Released Oct 18, 2015 Copyright 1997-2015, Theo de Raadt. ISBN 978-0-9881561-6-6 5.8 Songs: "20 years ago today", "Fanza", "So much better", "A Year in the Life"
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via |
NOTE: The src.tar.gz file on the CD is incorrect; see 5.8 errata 006.
This is a partial list of new features and systems included in OpenBSD 5.8. For a comprehensive list, see the changelog leading to 5.8.
hostname-mode.conf
response file names.
-P
option now strips up through any "..
" path components.
-rw
option now preserve timestamps with full nanosecond precision.
-D
option for displaying the dynamic symbol table.
/etc/dumpdates
when present and the -U
option has thus been removed.
iovec
, msghdr
, and cmsghdr
structures are now dumped.
-i
option added.
:t
internal command
to search for definitions of keywords similar to what
ctags(1) provides.
O_RDONLY
FIFO fds.
application/octet-stream
.
ForwardX11Trusted=no
,
connections made after ForwardX11Timeout
expired could be
permitted and no longer subject to XSECURITY restrictions because of
an ineffective timeout check in
ssh(1)
coupled with "fail open" behaviour in the X11 server when clients
attempted connections with expired credentials.
This problem was reported by Jann Horn.
ssh-add -x
) to
password guessing by implementing an increasing failure delay,
storing a salted hash of the password rather than the password
itself and using a timing-safe comparison function for verifying
unlock attempts. This problem was reported by Ryan Castellucci.
MaxAuthTries
using keyboard-interactive
authentication. By specifying a long, repeating keyboard-interactive
"devices" string, an attacker could request the same authentication
method be tried thousands of times in a single pass. The
LoginGraceTime
timeout in
sshd(8)
and any authentication failure delays implemented by the authentication
mechanism itself were still applied.
https://www.openssh.com/legacy.html
.
ssh-dss
, ssh-dss-cert-*
host
and user keys is disabled by default at run-time. These may
be re-enabled using the instructions at
https://www.openssh.com/legacy.html
.
PermitRootLogin
option has changed from "yes" to
"prohibit-password" (but the OpenBSD installer defaults to "no").
[email protected]
to be the default
cipher.
AuthorizedKeysCommand
.
(bz#2081)
AuthorizedPrincipalsCommand
that allows retrieving
authorized principals information from a subprocess rather than a
file.
GSSAPIStrictAcceptorCheck
option. (bz#928)
ssh-keygen -lF hostname
to search known_hosts
and print key hashes rather than full keys.
-D
flag to leave
ssh-agent(1)
in foreground without enabling debug mode. (bz#2381)
PubkeyAcceptedKeyTypes
option to control which public
key types are available for user authentication.
HostKeyAlgorithms
option to control which public key
types are offered for host authentications.
Ciphers
, MACs
, KexAlgorithms
,
HostKeyAlgorithms
, PubkeyAcceptedKeyTypes
and
HostbasedKeyTypes
options to allow appending to the default
set of algorithms instead of replacing it. Options may now be
prefixed with a +
to append to the default, e.g.
"HostKeyAlgorithms=+ssh-dss
".
SSH2_MSG_KEX_DH_GEX_REQUEST_OLD
message and
do not try to use it against some 3rd-party SSH implementations that
use it (older PuTTY, WinSCP).
EscapeChar
configuration option
parsing. (bz#2396)
PermitTunnel
, LoginGraceTime
,
AuthenticationMethods
and StreamLocalBindMask
options in Match
blocks.
authorized_keys
"environment=
"
options independent of PermitUserEnv
being enabled. (bz#2329)
permitopen=none
. (bz#2355)
ListenAddress
, Port
and AddressFamily
configuration options to appear in any order. (bz#86)
VersionAddendum
and ForceCommand
. (bz#2281)
stdout
and stderr
output consistent. (bz#2325)
DISPLAY
environment in debug log when X11
forwarding requested. (bz#1682)
UseLogin
is set. (bz#378)
sshd -T
output and fix output
of VersionAddendum
and HostCertificate
. (bz#2346)
none
" argument: TrustedUserCAKeys
,
RevokedKeys
(bz#2382), AuthorizedPrincipalsFile
(bz#2288).
[email protected]
).
ssh-keygen -E
as useful when comparing legacy
MD5 host key fingerprints. (bz#2332)
TERM
environment variable is not subject
to SendEnv
and AcceptEnv
. (bz#2386)
PROTOCOL
and
PROTOCOL.mux
documentation relating to Unix domain
socket forwarding. (bz#2421, bz#2422)
CKA_ID
.
(bz#2429)
UseDNS
option. (bz#2045)
EC_curve_nid2nist
and EC_curve_nist2nid
from OpenSSL.
openssl dhparam
default from 512 to 2048 bits.
openssl pkeyutl -verify
to exit with a 0 on success.
tls_write
in libtls
to allow partial
writes, clarified with examples in the documentation.
TLS_method
, TLS_client_method
and
TLS_server_method
as a replacement for the
SSLv23_*method
calls.
cert.pem
, openssl.cnf
, and
x509v3.cnf
files are now installed under
$sysconfdir/ssl
or the directory specified by
--with-openssldir
. Previous versions of LibreSSL left
these empty.
OPENSSL_issetugid
and all library getenv calls.
Applications can and should no longer rely on environment variables
for changing library behavior.
OPENSSL_CONF
and SSLEAY_CONF
are still supported with the
openssl(1)
command, but note that $ENV:: is no longer supported in .cnf files.
libtls
API and documentation additions.
libssl
and
libcrypto
.
LIBRESSL_VERSION_NUMBER
will now
be bumped for each portable release.
--with-enginesdir
is removed as a configuration parameter.
+host
process messages created by
certain hosts specifically.
Ports and packages:
Many pre-built packages for each architecture:
Some highlights:
Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an HTTP (or other style of) install are very similar; the CDROM instructions are left intact so that you can see how much easier it would have been if you had purchased a CDROM instead.
Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!
The OpenBSD/i386 release is on CD1. Boot from the CD to begin the install - you may need to adjust your BIOS options first.
If your machine can boot from USB, you can write install58.fs or miniroot58.fs to a USB stick and boot from it.
If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.i386 document.
If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386.
The OpenBSD/amd64 release is on CD2. Boot from the CD to begin the install - you may need to adjust your BIOS options first.
If your machine can boot from USB, you can write install58.fs or miniroot58.fs to a USB stick and boot from it.
If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.amd64 document.
If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64.
Burn the image from a mirror site to a CDROM, and power on your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot.
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /5.8/macppc/bsd.rd
Put CD3 in your CDROM drive and type boot cdrom.
If this doesn't work, or if you don't have a CDROM drive, you can write CD3:5.8/sparc64/floppy58.fs or CD3:5.8/sparc64/floppyB58.fs (depending on your machine) to a floppy and boot it with boot floppy. Refer to INSTALL.sparc64 for details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
You can also write CD3:5.8/sparc64/miniroot58.fs to the swap partition on the disk and boot with boot disk:b.
If nothing works, you can boot over the network as described in INSTALL.sparc64.
Write 5.8/alpha/floppy58.fs or 5.8/alpha/floppyB58.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
After connecting a serial port, Thecus can boot directly from the network either tftp or http. Configure the network using fconfig, reset, then load bsd.rd, see INSTALL.armish for specific details. IOData HDL-G can only boot from an EXT-2 partition. Boot into linux and copy 'boot' and bsd.rd into the first partition on wd0 (hda1) then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition. More details are available in INSTALL.armish.
Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page.
Write miniroot58.fs to the start of the CF or disk, and boot normally.
Write miniroot58.fs to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details.
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and then bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details.
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details.
To install, burn cd58.iso on a CD-R, put it in the CD drive of your machine and select Install System Software from the System Maintenance menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from CD-ROM, and need a proper invocation from the PROM prompt. Refer to the instructions in INSTALL.sgi for more details.
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your system type. Refer to the instructions in INSTALL.sgi for more details.
After connecting a serial port, boot over the network via DHCP/tftp. Refer to the instructions in INSTALL.socppc for more details.
Boot from one of the provided install ISO images, using one of the two commands listed below, depending on the version of your ROM.
ok boot cdrom 5.8/sparc/bsd.rd or > b sd(0,6,0)5.8/sparc/bsd.rd
If your SPARC system does not have a CD drive, you can alternatively boot from floppy. To do so you need to write floppy58.fs to a floppy. For more information see this page. To boot from the floppy use one of the two commands listed below, depending on the version of your ROM.
ok boot floppy or > b fd()
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
If your SPARC system doesn't have a floppy drive nor a CD drive, you can either setup a bootable tape, or install via network, as told in the INSTALL.sparc file.
Boot over the network via mopbooting as described in INSTALL.vax.
Using the Linux built-in graphical ipkg installer, install the openbsd58_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus for a few important details.
If you already have an OpenBSD 5.7 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide.
src.tar.gz
contains a source archive starting at /usr/src
.
This file contains everything you need except for the kernel sources, which are
in a separate archive. To extract:
# mkdir -p /usr/src # cd /usr/src # tar xvfz /tmp/src.tar.gz
sys.tar.gz
contains a source archive starting at /usr/src/sys
.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys # cd /usr/src # tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.
A ports tree archive is also provided. To extract:
# cd /usr # tar xvfz /tmp/ports.tar.gz
Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.
The ports/ directory represents a CVS (see the manpage for cvs(1) if you aren't familiar with CVS) checkout of our ports. As with our complete source tree, our ports tree is available via AnonCVS. So, in order to keep up to date with the -stable branch, you must make the ports/ tree available on a read-write medium and update the tree with a command like:
# cd /usr/ports # cvs -d [email protected]:/cvs update -Pd -rOPENBSD_5_8
[Of course, you must replace the server name here with a nearby anoncvs server.]
Note that most ports are available as packages on our mirrors. Updated ports for the 5.8 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing list [email protected] is a good place to know.