OpenBSD: Users' View

Many users have commented on their use of OpenBSD. The following are unsolicited comments from our public mailing lists or, occasionally, other mailing lists (these have links to the original articles). Postings have been shortened, and edited slightly for spelling and grammar, but are otherwise unchanged.

Jules Desforges wrote this in an introduction to the ukopenbsdusers mailing list:

My name is Jules and I live in Kent. I've been using OpenBSD since 2.9. I have OpenBSD running on 6 x Nexcom NSA1086's to provide core routing between our Data Centres. All the routes are running from read-only Compact Flash. Largely runs untroubled, pushing ~ 400Mb/s. Main motivation was the cost savings compared to equivalent Junpier/Cisco kit. I hope to be testing the new MPLS code soon.

Shawn Kohrman writes:

As a Security/Network Administrator for over ten years, I have to say OpenBSD is hands down the best out-of-the-box OS I have seen yet. I have worked with MS NT/2000, Linux (from its humble beginnings), Solaris, etc. OpenBSD is simple, clean, secure and reliable. Many thanks to the developers for an outstanding job.

Kris Wilkinson writes:

I've been securing networks for quite some time now, and until recently when I installed Open BSD 3.0 I never realized how easy my life could have been had I tried it earlier. After experiencing all the "other" operating systems available, 3.0 has to be the most secure, easily managed and well organized package I have ever seen. Not only is it completely cutting edge, it focuses on the smaller points of security which I'm tired of having to manually tweak every time you setup a box.

I am securing networks all over Alberta using your fantastic setup. Thank you so much! Keep up the incredible work.

Matthew Haas says this:

I've been very impressed with OpenBSD since my decision to install it. Definitely a great system, reminds me of my Slackware days, but better.


Grant Bayley, an IT Manager from Australia, writes:

By way of success stories, since a few of us at 2600 Australia started using OpenBSD about 12 months ago now in some form or another, we've seen... friends load it onto their machines and been simply amazed at the quality of it, in particular the forethought that goes into securing things out of the box.

We've also had one of our guys working at an ISP go head-to-head with an in-house SuSE zealot of sorts on a compatibility, stability and security test in advance of them selecting an operating system for their servers (which, while using RedHat, had been rooted at least once). OpenBSD passed with flying colors and as of today, they're beginning a roll-out of 2.6 onto their servers, mostly using stock components and software from the ports tree (qmail, cucipop etc).

System and Network Administrator Jeff Schneiter offers this:

With a frozen budget it sure makes one squeeze every last bit of power out of whatever hardware one can lay his hands on... and thanks to OpenBSD, I have been doing just that.

Tony Sarendal says this:

I tried OpenBSD because of the IPsec support. The reason I stick with it is because it really is nice to use and it gives a feeling of quality which no other OS can match.

I did some programming on an OpenBSD machine, after this I really appreciated the man pages. Other Unices I used had man pages that simply weren't any good.

Keep up the good work guys.

Security Engineer Tyler Allison writes:

I have installed, secured, and maintained Linux, Windows NT and OpenBSD in highly secure environments. (yes you can secure Linux and Windows NT in this environment :) ). Having said that I have to point out that if you want a minimum administration to keep up with security issues option you need to pick OpenBSD by far. It is not uncommon for people to go years without updating their production OpenBSD machines because they are just rock solid and there are no known "remote" vulnerabilities. Thus no good reason to upgrade...

I would feel perfectly happy to have one of my [novice] interns do a basic OpenBSD install on a PC (no extra security work after the install) and then put the companies crown jewels on that machine and then walk away for a year. Knowing full well that machine hasn't crashed, been broken into or in need of an OS upgrade. You can't say that about NT or Linux. Or if you do you obviously haven't ever used the product that way :)

Another thing that I hear people point out is go check your local exploit site or vulnerability alert mailing list and see if you can find a "remote" root level exploit that works on OpenBSD. I dare say you won't find any that are less than 12 months old.

Jan Johansson gave this reply to a "how do I build a cheap web server?" query:

I work today with Solaris, OpenBSD, NT Server, NT Workstation and Win 95.

After reading Bugtraq for some weeks I will say that I will never put any (important) machine on the Internet if there is not a firewall in front and for packet filtering I go for OpenBSD...

For a cheap web server I say hardware from a known vendor, an ordered OpenBSD CD-ROM and Apache...

William Yodlowsky at Devry Institute wrote:

[A few] years ago I was just getting into system administration. I learned Linux first. Then one of our old (I mean *really* old) BSDi servers crashed, and it was up to me to rebuild the system.

I looked at FreeBSD, NetBSD, OpenBSD and Linux. In the end, it came down to "secure and stable" that took the prize. OpenBSD 2.1 was installed.

Since then, I've run 2.1-2.5 on everything from production servers to laptops. We've never (repeat: NEVER) had a break-in.

A coworker setup a RedHat based box to test his skills at setting up SSL and a secure web site. It was hacked literally overnight, and by the next morning was attacking other sites.

Our OpenBSD servers were probed and then left alone.

In the intervening two years, that original server got upgraded and patched several times and the OS never gave us reason to question the reliability or security of OpenBSD.

We have another box, acting as a router for about 800 workstations doing very basic filtering and NAT. It's on a P120 with 32MB RAM and typically the uptime would look like this:

% uptime
 9:05PM  up 266 days,  4:23, 1 user, load averages: 0.06, 0.06, 0.06

As well, OpenBSD runs on my laptop. A Gateway Solo 2500 with a Xircom modem, and a Linksys fast Ethernet NIC.

And it never crashes :)

One other incident that made me a believer... we were pingbombed [perhaps a predecessor to the early2000 DDOS attacks?]. I mean, 900 different hosts on different networks floodpinging an OpenBSD 2.3 box simultaneously, while it was processing email and web pages for 3500 users.

It was a P133 with 64MB ram. And it didn't go down. It got a bit slower, but never crashed :-)

John J. Adelsberger III said this about us in Bruce Schneier's Crypto-Gram:

(the comments he is responding to are Schneier's)

> Real systems show no signs of becoming less
> complex. In fact, they are becoming more complex,
> faster and faster. Microsoft Windows is a poster
> child for this trend to complexity.
> The other choice is to slow down, to simplify,
> and to try to add security.

OpenBSD does this. I am unaware of any other group whose workings are publicly viewable that does so [emphasis added], which is regrettable, because I would prefer not to have this appear as an OpenBSD plug; rather, my purpose is to point out that not only is this approach feasible, but it is being done.

Andrew Hermetz commented as follows:

Hey all,

Just wanted to drop a line and thank all who have worked to make OpenBSD such a clean, cool, & efficient project.

Major kudos to Theo for being a man ahead of his time! ;-)

As I have to frequently explain to people *why* security is important at all ("if you have nothing to hide...", "nothing you do is important enough to warrant encryption...", "only criminals and terrorists need to sneak around anonymously...", etc. ad nauseam), let alone *why* it's important in this day and age of personal networks behind a DSL or even a full T1, I love being able to point them to a page which sets out a well-reasoned explanation for taking computer security seriously.

[... OpenBSD installed] effortlessly onto a Pentium 90 Compaq LTE 5100 laptop -- even the no-name brand LAN card came right up and did a kickass install over a friend's office T1. When I sing its praises, the thing that seems to get most people is its spartan look & feel, but I like knowing where everything is and not having a distro that shoves [stuff] into dark corners I'll never find...

Ben Smith, president of wbp systems says:

OpenBSD is the most secure operating system wbp systems has ever used. With all of our products, OpenBSD has allowed us to focus on our customers instead of tweaking the OS to make it secure. Internally we use OpenBSD for everything imaginable. With its rock solid performance, we never have to worry about a file server, proxy server or application server crashing.