OpenBSD in CSCF
CSCF's ability to support OpenBSD is very limited. In mid-2007, CSCF started looking at OpenBSD for low-cost network load balancing using CARP/pfsync and relayd (formerly hoststated). CSCF is not looking at OpenBSD for firewalling (yet), as a pair of Netscreen 500 appliances serve that purpose quite nicely.
User Accounts
Since OpenBSD does not support LDAP, one needs to create accounts in the local database using the useradd command. The good news is that OpenBSD supports external authentication such as radius and krb5. We use radius to authenticate off the TwoFactor service, which essentially involves:
- Creating a new user class named twofactor that uses radius authentication. See login.conf(5) and login_radius(8) for details.
- Creating /etc/raddb/servers to store the shared secrets.
- Ensuring users are created with useradd -L twofactor
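
The three steps above can be audited after setup. The shell script below is an added example, not CSCF's own tooling: it checks a login.conf, a servers file and a master.passwd-format file given as paths. The two-field "server secret" line layout, the not-readable-by-other test, the uid range 1000..32766 and all sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Print the login.conf(5) record for class $2 in file $1, continuation lines joined.
class_record() {
    awk -v c="$2" '
        /^[ \t]*#/ { next }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); rec = rec $0 }
        /\\$/ { sub(/\\$/, "", rec); next }
        { if (rec ~ ("^" c "[:|]")) print rec; rec = "" }
    ' "$1"
}
# Step 1: the class must select the radius login style.
class_uses_radius() {
    class_record "$1" "$2" | grep -q ':auth=radius[,:]'
}
# Step 2: secrets file exists, is not readable by "other", and (assumed layout) has 2 fields per entry.
servers_file_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -0004)" ] || return 1
    awk '!/^[ \t]*(#|$)/ && NF < 2 { bad = 1 } END { exit bad + 0 }' "$1"
}
# Step 3: list accounts in the assumed human uid range whose class field (5th) is not $2.
users_outside_class() {
    awk -F: -v c="$2" '$3 >= 1000 && $3 < 32767 && $5 != c { print $1 }' "$1"
}
# Constructed sample files (not real CSCF configuration).
make_samples() {
    cat > "$1/login.conf" <<'EOF'
default:\
    :auth=passwd:
twofactor:\
    :auth=radius:\
    :tc=default:
EOF
    cat > "$1/servers" <<'EOF'
# server  shared-secret
radius.example.org  CONSTRUCTED-SECRET
EOF
    chmod 640 "$1/servers"
    cat > "$1/master.passwd" <<'EOF'
root:*:0:0:daemon:0:0:Root:/root:/bin/ksh
alice:*:1000:1000:twofactor:0:0:Alice:/home/alice:/bin/ksh
bob:*:1001:1001::0:0:Bob:/home/bob:/bin/ksh
EOF
}
d=$(mktemp -d) && make_samples "$d"
class_uses_radius "$d/login.conf" twofactor && echo "class: ok"
servers_file_ok "$d/servers" && echo "servers: ok"
echo "not in twofactor: $(users_outside_class "$d/master.passwd" twofactor)"
rm -rf "$d"
```

On a live host the three paths would be /etc/login.conf, /etc/raddb/servers and /etc/master.passwd, read as root.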
Notes
- OpenBSD 4.2 doesn't work properly with the NET0 and NET1 ports on the Sun Fire X4200 M2 server. This has been fixed for version 4.3 (out in Spring 2008). We worked around the issue by rebuilding the 4.2 kernel with a patch.
Resources
-- JasonTestart - 12 Dec 2007