Annotation of www/58.html, Revision 1.75
1.1 deraadt 1: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2: <html>
3: <head>
4: <title>OpenBSD 5.8</title>
5: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
6: <meta name="description" content="OpenBSD 5.8">
7: <meta name="copyright" content="This document copyright 2015 by OpenBSD.">
8: <link rel="canonical" href="http://www.openbsd.org/58.html">
9: </head>
10:
11: <body bgcolor="#ffffff" text="#000000" link="#24248E">
12:
13: <a href="index.html">
14: <img alt="[OpenBSD]" height="30" width="141" hspace="24" src="images/smalltitle.gif" border="0"></a>
15: <p>
16:
1.40 deraadt 17: <a href="images/fishhearts.jpg">
18: <img align="left" width="227" height="343" hspace="24" vspace="10" src="images/fishhearts.jpg"></a>
1.1 deraadt 19: <h2><font color="#0000e0">OpenBSD 5.8</font></h2>
20: <p>
1.7 deraadt 21: To be released Oct 18, 2015<br>
1.1 deraadt 22: Copyright 1997-2015, Theo de Raadt.<br>
23: <font color="#e00000">ISBN 978-0-9881561-6-6</font>
24: <br>
1.75 ! deraadt 25: 5.8 Songs: <a href="lyrics.html#58a">"20 years ago today"</a>,
! 26: <a href="lyrics.html#58b">"Fanza"</a>,
1.50 deraadt 27: <a href="lyrics.html#58c">"So much better"</a>,
28: <a href="lyrics.html#58d">"A Year in the Life"</a>
1.1 deraadt 29: <ul>
30: <li>Order a CDROM from our <a href="https://openbsdstore.com">ordering system</a>.
31: <li>See the information on <a href="ftp.html">the FTP page</a> for
32: a list of mirror machines.
33: <li>Go to the <font color="#e00000">pub/OpenBSD/5.8/</font> directory on
34: one of the mirror sites.
35: <li>Have a look at <a href="errata58.html">the 5.8 errata page</a> for a list
36: of bugs and workarounds.
37: <li>See a <a href="plus58.html">detailed log of changes</a> between the
38: 5.7 and 5.8 releases.
39: <p>
40: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=signify&sektion=1">signify(1)</a> pubkeys for this release:<br>
41: <pre>
1.3 deraadt 42: base: RWQNNZXtC/MqP3Eiu+6FBz/qrxiWQwDhd+9Yljzp62UP4KzFmmvzVk60
43: fw: RWTpkvg4fhJCDx9yL4bUCou/vtAecPVTfcaaGESQeBruwX/qHToMvWh6
44: pkg: RWRlkI2aFHvL/XGqD+lFerD/xUi/jnAXKwdFQwZDekYwDrEPSpSWgpI9
1.1 deraadt 45: </pre>
46: </ul>
47: <br clear=all>
48: All applicable copyrights and credits can be found in the applicable
49: file sources found in the files src.tar.gz, sys.tar.gz,
50: xenocara.tar.gz, or in the files fetched via ports.tar.gz. The
51: distribution files used to build packages from the ports.tar.gz file
52: are not included on the CDROM because of lack of space.
53: <p>
54:
55: <a name="new"></a>
56: <hr>
57: <p>
58: <h3><font color="#0000e0">What's New</font></h3>
59: <p>
60: This is a partial list of new features and systems included in OpenBSD 5.8.
61: For a comprehensive list, see the <a href="plus58.html">changelog</a> leading
62: to 5.8.
63: <p>
64:
65: <ul>
66: <li>Improved hardware support, including:
67: <ul>
1.36 mpi 68: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=rtwn&sec=4">rtwn(4)</a> driver for Realtek RTL8188CE wifi cards.
1.51 sobrado 69: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=hpb&sec=4&arch=macppc">hpb(4)</a> driver for HyperTransport bridges as found in the IBM CPC945.
1.23 guenther 70: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ugold&sec=4">ugold(4)</a> driver now supports TEMPerHUMV1.x temperature and humidity sensors.
71: <li>Improved sensor support for the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=upd&sec=4">upd(4)</a> driver for USB Power Devices (UPS).
72: <li>Support for jumbo frames on <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=re&sec=4">re(4)</a> devices using RTL8168C/D/E/F/G and RTL8411, including PC Engines APU.
73: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=re&sec=4">re(4)</a> now works with newer devices e.g. RTL8111GU.
74: <li>Partial support has been added for full-speed isochronous devices in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ehci&sec=4">ehci(4)</a>, allowing USB 1.1 audio devices to be used on EHCI-only systems in some cases.
1.51 sobrado 75: <li>Improved macppc stability and G5 performances with MP kernels.
1.23 guenther 76: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=acpicpu&sec=4">acpicpu(4)</a> uses ACPI C-state information to reduce power consumption of idle CPUs.
77: <li>Kernel supports x86 AVX instructions on CPUs that have them.
1.31 krw 78: <li>Avoid assigning low address to PCI BARs, fixing various issues on machines whose BIOSes neglect to claim low memory.
1.43 bentley 79: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=wscons&sec=4">wscons(4)</a> works with even more odd trackpads.
80: <li>Added <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pvbus&sec=4">pvbus(4)</a> paravirtual device tree root on virtual machines that are running on hypervisors.
1.39 jasper 81: <li>New octdwctwo(4) driver for USB support on OpenBSD/octeon.
1.52 lteo 82: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=amdcf&sec=4">amdcf(4)</a> driver for embedded flash on OpenBSD/octeon.
1.58 sthen 83: <li>Support for RTL8188EU devices was added to the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=urtwn&sec=4">urtwn(4)</a> driver.
1.1 deraadt 84: </ul>
85: <p>
86:
87: <li>Removed hardware support:
88: <ul>
1.45 schwarze 89: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.7/man4/lmc.4?query=lmc&sec=4">lmc(4)</a> driver for Lan Media Corporation SSI/T1/DS1/HSSI/DS3 devices has been removed.
90: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-5.7/man4/san.4?query=san&sec=4">san(4)</a> driver for Sangoma Technologies AFT T1/E1 devices has been removed.
1.1 deraadt 91: </ul>
92: <p>
93:
94: <li>Generic network stack improvements:
95: <ul>
1.13 sthen 96: <li>MTU of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=vlan&sektion=4">vlan(4)</a> devices can now be set independently from the parent interface's MTU.
97: <li>The same network range can now be assigned to multiple interfaces, using interface priorities to choose between them.
1.63 deraadt 98: <li>New MPLS pseudowire driver <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mpw&sektion=4">mpw(4)</a>.
1.68 deraadt 99: <li>Much preparatory work for MP unlocking of the network stack.
1.1 deraadt 100: </ul>
101: <p>
102:
103: <li>Installer improvements:
104: <ul>
1.33 rpe 105: <li>The logic of the 'Allow root ssh login?' question has been changed.
1.29 rpe 106: <ul>
107: <li>The default answer is now 'no'.
108: <li>'prohibit-password' has been added to the list of possible answers.
109: </ul>
1.45 schwarze 110: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=autoinstall&sec=8">autoinstall(8)</a>
1.29 rpe 111: has been extended to allow
112: <ul>
113: <li><tt>hostname-mode.conf</tt> response file names.
114: <li>response files to be placed in a subdir of the webserver's document root.
115: <li>passing a template file to
1.45 schwarze 116: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=disklabel&sec=8">disklabel(8)</a>
1.29 rpe 117: to automatically partition the disk.
118: </ul>
1.45 schwarze 119: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ntpd&sec=8">ntpd(8)</a>
1.29 rpe 120: is now enabled by default at install time.
1.21 guenther 121: <li>DUID support has improved enough that new installs now use them unconditionally.
1.29 rpe 122: <li>Installing sets from CD-ROM has been fixed if more than one CD-ROM drive is present.
123: <li>The 'Which CD-ROM contains the install media?' question has been removed.
124: Available cdrom devices are now shown directly in the 'Location of sets?' prompt.
1.1 deraadt 125: </ul>
126: <p>
127:
128: <li>Routing daemons and other userland network improvements:
129: <ul>
1.13 sthen 130: <li>Many improvements and simplifications in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ldpd&sektion=8">ldpd(8)</a>, including configuration reload and support for <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mpw&sektion=4">mpw(4)</a> pseudowire interfaces.
131: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bgpd&sektion=8">bgpd(8)</a> now allows rules to match on the peer AS number.
132: <li>For terminated BGP sessions, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bgpctl&sektion=8">bgpctl(8)</a> now displays the number of prefixes received on the last session.
133: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ospfd&sektion=8">ospfd(8)</a> now correctly handles <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=carp&sektion=4">carp(4)</a> interfaces in "backup" mode at startup.
134: <li>Log messages in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=bgpd&sektion=8">bgpd(8)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ospfd&sektion=8">ospfd(8)</a> have been made more specific.
135: <li>The default Diffie-Hellman group for VPNs configured by <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec.conf&sektion=5">ipsec.conf(5)</a> has been changed to modp3072.
1.41 yasuoka 136: <li>New <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=radiusd&sektion=8">radiusd(8)</a>,
137: Remote Authentication Dial In User Service (RADIUS) daemon.
1.6 deraadt 138: </ul>
1.1 deraadt 139: <p>
140:
141: <li>Security improvements:
142: <ul>
1.38 jsg 143: <li>sudo in base has been replaced with <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=doas&sektion=1">doas(1)</a>, sudo is available as a package.
1.13 sthen 144: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=file&sektion=1">file(1)</a> has been replaced with a new modern implementation, including sandbox and privilege separation.
1.52 lteo 145: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pax&sektion=1">pax(1)</a> (and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tar&sektion=1">tar(1)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cpio&sektion=1">cpio(1)</a>) now prevent archive extraction from escaping the current directory via symlinks; <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tar&sektion=1">tar(1)</a> without <tt>-P</tt> option now strips up through any "<tt>..</tt>" path components.
1.69 deraadt 146: <li>Static PIE support for sparc.
147: <li>Alpha switched to secure PLT.
1.23 guenther 148: <li>Improved kernel checks of ELF headers.
1.70 kettenis 149: <li>Support for the NX (No-eXecute) bit on i386, resulting in much better W^X enforcement in userland for hardware that has this feature.
150: <li>Enforcement of W^X in the kernel address space on i386 when using processors with the NX bit.
1.74 tim 151: <li>Work started on a new process-containment facility called <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tame&sektion=2&manpath=OpenBSD-5.8">tame(2)</a>.
1.1 deraadt 152: </ul>
153: <p>
154:
155: <li>Assorted improvements:
156: <ul>
1.11 tedu 157: <li>The <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=worm&sektion=6">worm(6)</a>
158: now grows at a rate proportional to terminal size.
1.21 guenther 159: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dlfcn&sektion=3">dlclose(3)</a> now unregisters handlers registered by a <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pthread_atfork&sektion=3">pthread_atfork(3)</a> call from the unloaded libraries.
160: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cp&sektion=1">cp(1)</a>, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mv&sektion=1">mv(1)</a>, and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pax&sektion=1">pax(1)</a> with the <tt>-rw</tt> option now preserve timestamps with full nanosecond precision.
161: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=pax&sektion=1">pax(1)</a> now detects failure to decompress an archive when reading it and errors out immediately.
162: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nm&sektion=1">nm(1)</a> now supports the <tt>-D</tt> option for displaying the dynamic symbol table.
163: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dump&sektion=8">dump(8)</a> now uses DUIDs in <tt>/etc/dumpdates</tt> when present and the <tt>-U</tt> option has thus been removed.
164: <li>Corrected <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kdump&sektion=1">kdump(1)</a> reporting of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=lseek&sektion=2">lseek(2)</a> return value on ILP32 archs and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getsockopt&sektion=2">getsockopt/setsockopt(2)</a> level and optname arguments. <tt>iovec</tt>, <tt>msghdr</tt>, and <tt>cmsghdr</tt> structures are now dumped.
165: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sed&sektion=1">sed(1)</a> <tt>-i</tt> option added.
1.44 schwarze 166: <li>New, much simpler <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=man.conf&sektion=5">man.conf(5)</a> configuration file format
167: for <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=man&sektion=1">man(1)</a>,
168: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=apropos&sektion=1">apropos(1)</a>,
169: and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=makewhatis&sektion=8">makewhatis(8)</a>.
170: <li>When using <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=man&sektion=1">man(1)</a>
171: with the <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=less&sektion=1">less(1)</a> pager,
172: support the <tt>:t</tt> internal command
173: to search for definitions of keywords similar to what
174: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ctags&sektion=1">ctags(1)</a> provides.
1.21 guenther 175: <li>Improvements in checking of numeric option values in <b>many</b> utilities.
1.22 guenther 176: <li>Upgraded to binutils version 2.17 with additional fixes.
1.23 guenther 177: <li>Improved correctness of <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=poll&sektion=2">poll(2)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=poll&sektion=2">poll(2)</a> of <tt>O_RDONLY</tt> FIFO fds.
178: <li>Restored reporting of closed sockets by <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=netstat&sektion=1">netstat(1)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=systat&sektion=1">systat(1)</a>.
1.31 krw 179: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk&sektion=8">fdisk(8)</a> now zeros correct GPT sector at end of disk.
180: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk&sektion=8">fdisk(8)</a> now accepts 'T' sizes for terabytes.
181: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=fdisk&sektion=8">fdisk(8)</a> repaired to work on 4K sector disks again.
182: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd&sektion=8">dhcpd(8)</a> now logs correct giaddr and ciaddr information even when DHCP relays are present.
183: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd&sektion=8">dhcpd(8)</a> now accommodates Linux and MS clients by not sending routers or static routes info when classless static routes are sent.
184: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhcpd&sektion=8">dhcpd(8)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient&sektion=8">dhclient(8)</a> now accept hostnames beginning with a digit.
185: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=dhclient&sektion=8">dhclient(8)</a> no longer rejects leases with addresses overlapping existing subnets on other interfaces. Kernel routing logic now just works.
1.67 deraadt 186: <li>Improvements to <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=realloc&sektion=3">realloc(3)</a> decrease system calls and increase efficiency.
1.66 kettenis 187: <li>The reaper now tears down dead processes without holding on to
188: the kernel lock. This greatly reduces latency and increases
189: performance on multi-processor systems.
1.1 deraadt 190: </ul>
191: <p>
192:
193: <li>OpenBSD <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=httpd&sektion=8">httpd(8)</a>:
194: <ul>
1.34 reyk 195: <li>New features:
196: <ul>
197: <li>Added support for matching and redirections with Lua <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man7/patterns.7">patterns(7)</a>.
198: <li>Implemented If-Modified-Since for conditional GET or HEAD requests (RFC 7232).
199: <li>Added byte-range support for range requests (RFC 7233).
200: <li>Allowing to specify a global or per-location default media type instead of <tt>application/octet-stream</tt>.
201: <li>Added support for HTTP Strict Transport Security (HSTS; RFC 6797).
202: <li>Added initial regression test suite based on <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/relayd.8">relayd(8)</a>'s implementation.
203: </ul>
204: <li>Fixes and improvements:
205: <ul>
206: <li>TLS in <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/httpd.8">httpd(8)</a> and <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/relayd.8">relayd(8)</a> now defaults to TLSv1.2-only.
207: <li>Fixed support for large TLS keys or certificate bundles with up to 16KB each.
208: <li>Fixed the Content-Length header for files larger than 2 GB on 32-bit architectures.
209: <li>Fixed translation of CGI environment variables in accordance with RFCs 7230 and 3875.
210: <li>Improved memory usage and fixed possible memory exhaustion on large file transfers.
211: <li>Added URL-encoding of specific CGI variables before using them in the Location header.
212: <li>Prepend files or directories containing ":" with "./" in directory indexes as per RFC 3986.
213: <li>Allowing to specify characters like "?" in the Location URI.
214: <li>Various other bug fixes and improvements.
215: </ul>
1.73 deraadt 216: </ul>
217: <p>
218:
219: <li>OpenSMTPD 5.4.4
220: <ul>
221: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=smtpd&sektion=8">smtpd(8)</a> reliability and bug fixes.
222: <li><b>NOTE: Some security risks were discovered and fixed after the
223: OpenBSD 5.8 release.
224: See <a href="errata58.html#004_smtpd">5.8 errata 004</a>.</b>
1.1 deraadt 225: </ul>
226: <p>
227:
1.15 sobrado 228: <li>OpenSSH 7.0
1.1 deraadt 229: <ul>
1.15 sobrado 230: <li>Security:
231: <ul>
1.27 sobrado 232: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
233: when forwarding X11 connections with <tt>ForwardX11Trusted=no</tt>,
234: connections made after <tt>ForwardX11Timeout</tt> expired could be
235: permitted and no longer subject to XSECURITY restrictions because of
236: an ineffective timeout check in
237: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
238: coupled with "fail open" behaviour in the X11 server when clients
239: attempted connections with expired credentials.
240: This problem was reported by Jann Horn.
241: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>:
242: fix weakness of agent locking (<tt>ssh-add -x</tt>) to
243: password guessing by implementing an increasing failure delay,
244: storing a salted hash of the password rather than the password
245: itself and using a timing-safe comparison function for verifying
246: unlock attempts. This problem was reported by Ryan Castellucci.
1.15 sobrado 247: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
248: OpenSSH 6.8 and 6.9 incorrectly set TTYs to be world-writable.
249: Local attackers may be able to write arbitrary messages to logged-in
250: users, including terminal escape sequences.
251: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
252: fix circumvention of <tt>MaxAuthTries</tt> using keyboard-interactive
253: authentication. By specifying a long, repeating keyboard-interactive
254: "devices" string, an attacker could request the same authentication
255: method be tried thousands of times in a single pass. The
256: <tt>LoginGraceTime</tt> timeout in
257: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>
258: and any authentication failure delays implemented by the authentication
259: mechanism itself were still applied.
260: </ul>
1.1 deraadt 261: <li>Potentially-incompatible changes:
262: <ul>
1.15 sobrado 263: <li>Support for the legacy <i>SSH version 1 protocol</i> is disabled by
264: default at compile time.
265: <li>Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
266: is disabled by default at run-time. It may be re-enabled using
267: the instructions at <tt>http://www.openssh.com/legacy.html</tt>.
268: <li>Support for <tt>ssh-dss</tt>, <tt>ssh-dss-cert-*</tt> <i>host</i>
269: and <i>user</i> keys is disabled by default at run-time. These may
270: be re-enabled using the instructions at
271: <tt>http://www.openssh.com/legacy.html</tt>.
272: <li>Support for the legacy <i>v00 cert format</i> has been removed.
273: <li>The default for the
274: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>
275: <tt>PermitRootLogin</tt> option has changed from "yes" to
1.51 sobrado 276: "prohibit-password" (but the OpenBSD installer defaults to "no").
1.47 deraadt 277: <li><b>NOTE: 'PermitRootLogin prohibit-password' is subtly broken
278: in the OpenBSD 5.8 / OpenSSH 7.0; see
279: <a href="errata58.html#001_sshd">5.8 errata 001</a>.</b>
1.1 deraadt 280: </ul>
281: <li>New/changed features:
282: <ul>
1.27 sobrado 283: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
284: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
285: promote <tt>chacha20-poly1305@openssh.com</tt> to be the default
286: cipher.
287: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
288: support admin-specified arguments to <tt>AuthorizedKeysCommand</tt>.
289: (bz#2081)
290: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
291: add <tt>AuthorizedPrincipalsCommand</tt> that allows retrieving
292: authorized principals information from a subprocess rather than a
293: file.
294: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
295: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>:
296: support PKCS#11 devices with external PIN entry devices. (bz#2240)
297: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
298: allow GSSAPI host credential check to be relaxed for multihomed
299: hosts via <tt>GSSAPIStrictAcceptorCheck</tt> option. (bz#928)
300: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
301: support <tt>ssh-keygen -lF hostname</tt> to search <tt>known_hosts</tt>
302: and print key hashes rather than full keys.
303: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>:
304: add <tt>-D</tt> flag to leave
305: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>
306: in foreground without enabling debug mode. (bz#2381)
1.16 sobrado 307: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5">ssh_config(5)</a>:
1.15 sobrado 308: add <tt>PubkeyAcceptedKeyTypes</tt> option to control which public
309: key types are available for user authentication.
310: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5">sshd_config(5)</a>:
311: add <tt>HostKeyAlgorithms</tt> option to control which public key
312: types are offered for host authentications.
313: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
314: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
315: extend <tt>Ciphers</tt>, <tt>MACs</tt>, <tt>KexAlgorithms</tt>,
316: <tt>HostKeyAlgorithms</tt>, <tt>PubkeyAcceptedKeyTypes</tt> and
317: <tt>HostbasedKeyTypes</tt> options to allow appending to the default
318: set of algorithms instead of replacing it. Options may now be
319: prefixed with a <tt>+</tt> to append to the default, e.g.
320: "<tt>HostKeyAlgorithms=+ssh-dss</tt>".
1.1 deraadt 321: </ul>
322: <li>The following significant bugs have been fixed in this release:
323: <ul>
1.15 sobrado 324: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
325: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
1.27 sobrado 326: deprecate legacy <tt>SSH2_MSG_KEX_DH_GEX_REQUEST_OLD</tt> message and
327: do not try to use it against some 3rd-party SSH implementations that
328: use it (older PuTTY, WinSCP).
329: <li>Many fixes for problems caused by compile-time deactivation of
330: SSH1 support. (including bz#2369)
331: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
332: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
333: cap DH-GEX group size at 4Kbits for Cisco implementations as some
334: would fail when attempting to use group sizes greater than 4K.
335: (bz#2209)
336: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
337: fix out-of-bound read in <tt>EscapeChar</tt> configuration option
338: parsing. (bz#2396)
339: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
340: fix application of <tt>PermitTunnel</tt>, <tt>LoginGraceTime</tt>,
341: <tt>AuthenticationMethods</tt> and <tt>StreamLocalBindMask</tt>
342: options in <tt>Match</tt> blocks.
343: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
344: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
345: improve disconnection message on TCP reset. (bz#2257)
346: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
347: remove failed remote forwards established by multiplexing from the
348: list of active forwards. (bz#2363)
349: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
350: make parsing of <tt>authorized_keys</tt> "<tt>environment=</tt>"
351: options independent of <tt>PermitUserEnv</tt> being enabled. (bz#2329)
352: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
353: fix post-auth crash with <tt>permitopen=none</tt>. (bz#2355)
354: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
355: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1">ssh-add(1)</a>,
356: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
357: allow new-format private keys to be encrypted with AEAD ciphers.
358: (bz#2366)
359: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
360: allow <tt>ListenAddress</tt>, <tt>Port</tt> and <tt>AddressFamily</tt>
361: configuration options to appear in any order. (bz#86)
362: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
363: check for and reject missing arguments for <tt>VersionAddendum</tt>
364: and <tt>ForceCommand</tt>. (bz#2281)
365: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
366: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
367: don't treat unknown certificate extensions as fatal. (bz#2387)
368: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1">ssh-keygen(1)</a>:
369: make <tt>stdout</tt> and <tt>stderr</tt> output consistent. (bz#2325)
370: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
371: mention missing <tt>DISPLAY</tt> environment in debug log when X11
372: forwarding requested. (bz#1682)
373: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
374: correctly record login when <tt>UseLogin</tt> is set. (bz#378)
375: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
376: add some missing options to <tt>sshd -T</tt> output and fix output
377: of <tt>VersionAddendum</tt> and <tt>HostCertificate</tt>. (bz#2346)
378: <li>Document and improve consistency of options that accept a
379: "<tt>none</tt>" argument: <tt>TrustedUserCAKeys</tt>,
380: <tt>RevokedKeys</tt> (bz#2382), <tt>AuthorizedPrincipalsFile</tt>
381: (bz#2288).
382: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
383: include remote username in debug output. (bz#2368)
384: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
385: avoid compatibility problem with some versions of Tera Term, which
386: would crash when they received the hostkeys notification message
387: (<tt>hostkeys-00@openssh.com</tt>).
388: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
389: mention <tt>ssh-keygen -E</tt> as useful when comparing legacy
390: <i>MD5 host key fingerprints</i>. (bz#2332)
391: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
392: clarify pseudo-terminal request behaviour and use make manual language
393: consistent. (bz#1716)
394: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
395: document that the <tt>TERM</tt> environment variable is not subject
396: to <tt>SendEnv</tt> and <tt>AcceptEnv</tt>. (bz#2386)
397: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
398: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
1.15 sobrado 399: add compatability workarounds for Cisco and more PuTTY versions.
400: (bz#2424)
401: <li>Fix some omissions and errors in the <tt>PROTOCOL</tt> and
402: <tt>PROTCOL.mux</tt> documentation relating to <i>Unix domain
403: socket</i> forwarding. (bz#2421, bz#2422)
404: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>:
405: Improve the
406: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>
407: manual page to include a better desciption of Unix domain socket
408: forwarding. (bz#2423)
409: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
410: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>:
411: skip uninitialised PKCS#11 slots, fixing failures to load keys when
412: they are present. (bz#2427)
413: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1">ssh(1)</a>,
414: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1">ssh-agent(1)</a>:
415: do not ignore PKCS#11 hosted keys that wth empty <tt>CKA_ID</tt>.
416: (bz#2429)
417: <li><a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8">sshd(8)</a>:
418: clarify documentation for <tt>UseDNS</tt> option. (bz#2045)
1.1 deraadt 419: </ul>
420: </ul>
421: <p>
422:
423: <li>LibreSSL
424: <ul>
425: <li>User-visible features:
426: <ul>
1.27 sobrado 427: <li>Reject all <i>server DH keys</i> smaller than 1024 bits.
428: <li>Multiple CVEs fixed including CVE-2015-0207, CVE-2015-0209,
429: CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289,
430: CVE-2015-1788, CVE-2015-1789, CVE-2015-1792.
431: <li>Protocol parsing conversions to BoringSSL's <i>CRYPTO ByteString</i>
432: (CBS) API.
433: <li>Added <tt>EC_curve_nid2nist</tt> and <tt>EC_curve_nist2nid</tt>
434: from OpenSSL.
435: <li>Removed Dynamic Engine support.
436: <li>Removed MDC-2DES support.
1.14 sobrado 437: <li>Switched <tt>openssl dhparam</tt> default from 512 to 2048 bits.
438: <li>Fixed <tt>openssl pkeyutl -verify</tt> to exit with a 0 on success.
439: <li>Fixed dozens of Coverity issues including dead code, memory leaks,
440: logic errors and more.
441: <li>Ensure that
442: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a>
443: restores terminal echo state after reading a password.
1.28 sobrado 444: <li>Incorporated fix for OpenSSL issue #3683.
1.14 sobrado 445: <li>Removed SSLv3 support from
446: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a>.
447: <li>Modified <tt>tls_write</tt> in <tt>libtls</tt> to allow partial
448: writes, clarified with examples in the documentation.
449: <li>Removed RSAX engine.
1.16 sobrado 450: <li>Tested SSLv3 removal with the OpenBSD ports tree and found several
451: applications that were not ready to build without SSLv3 yet.
452: For now, building a program that intentionally uses SSLv3 will
453: result in a linker warning.
1.14 sobrado 454: <li>Added <tt>TLS_method</tt>, <tt>TLS_client_method</tt> and
455: <tt>TLS_server_method</tt> as a replacement for the
456: <tt>SSLv23_*method</tt> calls.
457: <li>Default <tt>cert.pem</tt>, <tt>openssl.cnf</tt>, and
458: <tt>x509v3.cnf</tt> files are now installed under
459: <tt>$sysconfdir/ssl</tt> or the directory specified by
460: <tt>--with-openssldir</tt>. Previous versions of LibreSSL left
461: these empty.
1.49 deraadt 462: <li><b>NOTE: LibreSSL 2.2.2 in OpenBSD 5.8 incorrectly handles
463: ClientHello messages that do not include TLS extensions, resulting
464: in such handshakes being aborted. see
465: <a href="errata58.html#002_sslhello">5.8 errata 002</a>.</b>
1.1 deraadt 466: </ul>
467: <li>Code improvements:
468: <ul>
1.54 lteo 469: <li>Fix incorrect comparison function in <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a> certhash command.
1.27 sobrado 470: Thanks to Christian Neukirchen / Void Linux.
471: <li>Removal of <tt>OPENSSL_issetugid</tt> and all library getenv calls.
472: Applications can and should no longer rely on environment variables
473: for changing library behavior.
1.57 sthen 474: <tt>OPENSSL_CONF</tt> and <tt>SSLEAY_CONF</tt> are still supported with the
1.27 sobrado 475: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a>
1.57 sthen 476: command, but note that $ENV:: is no longer supported in .cnf files.
1.27 sobrado 477: <li><tt>libtls</tt> API and documentation additions.
1.28 sobrado 478: <li>Various bug fixes and simplifications to <tt>libssl</tt> and
1.27 sobrado 479: <tt>libcrypto</tt>.
1.14 sobrado 480: <li>Reworked
481: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=openssl&sektion=1">openssl(1)</a>
482: option handling.
483: <li>LibreSSL version define <tt>LIBRESSL_VERSION_NUMBER</tt> will now
484: be bumped for each portable release.
485: <li>Removed workarounds for TLS client padding bugs.
486: <li>Removed IE 6 SSLv3 workarounds.
487: <li><tt>--with-enginesdir</tt> is removed as a configuration parameter.
1.1 deraadt 488: </ul>
489: </ul>
490: <p>
491: <li>Syslogd:
492: <ul>
1.4 bluhm 493: <li>OpenBSD
494: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=syslogd&sektion=8">syslogd(8)</a>
495: can bind to explicitly given UDP or TCP sockets to receive messages.
496: TCP streams are accepted with the octet counting or the non
497: transparent framing method.
498: <li>Blocks in
499: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=syslog.conf&se
500: ktion=5">syslog.conf(5)</a>
501: started with <code>+host</code> process messages created by
502: certain hosts specifically.
503: <li>Handle situations when the file descriptor limit is exhausted
504: gracefully.
1.53 lteo 505: <li>Since libtls handles short writes smarter, <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=syslogd&sektion=8">syslogd(8)</a> can use the
1.12 tedu 506: complete output buffer to save messages, coping with
507: longer TLS server down times without losing messages.
1.1 deraadt 508: </ul>
509: <p>
510: <li>Ports and packages:
1.61 sthen 511: <dl>
512: <dt>Many pre-built packages for each architecture:
1.1 deraadt 513: <table border=0 cellspacing=0 cellpadding=2 width="95%">
514: <tr>
515: <td valign="top" width="25%">
516: <ul>
1.55 sthen 517: <li>alpha: 7093
1.32 sthen 518: <li>amd64: 8866
1.60 deraadt 519: <li>hppa: 5813
1.25 deraadt 520: </ul></td><td valign=top width="25%"><ul>
1.13 sthen 521: <li>i386: 8839
1.55 sthen 522: <li>mips64: 4267
1.60 deraadt 523: <li>mips64el: 5922
1.25 deraadt 524: </ul></td><td valign=top width="25%"><ul>
1.42 sthen 525: <li>powerpc: 8114
1.71 pirofti 526: <li>sh: 133
1.60 deraadt 527: <li>sparc64: 7851
1.1 deraadt 528: </ul></td><td valign=top width="25%"><ul>
1.55 sthen 529: <li>sparc: 3655
530: <li>vax: 1959
1.45 schwarze 531: </ul></td></tr></table>
1.61 sthen 532: <p>
1.1 deraadt 533:
1.61 sthen 534: <dt>Some highlights:
1.1 deraadt 535: <table border=0 cellspacing=0 cellpadding=2 width="95%">
536: <tr>
537: <td valign="top" width="33%"><ul>
1.10 lteo 538: <li>Chromium 44.0.2403.125
539: <li>Emacs 21.4 and 24.5
540: <li>GCC 4.8.4 and 4.9.3
1.1 deraadt 541: <li>GHC 7.8.4
1.10 lteo 542: <li>GNOME 3.16.2
543: <li>Go 1.4.2
1.1 deraadt 544: <li>Groff 1.22.3
1.10 lteo 545: <li>JDK 1.7.0.80 and 1.8.0.45
1.30 zhuk 546: <li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
1.1 deraadt 547: <li>LLVM/Clang 3.5 (20140228)
1.10 lteo 548: <li>LibreOffice 4.4.4.3
549: <li>MariaDB 10.0.20
550: <li>Mono 3.12.1
1.18 landry 551: <li>Mozilla Firefox 38.1.1esr and 39.0.3
1.10 lteo 552: <li>Mozilla Thunderbird 38.1.0
1.1 deraadt 553: </ul></td><td valign=top width="33%"><ul>
554: <li>Node.js 0.10.35
1.10 lteo 555: <li>OpenLDAP 2.3.43 and 2.4.41
556: <li>PHP 5.4.43, 5.5.27 and 5.6.11
557: <li>Postfix 3.0.2
558: <li>PostgreSQL 9.4.4
559: <li>Python 2.7.10 and 3.4.3
560: <li>R 3.2.1
561: <li>Ruby 1.8.7.374, 1.9.3.551, 2.0.0.645, 2.1.6, and 2.2.2
562: <li>Sendmail 8.15.2
563: <li>Sudo 1.8.14.3
1.9 stu 564: <li>Tcl/Tk 8.5.18 and 8.6.4
1.10 lteo 565: <li>TeX Live 2014
566: <li>Vim 7.4.769
567: <li>Xfce 4.12
1.1 deraadt 568: </ul></td><td valign=top width="34%">
569: </td></tr></table>
570: <p>
571:
572: <li>As usual, steady improvements in manual pages and other documentation.
573: <p>
574:
575: <li>The system includes the following major components from outside suppliers:
576: <ul>
577: <li>Xenocara (based on X.Org 7.7 with xserver 1.16.4 + patches,
1.8 matthieu 578: freetype 2.6, fontconfig 2.11.1, Mesa 10.2.9, xterm 314,
579: xkeyboard-config 2.14 and more)
1.1 deraadt 580: <li>Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches)
1.8 matthieu 581: <li>Perl 5.20.2 (+ patches)
582: <li>SQLite 3.8.9 (+ patches)
583: <li>NSD 4.1.3
584: <li>Unbound 1.5.4
1.1 deraadt 585: <li>Ncurses 5.7
1.8 matthieu 586: <li>Binutils 2.17 (+ patches)
1.1 deraadt 587: <li>Gdb 6.3 (+ patches)
588: <li>Less 458 (+ patches)
589: <li>Awk Aug 10, 2011 version
590: </ul>
591:
592: </ul>
593:
594: <a name="install"></a>
595: <hr>
596: <p>
597: <h3><font color="#0000e0">How to install</font></h3>
598: <p>
599: Following this are the instructions which you would have on a piece of
600: paper if you had purchased a CDROM set instead of doing an alternate
601: form of install. The instructions for doing an HTTP (or other style
602: of) install are very similar; the CDROM instructions are left intact
603: so that you can see how much easier it would have been if you had
604: purchased a CDROM instead.
605: <p>
606:
607: <hr>
608: Please refer to the following files on the three CDROMs or mirror site for
609: extensive details on how to install OpenBSD 5.8 on your machine:
610: <p>
611: <ul>
1.72 deraadt 612: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/alpha/INSTALL.alpha">
1.1 deraadt 613: .../OpenBSD/5.8/alpha/INSTALL.alpha (on CD1)</a>
614: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/i386/INSTALL.i386">
615: .../OpenBSD/5.8/i386/INSTALL.i386 (on CD1)</a>
616: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/hppa/INSTALL.hppa">
617: .../OpenBSD/5.8/hppa/INSTALL.hppa (on CD1)</a>
618: <p>
619: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/amd64/INSTALL.amd64">
620: .../OpenBSD/5.8/amd64/INSTALL.amd64 (on CD2)</a>
621: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/macppc/INSTALL.macppc">
622: .../OpenBSD/5.8/macppc/INSTALL.macppc (on CD2)</a>
623: <p>
624: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/sparc64/INSTALL.sparc64">
625: .../OpenBSD/5.8/sparc64/INSTALL.sparc64 (on CD3)</a>
626: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/sparc/INSTALL.sparc">
627: .../OpenBSD/5.8/sparc/INSTALL.sparc (on CD3)</a>
628: <p>
629: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/alpha/INSTALL.alpha">
630: .../OpenBSD/5.8/alpha/INSTALL.alpha</a>
631: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/armish/INSTALL.armish">
632: .../OpenBSD/5.8/armish/INSTALL.armish</a>
633: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/hppa/INSTALL.hppa">
634: .../OpenBSD/5.8/hppa/INSTALL.hppa</a>
635: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/landisk/INSTALL.landisk">
636: .../OpenBSD/5.8/landisk/INSTALL.landisk</a>
637: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/loongson/INSTALL.loongson">
638: .../OpenBSD/5.8/loongson/INSTALL.loongson</a>
639: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/luna88k/INSTALL.luna88k">
640: .../OpenBSD/5.8/luna88k/INSTALL.luna88k</a>
641: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/macppc/INSTALL.macppc">
642: .../OpenBSD/5.8/macppc/INSTALL.macppc</a>
643: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/octeon/INSTALL.octeon">
644: .../OpenBSD/5.8/octeon/INSTALL.octeon</a>
645: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/sgi/INSTALL.sgi">
646: .../OpenBSD/5.8/sgi/INSTALL.sgi</a>
647: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/socppc/INSTALL.socppc">
648: .../OpenBSD/5.8/socppc/INSTALL.socppc</a>
649: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/sparc/INSTALL.sparc">
650: .../OpenBSD/5.8/sparc/INSTALL.sparc</a>
651: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/vax/INSTALL.vax">
652: .../OpenBSD/5.8/vax/INSTALL.vax</a>
653: <li><a href="http://ftp.openbsd.org/pub/OpenBSD/5.8/zaurus/INSTALL.zaurus">
654: .../OpenBSD/5.8/zaurus/INSTALL.zaurus</a>
655: </ul>
656: <hr>
657:
658: <p>
659: Quick installer information for people familiar with OpenBSD, and the
660: use of the "disklabel -E" command. If you are at all confused when
661: installing OpenBSD, read the relevant INSTALL.* file as listed above!
662: <p>
663:
664: <h3><font color="#e00000">OpenBSD/i386:</font></h3>
665: <ul>
666: The OpenBSD/i386 release is on CD1.
667: Boot from the CD to begin the install - you may need to adjust
668: your BIOS options first.
669:
670: <p>
671: If your machine can boot from USB, you can write <i>install58.fs</i> or
672: <i>miniroot58.fs</i> to a USB stick and boot from it.
673:
674: <p>
675: If you can't boot from a CD, floppy disk, or USB,
676: you can install across the network using PXE as described in
677: the included INSTALL.i386 document.
678:
679: <p>
680: If you are planning on dual booting OpenBSD with another OS, you will need to
681: read INSTALL.i386.
682:
683: </ul>
684:
685: <p>
686: <h3><font color="#e00000">OpenBSD/amd64:</font></h3>
687: <ul>
688: The OpenBSD/amd64 release is on CD2.
689: Boot from the CD to begin the install - you may need to adjust
690: your BIOS options first.
691:
692: <p>
693: If your machine can boot from USB, you can write <i>install58.fs</i> or
694: <i>miniroot58.fs</i> to a USB stick and boot from it.
695:
696: <p>
697: If you can't boot from a CD, floppy disk, or USB,
698: you can install across the network using PXE as described in the included
699: INSTALL.amd64 document.
700:
701: <p>
702: If you are planning to dual boot OpenBSD with another OS, you will need to
703: read INSTALL.amd64.
704: </ul>
705:
706: <p>
707: <h3><font color="#e00000">OpenBSD/macppc:</font></h3>
708: <ul>
709: Burn the image from a mirror site to a CDROM, and power on your machine
710: while holding down the <i>C</i> key until the display turns on and
711: shows <i>OpenBSD/macppc boot</i>.
712:
713: <p>
714: Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
715: /5.8/macppc/bsd.rd</i>
716: </ul>
717:
718: <p>
719: <h3><font color="#e00000">OpenBSD/sparc64:</font></h3>
720: <ul>
721: Put CD3 in your CDROM drive and type <i>boot cdrom</i>.
722:
723: <p>
724: If this doesn't work, or if you don't have a CDROM drive, you can write
725: <i>CD3:5.8/sparc64/floppy58.fs</i> or <i>CD3:5.8/sparc64/floppyB58.fs</i>
726: (depending on your machine) to a floppy and boot it with <i>boot
727: floppy</i>. Refer to INSTALL.sparc64 for details.
728:
729: <p>
730: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
731: will most likely fail.
732:
733: <p>
734: You can also write <i>CD3:5.8/sparc64/miniroot58.fs</i> to the swap partition on
735: the disk and boot with <i>boot disk:b</i>.
736:
737: <p>
738: If nothing works, you can boot over the network as described in INSTALL.sparc64.
739: </ul>
740:
741: <p>
742: <h3><font color="#e00000">OpenBSD/alpha:</font></h3>
743: <ul>
744: <p>Write <i>FTP:5.8/alpha/floppy58.fs</i> or
745: <i>FTP:5.8/alpha/floppyB58.fs</i> (depending on your machine) to a diskette and
746: enter <i>boot dva0</i>. Refer to INSTALL.alpha for more details.
747:
748: <p>
749: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
750: will most likely fail.
751:
752: </ul>
753:
754: <p>
755: <h3><font color="#e00000">OpenBSD/armish:</font></h3>
756: <ul>
757: <p>
758: After connecting a serial port, Thecus can boot directly from the network
759: either tftp or http. Configure the network using fconfig, reset,
760: then load bsd.rd, see INSTALL.armish for specific details.
761: IOData HDL-G can only boot from an EXT-2 partition. Boot into linux
762: and copy 'boot' and bsd.rd into the first partition on wd0 (hda1)
763: then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition.
764: More details are available in INSTALL.armish.
765: </ul>
766:
767: <p>
768: <h3><font color="#e00000">OpenBSD/hppa:</font></h3>
769: <ul>
770: <p>
771: Boot over the network by following the instructions in INSTALL.hppa or the
772: <a href="hppa.html#install">hppa platform page</a>.
773: </ul>
774:
775: <p>
776: <h3><font color="#e00000">OpenBSD/landisk:</font></h3>
777: <ul>
778: <p>
779: Write <i>miniroot58.fs</i> to the start of the CF
780: or disk, and boot normally.
781: </ul>
782:
783: <p>
784: <h3><font color="#e00000">OpenBSD/loongson:</font></h3>
785: <ul>
786: <p>
787: Write <i>miniroot58.fs</i> to a USB stick and boot bsd.rd from it
788: or boot bsd.rd via tftp.
789: Refer to the instructions in INSTALL.loongson for more details.
790: </ul>
791: <p>
792:
793: <p>
794: <h3><font color="#e00000">OpenBSD/luna88k:</font></h3>
795: <ul>
796: <p>
797: Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
1.24 miod 798: from the PROM, and then bsd.rd from the bootloader.
1.1 deraadt 799: Refer to the instructions in INSTALL.luna88k for more details.
800: </ul>
801:
802: <p>
803: <h3><font color="#e00000">OpenBSD/octeon:</font></h3>
804: <ul>
805: <p>
806: After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
807: Refer to the instructions in INSTALL.octeon for more details.
808: </ul>
809:
810: <p>
811: <h3><font color="#e00000">OpenBSD/sgi:</font></h3>
812: <ul>
813: <p>
814: To install, burn cd58.iso on a CD-R, put it in the CD drive of your
815: machine and select <i>Install System Software</i> from the System Maintenance
816: menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
817: CD-ROM, and need a proper invocation from the PROM prompt.
818: Refer to the instructions in INSTALL.sgi for more details.
819:
820: <p>
821: If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
822: server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
823: system type. Refer to the instructions in INSTALL.sgi for more details.
824: </ul>
825:
826: <p>
827: <h3><font color="#e00000">OpenBSD/socppc:</font></h3>
828: <ul>
829: <p>
830: After connecting a serial port, boot over the network via DHCP/tftp.
831: Refer to the instructions in INSTALL.socppc for more details.
832: </ul>
833:
834: <p>
835: <h3><font color="#e00000">OpenBSD/sparc:</font></h3>
836: <ul>
837: Boot from one of the provided install ISO images, using one of the two
838: commands listed below, depending on the version of your ROM.
839:
840: <ul><pre>
841: ok <strong>boot cdrom 5.8/sparc/bsd.rd</strong>
842: or
843: > <strong>b sd(0,6,0)5.8/sparc/bsd.rd</strong>
844: </pre></ul>
845:
846: <p>
847: If your SPARC system does not have a CD drive, you can alternatively boot from floppy.
848: To do so you need to write <i>floppy58.fs</i> to a floppy.
849: For more information see <a href="faq/faq4.html#MkFlop">FAQ 4.3.2</a>.
850: To boot from the floppy use one of the two commands listed below,
851: depending on the version of your ROM.
852:
853: <ul><pre>
854: ok <strong>boot floppy</strong>
855: or
856: > <strong>b fd()</strong>
857: </pre></ul>
858:
859: <p>
860: Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
861: will most likely fail.
862:
863: <p>
864: If your SPARC system doesn't have a floppy drive nor a CD drive, you can either
865: setup a bootable tape, or install via network, as told in the
866: INSTALL.sparc file.
867: </ul>
868:
869: <p>
870: <h3><font color="#e00000">OpenBSD/vax:</font></h3>
871: <ul>
872: Boot over the network via mopbooting as described in INSTALL.vax.
873: </ul>
874:
875: <p>
876: <h3><font color="#e00000">OpenBSD/zaurus:</font></h3>
877: <ul>
878: <p>
879: Using the Linux built-in graphical ipkg installer, install the
880: openbsd58_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus
881: for a few important details.
882: </ul>
883:
884: <a name="upgrade"></a>
885: <hr>
886: <p>
887: <h3><font color="#0000e0">How to upgrade</font></h3>
888: <p>
1.2 deraadt 889: If you already have an OpenBSD 5.7 system, and do not want to reinstall,
1.1 deraadt 890: upgrade instructions and advice can be found in the
891: <a href="faq/upgrade58.html">Upgrade Guide</a>.
892:
893: <a name="sourcecode"></a>
894: <hr>
895: <p>
896: <h3><font color="#0000e0">Notes about the source code</font></h3>
897: <p>
898: src.tar.gz contains a source archive starting at /usr/src. This file
899: contains everything you need except for the kernel sources, which are
900: in a separate archive. To extract:
901: <p>
902: <ul><pre>
903: # <strong>mkdir -p /usr/src</strong>
904: # <strong>cd /usr/src</strong>
905: # <strong>tar xvfz /tmp/src.tar.gz</strong>
906: </pre></ul>
907: <p>
908: sys.tar.gz contains a source archive starting at /usr/src/sys.
909: This file contains all the kernel sources you need to rebuild kernels.
910: To extract:
911: <p>
912: <ul><pre>
913: # <strong>mkdir -p /usr/src/sys</strong>
914: # <strong>cd /usr/src</strong>
915: # <strong>tar xvfz /tmp/sys.tar.gz</strong>
916: </pre></ul>
917: <p>
918: Both of these trees are a regular CVS checkout. Using these trees it
919: is possible to get a head-start on using the anoncvs servers as
920: described <a href="anoncvs.html">here</a>.
921: Using these files
922: results in a much faster initial CVS update than you could expect from
923: a fresh checkout of the full OpenBSD source tree.
924: <p>
925:
926: <a name="ports"></a>
927: <hr>
928: <p>
929: <h3><font color="#0000e0">Ports Tree</font></h3>
930: <p>
931: A ports tree archive is also provided. To extract:
932: <p>
933: <ul><pre>
934: # <strong>cd /usr</strong>
935: # <strong>tar xvfz /tmp/ports.tar.gz</strong>
936: </pre></ul>
937: <p>
938: Go read the <a href="faq/ports/index.html">ports</a> page
939: if you know nothing about ports
940: at this point. This text is not a manual of how to use ports.
941: Rather, it is a set of notes meant to kickstart the user on the
942: OpenBSD ports system.
943: <p>
944: The <i>ports/</i> directory represents a CVS (see the manpage for
945: <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvs&sektion=1&arch=i386">
946: cvs(1)</a> if
947: you aren't familiar with CVS) checkout of our ports. As with our complete
948: source tree, our ports tree is available via
949: <a href="anoncvs.html">AnonCVS</a>.
950: So, in order to keep up to date with the <i>-stable</i> branch, you must make
951: the <i>ports/</i> tree available on a read-write medium and update the tree
952: with a command like:
953: <p>
954: <ul><pre>
955: # <strong>cd /usr/ports</strong>
1.2 deraadt 956: # <strong>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_5_8</strong>
1.1 deraadt 957: </pre></ul>
958: <p>
959: [Of course, you must replace the server name here with a nearby anoncvs
960: server.]
961: <p>
962: Note that most ports are available as packages on our mirrors. Updated
963: ports for the 5.8 release will be made available if problems arise.
964: <p>
965: If you're interested in seeing a port added, would like to help out, or just
966: would like to know more, the mailing list
967: <a href="mail.html">ports@openbsd.org</a> is a good place to know.
968: <p>
969: </body>
970: </html>