=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/56.html,v retrieving revision 1.71 retrieving revision 1.72 diff -u -r1.71 -r1.72 --- www/56.html 2019/04/24 15:54:54 1.71 +++ www/56.html 2019/05/27 22:55:18 1.72 @@ -1,28 +1,41 @@ - - - + + + + OpenBSD 5.6 - - - + + +

-OpenBSD -5.6 +OpenBSD +5.6

+ + +
- +Captain Tedu + Released Nov 1, 2014
Copyright 1997-2014, Theo de Raadt.
-ISBN 978-0-9881561-4-2 +ISBN 978-0-9881561-4-2
5.6 Song: "Ride of the Valkyries"
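Review bot: the added "Captain Tedu" line in this first hunk is the only new visible text, yet it arrives together with lines such as "OpenBSD 5.6" and "ISBN 978-0-9881561-4-2" that are removed and re-added with identical wording. Either split the content addition from the markup-only rewrite or say in the commit log that "Captain Tedu" is new, so the one real text change is not lost among lines that only look changed.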
@@ -30,29 +43,28 @@
  • See the information on the FTP page for a list of mirror machines. -
  • Go to the pub/OpenBSD/5.6/ directory on +
  • Go to the pub/OpenBSD/5.6/ directory on one of the mirror sites.
  • Have a look at the 5.6 errata page for a list of bugs and workarounds.
  • See a detailed log of changes between the 5.5 and 5.6 releases.

    -

  • signify(1) pubkeys for this release:

    +

  • signify(1) pubkeys for this release:

    - -
    + +
    openbsd-56-base.pub: - + RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV -
    +
    openbsd-56-fw.pub: - + RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw -
    +
    openbsd-56-pkg.pub: - + RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb -
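Review bot: confirm that the three signify(1) key strings in this hunk (openbsd-56-base.pub, openbsd-56-fw.pub, openbsd-56-pkg.pub) stay byte-identical to revision 1.71 and still render as single unbroken lines. The markup on both sides of each string is replaced here, and readers copy these values to verify the release, so stray whitespace or a line break inside a key would make a correct key fail to match.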

    @@ -60,16 +72,17 @@ sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the files fetched via ports.tar.gz. -
    +


    -

    What's New

    +
    +

    What's New

    +

    This is a partial list of new features and systems included in OpenBSD 5.6. For a comprehensive list, see the changelog leading to 5.6. -

    • LibreSSL @@ -192,7 +205,7 @@
    • Merged MDA, MTA and SMTP processes into a single unprivileged process.
    • Killed the MFA process, it is no longer needed.
    • Added support for email addresses lookups in the - table_db backend. + table_db backend.
    • Added RSA privilege separation support to prevent possible private key leakage.
  • The following significant bugs have been fixed in this release: @@ -302,11 +315,11 @@
    • Potentially-incompatible changes:
        -
      • sshd(8): +
      • sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. -
      • sshd(8): +
      • sshd(8): Support for tcpwrappers/libwrap has been removed.
      • OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the "curve25519-sha256@libssh.org" KEX exchange method @@ -320,36 +333,36 @@ as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form. -
      • ssh(1), - sshd(8): +
      • ssh(1), + sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. -
      • ssh(1), - ssh-keygen(1): +
      • ssh(1), + ssh-keygen(1): Add support for SSHFP DNS records for Ed25519 key types. -
      • sftp(1): +
      • sftp(1): Allow resumption of interrupted uploads. -
      • ssh(1): +
      • ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange. (bz#2154) -
      • sshd(8): +
      • sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when - GatewayPorts=no; allows client to choose address family. + GatewayPorts=no; allows client to choose address family. (bz#2222) -
      • sshd(8): +
      • sshd(8): Add a - sshd_config(5) - PermitUserRC option to control whether ~/.ssh/rc is - executed, mirroring the no-user-rc authorized_keys option. + sshd_config(5) + PermitUserRC option to control whether ~/.ssh/rc is + executed, mirroring the no-user-rc authorized_keys option. (bz#2160) -
      • ssh(1): - Add a %C escape sequence for LocalCommand and - ControlPath that expands to a unique identifer based on a +
      • ssh(1): + Add a %C escape sequence for LocalCommand and + ControlPath that expands to a unique identifer based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths. (bz#2220) -
      • sshd(8): +
      • sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success/failure messages. (bz#2199) @@ -357,59 +370,59 @@
    • The following significant bugs have been fixed in this release:
        -
      • sshd(8): +
      • sshd(8): Fix remote forwarding with same listen port but different listen address. -
      • ssh(1): +
      • ssh(1): Fix inverted test that caused PKCS#11 keys that were explicitly listed in - ssh_config(5) + ssh_config(5) or on the commandline not to be preferred. -
      • ssh-keygen(1): +
      • ssh-keygen(1): Fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted. -
      • ssh(1): - Reflect stdio-forward ("ssh -W host:port ...") failures in +
      • ssh(1): + Reflect stdio-forward ("ssh -W host:port ...") failures in exit status. Previously we were always returning 0. (bz#2255) -
      • ssh(1), - ssh-keygen(1): +
      • ssh(1), + ssh-keygen(1): Make Ed25519 keys' title fit properly in the randomart border. (bz#2247) -
      • ssh-agent(1): +
      • ssh-agent(1): Only cleanup agent socket in the main agent process and not in any subprocesses it may have started (e.g. forked askpass). Fixes agent sockets being zapped when askpass processes fatal(). (bz#2236) -
      • ssh-add(1): +
      • ssh-add(1): Make stdout line-buffered; saves partial output getting lost when - ssh-add(1) + ssh-add(1) fatal()s part-way through (e.g. when listing keys from an agent that supports key types that - ssh-add(1) + ssh-add(1) doesn't). (bz#2234) -
      • ssh-keygen(1): +
      • ssh-keygen(1): When hashing or removing hosts, don't choke on "@revoked" markers and don't remove "@cert-authority" markers. (bz#2241) -
      • ssh(1): +
      • ssh(1): Don't fatal when hostname canonicalisation fails and a - ProxyCommand is in use; continue and allow the - ProxyCommand to connect anyway (e.g. to a host with a name + ProxyCommand is in use; continue and allow the + ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion). -
      • scp(1): +
      • scp(1): When copying local->remote fails during read, don't send uninitialised heap to the remote end. -
      • sftp(1): +
      • sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing filenames with a single quote char somewhere in the string. (bz#2238) -
      • ssh-keyscan(1): +
      • ssh-keyscan(1): Scan for Ed25519 keys by default. -
      • ssh(1): - When using VerifyHostKeyDNS with a DNSSEC resolver, +
      • ssh(1): + When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys. -
      • sshd(8): +
      • sshd(8): Avoid crash at exit via NULL pointer reference. (bz#2225)
      • Fix some strict-alignment errors.
      @@ -417,11 +430,11 @@

    • mandoc 1.13.0:
        -
      • New implementation of apropos(1), - whatis(1), - and makewhatis(8) based on SQLite3 databases. -
      • Substantial improvements of mandoc(1) error and warning messages. -
      • Almost complete implementation of roff(7) numerical expressions. +
      • New implementation of apropos(1), + whatis(1), + and makewhatis(8) based on SQLite3 databases. +
      • Substantial improvements of mandoc(1) error and warning messages. +
      • Almost complete implementation of roff(7) numerical expressions.
      • About a dozen minor new features and numerous bug fixes.
      @@ -432,27 +445,21 @@

  • Many pre-built packages for each architecture: - - -
    -
      +
      • i386: 8588
      • sparc64: 7965
      • alpha: 6278
      • sh: 2626 -
    • amd64: 8588
    • powerpc: 8049
    • m88k: 2475
    • sparc: 3394 -
    • arm: 5633
    • hppa: 6143
    • vax: 1995 -
    • mips64: 4686
    • mips64el: 6697 -
    +

  • Some highlights: @@ -497,14 +504,15 @@
  • Less 458 (+ patches)
  • Awk Aug 10, 2011 version - + -
    + +
    +

    How to install

    +

    -

    How to install

    -

    Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an FTP (or other style @@ -566,14 +574,16 @@


    +
    +

    Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above! -

    -

    OpenBSD/i386:

    -
      +

      OpenBSD/i386:

      + +

      Play with your BIOS options to enable booting from a CD. The OpenBSD/i386 release is on CD1. If your BIOS does not support booting from CD, you will need to create a boot floppy to install from. To create a boot floppy write @@ -600,26 +610,25 @@ To make a boot floppy under MS-DOS, use the "rawrite" utility located at CD1:5.6/tools/rawrite.exe. To make the boot floppy under a Unix OS, use the -dd(1) +dd(1) utility. The following is an example usage of -dd(1), +dd(1), where the device could be "floppy", "rfd0c", or "rfd0a". -

        +
         # dd if=<file> of=/dev/<device> bs=32k
        -
      +

      Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or your install will most likely fail. For more information on creating a boot floppy and installing OpenBSD/i386 please refer to this page. -

    +

    OpenBSD/amd64:

    +

    -

    OpenBSD/amd64:

    -
      The 5.6 release of OpenBSD/amd64 is located on CD2. Boot from the CD to begin the install - you may need to adjust your BIOS options first. @@ -639,11 +648,10 @@

      If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64. -

    +

    OpenBSD/macppc:

    +

    -

    OpenBSD/macppc:

    -
      Burn the image from the FTP site to a CDROM, and power on your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot. @@ -651,11 +659,10 @@

      Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /5.6/macppc/bsd.rd -

    +

    OpenBSD/sparc64:

    +

    -

    OpenBSD/sparc64:

    -
      Put CD3 in your CDROM drive and type boot cdrom.

      @@ -674,12 +681,11 @@

      If nothing works, you can boot over the network as described in INSTALL.sparc64. -

    +

    OpenBSD/alpha:

    +

    -

    OpenBSD/alpha:

    -
      -

      Write FTP:5.6/alpha/floppy56.fs or +Write FTP:5.6/alpha/floppy56.fs or FTP:5.6/alpha/floppyB56.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details. @@ -687,12 +693,9 @@ Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail. -

    +

    OpenBSD/armish:

    -

    OpenBSD/armish:

    -
      -

      After connecting a serial port, Thecus can boot directly from the network either tftp or http. Configure the network using fconfig, reset, then load bsd.rd, see INSTALL.armish for specific details. @@ -700,55 +703,42 @@ and copy 'boot' and bsd.rd into the first partition on wd0 (hda1) then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition. More details are available in INSTALL.armish. -

    +

    OpenBSD/hppa:

    +

    -

    OpenBSD/hppa:

    -
      -

      Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page. -

    +

    OpenBSD/landisk:

    +

    -

    OpenBSD/landisk:

    -
      -

      Write miniroot56.fs to the start of the CF or disk, and boot normally. -

    +

    OpenBSD/loongson:

    +

    -

    OpenBSD/loongson:

    -
      -

      Write miniroot56.fs to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details. -

    -

    +

    OpenBSD/luna88k:

    +

    -

    OpenBSD/luna88k:

    -
      -

      -Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader +Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and the bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details. -

    +

    OpenBSD/octeon:

    +

    -

    OpenBSD/octeon:

    -
      -

      After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details. -

    +

    OpenBSD/sgi:

    +

    -

    OpenBSD/sgi:

    -
      -

      To install, burn cd56.iso on a CD-R, put it in the CD drive of your machine and select Install System Software from the System Maintenance menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from @@ -759,27 +749,24 @@ If your machine doesn't have a CD drive, you can setup a DHCP/tftp network server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your system type. Refer to the instructions in INSTALL.sgi for more details. -

    +

    OpenBSD/socppc:

    +

    -

    OpenBSD/socppc:

    -
      -

      After connecting a serial port, boot over the network via DHCP/tftp. Refer to the instructions in INSTALL.socppc for more details. -

    +

    OpenBSD/sparc:

    +

    -

    OpenBSD/sparc:

    -
      Boot from one of the provided install ISO images, using one of the two commands listed below, depending on the version of your ROM. -
        -ok boot cdrom 5.6/sparc/bsd.rd
        +
        +ok boot cdrom 5.6/sparc/bsd.rd
         or
        -> b sd(0,6,0)5.6/sparc/bsd.rd
        -
      +> b sd(0,6,0)5.6/sparc/bsd.rd +

      If your SPARC system does not have a CD drive, you can alternatively boot from floppy. @@ -788,11 +775,11 @@ To boot from the floppy use one of the two commands listed below, depending on the version of your ROM. -

        -ok boot floppy
        +
        +ok boot floppy
         or
        -> b fd()
        -
      +> b fd() +

      Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install @@ -802,45 +789,46 @@ If your SPARC system doesn't have a floppy drive nor a CD drive, you can either setup a bootable tape, or install via network, as told in the INSTALL.sparc file. -

    +

    OpenBSD/vax:

    +

    -

    OpenBSD/vax:

    -
      Boot over the network via mopbooting as described in INSTALL.vax. -
    +

    OpenBSD/zaurus:

    +

    -

    OpenBSD/zaurus:

    -
      -

      Using the Linux built-in graphical ipkg installer, install the openbsd56_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus for a few important details. -

    +
    + +
    +

    Notes about the source code:

    +

    -

    Notes about the source code:

    -
      src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in a separate archive. To extract: + +
      +# mkdir -p /usr/src
      +# cd /usr/src
      +# tar xvfz /tmp/src.tar.gz
      +
      +

      -

        -# mkdir -p /usr/src
        -# cd /usr/src
        -# tar xvfz /tmp/src.tar.gz
        -
      -

      sys.tar.gz contains a source archive starting at /usr/src/sys. This file contains all the kernel sources you need to rebuild kernels. To extract: -

      -

        -# mkdir -p /usr/src/sys
        -# cd /usr/src
        +
        +
        +# mkdir -p /usr/src/sys
        +# cd /usr/src
         # tar xvfz /tmp/sys.tar.gz
        -
      + +

      Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as @@ -848,29 +836,31 @@ Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree. -

      -

    - +
    +
    +
    + +
    +

    How to upgrade

    -

    How to upgrade

    -

    If you already have an OpenBSD 5.5 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide. +

    -
    + +
    +

    Ports Tree

    -

    Ports Tree

    -

    A ports tree archive is also provided. To extract:

    -

      -# cd /usr
      -# tar xvfz /tmp/ports.tar.gz
      -
    +
    +# cd /usr
    +# tar xvfz /tmp/ports.tar.gz
    +

    The ports/ subdirectory is a checkout of the OpenBSD ports tree. Go read the ports page @@ -880,7 +870,7 @@ OpenBSD ports system.

    The ports/ directory represents a CVS (see the manpage for - + cvs(1) if you aren't familiar with CVS) checkout of our ports. As with our complete source tree, our ports tree is available via @@ -889,10 +879,10 @@ available on a read-write medium and update the tree with a command like:

    -

      +
       # cd /usr/ports
       # cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_5_6
      -
    +

    [Of course, you must replace the server name here with a nearby anoncvs server.] @@ -903,6 +893,4 @@ If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing list ports@openbsd.org is a good place to know. -

    - - +
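Review bot: "identifer" should be "identifier" in the added ssh(1) %C escape item of the @@ -320,36 +333,36 @@ hunk ("+ ControlPath that expands to a unique identifer based on a"). The line is already being rewritten in this change, so the spelling can be fixed at the same time instead of being carried over from the removed line.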
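Review bot: file-name quoting is inconsistent inside the @@ -700,55 +703,42 @@ hunk. The luna88k paragraph now reads "+Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition", while the armish context line in the same hunk keeps "copy 'boot' and bsd.rd" with bsd.rd unquoted. Since the quote style is being touched here anyway, use one form in both paragraphs.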
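Review bot: the relocated extraction steps in the @@ -802,45 +789,46 @@ hunk ("+# tar xvfz /tmp/src.tar.gz" and the matching sys.tar.gz block) are shown at a root prompt and read the archive from /tmp, with no verification step before them. The page lists the signify(1) release keys near the top, so add one sentence here pointing readers to verify the archive with signify(1) before untarring it.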