OpenBSD 是一個從BSD派生出的類Unix操作系統,是在1995年由項目發起人Theo de Raadt從NetBSD分支而出。OpenBSD以對開放源代碼的堅持、高品質的文件、堅定的軟件受權條款和專注於系統安全及代碼品質而聞名。 OpenBSD以河豚作為項目吉祥物。
What's New
This is a partial list of new features and systems included in OpenBSD 4.9. For a comprehensive list, see the changelog leading to 4.9.
New/extended platforms:
OpenBSD/amd64 and OpenBSD/i386:
Enabled NTFS by default (read-only) on GENERIC kernels.
Enabled the vmt(4) driver by default for VMWare tools support as a guest.
SMP kernels can now boot on machines with up to 64 cores.
Maximum allocation size for i386 bumped to 2G.
Handle >16 disks when searching for kernel boot device.
Added support for AES-NI instructions found in recent Intel processors.
Further improvements in suspend and resume.
Processes are now switched to TSS per cpu on the amd64 platform, resulting in removal of the old limit of ~4000 processes.
OpenBSD/hppa:
Multiprocessor support.
OpenBSD/loongson and OpenBSD/sgi:
All MIPS64 based platforms now use MI softfloat code, which implements all MIPS IV specified floating point operations.
OpenBSD/sparc64:
The vdsp(4) driver now supports the vDisk 1.1 protocol, allowing Solaris to run on top of an OpenBSD control domain.
Improved hardware support, including:
New vte(4) driver for RDC R6040 10/100 Ethernet devices.
New rdcphy(4) driver for RDC Semiconductor R6040 10/100 Ethernet PHY.
New rsu(4) driver for Realtek RTL8188SU/RTL8191SU/RTL8192SU USB IEEE 802.11b/g/n wireless devices.
New urtwn(4) driver for Realtek RTL8188CU/RTL8192CU USB IEEE 802.11b/g/n wireless devices.
New utwitch(4) driver for YUREX USB twitch/jiggle of knee sensor.
Support for AR9271, AR9280+AR7010 and AR9287+AR7010 USB IEEE 802.11a/g/n wireless adapters has been added to athn(4).
Support for 82583V has been added to em(4).
Support for Yukon 88E8059 has been added to msk(4).
Support for SiS191 has been added to se(4).
Support for SAS2004 has been added to mpii(4).
Support for NVIDIA MCP89 SATA has been added to pciide(4).
Support for Mobility Radeon HD 4200 has been added to radeondrm(4).
pms(4) support has been significantly reworked and expanded.
MCLGETI support has been added to xl(4).
Support for low latency interrupt modulation has been added to ix(4).
Port multiplier support has been added to ahci(4) and sili(4).
Support for Sun XVR-300 graphics has been added to radeonfb(4).
Added workaround for BCM5906 A0/1/2 controller silicon bug in bge(4).
ugen(4) can now be attached along with other drivers to multifunction devices.
umodem(4) now supports more devices.
umsm(4) now supports more mobile broadband devices.
Support for more image processing controls was added to uvideo(4).
Generic network stack improvements:
Reworking of the MCLGETI livelock algorithm to improve forwarding and host performance under high network load.
Added support for socket splicing; sockets can be temporarily connected so that the kernel moves data without userland intervention. This will be used by relayd(8) in the next release.
Added AES-GCM support for IPsec.
Added automatic send and receive buffer scaling for TCP.
Added wpakey option to ifconfig(8) replacing wpa-psk(8).
TCP acknowledgments are no longer delayed on the loopback interface.
Network livelock counters are now exported via sysctl(3).
A radix tree sorting bug was fixed, which results in significant improvements to IPsec performance under certain conditions.
tcpdump(8) now decodes Multicast DNS (mDNS) traffic.
Wake on Lan support has been added to arp(8).
Enabled MPLS and mpe(4) by default on GENERIC kernels.
Added a mpls option to ifconfig(8) to enable MPLS on a per interface basis replacing the global sysctl knob.
OpenBGPD, OpenOSPFD and other routing daemon improvements:
bgpd(8) handles various message encoding errors more gracefully now.
Notification messages are now logged in bgpd(8).
ospfd(8) will now correctly redistribute overlapping routes.
ospfctl(8) now prints the LSDB checksum in the show summary output for quick verification that two LSDBs are in sync.
Fixed ldpd(8)'s message parser to work on all architectures and more LDP messages are now implemented.
Various improvements in ospf6d(8).
pf(4) improvements:
The logging subsystem has been largely rewritten, now logging the translated addresses again instead of the original ones.
match log rules cause a log on the fly, showing the packet exactly as pf(4) sees it at the moment of evaluating that rule. A packet can also be logged more than once now.
match log(matches) rules allow the further rule matching to be traced.
pflog(4) now includes the original addresses and ports for packets that have been rewritten. This is also displayed by tcpdump(8).
IPsec stack audit was performed, resulting in:
Several potential security problems have been identified and fixed.
ARC4 based PRNG code was audited and revamped.
New explicit_bzero kernel function was introduced to prevent a compiler from optimizing bzero calls away.
SCSI improvements:
Improved safety when detaching SCSI devices by waiting for the completion of pending commands.
Improved hotplug support on mpi(4) and mpii(4).
Continued iopoolification of SCSI drivers, notably on umass(4) which improves the reliability and performance of multi-LUN devices.
Added vscsi(4), a driver for userland handling of SCSI device commands.
Added iscsid(8), an iSCSI initiator.
Forcibly restrict devices incapable of tagged I/O to executing one command at a time.
Discover and honour read-only status of sd(4) devices.
Improve st(4) handling of I/O residual information.
sd(4) devices that can only execute one command at a time (e.g. USB) will now be allowed to spin up if necessary.
cd(4) will now attach CDROM devices identified as non-removable.
Assorted improvements:
Enabled wide character support in ncurses(3).
Added nsd(8), an authoritative name server implementation.
Disklabel UID support improved and added to more utilities.
rarpd(8) now accepts a list of interfaces to listen on.
dhclient(8) now accepts 'egress' as an interface name, meaning whichever interface is marked as being in the 'egress' group.
dhcpd(8) no longer listens on interfaces without a broadcast address (e.g. pflog(4)).
who(1) now displays as much of the hostname as fits on the line.
tcpdump(8) now correctly handles 'net' primitives when processing pflog(4) traffic.
fdisk(8) now respects failure to read the MBR.
fdisk(8) will no longer infinitely loop when encountering an improperly constructed EBR.
disklabel(8) no longer reuses information from a failed partition addition on the next addition of the same partition.
Many unused and obsolete disktab(5) entries removed.
Enabled X11 autoconfiguration on sparc and sparc64.
Implement attribute syntax from RFC4517 and support bsdauth in ldapd(8).
New video(1) utility which can record or display images from video(4).
httpd(8) mod_headers now handles apache2 style RequestHeader directives.
UNIX-domain datagram socket support has been added to nc(1) (-uU option).
Added support for terabyte units in disklabel(8).
loongson and sgi platforms have been switched over to gcc4.
ddb cpu support was added to the sgi platform.
Fast path TLB miss handling was added to the landisk platform, resulting in a 44-50% gain in performance.
PCIe extended configuration space can now be viewed using pcidump(8) (-xxx option).
The number of spurious IPIs has been decreased on the amd64 platform, resulting in improved performance.
Numerous improvements and bug fixes to tmux(1).
Considerable robustness and interoperability improvements in the IKEv2 daemon iked(8).
Skipjack and libdes were retired from the system. CAST-128 implementation was also removed from libc.
Removed some races in the USB subsystem, substantially increasing reliability.
Added a few more compat_linux(8) system calls to make it possible for newer versions of applications, such as Skype, to execute.
OpenBSD-specific package documentation is now centralised in /usr/local/share/doc/pkg-readmes.
Install/Upgrade process changes:
Fixed the hppa CD installation process.
Added some more free firmwares to the CD media that could fit them.
Make the macppc upgrade script update the boot blocks (oddly, this had been broken a very long time and no one noticed).
Teach the install script about the configuration of 802.11 interfaces. Visible networks can be listed, and even configured for WPA.
The install script now passes collected entropy better to the system which is booted next.
Upgrade now defaults to checking only the root filesystem.
Upgrade no longer checks filesystems with a fs_passno of 0.
Upgrade now asks if it should proceed even if one or more filesystem mounts fail.
Installer now configures ntpd(8) to use all provided time source IPs.
New rc.d(8) for starting, stopping and reconfiguring package daemons:
The rc.subr(8) framework allows for easy creation of rc scripts. This framework is still evolving.
Only a handful of packages have migrated for now.
rc.local can still be used instead of or in addition to rc.d(8).
OpenSSH 5.8:
New features:
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
sftp(1) and sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command.
scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.
ssh(1): automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys, since these are now preferred when learning hostkeys for the first time.
ssh(1) and sshd(8): add a new IPQoS option to specify arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. (bz#1733)
sftp(1): the sftp client is now significantly faster at performing directory listings, using OpenBSD glob(3) extensions to preserve the results of stat(3) operations performed in the course of its execution rather than performing expensive round trips to fetch them again afterwards.
ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. Stale server sockets are now automatically removed. (also fixes bz#1711)
ssh(1) and sshd(8): add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
sftp(1) and scp(1): factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism and use it to add a bandwidth limit option to sftp(1). (bz#1147)
The following significant bugs have been fixed in this release:
ssh(1) and ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories. (bz#1809)
ssh(1): avoid NULL deref on receiving a channel request on an unknown or invalid channel. (bz#1842)
sshd(8): remove a debug() that pollutes stderr on client connecting to a server in debug mode. (bz#1719)
scp(1): pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case. (bz#1837)
sftp-server(8): umask should be parsed as octal.
sftp(1): escape '[' in filename tab-completion.
ssh(1): Typo in confirmation message. (bz#1827)
sshd(8): prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block.
sshd(8): Use default shell /bin/sh if $SHELL is "".
ssh(1): kill proxy command on fatal() (we already killed it on clean exit).
ssh(1): install a SIGCHLD handler to reap expired child process. (bz#1812)
Support building against openssl-1.0.0a
Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski.
Mandoc 1.10.9:
New integrated tbl(7) parser and renderer.
Support all roff code used in the standard pod2man(1) preamble.
Fully support roff quoting in man(7) documents.
Mandoc now copes with most formatting errors that used to be fatal.
Much simplified and improved reporting of errors and warnings.
Significantly improved -Thtml output quality.
The ports tree now allows ports to use either mandoc or groff to render manuals.
Over 6,800 ports, major robustness and speed improvements in package tools.
Many pre-built packages for each architecture: i386: 6620
sparc64: 6225
alpha: 6000
sh: 3656
amd64: 6570
powerpc: 6272
sparc: 4184
arm: 5679
hppa: 5838
vax: 1068
mips64: 5492
mips64el: 5499
Some highlights:
Gnome 2.32.1.
KDE 3.5.10.
Xfce 4.8.0.
MySQL 5.1.54.
PostgreSQL 9.0.3.
Postfix 2.7.2.
OpenLDAP 2.3.43 and 2.4.23.
Mozilla Firefox 3.5.16 and 3.6.13.
Mozilla Thunderbird 3.1.7.
LibreOffice 3.3.0.4.
Emacs 21.4 and 22.3.
Vim 7.3.3.
PHP 5.2.16.
Python 2.4.6, 2.5.4 and 2.6.6.
Ruby 1.8.7.330 and 1.9.2.136.
Mono 2.8.2.
Chromium 9.0.597.94.
As usual, steady improvements in manual pages and other documentation.
The system includes the following major components from outside suppliers:
Xenocara (based on X.Org 7.6 with xserver 1.9 + patches, freetype 2.4.4, fontconfig 2.8.0, Mesa 7.8.2, xterm 267 and more)
Gcc 2.95.3 (+ patches), 3.3.5 (+ patches) and 4.2.1 (+ patches)
Perl 5.12.2 (+ patches)
Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
OpenSSL 1.0.0a (+ patches)
Sendmail 8.14.3, with libmilter
Bind 9.4.2-P2 (+ patches)
Lynx 2.8.6rel.5 with HTTPS and IPv6 support (+ patches)
Sudo 1.7.2p8
Ncurses 5.7
Heimdal 0.7.2 (+ patches)
Arla 0.35.7
Binutils 2.15 (+ patches)
Gdb 6.3 (+ patches)
--------------------------------------
How to install
Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an FTP (or other style of) install are very similar; the CDROM instructions are left intact so that you can see how much easier it would have been if you had purchased a CDROM instead.
---------------------------------
Please refer to the following files on the three CDROMs or FTP mirror for extensive details on how to install OpenBSD 4.9 on your machine:
CD1:4.9/i386/INSTALL.i386
CD2:4.9/amd64/INSTALL.amd64
CD2:4.9/macppc/INSTALL.macppc
CD3:4.9/sparc64/INSTALL.sparc64
FTP:.../OpenBSD/4.9/alpha/INSTALL.alpha
FTP:.../OpenBSD/4.9/armish/INSTALL.armish
FTP:.../OpenBSD/4.9/hp300/INSTALL.hp300
FTP:.../OpenBSD/4.9/hppa/INSTALL.hppa
FTP:.../OpenBSD/4.9/loongson/INSTALL.loongson
FTP:.../OpenBSD/4.9/mvme68k/INSTALL.mvme68k
FTP:.../OpenBSD/4.9/mvme88k/INSTALL.mvme88k
FTP:.../OpenBSD/4.9/sgi/INSTALL.sgi
FTP:.../OpenBSD/4.9/sparc/INSTALL.sparc
FTP:.../OpenBSD/4.9/vax/INSTALL.vax
FTP:.../OpenBSD/4.9/zaurus/INSTALL.zaurus