.\" $OpenBSD: afterboot.8,v 1.42 2000/04/18 17:27:17 kjell Exp $ .Dd October 20, 1997 .Dt AFTERBOOT 8 \!\" Originally created by Marshall M. Midden -- 1997-10-20, m4@umn.edu .Os .Sh NAME .Nm afterboot .Nd things to check after the first complete boot .Sh DESCRIPTION .Ss Starting Out This document attempts to list items for the system administrator to check and set up after the installation and first complete boot of the system. The idea is to create a list of items that can be checked off so that you have a warm fuzzy feeling that something obvious has not been missed. A basic knowledge of .Ux is assumed, otherwise type .Pp .Dl Ic # help .Pp Complete instructions for correcting and fixing items is not provided. There are manual pages and other methodologies available for doing that. For example, to view the man page for the .Xr ls 1 command, type: .Pp .Dl Ic man 1 ls .Pp Administrators will rapidly become more familiar with .Ox if they get used to using the high quality manual pages. .Pp .Ss Errata By the time that you have installed your system, it is quite likely that bugs in the release have been found. All significant and easily fixed problems will be reported at .Pa http://www.openbsd.org/errata.html . The web page will mention if a problem is security related. It is recommended that you check this page regularly. .Ss Login Login on the console as .Dq Ic root . You will not be able to login over the network \(em only on the console. This behavior is controlled through the .Pa /etc/ttys file. See .Xr ttys 5 for more information. .Pp Upon successful login, you may see the message .Dq Don't login as root, use su . For security reasons, it is bad practice to login as root during regular use and maintenance of the system. Instead, administrators are encouraged to add a .Dq regular user, add said user to the .Dq wheel group, then use the .Ic su and .Ic sudo commands when root privileges are required. This process is described in more detail later. .Ss Root password Change the password for the root user. (Note that throughout the documentation, the term .Dq superuser is a synonym for the root user.) Choose a password that has numbers, digits, and special characters (not space) as well as from the upper and lower case alphabet. Do not choose any word in any language. It is common for an intruder to use dictionary attacks. Type the command .Ic /usr/bin/passwd to change it. .Pp It is a good idea to always specify the full path name for both the .Xr passwd 1 and .Xr su 1 commands as this inhibits the possibility of files placed in your execution .Ev PATH for most shells. Furthermore, the superuser's .Ev PATH should never contain the current directory .Po Dq \&. .Pc . .Ss System date Check the system date with the .Xr date 1 command. If needed, change the date, and/or change the symbolic link of .Pa /etc/localtime to the correct time zone in the .Pa /usr/share/zoneinfo directory. .Pp Examples: .Bl -tag -width date .It Cm date 199901271504 Set the current date to January 27th, 1999 3:04pm. .It Cm ln -fs /usr/share/zoneinfo/Canada/Atlantic /etc/localtime Set the time zone to Atlantic Standard Time. .El .Ss Check hostname Use the .Ic hostname command to verify that the name of your machine is correct. See the man page for .Xr hostname 1 if it needs to be changed. You will also need to edit the .Pa /etc/myname file to have it stick around for the next reboot. .Ss Verify network interface configuration The first thing to do is an .Ic ifconfig -a to see if the network interfaces are properly configured. Correct by editing .Pa /etc/hostname. Ns Ar interface (where .Ar interface is the interface name, e.g., .Dq le0 ) and then using .Xr ifconfig 8 to manually configure it if you do not wish to reboot. Read the .Xr hostname.if 5 man page for more information on the format of .Pa /etc/hostname. Ns Ar interface files. The loopback interface will look something like: .Bd -literal -offset indent lo0: flags=8009 inet 127.0.0.1 netmask 0xff000000 .Ed .Pp an Ethernet interface something like: .Bd -literal -offset indent le0: flags=9863 inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255 .Ed .Pp and, a PPP interface something like: .Bd -literal -offset indent ppp0: flags=8051 inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000 .Ed .Pp If you wish to turn on multicast routing, see the section titled .Dq Multicast routing. in .Pa /etc/netstart . .Pp See .Xr dhcp 8 for instructions on configuring interfaces with DHCP. .Ss Check routing tables Issue a .Ic netstat -r -n command. The output will look something like: .Bd -literal -offset indent Routing tables Internet: Destination Gateway Flags Refs Use Mtu Interface default 192.168.4.254 UGS 0 11098028 - le0 127 127.0.0.1 UGRS 0 0 - lo0 127.0.0.1 127.0.0.1 UH 3 24 - lo0 192.168.4 link#1 UC 0 0 - le0 192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0 192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0 .Ed .Pp The default gateway address is stored in the .Pa /etc/mygate file. If you need to edit this file, a painless way to reconfigure the network afterwards is .Ic route flush followed by a .Ic sh -x /etc/netstart command. Or, you may prefer to manually configure using a series of .Ic route add and .Ic route delete commands (see .Xr route 8 ) . .Pp If you wish to route packets between interfaces, add the directive .Bd -literal -offset indent net.inet.ip.forwarding=1 .Ed .Pp to .Pa /etc/sysctl.conf , or by compiling a new kernel with the .Cm GATEWAY option. Packets are not forwarded by default, due to RFC requirements. .Pp You can add new .Dq virtual interfaces by adding the required entries to .Pa /etc/ifaliases . .Ss BIND Name Server (DNS) If you are using the BIND Name Server, check the .Pa /etc/resolv.conf file. It may look something like: .Bd -literal -offset indent domain nts.umn.edu nameserver 128.101.101.101 nameserver 134.84.84.84 search nts.umn.edu. umn.edu. lookup file bind .Ed .Pp If using a caching name server add the line "nameserver 127.0.0.1" first. To get a local caching name server to run you will need to set "named_flags" in .Pa /etc/rc.conf and create the .Pa named.boot file in the appropriate place for .Xr named 8 . The same holds true if the machine is going to be a name server for your domain. In both these cases, make sure that .Xr named 8 is running (otherwise there are long waits for resolver timeouts). .Ss YP verification (NIS) Check the YP domain name with the .Xr domainname 1 command. If necessary, correct it by editing the .Pa /etc/defaultdomain file. The .Pa /etc/netstart script reads this file on bootup to determine and set the domain name. You may also set the running system's domain name with the .Xr domainname 1 command. To start YP client services, simply run .Ic ypbind , then perform the remaining YP activation as described in .Xr passwd 5 and .Xr group 5 . .Pp In particular, to enable YP passwd support, you'll need to add the following line to .Pa /etc/master.passwd : .Pp +:*:::::::: .Pp You do this by using .Xr vipw 8 , once this is done, you'll need to run .Ic pwd_mkdb /etc/master.passwd to regenerate the password databases. .Pp There are many more YP man pages available to help you. You can find more information by starting with .Xr yp 8 . .Ss Check disk mounts Check that the disks are mounted correctly by comparing the .Pa /etc/fstab file against the output of the .Xr mount 8 and .Xr df 1 commands. Example: .Bd -literal -offset indent .Li # Ic cat /etc/fstab /dev/sd0a / ffs rw 1 1 /dev/sd0b none swap sw 0 0 /dev/sd0d /usr ffs rw,nodev 1 2 /dev/sd0e /var ffs rw,nodev,noexec 1 2 /dev/sd0g /tmp ffs rw,nodev,noexec,nosuid 1 2 /dev/sd0h /home ffs rw,nodev,nosuid 1 2 .Li # Ic mount /dev/sd0a on / type ffs (local) /dev/sd0d on /usr type ffs (local, nodev) /dev/sd0e on /var type ffs (local, nodev, noexec) /dev/sd0g on /tmp type ffs (local, nodev, noexec, nosuid) /dev/sd0h on /home type ffs (local, nodev, nosuid) .Li # Ic df Filesystem 1024-blocks Used Avail Capacity Mounted on /dev/sd0a 22311 14589 6606 69% / /dev/sd0d 203399 150221 43008 78% /usr /dev/sd0e 10447 682 9242 7% /var /dev/sd0g 18823 2 17879 0% /tmp /dev/sd0h 7519 5255 1888 74% /home .Li # Ic pstat -s Device 512-blocks Used Avail Capacity Priority /dev/sd0b 131072 84656 46416 65% 0 .Ed .Pp Edit .Pa /etc/fstab and use the .Xr mount 8 and .Xr umount 8 commands as appropriate. Refer to the above example and .Xr fstab 5 for information on the format of this file. .Pp You may wish to do NFS partitions now too, or you can do them later. .Ss Concatenated disks (ccd) If you are using .Xr ccd 4 concatenated disks, edit .Pa /etc/ccd.conf . Use the .Ic ccdconfig -U command to unload and the .Ic ccdconfig -C command to create tables internal to the kernel for the concatenated disks. You then .Xr mount 8 , .Xr umount 8 , and edit .Pa /etc/fstab as needed. .Ss Automounter daemon (AMD) If using the .Xr amd 8 package, go into the .Pa /etc/amd directory and set it up by renaming .Pa master.sample to .Pa master and editing it and creating other maps as needed. Alternatively, you can get your maps with YP. .Sh INSTALLING SHARED CRYPTO LIBRARIES WITH RSA INCLUDED Two .Ox libraries .Pf ( Pa libssl and .Pa libcrypto , based on OpenSSL) implement many cryptographic functions which are used by OpenBSD programs like .Xr ssh 1 , .Xr httpd 8 , and .Xr isakmpd 8 . Due to patent licensing reasons, those libraries may not be included on the CD -- instead the base distribution contains libraries which have had the troublesome code removed -- the programs listed above will not be fully functional as a result. Libraries which _include_ the troublesome routines are available and can be FTP installed, as long as you meet the following (legal) criteria: .Ss Outside the USA, no restrictions apply Since the RSA algorithm patent by RSA Inc. only applies in the United States you can use the free .Pa ssl27.tgz package. System install scripts on machine architectures that support shared libraries will offer to let you install this package when you are installing your system. To see if you have it installed, type: .Bl -tag -width Ds .It Ic pkg_info ssl27 .El .Pp If the .Pa ssl27 package is not installed, .Xr pkg_info 8 will display a message that it can't find package `ssl27'. If you did not install the package when you installed your system, You can install it with a .Xr pkg_add 8 command similar to: .Bl -tag -width Ds .It Ic pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/2.7/packages//ssl27.tgz .El .Pp replacing .Dq with your machine architechture, e.g., .Dq i386 for Intel-based machines. .Ss Inside the USA, non-commercial use of RSAREF is permitted Non-commercial entities in the USA may install the .Pa sslUSA27.tgz package, which uses RSAREF. You install this with a .Xr pkg_add 8 command similar to: .Bl -tag -width Ds .It Ic pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/2.7/packages//sslUSA27.tgz .El .Pp replacing .Dq with your machine architechture, e.g., .Dq i386 for Intel-based machines. .Ss "Commercial entities in the USA are left in the cold." While unfortunate, this is due to the way RSA Inc. licences their patent in the USA. (This is how the USA crypto export policy feels to the rest of the world). .Ss Shared library support is required These packages update your system by installing shared libraries in .Pa /usr/local/lib. This only works if your machine architecture supports shared libraries. The .Pa ssl27 and .Pa sslUSA27 packages are only available for machines which support shared libraries. If your architecture does not support shared libraries and you wish it did, consider donating hardware, cash, or quality time to the project to assist developers in supporting your platform better. .Sh CHANGING /ETC FILES The system should be usable now, but you may wish to do more customizing, such as adding users, etc. Many of the following sections may be skipped if you are not using that package (for example, skip the .Sx Kerberos section if you won't be using Kerberos). We suggest that you .Ic cd /etc and edit most of the files in that directory. .Ss /etc/motd Edit .Pa motd to make lawyers comfortable and make sure that no mention of the word "Welcome" appears. (Some U.S. lawyers have stated that the word "Welcome" is an invitation to come on in.) Note that this file is modified by .Pa /etc/rc whenever the system is booted. To keep any custom message intact, ensure that you leave two blank lines at the top, or your message will be overwritten. .Ss Add new users Add users. There is an .Xr adduser 8 script. You may use .Xr vipw 8 to add users to the .Pa /etc/passwd file and edit .Pa /etc/group by hand to add new groups. The manual page for .Xr su 8 , tells you to make sure to put people in the .Sq wheel group if they need root access (non-Kerberos). For example: .Bd -literal -offset indent wheel:*:0:root,myself .Ed .Pp Follow instructions for .Xr kerberos 1 if using Kerberos for authentication. .Ss rc.conf, netstart, rc.local, rc.securelevel Check for any local changes needed in the files .Pa /etc/rc.conf , .Pa /etc/netstart , .Pa /etc/rc.local , and .Pa rc.securelevel . Turning on something like the Network Time Protocol in .Pa /etc/rc.conf requires making sure the package is installed. .Pp If you've installed X, you may want to turn on .Xr xdm 1 , the X Display Manager. To do this, change the value of xdm_flags in .Pa /etc/rc.conf . .Ss Printers Edit .Pa /etc/printcap and .Pa /etc/hosts.lpd to get any printers set up. Consult .Xr lpd 8 and .Xr printcap 5 if needed. .Ss Tighten up security You might wish to tighten up security more by editing .Pa /etc/fbtab as when installing X. In .Pa /etc/inetd.conf comment out any extra entries you do not need, and only add things that are really needed. Note that by default the .Xr telnetd 8 and .Xr ftpd 8 daemons are not enabled in favor of SSH (Secure Shell). .Ss Kerberos If you are going to use .Xr kerberos 1 for authentication, and you already have a Kerberos master, change directory to .Pa /etc/kerberosIV and configure. Remember to get a .Pa srvtab from the master so that the remote commands work. .Ss Mail Aliases Edit .Pa /etc/mail/aliases and set the three standard aliases to go to either a mailing list, or the system administrator. .Bd -literal -offset indent # Well-known aliases -- these should be filled in! root: sysadm manager: sysadm dumper: sysadm .Ed .Pp Run .Xr newaliases 1 after changes. .Ss Sendmail .Ox ships with a default .Pa /etc/mail/sendmail.cf file that will work for simple installations; it was generated from .Pa openbsd-proto.mc in .Pa /usr/share/sendmail/cf . Please see .Pa /usr/share/sendmail/README and .Pa /usr/share/doc/smm/08.sendmailop/op.me for information on generating your own sendmail configuration files. .Ss BOOTP server If this is a BOOTP server, edit .Pa /etc/bootptab as needed. You will have to turn it on in .Pa /etc/inetd.conf or run .Xr bootpd 8 in its standalone mode. .Ss NFS server If this is an NFS server make sure .Pa /etc/rc.conf has: .Bd -literal -offset indent nfs_server=YES .Ed .Pp Edit .Pa /etc/exports and get it correct. It is probably easier to reboot than to get the daemons running manually, but you can get the order correct by looking at .Pa /etc/netstart . .Ss HP remote boot server Edit .Pa /etc/rbootd.conf if needed for remote booting. If you do not have HP computers doing remote booting, do not enable this. .Ss Daily, weekly, monthly scripts Look at and possibly edit the .Pa /etc/daily , /etc/weekly , and .Pa /etc/monthly scripts. Your site specific things should go into .Pa /etc/daily.local , /etc/weekly.local , and .Pa /etc/monthly.local . .Pp These scripts have been limited so as to keep the system running without filling up disk space from normal running processes and database updates. (You probably do not need to understand them.) .Ss Other files in /etc Look at the other files in .Pa /etc and edit them as needed. (Do not edit files ending in .Pa .db \(em like .Pa pwd.db , spwd.db , nor .Pa localtime , nor .Pa rmt , nor any directories.) .Ss Crontab (background running processes) Check what is running by typing .Ic crontab -l as root and see if anything unexpected is present. Do you need anything else? Do you wish to change things? e.g., if you do not like root getting standard output of the daily scripts, and want only the security scripts that are mailed internally, you can type .Ic crontab -e and change some of the lines to read: .Bd -literal -offset indent 30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out 30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out 30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out .Ed .Pp See .Xr crontab 5 . .Ss Next day cleanup After the first night's security run, change ownerships and permissions on files, directories, and devices; root should have received mail with subject: " daily insecurity output.". This mail contains a set of security recommendations, presented as a list looking like this: .Bd -literal -offset indent var/mail: permissions (0755, 0775) etc/daily: user (0, 3) .Ed .Pp The best bet is to follow the advice in that list. The recommended setting is the first item in parentheses, while the current setting is the second one. This list is generated by .Xr mtree 8 using .Pa /etc/mtree/special . Use .Xr chmod 1 , .Xr chgrp 1 , and .Xr chown 8 as needed. .Ss Packages Install your own packages. The simple way is to copy source and compile and link/load. .Pp Copy vendor binaries and install them. You will need to install any shared libraries, etc. (Hint: .Ic man -k compat to find out how to install and use compatibility mode.) .Pp Install any of a large group of Third-Party Software that is available in source form. See .Pa http://www.openbsd.org under .Sq Ports: a Nice Way to Get Third-Party Software . .Pp You may have some difficulty installing due to various compiling errors. Don't get discouraged easily! Sometimes checking the mailing lists for past problems that people have encountered will result in a fix posted. One recent item says to delete .Pa -lcrypt from .Pa Makefile Ns No s as the crypt routines are now present in the standard libraries. .Sh COMPILING A KERNEL First, review the system message buffer using the .Xr dmesg 8 command to find out information on your system's devices as probed by the kernel at boot. In particular, note which devices were not configured. This information will prove useful when editing kernel configuration files. .Pp To compile your own kernel off a CD-ROM do the following: .Sm off .Bd -literal -offset indent .Li #\ Xo .Ic cd\ / .Ar somedir .Xc .Li #\ Xo .Ic cp\ /usr/src/sys/arch/ .Ar somearch .Ic /conf/ .Ar SOMEFILE .Ic \ . .Xc .Li #\ Xo .Ic vi\ \& .Ar SOMEFILE .No \ \ \ (to\ make\ any\ changes) .Xc .Li #\ Xo .Ic config\ -s\ /usr/src/sys\ -b\ .\ \& .Ar SOMEFILE .Xc .Li #\ Xo .Ic make .Xc .Ed .Sm on .Pp To compile a kernel inside a writable source tree, do the following: .Sm off .Bd -literal -offset indent .Li #\ Xo .Ic cd\ /usr/src/sys/arch/ .Ar somearch .Ic /conf .Xc .Li #\ Xo .Ic vi\ \& .Ar SOMEFILE .No \ \ \ (to\ make\ any\ changes) .Xc .Li #\ Xo .Ic config\ \& .Ar SOMEFILE .Xc .Li #\ Xo .Ic cd\ ../compile/ .Ar SOMEFILE .Xc .Li #\ Xo .Ic make .Xc .Ed .Sm on .Pp where .Ar somedir is a writable directory, .Ar somearch is the architecture (e.g. .Ic i386 ) , and .Ar SOMEFILE should be a name indicative of a particular configuration (often that of the hostname). You can also do a .Ic make depend so that you will have dependencies there the next time you do a compile. .Pp If you are building your kernel again, before you do a .Ic make you should do a .Ic make depend after making changes (including updates or patches) to your kernel source, or a .Ic make clean after making changes to your kernel options. .Pp After either of these two methods, you can place the new kernel (called .Pa bsd ) in .Pa / (i.e. .Pa /bsd ) and the system will boot it next time. Most people save their backup kernels as .Pa /bsd.1 , .Pa /bsd.2 , etc. .Pp It is not always necessary to recompile the kernel if only configuration changes are required. With .Xr config 8 , you can change the device configuration in the kernel file directly: .Bd -literal .Li #\ Ic config Fl e o Ar bsd.new /bsd OpenBSD 2.7-beta (GENERIC.rz0) #0: Mon Oct 4 03:57:22 MEST 1999 root@winona:/usr/src/sys/arch/pmax/compile/GENERIC.rz0 Enter 'help' for information ukc> .Pp Additionally, you can permanently save the changes made with UKC during boot time in the kernel image. .Ed .Sh SEE ALSO .Xr chgrp 1 , .Xr chmod 1 , .Xr crontab 1 , .Xr date 1 , .Xr df 1 , .Xr hostname 1 , .Xr kerberos 1 , .Xr make 1 , .Xr man 1 , .Xr netstat 1 , .Xr newaliases 1 , .Xr passwd 1 , .Xr su 1 , .Xr ccd 4 , .Xr aliases 5 , .Xr bootptab 5 , .Xr crontab 5 , .Xr exports 5 , .Xr fbtab 5 , .Xr fstab 5 , .Xr group 5 , .Xr krb.conf 5 , .Xr krb.realms 5 , .Xr passwd 5 , .Xr rbootd 5 , .Xr resolv.conf 5 , .Xr hostname 7 , .Xr adduser 8 , .Xr amd 8 , .Xr bootpd 8 , .Xr ccdconfig 8 , .Xr chown 8 , .Xr config 8 , .Xr dhcp 8 , .Xr domainname 8 , .Xr ext_srvtab 8 , .Xr ifconfig 8 , .Xr inetd 8 , .Xr mtree 8 , .Xr mount 8 , .Xr named 8 , .Xr rc 8 , .Xr rmt 8 , .Xr route 8 , .Xr umount 8 , .Xr vipw 8 , .Xr ypbind 8 .Sh HISTORY This document first appeared in .Ox 2.2 .