OpenBSD facts for kids

Kids Encyclopedia Facts

Quick facts for kids
OpenBSD
Free, Functional, and Secure
OpenBSD 7.0 default desktop with various utilities: top, xterm, xcalc, and glxgears
Company / developer	Theo de Raadt et al.
Programmed in	C, assembly, Perl, Unix shell
OS family	Unix-like (BSD)
Working state	Current
Source model	Open source
Initial release	July 1996; 29 years ago (1996-07)
Package manager	OpenBSD package tools
Supported platforms	Alpha, x86-64, ARMv7, ARMv8 (64-bit), PA-RISC, IA-32, LANDISK, Loongson, Omron LUNA-88K, MIPS64, macppc, PowerPC, 64-bit RISC-V, SPARC64
Kernel type	Monolithic
Userland	BSD
Default user interface	Modified pdksh, X11 (FVWM)
License	BSD, ISC, other permissive licenses

OpenBSD is a special kind of operating system that focuses on security. It's also free and open-source, meaning anyone can use, change, and share its code. OpenBSD is based on Unix-like systems, specifically the Berkeley Software Distribution (BSD).

Theo de Raadt started OpenBSD in 1995. He created it by taking the code from NetBSD 1.0 and making his own version. The OpenBSD project cares a lot about making software that works on many different computers (portability). They also focus on following rules (standardization), fixing mistakes (correctness), and building in cryptography (secret codes) for safety.

The OpenBSD project also makes many parts of its system available for other operating systems. For example, the firewall in Apple's macOS uses code from OpenBSD's PF firewall. Also, Windows 10 uses OpenSSH (OpenBSD Secure Shell), which helps you connect to other computers safely.

The word "open" in OpenBSD means that its source code is available for everyone to see on the Internet. It also means that OpenBSD works on many different types of computers. This includes common ones like x86-64 and ARM, and others like PowerPC.

History of OpenBSD

In December 1994, Theo de Raadt was a founding member of the NetBSD project. He left the NetBSD team because of disagreements. In October 1995, De Raadt started OpenBSD. This new project was based on NetBSD 1.0.

The first release, OpenBSD 1.2, came out in July 1996. OpenBSD 2.0 followed in October of the same year. Since then, the project has released a new version every six months. Each version is supported for one year.

In 2007, OpenBSD developers created the OpenBSD Foundation. This is a non-profit group in Canada. Its goal is to help people and organizations support OpenBSD legally.

How Many People Use OpenBSD?

This chart shows how many people used different BSD systems in a 2005 survey.

It's hard to know exactly how many people use OpenBSD. The developers don't track or share these numbers.

In 2005, a survey of 4,330 BSD users showed that 32.8% used OpenBSD. This was less than FreeBSD (77%) but more than NetBSD (16.3%). However, the survey creators said it wasn't perfect. It mainly reached people through online groups, so it might not show the full picture.

What OpenBSD Is Used For

OpenBSD is known for being very secure and stable. This makes it useful for many different jobs.

Network Devices

OpenBSD has strong TCP/IP networking features. It can be used as a router or a wireless access point. Its security features, built-in cryptography, and packet filter make it great for security. This includes firewalls, systems that detect attacks, and VPN gateways.

Some companies use OpenBSD as the base for their own security products.

Other Operating Systems

Parts of OpenBSD's code are used in other operating systems. For example, some versions of Microsoft's Windows Services for UNIX use OpenBSD code. The pf firewall from OpenBSD is also used in FreeBSD and macOS.

Personal Computers

OpenBSD comes with Xenocara, which is its version of the X Window System. This means it can be used as a desktop system for personal computers, including laptops. As of 2018, OpenBSD had about 8,000 software packages available. These include desktop environments like GNOME and Xfce, and web browsers like Firefox and Chromium.

Servers

OpenBSD has all the tools needed for a server. It can be set up as a mail server, web server, FTP server, DNS server, router, firewall, or NFS file server. Since version 6.8, OpenBSD also includes WireGuard support, which is a modern VPN technology.

Security Focus

OpenBSD console login screen showing system messages.

OpenBSD is very focused on security. When OpenBSD was new, Theo de Raadt worked with a security company. This helped make security the main goal of the OpenBSD project.

OpenBSD has many features to make it more secure:

It uses safer ways to handle data in its C programming library.
It has tools that check code for problems.
It uses memory protection to stop unauthorized access.
It uses strong cryptography and randomization to make things harder for attackers.
It limits what programs can do, like what files they can access.

To make it harder for attackers to take control, many programs in OpenBSD are designed with "privilege separation." This means a program is split into parts. One part does sensitive tasks with special permissions, while the main part runs with very few permissions. This limits damage if a program is attacked.

OpenBSD developers also created OpenSSH (OpenBSD Secure Shell). This tool helps you connect to other computers securely. It's based on the original SSH and is now used on many operating systems.

The project constantly checks its own code for security problems. Developers look for bugs and try to fix them. They also try to improve the tools that help find these bugs.

OpenBSD's Security Track Record

OpenBSD is famous for its security record. For many years, their website proudly stated:

Five years without a remote hole in the default install!

In 2002, a serious bug was found in OpenSSH. This bug allowed an attacker to gain full control of a computer from far away. Because OpenSSH was used widely, this was a big deal. The slogan on the OpenBSD website changed to:

One remote hole in the default install, in nearly 6 years!

In 2007, another remote security problem was found. The slogan changed again:

Only two remote holes in the default install, in a heck of a long time!

Some people have criticized this slogan. They say the default OpenBSD installation has very few running services. If you add more software, you might introduce new security risks. However, the project says the slogan only refers to the basic, default installation, which is very secure.

OpenBSD believes in making systems simple and secure by default. The basic installation is very minimal. This helps new users stay safe without needing to be security experts right away. Users must manually turn on extra services, which makes them think about security first.

Alleged Backdoor

In 2010, a former FBI consultant claimed that the FBI paid some OpenBSD developers to add secret backdoors. These backdoors would allow unauthorized access. Theo de Raadt made this claim public and asked developers to check the code. They fixed some bugs, but found no evidence of backdoors. De Raadt thought that if backdoors were written, they probably didn't make it into OpenBSD's main code.

Criticisms of Security

In 2017, a security expert named Ilja van Sprundel said that even though OpenBSD was the most secure BSD system, "Bugs are still easy to find in those kernels."

In 2019, another talk at a conference argued that while OpenBSD has good security features, some of them might not be as effective as believed. They suggested a more scientific approach to designing security measures.

Key Projects Started by OpenBSD

Many open-source projects began as parts of OpenBSD. These projects are often used in other operating systems too.

bioctl: A tool to manage RAID storage systems.
CARP: A free way to make network systems more reliable.
cwm: A simple window manager for the desktop.
doas: A safer replacement for the `sudo` command.
OpenBSD httpd: OpenBSD's own web server.
hw.sensors: A system for reading hardware sensors.
LibreSSL: A version of SSL and TLS protocols, made from OpenSSL.
OpenBGPD: A tool for managing network routing.
OpenIKED: A tool for secure network connections.
OpenNTPD: A simpler way to keep computer clocks accurate.
OpenOSPFD: A tool for managing network routing.
OpenSMTPD: An email server.
OpenSSH: A very popular tool for secure remote connections.
PF: A powerful firewall for network traffic.
pfsync: A way to keep firewall settings in sync for high reliability.
sndio: A small system for audio and MIDI.
spamd: A spam filter that works with the PF firewall.
Xenocara: OpenBSD's custom version of the X.Org system.

Many of these tools are used by other Unix-like systems. OpenBSD developers often create new tools from scratch if they feel existing ones are not good enough. This leads to many useful components that other systems adopt.

OpenBSD runs most of its standard programs in a very secure way. This means they are limited in what they can access on the system.

How OpenBSD Is Developed

OpenBSD developers at a "hackathon" event in 2001.

OpenBSD hackathon s2k17

OpenBSD is always being developed. Anyone with the right skills can help. New versions are released twice a year, and each is supported for 12 months. There are also "snapshot" releases available often.

Users can update their systems with patches using `syspatch`. They can also upgrade to newer versions using `sysupgrade`. The standard OpenBSD kernel is recommended for most users.

Software not part of the main system is managed through a "ports tree." This is a collection of instructions for building software packages. OpenBSD builds these packages centrally for different computer types. It's usually best for users to install these pre-built packages.

OpenBSD developers often meet at special events called "hackathons." Here, they work together intensely on coding. Most new releases also come with a unique song!

Open Source and Documentation

OpenBSD is known for its good documentation.

When OpenBSD started, its creator, Theo de Raadt, decided that the source code should be open to everyone. This was unusual at the time. This decision allowed more people to help improve the project. OpenBSD still uses a system called CVS (or its own version, OpenCVS) to manage its code.

OpenBSD does not include secret, "closed source" drivers. They also don't use code that requires signing non-disclosure agreements. This means all the code is open for review.

Because OpenBSD is based in Canada, it doesn't have the same export rules for cryptography as the United States. This allows it to use strong encryption. For example, sensitive data on the system is encrypted to keep it safe.

OpenBSD also makes many things random. This makes it harder for attackers to predict how the system works. For example, process IDs and port numbers are random. This also helps find bugs in the system.

OpenBSD believes that hardware companies should provide documentation for their devices. Without it, developers can make mistakes when writing drivers. They also don't trust closed-source drivers from vendors because they can't fix them if they break.

Licensing Rules

OpenBSD has strict rules about software licenses. They prefer licenses like the ISC license and other BSD licenses. These licenses allow people to use and share the code freely. They consider licenses like the Apache License and GNU General Public License to be too restrictive.

In 2001, OpenBSD checked all its code for licensing issues. They found some code that wasn't properly licensed. They either removed it, replaced it, or got new permission to use it. For example, they removed all software from Daniel J. Bernstein because he required approval for any changes.

Because of these license concerns, OpenBSD developers have rewritten software from scratch. For instance, they created the PF packet filter after problems with another firewall's license. PF first appeared in OpenBSD 3.0 and is now used in many other operating systems. OpenBSD has also replaced tools licensed under the GPL with more open alternatives.

Funding OpenBSD

Even though OpenBSD is used in many commercial products, most of its funding doesn't come from companies. Instead, it comes from user donations and people buying their CD-ROMs.

In the early 2000s, the project received some funding from DARPA. This helped pay developers and buy hardware.

In 2006, OpenBSD faced financial problems. Organizations like the Mozilla Foundation and GoDaddy helped them. However, Theo de Raadt noted that most of the money came from individual users, not big companies.

In 2014, OpenBSD needed money to cover electricity costs. They received a large donation from Mircea Popescu, a bitcoin creator. The project raised enough money to secure its future for a while.

OpenBSD Foundation

OpenBSD Foundation
Formation	July 25, 2007; 18 years ago (2007-07-25)
Founder	OpenBSD developers
Legal status	Nonprofit organization
Location	Canada

The OpenBSD Foundation is a non-profit group in Canada. It was started by the OpenBSD project in 2007. Its main job is to be a legal contact point for people and groups who want to support OpenBSD. It also helps protect other related projects like OpenSSH and LibreSSL.

Since 2014, big companies like Microsoft, Facebook, and Google have given money to the OpenBSD Foundation. In 2015, Microsoft became a "gold level" supporter. This was to help develop OpenSSH, which Microsoft started using in Windows.

How OpenBSD Is Shared

OpenBSD is available in several ways for free. You can get its source code or download ready-to-use versions. For a small fee, you used to be able to order CD-ROM sets. These CDs, with their artwork and theme songs, were a key way the project earned money. However, CD-ROM sets are no longer released since version 6.1.

OpenBSD has a system for installing and managing extra programs. These are called "packages." They are pre-built files that you can easily add or remove. OpenBSD's packages are designed to work perfectly with each specific version of the operating system.

Songs and Artwork

Puffy, the mascot of OpenBSD

A 3D animated version of Puffy.

The cover for OpenBSD 2.3.

OpenBSD first used a special version of the BSD daemon as its mascot. This was drawn by Erick Green for versions 2.3 and 2.4.

Later, OpenBSD chose a pufferfish named Puffy as its mascot. Puffy now appears on OpenBSD's promotional items. He is also featured in the release songs and artwork.

Each OpenBSD release has a unique theme, including CD-ROMs, songs, posters, and T-shirts. These often share a message important to the project, sometimes using humor or parody.

For example, OpenBSD 3.3 had "Puff the Barbarian," a rock song parody of Conan the Barbarian. It was about open documentation. OpenBSD 3.7 featured "The Wizard of OS," a parody of The Wizard of Oz about wireless drivers. OpenBSD 3.8 had "Hackers of the Lost RAID," a parody of Indiana Jones about new RAID tools.

OpenBSD Versions

The table below lists the different versions of the OpenBSD operating system.

Legend:	Old version, not maintained	Older version, still maintained	Current stable version	Latest preview version	Future release

Version	Release date	Supported until	Key changes
Old version, no longer maintained: 1.1	18 October 1995		OpenBSD's code storage (CVS) was created. This was an early development version, not an official release.
Old version, no longer maintained: 1.2	1 July 1996		Added a manual page for kernel details. Integrated the `update(8)` command. Also an early development version.
Old version, no longer maintained: 2.0	1 October 1996		The first official OpenBSD release. XFree86 recognized OpenBSD as separate from NetBSD. Added the FreeBSD ports system. Replaced `gawk` with AT&T `awk`. Included zlib and sudo.
Old version, no longer maintained: 2.1	1 June 1997		Replaced the old `sh` with pdksh.
Old version, no longer maintained: 2.2	1 December 1997		Added the `afterboot(8)` manual page.
Old version, no longer maintained: 2.3	19 May 1998		Introduced the "haloed daemon" mascot (head only).
Old version, no longer maintained: 2.4	1 December 1998		Featured the complete "haloed daemon" mascot.
Old version, no longer maintained: 2.5	19 May 1999		Introduced the Cop daemon image.
Old version, no longer maintained: 2.6	1 December 1999		First release of OpenSSH, which is now widely used.
Old version, no longer maintained: 2.7	15 June 2000		Added support for SSH2 in OpenSSH.
Old version, no longer maintained: 2.8	1 December 2000		Included `isakmpd(8)`.
Old version, no longer maintained: 2.9	1 June 2001		Improved filesystem performance.
Old version, no longer maintained: 3.0	1 December 2001		Featured the song E-Railed (OpenBSD Mix). Developed the pf packet filter after license issues with IPFilter.
Old version, no longer maintained: 3.1	19 May 2002		Systemagic song released. First official remote security flaw found in OpenSSH.
Old version, no longer maintained: 3.2	1 November 2002		Goldflipper song released.
Old version, no longer maintained: 3.3	1 May 2003		Puff the Barbarian song released, about open documentation. Integrated ALTQ code into pf. Introduced the W^X memory protection feature.
Old version, no longer maintained: 3.4	1 November 2003		The Legend of Puffy Hood song released, about free speech. Changed executable format on i386. Replaced GPL-licensed tools like `gzip` and `grep` with BSD-licensed ones. Added Address space layout randomization (ASLR) by default. Introduced basic hardware monitoring.
Old version, no longer maintained: 3.5	1 May 2004		CARP License song released, with an anti-software patents message. Introduced CARP. Replaced more GPL-licensed tools with BSD equivalents. AMD64 platform became stable enough for release.
Old version, no longer maintained: 3.6	1 November 2004		Pond-erosa Puff (live) song released, about liberal license enforcement. Developed OpenNTPD. Removed Ethereal from ports due to security concerns. Added support for I²C devices.
Old version, no longer maintained: 3.7	19 May 2005		The Wizard of OS song released, about wireless drivers.
Old version, no longer maintained: 3.8	1 November 2005	1 November 2006	Hackers of the Lost RAID song released, about new RAID tools. Removed the telnet daemon. Introduced bioctl for RAID management.
Old version, no longer maintained: 3.9	1 May 2006	1 May 2007	Attack of the Binary BLOB song released, about fighting binary blobs. Enhanced OpenBGPD. Improved hardware sensors support.
Old version, no longer maintained: 4.0	1 November 2006	1 November 2007	Humppa Negala song released. Second official remote security flaw found.
Old version, no longer maintained: 4.1	1 May 2007	1 May 2008	Puffy Baba and the 40 Vendors song released, criticizing hardware vendors. Redesigned the hardware sensor system.
Old version, no longer maintained: 4.2	1 November 2007	1 November 2008	100001 1010101 song released. Improved usability of sensors.
Old version, no longer maintained: 4.3	1 May 2008	1 May 2009	Home to Hypocrisy song released.
Old version, no longer maintained: 4.4	1 November 2008	18 October 2009	Trial of the BSD Knights song released, about BSD history. Improved sparc64 support. Enhanced memory allocation security. Hardware sensors used by more drivers.
Old version, no longer maintained: 4.5	1 May 2009	19 May 2010	Games song released. Hardware sensors used by even more drivers.
Old version, no longer maintained: 4.6	18 October 2009	1 November 2010	Planet of the Users song released. Introduced `smtpd(8)` (SMTP server) and `tmux(1)` (terminal multiplexer). Hardware sensors used by more drivers.
Old version, no longer maintained: 4.7	19 May 2010	1 May 2011	I'm Still Here song released.
Old version, no longer maintained: 4.8	1 November 2010	1 November 2011	El Puffiachi song released. Introduced `iked(8)` (IKEv2 daemon) and `ldapd(8)` (LDAP daemon).
Old version, no longer maintained: 4.9	1 May 2011	1 May 2012	The Answer song released. Introduced `rc.d(8)` for daemon control.
Old version, no longer maintained: 5.0	1 November 2011	1 November 2012	What Me Worry? song released.
Old version, no longer maintained: 5.1	1 May 2012	1 May 2014	Bug Busters song released.
Old version, no longer maintained: 5.2	1 November 2012	1 November 2013	Aquarela do Linux song released. Included `nginx(8)` HTTP server. Disabled SSLv2.
Old version, no longer maintained: 5.3	1 May 2013	1 May 2014	Blade Swimmer song released. Enabled Position-independent executables (PIE) by default on many platforms.
Old version, no longer maintained: 5.4	1 November 2013	1 November 2014	Our favorite hacks song released.
Old version, no longer maintained: 5.5	1 May 2014	1 May 2015	Wrap in Time song released. Introduced `signify(1)` for cryptographic signatures. Made 64-bit `time_t` standard, ready for the Year 2038 problem.
Old version, no longer maintained: 5.6	1 November 2014	18 October 2015	Ride of the Valkyries song released. LibreSSL was created from OpenSSL. Apache HTTPD was removed from the base system.
Old version, no longer maintained: 5.7	1 May 2015	29 March 2016	Source Fish song released. Introduced `rcctl(8)` for controlling daemons. `nginx(8)` and procfs were removed from the base system.
Old version, no longer maintained: 5.8	18 October 2015	1 September 2016	Multiple songs for the 20th anniversary release. Introduced `doas(1)` as a replacement for sudo.
Old version, no longer maintained: 5.9	29 March 2016	11 April 2017	Doctor W^X and Systemagic (Anniversary Edition) songs released. W^X enforced in i386 kernel. Introduced `pledge(2)` for process restriction.
Old version, no longer maintained: 6.0	1 September 2016	9 October 2017	Songs parodying Pink Floyd's albums. Introduced `vmm(4)` virtualization (disabled by default). Removed support for vax and 32-bit SPARC.
Old version, no longer maintained: 6.1	11 April 2017	15 April 2018	Winter of 95 song released. Introduced `syspatch(8)` for binary system updates. Added new `arm64` platform.
Old version, no longer maintained: 6.2	9 October 2017	18 October 2018	A three-line diff song released. Improved Intel graphics support. clang(1) became the default compiler on `i386` and `amd64`.
Old version, no longer maintained: 6.3	2 April 2018	3 May 2019	SMP (multiple processors) supported on `arm64`. Network stack improvements. Security improvements, including Meltdown/Spectre fixes. `pledge()` modified to support "execpromises."
Old version, no longer maintained: 6.4	18 October 2018	17 October 2019	Introduced `unveil(2)` for filesystem visibility restriction.
Old version, no longer maintained: 6.5	24 April 2019	19 May 2020	Support for NMEA 0183 altitude and ground speed sensors. Xenocara: Xorg (X Window Server) no longer runs with special permissions.
Old version, no longer maintained: 6.6	17 October 2019	18 October 2020	`sysupgrade(8)` automates upgrades to new releases. Added `amdgpu(4)` AMD RADEON GPU video driver.
Old version, no longer maintained: 6.7	19 May 2020	1 May 2021	Made ffs2 the default filesystem type for most installs.
Old version, no longer maintained: 6.8	18 October 2020	14 October 2021	25th anniversary release. New powerpc64 platform.
Old version, no longer maintained: 6.9	1 May 2021	21 April 2022	50th release.
Old version, no longer maintained: 7.0	14 October 2021	20 October 2022	51st release. New riscv64 platform.
Old version, no longer maintained: 7.1	21 April 2022	10 April 2023	52nd release. loongson support temporarily stopped for this release.
Old version, no longer maintained: 7.2	20 October 2022	16 October 2023	53rd release.
Old version, no longer maintained: 7.3	10 April 2023	5 April 2024	54th release. New security features for memory and executables. Full-disk encryption support in the installer.
Older version, yet still maintained: 7.4	16 October 2023	November 2024	55th release.
Current stable version: 7.5	5 April 2024	May 2024	56th release.