OpenBSD 5.7
Released May 1, 2015
Copyright 1997-2015, Theo de Raadt.
ISBN 978-0-9881561-5-9
5.7 Song: "XXX"
- Order a CDROM from our ordering system.
- See the information on the FTP page for
a list of mirror machines.
- Go to the pub/OpenBSD/5.7/ directory on
one of the mirror sites.
- Have a look at the 5.7 errata page for a list
of bugs and workarounds.
- See a detailed log of changes between the
5.6 and 5.7 releases.
- signify(1) pubkeys for this release:
base: RWSvUZXnw9gUb70PdeSNnpSmodCyIPJEGN1wWr+6Time1eP7KiWJ5eAM
fw: RWSuRBL44FVkb2QuvtlwOJmzS9UJtbKZd7GEYcol8HPXu4On/Ct1LoZr
pkg: RWTJ1iHLn/zcvJJSbxJIEU9ChlfAlU16XoLLxmxciliOFWfTLyOv0vQs
All applicable copyrights and credits can be found in the applicable
file sources found in the files src.tar.gz, sys.tar.gz,
xenocara.tar.gz, or in the files fetched via ports.tar.gz. The
distribution files used to build packages from the ports.tar.gz file
are not included on the CDROM because of lack of space.
What's New
This is a partial list of new features and systems included in OpenBSD 5.7.
For a comprehensive list, see the changelog leading
to 5.7.
- Improved hardware support, including:
- New xhci(4) driver for USB 3.0 host controllers.
- New umcs(4) driver for MosChip Semiconductor 78x0 USB multiport serial adapters.
- New skgpio(4) driver for Soekris net6501 GPIO and LEDs.
- New uslhcom(4) driver for Silicon Labs CP2110 USB HID based UART.
- New nep(4) driver for Sun Neptune 10Gb Ethernet devices.
- New iwm(4) driver for Intel 7260 wifi cards.
- The rtsx(4) driver now supports RTS5227 and RTL8411B card readers.
- The bge(4) driver now supports jumbo frames on various BCM57xx chipsets.
- The ciss(4) driver now supports HP Gen9 Smart Array/Smart HBA devices.
- The mpi(4) and mpii(4) drivers now have mpsafe interrupt handlers running without the big lock.
- The ppb(4) driver now supports PCI bridges that support subtractive decoding (fixes PCMCIA behind the ATI SB400 PCI bridge), and devices with 64-bit BARs behind PCI-PCI bridges as seen on SPARC T5-2 systems.
- The pucdata(4) driver now supports Winchiphead CH382 devices.
- The sdmmc(4) driver now supports eMMC storage devices larger than 2GB.
- The sdhc(4) driver now supports Ricoh R5U822 and R5U823 card readers.
- The mfii(4) driver now supports the Megaraid 3008 (Fury) and 3108 (Invader) cards.
- The myx(4) driver runs less code under big lock.
- The msk(4) driver now supports Yukon Prime, Yukon Optima 2, Yukon 88E8079, and various EC U and Surpreme chipsets.
- The umass(4) driver now supports Archos 24y Vision devices.
- The athn(4) driver now supports Atheros UB94 devices.
- The azalia(4) driver now supports Realtek ALC885 codecs and Bay Trail HD Audio devices.
- The ix(4) driver now supports onboard Ethernet devices in SPARC T5 machines.
- The upd(4) driver how handles UPSes with broken report descriptors.
- The ums(4) driver now supports the USB Tablet device emulated by Qemu.
- The umsm(4) driver now supports MEDION S4222 devices.
- The pciide(4) driver now supports Intel C610 chipsets.
- The ukbd(4) driver now supports "wellspring" Apple keyboards.
- The pms(4) driver now supports click-and-drag with Elantech v4 touchpads.
- The umodem(4) driver now supports Arduino Leonardo devices.
- Wireless network scanning problems with the iwn(4) driver have been fixed.
- Support for RS* IGP Radeon devices in the radeondrm(4) driver has been fixed.
- Removed hardware support:
- The lofn(4) and nofn(4) drivers for Hifn crypto accelerator devices have been removed.
- The art(4) driver for Accoom Networks Artery T1/E1 drives has been removed.
- The urio(4) driver for Diamond Multimedia Rio MP3 players has been removed.
- Generic network stack improvements:
- Installer improvements:
- The etc and xetc sets are now part of base and
xbase and are not distributed separately anymore. They are extracted
from base and xbase during installation.
- The installer now supports
trunk(4)
interfaces during upgrades.
- The discovery of the responsefile location for unattended installation and
upgrade has been extended to be more flexible.
- Ask for the location if dhcp discovery fails for location or mode.
- Provide a default url if the 'next-server' dhcp option is found.
- Use /auto_install.conf or /auto_upgrade.conf if present.
- Automatically start installer in unattended mode if either one of these
files is present when the system boots.
- Routing daemons and other userland network improvements:
- OpenSMTPD 5.4.4:
- Security improvements:
- Assorted improvements:
- OpenSSH 6.8
- Potentially-incompatible changes:
- sshd(8):
UseDNS now defaults to 'no'. Configurations that match
against the client host name (via
sshd_config(5)
or authorized_keys) may need to re-enable it or convert to
matching against addresses.
- New/changed features:
- Much of OpenSSH's internal code has been re-factored to be more
library-like. These changes are mostly not user-visible, but
have greatly improved OpenSSH's testability and internal layout.
- Add FingerprintHash option to
ssh(1)
and
sshd(8),
and equivalent command-line flags to the other tools to control
algorithm used for key fingerprints. The default changes from MD5
to SHA256 and format from hex to base64. Fingerprints now have the
hash algorithm prepended. Please note that visual host keys will also
be different.
- ssh(1),
sshd(8):
Host key rotation support. Add a protocol extension for a server
to inform a client of all its available host keys after authentication
has completed. The client may record the keys in known_hosts,
allowing it to upgrade to better host key algorithms and a server
to gracefully rotate its keys. The client side of this is controlled
by a UpdateHostkeys config option (default on).
- ssh(1):
Add a
ssh_config(5)
HostbasedKeyType option to control which host public key types
are tried during host-based authentication.
- ssh(1),
sshd(8):
fix connection-killing host key mismatch errors when
sshd(8)
offers multiple ECDSA keys of different lengths.
- ssh(1):
when host name canonicalisation is enabled, try to parse host names
as addresses before looking them up for canonicalisation. Fixes
bz#2074 and avoiding needless DNS lookups in some cases.
- ssh-keygen(1),
sshd(8):
Key Revocation Lists (KRLs) no longer require OpenSSH to be
compiled with OpenSSL support.
- ssh(1),
ssh-keysign(8):
Make ed25519 keys work for host based authentication.
- sshd(8):
SSH protocol v.1 workaround for the Meyer, et al., Bleichenbacher
Side Channel Attack. Fake up a bignum key before RSA decryption.
- sshd(8):
Remember which public keys have been used for authentication and
refuse to accept previously-used keys. This allows
AuthenticationMethods=publickey,publickey to require that
users authenticate using two different public keys.
- sshd(8):
add
sshd_config(5)
HostbasedAcceptedKeyTypes and PubkeyAcceptedKeyTypes
options to allow
sshd(8)
to control what public key types will be accepted. Currently defaults
to all.
- sshd(8):
Don't count partial authentication success as a failure against
MaxAuthTries.
- ssh(1):
Add RevokedHostKeys option for the client to allow text-file
or KRL-based revocation of host keys.
- ssh-keygen(1),
sshd(8):
Permit KRLs that revoke certificates by serial number or key ID without
scoping to a particular CA.
- ssh(1):
Add a "Match canonical" criteria that allows
ssh_config(5)
Match blocks to trigger only in the second config pass.
- ssh(1):
Add a -G option to
ssh(1)
that causes it to parse its configuration and dump the result to
stdout, similar to "sshd -T".
- ssh(1):
Allow Match criteria to be negated
(e.g. "Match !host").
- The regression test suite has been extended to cover more OpenSSH
features. The unit tests have been expanded and now cover key
exchange.
- The following significant bugs have been fixed in this release:
- ssh-keyscan(1):
ssh-keyscan(1)
has been made much more robust again servers that hang or violate
the SSH protocol.
- ssh(1),
ssh-keygen(1):
Fix regression bz#2306: Key path names were being lost as comment
fields.
- ssh(1):
Allow
ssh_config(5)
Port options set in the second config parse phase to be
applied (they were being ignored). (bz#2286)
- ssh(1):
Tweak config re-parsing with host canonicalisationmake the
second pass through the config files always run when host name
canonicalisation is enabled (and not whenever the host name changes).
(bz#2267)
- ssh(1):
Fix passing of wildcard forward bind addresses when connection
multiplexing is in use. (bz#2324)
- ssh-keygen(1):
Fix broken private key conversion from non-OpenSSH formats. (bz#2345)
- ssh-keygen(1):
Fix KRL generation bug when multiple CAs are in use.
- Various fixes to manual pages. (bz#2273, bz#2288 and bz#2316)
- LibreSSL
- mandoc 1.13.2:
- Ports and packages:
- Many pre-built packages for each architecture:
- i386: XXXX
- sparc64: XXXX
- alpha: XXXX
- sh: XXXX
|
- amd64: XXXX
- powerpc: XXXX
- m88k: XXXX
- sparc: XXXX
|
- arm: XXXX
- hppa: XXXX
- vax: XXXX
|
- mips64: XXXX
- mips64el: XXXX
|
- Some highlights:
- GNOME 3.14.2
- KDE 3.5.10
- KDE 4.14.3
- Xfce 4.10
- MariaDB 10.0.16
- PostgreSQL 9.4.1
- Postfix 2.11.4
- Sendmail 8.15.1
- OpenLDAP 2.3.43 and 2.4.40
- Mozilla Firefox 31.4.0esr and 35.0.1
- Mozilla Thunderbird 31.4.0
- GHC 7.8.4
- LibreOffice 4.3.5.2
- Emacs 21.4 and 24.4
- Vim 7.4.475
- PHP 5.3.29, 5.4.38, 5.5.22 and 5.6.5
- Python 2.7.9 and 3.4.2
- Ruby 1.8.7.374, 1.9.3.551, 2.0.0.598, 2.1.5, and 2.2.0
- Tcl/Tk 8.5.16 and 8.6.2
- JDK 1.7.0.71
- Mono 3.12.0
- Chromium 40.0.2214.114
- Groff 1.22.3
- Go 1.4.1
- GCC 4.8.4 and 4.9.2
- LLVM/Clang 3.5 (20140228)
- Node.js 0.10.35
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
- Xenocara (based on X.Org 7.7 with xserver 1.16.4 + patches,
freetype 2.5.5, fontconfig 2.11.1, Mesa 10.2.9, xterm 314,
xkeyboard-config 2.13 and more)
- Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches)
- Perl 5.20.1 (+ patches)
- SQLite 3.8.6 (+ patches)
- NSD 4.1.1
- Unbound 1.5.2rc1
- Sudo 1.7.2p8
- Ncurses 5.7
- Binutils 2.15 (+ patches)
- Gdb 6.3 (+ patches)
- Less 458 (+ patches)
- Awk Aug 10, 2011 version
How to install
Following this are the instructions which you would have on a piece of
paper if you had purchased a CDROM set instead of doing an alternate
form of install. The instructions for doing an FTP (or other style
of) install are very similar; the CDROM instructions are left intact
so that you can see how much easier it would have been if you had
purchased a CDROM instead.
Please refer to the following files on the three CDROMs or FTP mirror for
extensive details on how to install OpenBSD 5.7 on your machine:
Quick installer information for people familiar with OpenBSD, and the
use of the "disklabel -E" command. If you are at all confused when
installing OpenBSD, read the relevant INSTALL.* file as listed above!
OpenBSD/i386:
Play with your BIOS options to enable booting from a CD. The OpenBSD/i386
release is on CD1. If your BIOS does not support booting from CD, you will need
to create a boot floppy to install from. To create a boot floppy write
CD1:5.7/i386/floppy57.fs to a floppy and boot via the floppy drive.
If you can't boot from a CD or a floppy disk,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
To make a boot floppy under MS-DOS, use the "rawrite" utility located
at CD1:5.7/tools/rawrite.exe. To make the boot floppy under a Unix OS,
use the
dd(1)
utility. The following is an example usage of
dd(1),
where the device could be "floppy", "rfd0c", or
"rfd0a".
# dd if=<file> of=/dev/<device> bs=32k
Make sure you use properly formatted perfect floppies with NO BAD BLOCKS or
your install will most likely fail. For more information on creating a boot
floppy and installing OpenBSD/i386 please refer to
FAQ 4.3.2.
OpenBSD/amd64:
The 5.7 release of OpenBSD/amd64 is located on CD2.
Boot from the CD to begin the install - you may need to adjust
your BIOS options first.
If you can't boot from the CD, you can create a boot floppy to install from.
To do this, write CD2:5.7/amd64/floppy57.fs to a floppy, then
boot from the floppy drive.
If you can't boot from a CD or a floppy disk,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
OpenBSD/macppc:
Burn the image from the FTP site to a CDROM, and power on your machine
while holding down the C key until the display turns on and
shows OpenBSD/macppc boot.
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot
/5.7/macppc/bsd.rd
OpenBSD/sparc64:
Put CD3 in your CDROM drive and type boot cdrom.
If this doesn't work, or if you don't have a CDROM drive, you can write
CD3:5.7/sparc64/floppy57.fs or CD3:5.7/sparc64/floppyB57.fs
(depending on your machine) to a floppy and boot it with boot
floppy. Refer to INSTALL.sparc64 for details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
You can also write CD3:5.7/sparc64/miniroot57.fs to the swap partition on
the disk and boot with boot disk:b.
If nothing works, you can boot over the network as described in INSTALL.sparc64.
OpenBSD/alpha:
Write FTP:5.7/alpha/floppy57.fs or
FTP:5.7/alpha/floppyB57.fs (depending on your machine) to a diskette and
enter boot dva0. Refer to INSTALL.alpha for more details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
OpenBSD/armish:
After connecting a serial port, Thecus can boot directly from the network
either tftp or http. Configure the network using fconfig, reset,
then load bsd.rd, see INSTALL.armish for specific details.
IOData HDL-G can only boot from an EXT-2 partition. Boot into linux
and copy 'boot' and bsd.rd into the first partition on wd0 (hda1)
then load and run bsd.rd, preserving the wd0i (hda1) ext2fs partition.
More details are available in INSTALL.armish.
OpenBSD/hppa:
OpenBSD/landisk:
Write miniroot57.fs to the start of the CF
or disk, and boot normally.
OpenBSD/loongson:
Write miniroot57.fs to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
OpenBSD/luna88k:
Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and the bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
OpenBSD/octeon:
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
OpenBSD/sgi:
To install, burn cd57.iso on a CD-R, put it in the CD drive of your
machine and select Install System Software from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
OpenBSD/socppc:
After connecting a serial port, boot over the network via DHCP/tftp.
Refer to the instructions in INSTALL.socppc for more details.
OpenBSD/sparc:
Boot from one of the provided install ISO images, using one of the two
commands listed below, depending on the version of your ROM.
ok boot cdrom 5.7/sparc/bsd.rd
or
> b sd(0,6,0)5.7/sparc/bsd.rd
If your SPARC system does not have a CD drive, you can alternatively boot from floppy.
To do so you need to write floppy57.fs to a floppy.
For more information see FAQ 4.3.2.
To boot from the floppy use one of the two commands listed below,
depending on the version of your ROM.
ok boot floppy
or
> b fd()
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
If your SPARC system doesn't have a floppy drive nor a CD drive, you can either
setup a bootable tape, or install via network, as told in the
INSTALL.sparc file.
OpenBSD/vax:
Boot over the network via mopbooting as described in INSTALL.vax.
OpenBSD/zaurus:
Using the Linux built-in graphical ipkg installer, install the
openbsd57_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus
for a few important details.
Notes about the source code:
src.tar.gz contains a source archive starting at /usr/src. This file
contains everything you need except for the kernel sources, which are
in a separate archive. To extract:
# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
How to upgrade
If you already have an OpenBSD 5.6 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
Upgrade Guide.
Ports Tree
A ports tree archive is also provided. To extract:
# cd /usr
# tar xvfz /tmp/ports.tar.gz
The ports/ subdirectory is a checkout of the OpenBSD ports tree. Go
read the ports page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
The ports/ directory represents a CVS (see the manpage for
cvs(1) if
you aren't familiar with CVS) checkout of our ports. As with our complete
source tree, our ports tree is available via
AnonCVS.
So, in order to keep current with it, you must make the ports/ tree
available on a read-write medium and update the tree with a command
like:
# cd /usr/ports
# cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_5_7
[Of course, you must replace the server name here with a nearby anoncvs
server.]
Note that most ports are available as packages through FTP. Updated
ports for the 5.7 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
ports@openbsd.org is a good place to know.