.\" $OpenBSD: afterboot.8,v 1.127 2010/02/25 01:14:04 schwarze Exp $ .\" .\" Copyright (c) 1997 Marshall M. Midden .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. All advertising materials mentioning features or use of this software .\" must display the following acknowledgement: .\" This product includes software developed by Marshall M. Midden. .\" 4. The name of the author may not be used to endorse or promote products .\" derived from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .Dd $Mdocdate: February 25 2010 $ .Dt AFTERBOOT 8 .\" Originally created by Marshall M. Midden -- 1997-10-20, m4@umn.edu .Os .Sh NAME .Nm afterboot .Nd things to check after the first complete boot .Sh DESCRIPTION .Ss Starting out This document attempts to list items for the system administrator to check and set up after the installation and first complete boot of the system. The idea is to create a list of items that can be checked off so that you have a warm fuzzy feeling that something obvious has not been missed. A basic knowledge of .Ux is assumed, otherwise type: .Pp .Dl # help .Pp Complete instructions for correcting and fixing items is not provided. There are manual pages and other methodologies available for doing that. For example, to view the man page for the .Xr ls 1 command, type: .Pp .Dl # man 1 ls .Pp Administrators will rapidly become more familiar with .Ox if they get used to using the high quality manual pages. .Ss Errata By the time that you have installed your system, it is quite likely that bugs in the release have been found. All significant and easily fixed problems will be reported at .Pa http://www.openbsd.org/errata.html . The web page will mention if a problem is security related. It is recommended that you check this page regularly. .Ss Login Log in as .Dq root . You can do so on the console, or over the network using .Xr ssh 1 . If you wish to deny root logins over the network, edit the .Pa /etc/ssh/sshd_config file and set .Cm PermitRootLogin to .Dq no (see .Xr sshd_config 5 ) . .Pp For security reasons, it is bad practice to log in as root during regular use and maintenance of the system. Instead, administrators are encouraged to add a .Dq regular user, add said user to the .Dq wheel group, then use the .Xr su 1 and .Xr sudo 8 commands when root privileges are required. This process is described in more detail later. .Ss Root password Change the password for the root user. (Note that throughout the documentation, the term .Dq superuser is a synonym for the root user.) Choose a password that has digits and special characters (not space) as well as from the upper and lower case alphabet. Do not choose any word in any language. It is common for an intruder to use dictionary attacks. Type the command .Ic /usr/bin/passwd to change it. .Pp It is a good idea to always specify the full path name for the .Xr passwd 1 , .Xr su 1 and .Xr sudo 8 commands as this inhibits the possibility of files placed in your execution .Ev PATH for most shells. Furthermore, the superuser's .Ev PATH should never contain the current directory .Pq Dq \&. . .Ss System date Check the system date with the .Xr date 1 command. If needed, change the date, and/or change the symbolic link of .Pa /etc/localtime to the correct time zone in the .Pa /usr/share/zoneinfo directory. .Pp Examples: .Pp Set the current date to January 27th, 1999 3:04pm: .Dl # date 199901271504 .Pp Set the time zone to Atlantic Standard Time: .Dl # ln -fs /usr/share/zoneinfo/Canada/Atlantic /etc/localtime .Ss Check hostname Use the .Ic hostname command to verify that the name of your machine is correct. See the man page for .Xr hostname 1 if it needs to be changed. You will also need to edit the .Pa /etc/myname file to have it stick around for the next reboot. .Ss Verify network interface configuration The first thing to do is an .Ic ifconfig -a to see if the network interfaces are properly configured. Correct by editing .Pa /etc/hostname. Ns Ar interface (where .Ar interface is the interface name, e.g., .Dq le0 ) and then using .Xr ifconfig 8 to manually configure it if you do not wish to reboot. Read the .Xr hostname.if 5 man page for more information on the format of .Pa /etc/hostname. Ns Ar interface files. The loopback interface will look something like: .Bd -literal -offset indent lo0: flags=8009 mtu 32972 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet6 ::1 prefixlen 128 inet 127.0.0.1 netmask 0xff000000 .Ed .Pp an Ethernet interface something like: .Bd -literal -offset indent le0: flags=9863 inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255 inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1 .Ed .Pp and a PPP interface something like: .Bd -literal -offset indent ppp0: flags=8051 inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000 .Ed .Pp See .Xr netstart 8 for instructions on configuring multicast routing. .Pp See .Xr dhcp 8 for instructions on configuring interfaces with DHCP. .Ss Check routing tables Issue a .Ic netstat -rn command. The output will look something like: .Bd -literal -offset indent Routing tables Internet: Destination Gateway Flags Refs Use Mtu Interface default 192.168.4.254 UGS 0 11098028 - le0 127 127.0.0.1 UGRS 0 0 - lo0 127.0.0.1 127.0.0.1 UH 3 24 - lo0 192.168.4 link#1 UC 0 0 - le0 192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0 192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0 Internet6: Destination Gateway Flags Refs Use Mtu Interface ::/96 ::1 UGRS 0 0 32972 lo0 => ::1 ::1 UH 4 0 32972 lo0 ::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0 fc80::/10 ::1 UGRS 0 0 32972 lo0 fe80::/10 ::1 UGRS 0 0 32972 lo0 fe80::%le0/64 link#1 UC 0 0 1500 le0 fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0 ff01::/32 ::1 U 0 0 32972 lo0 ff02::%le0/32 link#1 UC 0 0 1500 le0 ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0 .Ed .Pp The default gateway address is stored in the .Pa /etc/mygate file. If you need to edit this file, a painless way to reconfigure the network afterwards is .Ic route flush followed by a .Ic sh -x /etc/netstart command. Or, you may prefer to manually configure using a series of .Ic route add and .Ic route delete commands (see .Xr route 8 ) . If you run .Xr dhclient 8 you will have to kill it by running .Ic pkill dhclient after you flush the routes. .Pp If you wish to route packets between interfaces, add one or both of the following directives (depending on whether IPv4 or IPv6 routing is required) to .Pa /etc/sysctl.conf : .Pp .Dl net.inet.ip.forwarding=1 .Dl net.inet6.ip6.forwarding=1 .Pp Packets are not forwarded by default, due to RFC requirements. .Ss Check disk mounts Check that the disks are mounted correctly by comparing the .Pa /etc/fstab file against the output of the .Xr mount 8 and .Xr df 1 commands. Example: .Bd -literal -offset indent # cat /etc/fstab /dev/sd0a / ffs rw 1 1 /dev/sd0d /usr ffs rw,nodev 1 2 /dev/sd0e /var ffs rw,nodev,nosuid 1 3 /dev/sd0g /tmp ffs rw,nodev,nosuid 1 4 /dev/sd0h /home ffs rw,nodev,nosuid 1 5 # mount /dev/sd0a on / type ffs (local) /dev/sd0d on /usr type ffs (local, nodev) /dev/sd0e on /var type ffs (local, nodev, nosuid) /dev/sd0g on /tmp type ffs (local, nodev, nosuid) /dev/sd0h on /home type ffs (local, nodev, nosuid) # df Filesystem 1024-blocks Used Avail Capacity Mounted on /dev/sd0a 22311 14589 6606 69% / /dev/sd0d 203399 150221 43008 78% /usr /dev/sd0e 10447 682 9242 7% /var /dev/sd0g 18823 2 17879 0% /tmp /dev/sd0h 7519 5255 1888 74% /home # pstat -s Device 512-blocks Used Avail Capacity Priority swap_device 131072 84656 46416 65% 0 .Ed .Pp Edit .Pa /etc/fstab and use the .Xr mount 8 and .Xr umount 8 commands as appropriate. Refer to the above example and .Xr fstab 5 for information on the format of this file. .Pp You may wish to do NFS partitions now too, or you can do them later. .Ss Check the running system You can use .Xr ps 1 , .Xr netstat 1 , and .Xr fstat 1 to check on running processes, network connections, and opened files, respectively. .Sh FURTHER CHANGES The system should be usable now, but you may wish to do more customizing, such as adding users, etc. Many of the following sections may be skipped if you are not using that package. We suggest that you .Ic cd /etc and edit any files in that directory as necessary. .Pp Note that the .Pa /etc/motd file is modified by .Pa /etc/rc whenever the system is booted. To keep any custom message intact, ensure that you leave two blank lines at the top, or your message will be overwritten. .Ss Add new users Add users. There is an .Xr adduser 8 script. You may use .Xr vipw 8 to add users to the .Pa /etc/passwd file and edit .Pa /etc/group by hand to add new groups. You may also wish to edit .Pa /etc/login.conf and tune some of the limits documented in .Xr login.conf 5 . The manual page for .Xr su 1 tells you to make sure to put people in the .Sq wheel group if they need root access (non-Kerberos). For example: .Pp .Dl wheel:*:0:root,myself .Pp Follow instructions for .Xr login_krb5 8 if using Kerberos for authentication. .Ss System command scripts The .Pa /etc/rc.*\& scripts are invoked at boot time, after single user mode has exited, and at shutdown. The whole process is controlled, more or less, by the master script .Pa /etc/rc . This script should not be changed by administrators. .Pp .Pa /etc/rc is in turn influenced by the configuration variables present in .Pa /etc/rc.conf . Again this script should not be changed by administrators: site-specific changes should be made to .Pq freshly created if necessary .Pa /etc/rc.conf.local . .Pp Any commands which should be run before the system sets its secure level should be made to .Pa /etc/rc.securelevel , and commands to be run after the system sets its secure level should be made to .Pa /etc/rc.local . Commands to be run before system shutdown should be set in .Pa /etc/rc.shutdown . .Pp For more information about system startup/shutdown files, see .Xr rc 8 , .Xr rc.conf 8 , .Xr securelevel 7 , and .Xr rc.shutdown 8 . .Pp If you've installed X, you may want to turn on .Xr xdm 1 , the X Display Manager. To do this, change the value of .Va xdm_flags in .Pa /etc/rc.conf.local . .Ss Set keyboard type Some architectures permit keyboard type control. Use the .Xr kbd 8 command to change the keyboard encoding. .Ic kbd -l will list all available encodings. .Ic kbd xxx will select the .Ic xxx encoding. Store the encoding in .Pa /etc/kbdtype to make sure it is set automatically at boot time. .Ss Printers Edit .Pa /etc/printcap and .Pa /etc/hosts.lpd to get any printers set up. Consult .Xr lpd 8 and .Xr printcap 5 if needed. .Ss Mail aliases Edit .Pa /etc/mail/aliases and set the three standard aliases to go to either a mailing list, or the system administrator. .Bd -literal -offset indent # Well-known aliases -- these should be filled in! root: sysadm manager: root dumper: root .Ed .Pp Run .Xr newaliases 8 after changes. .Ss Sendmail The default mail agent on .Ox is .Xr sendmail 8 . Details on how to configure an alternative mailer are documented in .Xr mailer.conf 5 . .Pp .Ox ships with a default .Pa /etc/mail/localhost.cf file that will work for simple installations; it was generated from .Pa openbsd-localhost.mc in .Pa /usr/share/sendmail/cf . Please see .Pa /usr/share/sendmail/README and .Pa /usr/share/doc/smm/08.sendmailop/op.me for information on generating your own sendmail configuration files. For the default installation, sendmail is configured to only accept connections from the local host and to not accept connections on any external interfaces. This makes it possible to send mail locally, but not receive mail from remote servers, which is ideal if you have one central incoming mail machine and several clients. To cause sendmail to accept external network connections, modify the .Va sendmail_flags variable in .Pa /etc/rc.conf.local to use the .Pa /etc/mail/sendmail.cf file in accordance with the comments therein. This file was generated from .Pa openbsd-proto.mc . .Pp Note that sendmail now also listens on port 587 by default. This is to implement the RFC 2476 message submission protocol. You may disable this via the .Ic no_default_msa option in your sendmail .mc file. See .Pa /usr/share/sendmail/README for more information. .Ss Daily, weekly, monthly scripts Review .Xr daily 8 to understand what the periodic system maintenance scripts do and how to customize them: For example, to enable .Ev ROOTBACKUP or to disable .Ev VERBOSESTATUS , or to add local maintenance code to .Pa /etc/daily.local , /etc/weekly.local , or .Pa /etc/monthly.local . .Ss Tighten up security You might wish to tighten up security more by editing .Pa /etc/fbtab as when installing X. In .Pa /etc/inetd.conf comment out any extra entries you do not need, and only add things that are really needed. .Ss Other files in /etc Look at the other files in .Pa /etc and edit them as needed. (Do not edit files ending in .Pa .db \(em like .Pa pwd.db , spwd.db , nor .Pa localtime , nor .Pa rmt , nor any directories.) .Ss Crontab (background running processes) Check what is running by typing .Ic crontab -l as root and see if anything unexpected is present. Do you need anything else? Do you wish to change things? See .Xr crontab 5 . .Ss Next day cleanup After the first night's .Xr security 8 run, change ownerships and permissions on files, directories, and devices; root may have received mail with subject: " daily insecurity output". This mail contains a set of security recommendations, presented as a list looking something like this: .Bd -literal -offset indent var/mail: permissions (0755, 0775) etc/daily: user (0, 3) .Ed .Pp The best bet is to follow the advice in that list. The recommended setting is the first item in parentheses, while the current setting is the second one. This list is generated by .Xr mtree 8 using .Pa /etc/mtree/special . Use .Xr chmod 1 , .Xr chgrp 1 , and .Xr chown 8 as needed. .Ss Daemons Enable/disable any daemon processes as necessary. .Xr intro 8 contains a comprehensive guide to the various daemons available on the .Ox system. .Ss Packages Install your own packages. The .Ox ports collection includes a large set of third-party software. A lot of it is available as binary packages that you can download from .Pa ftp://ftp.openbsd.org or a mirror, and install using .Xr pkg_add 1 . See .Xr ports 7 and .Xr packages 7 for more details. .Pp Copy vendor binaries and install them. You will need to install any shared libraries, etc. Read the compat_* man pages to find out how to install and use compatibility mode. .Pp There is also other third-party software that is available in source form only, either because it has not been ported to .Ox yet, or because licensing restrictions make binary redistribution impossible. Sometimes checking the mailing lists for past problems that people have encountered will result in a fix posted. .Ss Compiling a kernel Information on building and modifying kernels is contained within .Xr config 8 . .Sh SEE ALSO .Xr ksh 1 , .Xr man 1 , .Xr pkg_add 1 , .Xr ps 1 , .Xr vi 1 , .Xr hier 7 , .Xr config 8 , .Xr dmesg 8 , .Xr ifconfig 8 , .Xr intro 8 , .Xr sudo 8 , .Xr sysctl 8 .Sh HISTORY This document first appeared in .Ox 2.2 .