

2004-09-30 3:17 pm
OpenBSD – only the kernel vs. Debian – all packages. Is that fair? Maybe OpenBSD has no remote holes in the default install, but I don’t want to run it when its solution to running out of memory is simply freezing entirely. NetBSD seems to be innovating much faster.
It just kills apps when the memory is full, the OpenBSD SMP implementation is based on that of NetBSD, which also supports SMP on other architectures than i386 in 2.0-beta, and also supports kernel threads.

2004-09-30 3:39 pm
Sorry about that. Hurried too much… here is the correct URL
http://www.securitytracker.com/archives/vendor/467.html

Still VERY few holes compared to mentioned Linux distros… I don’t complain about NetBSD… it’s also a powerful system, I’m just saying Linux isn’t what it claims to be. Expectations vs what it delivers…

2004-09-30 4:11 pm
@qq: I pretty much agree with most of what you said. I too like the fact that the OpenBSD group is being strict with licensing. It’s good to have a truly free open system. I also like the fact that the OpenBSD group is rewriting and replacing some of the GNU tools where it makes sense. It would be awesome if most of the base system was BSD licensed or at least licensed with a BSD-like license. The MIT license is also a good one. Unfortunately, it’s not going to happen. I too wish that the OpenBSD group would take a step back and focus a bit more on performance as well as security.

2004-09-30 4:12 pm
It seems that unless you pre-order the CDs, delivery time for the CDs is enormous. It took 3 months to receive my CDs, by then I have already updated my machines via ftp. I know they are a non-profit, poor, etc… but that’s ridiculous!

2004-09-30 5:55 pm
Really, why should anyone buy CDs only to upgrade an open source OS? It has never been something that someone should base their income on. Every year it will become less important too, and you cannot count on nice people buying CD’s just to show some support. The future is that you download and upgrade the OS mostly from the net. apt-get dist-upgrade (or emerge bla bla etc.) That’s the way a modern OS is upgraded…

2004-09-30 6:29 pm
focus should be security, not SMP. simple as that.

2004-09-30 6:58 pm
What’s wrong with OpenNTPD?
Only one (two if you count the guy taking care of the ports to other OS’s) developer is involved with it. And it’s not like he’s using the rest of the time to twiddle with his thumbs .. In fact, he’s also working on OpenBGPD and other stuff.

2004-09-30 7:42 pm
I bought an OpenBSD CD a while back, don’t remember what release it was. Seems to me that a lot of their financial troubles began when DoD pulled their funding. Perhaps biting the hand that feeds you without having another hand lined up is not such a good idea.

2004-09-30 9:45 pm
You clearly don’t understand the issues:

“OpenBSD doesn’t require things to be BSD licensed, in fact none of the BSDs do that. You’d be able to build a bare bones system, but you wouldn’t even get a working toolchain. No-one would use such a thing even if it existed.”

Firstly, I used “BSD licensed” loosely: I meant in the spirit of BSD licensing where use is not encumbered by publishing or advertising or related restrictions (i.e. GPL). I (and, I assume other OEM’s) are quite happy that Theo is being so tight with the restrictions. Secondly, many people would use such a thing: you may need the toolchain in Engineering, but you don’t need it in the shipped product. And if it isn’t in the shipped product, you have no GPL obligations to the end users. Have you actually worked in a commercial development environment? Probably not. I’m assuming you’re just another slashdot reading “pop-techie”.

“If you install OpenBSD on the desktop”

That wouldn’t be a good comparison: I think you’ll find that even the core OpenBSD guys telling you that OpenBSD isn’t really aimed at the desktop. OpenBSD is primarily aimed at being used in headless scenarios. You’re comparing apples and oranges. It’s not about _one_ O/S.
BSD is my preferred headless O/S, but I wouldn’t use any of the BSD’s or Linux for the desktop: Windows XP is just fine, because I know that any hardware or any documentation or project management or other tools I need, will always work on _at least_ Windows XP. Considering the number of issues I’ve experienced with unsupported hardware and applications under Linux/BSD, I simply can’t afford to take that risk on the desktop.

2004-10-01 5:58 am
I ordered my cds and the new tshirt. I’ll be ordering a second tshirt when I decide on which one I want (or I’ll buy a couple), and maybe a small donation. But that will probably have to wait a paycheck or two. I skipped most of the flaming because, well, I have better things to do. Hope it felt good to get it out of your system and potentially ruin a story that is interesting to the people that do use OpenBSD, despite its flaws.

2004-10-01 5:28 pm
Speaking of paychecks, I’m currently setting up my business, and I think I’ll donate my initial profits to OpenBSD. After all, it does power all my juicy servers.