BSD DevCenter
oreilly.comSafari Books Online.Conferences.


OpenBSD Explained

An Overview of OpenBSD Security


OpenBSD is often noted for its code auditing and integrated crypto, but the security features go far beyond this. OpenBSD was built from the ground up on the model of being a fabric woven with security in mind, not a patchwork of bug fixes and security updates. This has led to OpenBSD finally being recognized today for what it is: the most secure operating system on earth. This article aims to illustrate these features and provide practical examples of their implication on production machines.


One of the most astounding things about the information superhighway is the number of people driving down it with their doors unlocked. Users and even administrators still commonly employ systems where sensitive information such as financial records and personal details are thrown over public networks as clear text. This is largely due to the proliferation of cleartext protocols such as telnet, rlogin, and http. OpenBSD solves these issues by containing encrypted replacements by default: OpenSSH for telnet and rlogin and https (OpenSSL). One of the first configuration tasks for an OpenBSD administrator should be the correct setup of ssh and ssl to ensure system security. OpenSSH is configured via two primary configuration files; some useful excerpts of those files follow:

/etc/ssh_config (OpenSSH client configuration):

UseRsh no
FallBackToRsh no 
  # OpenSSH will never fall back 
  # to the cleartext RSH protocol.
ForwardX11 no 
  # Do not allow X windows forwarding 
  # through the SSH session.

/etc/sshd_config (OpenSSH server configuration):

Port 22
  # Listen on all active interfaces
HostKey /etc/ssh_host_key 
  # Store the key in the default location
ServerKeyBits 1664 
  # Generate a 1664 bit key (stronger 
  # crypto than by default)
LoginGraceTime 600 
  # Allow 600 seconds for a client to login
KeyRegenerationInterval 3600 
  # Generate a new key every 3600 
  # seconds (hourly)
PermitRootLogin no 
  # Do not allow clients to login directly as 
  # root, must use su
X11Forwarding no 
  # Do not allow X windows forwarding through 
  # the SSH session.
PermitEmptyPasswords no 
  # A password MUST be issued - no passwordless 
  # logins allowed.

With SSH configured using these or similar options, the next step in enabling OpenBSD crypto is to set up OpenSSL-based https. This is a good replacement to cleartext http when sensitive information is being parsed through CGI POSTs or similar methods. The official documentation for mod_ssl (located by default in /var/www/htdocs/manual/mod/mod_ssl/ on OpenBSD systems) provides more detailed configuration information, but the process is three relatively simple steps:

1. Generate a server key and self-signed x.509 certificate:

  • Generate a server.key:
    openssl genrsa -des3 -out server.key 1024
    Place this file in /etc/ssl
  • Generate a CSR (Certificate Signing Request):
    openssl req -new -key server.key -out server.csr
    Place this file in /etc/ssl
  • Generate an RSA key for your CA (Certificate Authority):
    openssl genrsa -des3 -out ca.key 1024
    Place this file in /etc/ssl
  • Generate an x.509 certificate for your CA:
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    Place this file in /etc/ssl
  • Sign your CSR:
    ./ server.crt comes packaged with the OpenSSL source distribution.

2. Edit /var/www/httpd.conf:

In the main section:

<IfDefine SSL>
Listen 80
Listen 443

<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

A <VirtualHost> tag for your domain:
<VirtualHost _default_:443>
#  General setup for the virtual host
DocumentRoot /home/www/vhost/
ErrorLog logs/error_log
TransferLog logs/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

SSLCertificateFile    /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/server.key

3. Edit /etc/rc.conf to enable https:

  • httpd_flags="-DSSL"

Pages: 1, 2

Next Pagearrow

Sponsored by: