Tags: #OpenBSD #security #installation #SSD #TRIM #fstab #syspatch #network #doas #sudo #vi
OpenBSD: Post Installation Steps
Some steps that may be useful after a successful installation of OpenBSD…
User Locale
The list of supported locales can be obtained by running the command:
$ locale -a
If logging in via the text console, add to ~/.profile (the console login does not read ~/.xsession):
$ echo "export LANG=\"en_AU.UTF-8\"" >> ~/.profile
$ echo "export LC_ALL=\"en_AU.UTF-8\"" >> ~/.profile
If logging in via xdm, add:
$ echo "export LANG=\"en_AU.UTF-8\"" >> ~/.xsession
$ echo "export LC_ALL=\"en_AU.UTF-8\"" >> ~/.xsession
OpenBSD’s version of vi does not support UTF-8 yet. When Unicode is needed, the multibyte fork of the nvi editor for BSD, called nvi2, needs to be installed (optionally with iconv support):
$ pkg_add nvi
...
nvi-2.1.3p1-iconv: ok
Partition Mount Options
The TRIM feature for SSDs (also known as “Soft updates”) can be achieved by modifying the /etc/fstab file; the sed below adds both softdep and noatime to every read-write entry and writes the result into a temporary fstab file first:
$ sed 's/rw/rw,softdep,noatime/g' /etc/fstab > /tmp/fstab
If not already present in the /etc/fstab file, swap can be added as follows (using the temporary fstab file and assuming sd0 is the root disk; the disklabel pipeline extracts the disk’s DUID):
$ echo "`disklabel sd0 | grep uid | sed "s/^.* //g"`.b none swap sw 0 0" >> /tmp/fstab
Move the file into place and reboot:
$ mv /tmp/fstab /etc/fstab
$ reboot
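The two fstab edits above are easy to get subtly wrong when repeated (options added twice, or “rw” replaced inside a path). The script below is an added example, not code from the original page: it performs the same change on a copy of fstab, but only touches the options field of ffs filesystems mounted rw, adds each option at most once, and appends the swap line only when no swap entry exists. The DUID is passed in as a parameter instead of being read from disklabel, so it runs on any POSIX system; the sample fstab and its DUID are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): apply softdep,noatime and the
# swap entry to a COPY of fstab, idempotently and only where they belong.
# Usage: tune_fstab INPUT OUTPUT DUID   (DUID is assumed to come from
# "disklabel sd0" on a real system; here it is supplied by the caller)

tune_fstab() {
    awk -v duid="$3" '
        # comments and blank lines pass through untouched
        /^[ \t]*(#|$)/ { print; next }
        $3 == "swap" { have_swap = 1 }
        $3 == "ffs" {
            n = split($4, opt, ",")
            rw = 0; softdep = 0; noatime = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "rw")      rw = 1
                if (opt[i] == "softdep") softdep = 1
                if (opt[i] == "noatime") noatime = 1
            }
            # only read-write ffs mounts get the extra options, each once
            if (rw && !softdep) $4 = $4 ",softdep"
            if (rw && !noatime) $4 = $4 ",noatime"
        }
        { print }
        END {
            # swap on partition b of the given DUID, as in the page
            if (!have_swap && duid != "") print duid ".b none swap sw 0 0"
        }
    ' "$1" > "$2"
}

# Constructed sample fstab (not from a real system); the DUID is made up.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed sample
0123456789abcdef.a / ffs rw 1 1
0123456789abcdef.d /usr ffs rw,nodev,softdep 1 2
0123456789abcdef.e /home ffs rw,nodev,nosuid 1 2
/dev/cd0a /mnt/cdrom cd9660 ro,noauto 0 0
EOF

tune_fstab "$SAMPLE_FSTAB" "$SAMPLE_FSTAB.new" 0123456789abcdef
cat "$SAMPLE_FSTAB.new"
```

Running the function a second time over its own output changes nothing, which is the property the plain sed/echo pair lacks; review the resulting file before moving it over /etc/fstab.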
Privilege Command Execution
As an alternative to the sudo tool known from Linux environments, the doas tool can be used to execute commands as another user. Luckily, this software is already installed and just needs to be activated, e.g. for the group wheel (in /etc/doas.conf):
$ su -
$ echo "permit setenv { PKG_PATH } :wheel as root" > /etc/doas.conf
$ echo "permit nopass keepenv root as root" >> /etc/doas.conf
Network Interface Setup
In order to get interface setup details, the following can be run (in the output below, vio0 is the physical interface):
$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 3 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
vio0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 52:54:00:00:5d:c4
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet IPv4-ADDRESS netmask 0xffffff00 broadcast IPv4-BROADCAST-ADDRESS
enc0: flags=0<>
        index 2 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 7 priority 0 llprio 3
        groups: pflog
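Reading that output by eye works for one machine; for a baseline of many, a one-line-per-interface summary is more practical. The script below is an added example, not part of the original page: it reduces ifconfig output to name, UP flag, PROMISC flag, link-layer and IPv4 address, and lists interfaces with PROMISC set. On a default install only pflog0 carries that flag, so any other interface reported by promisc_ifaces deserves a look. The sample input is constructed from the output above, with a documentation-range address in place of the placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): summarise ifconfig(8) output,
# one line per interface, and flag promiscuous interfaces.
# Usage: ifconfig | iface_summary      or      iface_summary FILE

iface_summary() {
    awk '
        function flush() {
            if (name != "")
                printf "%s up=%s promisc=%s lladdr=%s inet=%s\n", name, up, promisc, lladdr, inet
        }
        # header lines start in column 1: "vio0: flags=8843<UP,BROADCAST,...>"
        /^[^ \t]+: flags=/ {
            flush()
            name = $1; sub(/:$/, "", name)
            up      = ($0 ~ /[<,]UP[,>]/) ? "yes" : "no"
            promisc = ($0 ~ /PROMISC/)    ? "yes" : "no"
            lladdr = "-"; inet = "-"
            next
        }
        # indented detail lines belong to the interface last seen
        $1 == "lladdr" { lladdr = $2 }
        $1 == "inet"   { inet = $2 }
        END { flush() }
    ' "$@"
}

# names of interfaces with PROMISC set, one per line
promisc_ifaces() {
    iface_summary "$@" | awk '$3 == "promisc=yes" { print $1 }'
}

# Constructed sample based on the ifconfig output shown above; 192.0.2.10 is
# a documentation-range placeholder, not a real host.
SAMPLE_IFCONFIG=$(mktemp)
cat > "$SAMPLE_IFCONFIG" <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 3 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
vio0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 52:54:00:00:5d:c4
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
enc0: flags=0<>
        index 2 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 7 priority 0 llprio 3
        groups: pflog
EOF

iface_summary "$SAMPLE_IFCONFIG"
echo "promiscuous: $(promisc_ifaces "$SAMPLE_IFCONFIG" | tr '\n' ' ')"
```

Saving the summary after installation and diffing it periodically gives a cheap check that no interface has changed address or been switched into promiscuous mode.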
Network interfaces usually have their configuration in /etc/hostname.XYZ, where XYZ is the interface system identifier. Assuming vio0, the particular network interface setup can be viewed as follows:
$ cat /etc/hostname.vio0
inet IPv4-ADDRESS NETWORK-MASK
After changing this file accordingly, the interface needs to be restarted using:
$ sh /etc/netstart vio0
Routing table(s) of IPv4 can be shown as follows:
$ netstat -nrf inet
The active internet IPv4 connections (including servers) can be shown as follows:
$ netstat -naf inet
IPv6 details are shown after replacing inet with inet6. Details of both protocols are shown after removing the -f inet option.
IP Address Provisioning
If required, the IPv4 Dynamic Host Configuration Protocol (DHCP) daemon (dhcpd) can be configured through the dhcpd.conf configuration file as follows:
$ vi /etc/dhcpd.conf
default-lease-time 86400;
option domain-name "domain.example";
subnet NETWORK_IP_ADDRESS netmask NETWORK_IP_MASK {
        option subnet-mask NETWORK_IP_MASK;
        option broadcast-address BROADCAST_IP_ADDRESS;
        option routers ROUTER_IP_ADDRESS;
        option domain-name-servers DNS1_IP_ADDRESS, DNS2_IP_ADDRESS;
        option ntp-servers NTP1_IP_ADDRESS, NTP2_IP_ADDRESS;
        range START_IP_ADDRESS END_IP_ADDRESS;
}
Furthermore, if static MAC-to-IP assignment is required, the following can be added to the configuration:
$ vi /etc/dhcpd.conf
group {
        option domain-name "domain.tld";
        use-host-decl-names on;
        host HOST1 {
                hardware ethernet MAC_ADDRESS_1;
                fixed-address IP_ADDRESS_1;
        }
        host HOST2 {
                hardware ethernet MAC_ADDRESS_2;
                fixed-address IP_ADDRESS_2;
        }
        # etc.
}
Naturally, the DHCP server needs to be enabled and started as follows:
$ rcctl {enable|start} dhcpd
The DHCP server lease database can be shown as follows:
$ cat /var/db/dhcpd.leases
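The leases database is the record of who obtained an address from this server, so it is worth more than a cat. The script below is an added example, not code from the original page: it parses the ISC-style lease records dhcpd writes into "IP MAC HOSTNAME ENDS" lines, keeps only the newest record per IP (later records supersede earlier ones in the file), and lists leases whose MAC is absent from an allow-list such as the hardware ethernet addresses of the fixed hosts declared above. The lease records and the allow-list used here are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the original page): summarise dhcpd.leases and
# report clients whose MAC is not on an allow-list.
# Usage: dhcp_leases LEASES_FILE
#        unknown_clients LEASES_FILE KNOWN_MACS_FILE   (one MAC per line)

dhcp_leases() {
    awk '
        $1 == "lease" { ip = $2; mac = "-"; host = "-"; ends = "-"; next }
        $1 == "hardware" && $2 == "ethernet" { mac = $3; sub(/;$/, "", mac) }
        $1 == "client-hostname" { host = $2; gsub(/[";]/, "", host) }
        $1 == "ends" { ends = ($2 == "never;") ? "never" : $3 " " $4; sub(/;$/, "", ends) }
        $1 == "}" && ip != "" {
            # a later record for the same IP supersedes the earlier one;
            # idx[] keeps first-seen order for stable output
            if (!(ip in rec)) idx[++n] = ip
            rec[ip] = ip " " mac " " host " " ends
            ip = ""
        }
        END { for (i = 1; i <= n; i++) print rec[idx[i]] }
    ' "$1"
}

unknown_clients() {
    dhcp_leases "$1" | awk -v known_file="$2" '
        BEGIN {
            # allow-list compared case-insensitively; blank/comment lines ignored
            while ((getline line < known_file) > 0)
                if (line != "" && line !~ /^#/) known[tolower(line)] = 1
        }
        !(tolower($2) in known)
    '
}

# Constructed sample leases (ISC-style layout as written by dhcpd) and a
# constructed allow-list; addresses are documentation-range placeholders.
SAMPLE_LEASES=$(mktemp); SAMPLE_KNOWN=$(mktemp)
cat > "$SAMPLE_LEASES" <<'EOF'
lease 192.0.2.50 {
        starts 2 2024/06/04 08:00:00;
        ends 2 2024/06/04 20:00:00;
        hardware ethernet 52:54:00:00:5d:c4;
        client-hostname "host1";
}
lease 192.0.2.51 {
        starts 2 2024/06/04 08:05:00;
        ends 2 2024/06/04 20:05:00;
        hardware ethernet 52:54:00:aa:bb:cc;
        client-hostname "unknown-laptop";
}
lease 192.0.2.50 {
        starts 2 2024/06/04 19:00:00;
        ends 2 2024/06/05 07:00:00;
        hardware ethernet 52:54:00:00:5d:c4;
        client-hostname "host1";
}
EOF
printf '%s\n' '# MACs of the fixed hosts from dhcpd.conf (constructed)' '52:54:00:00:5D:C4' > "$SAMPLE_KNOWN"

dhcp_leases "$SAMPLE_LEASES"
echo "--- not in allow-list:"
unknown_clients "$SAMPLE_LEASES" "$SAMPLE_KNOWN"
```

Feeding the real /var/db/dhcpd.leases and the MAC list from the host declarations into unknown_clients turns the static-assignment block above into a simple check for devices that were never meant to be on the segment.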
Time Synchronisation
The OpenNTP daemon, OpenNTPD, is a free, easy-to-use implementation of the Network Time Protocol (NTP), primarily developed as part of the OpenBSD project. The ntpd daemon acts in both modes, i.e. as a client as well as a server. The listen on directive instructs the daemon to listen on a particular IP, while the servers directive specifies which NTP servers the daemon should synchronise its time with.
By default, ntpd does not listen on any IP address and works in client mode only. Its configuration can be changed in ntpd.conf as follows:
$ vi /etc/ntpd.conf
listen on IP_ADDRESS1 # Addresses to listen on
listen on IP_ADDRESS2 # Multiple IP addresses can be defined
servers pool.ntp.org # or using the country-preferred version: XY.pool.ntp.org
sensor *
constraints from "https://www.google.com"
Once configured, the server can be enabled and started as follows:
$ rcctl {enable|start} ntpd
The OpenNTPD can be controlled by the ntpctl utility. In order to show all available data, the following command can be used:
$ ntpctl -s all
Logging is available in:
$ tail -f /var/log/daemon.log
Sep 15 01:23:45 openbsd ntpd[1234]: adjusting local clock by -0.123456s
Should the time become more than a couple of minutes off, it is recommended to bring it close to accurate initially with the -s flag, e.g. by running:
$ rcctl stop ntpd
$ ntpd -s
$ tail -f /var/log/daemon.log # until the following message appears
Apr 28 12:34:56 hostname ntpd[12345]: peer PEER-IP-ADDRESS now valid
$ kill `pgrep ntpd`
$ rcctl start ntpd
System Patches
The base system binary patches can be managed using the syspatch utility, which fetches, verifies, installs and reverts OpenBSD binary patches (since 6.1).
In order to list installed patches, the following command needs to be run:
$ syspatch -l
In order to list available patches, the following command needs to be applied:
$ syspatch -c
And in order to apply the available patches:
$ syspatch
A reboot is necessary to load a newly patched kernel:
$ reboot
Note: The currently available patches are also available online via the Errata and Patches section.
Reverting the most recently installed patch is possible using:
$ syspatch -r
or a recursive rollback (of all patches, one at a time until none is left) using:
$ while true; do syspatch -r || break; done
A Couple of Notes on the vi Editor
Coming from a Linux environment, administrators may only be familiar with nano, emacs or other text editors. OpenBSD allows installing various software as well, but why not use the built-in vi editor? It’s just a matter of time to get used to it.
Let’s try to create a text file /tmp/hello-world.txt that contains the immortal phrase “Hello world!”. Yeah, the briefest way is:
$ echo "Hello world!" > /tmp/hello-world.txt
That is obviously not using vi. Let’s use it then:
$ vi /tmp/hello-world.txt
Let’s delete the (single) line by pressing d1d (for 99 lines, it would be d99d).
Let’s save the file by pressing <ESCAPE>:w<ENTER>. Notice the :w appearing and disappearing at the bottom left of the terminal window.
Let’s write two new lines by pressing i (as in “insert”) first, and then typing:
What a great experience.
I can now work with the vi editor.
Let’s exit the file while saving the changes by pressing <ESCAPE>:wq<ENTER> (w for “write” and q for “quit”). A simpler solution is using <ESCAPE>:x<ENTER>, but the idea was to show that the commands can be “grouped”.
Now in the terminal window, let’s print the file content using:
$ cat /tmp/hello-world.txt
What a great experience.
I can now work with the vi editor.
Let’s open the file again and copy both lines by pressing (with the cursor on the first line) y2y (yank). Then move the cursor down to the second line and press p (paste). Voilà, the lines got copied after the cursor.
Note: Lines that were previously deleted using the dNUMBERd command can be brought back using the p command as well (a <CTRL>+x – <CTRL>+v process known from other operating systems).
There are many other useful commands within the vi editor. It is possible either to go through the man pages:
$ man vi
or to use your favourite web search engine to find a “vi cheat sheet”.
Packet Filtering
More information on packet filtering can be found in OpenBSD: Packet Filtering.
Software Installation
This part is a stub. The explanation is necessary…