.Dd October 20, 1997
.Dt AFTERBOOT 8
\!\" Originally created by Marshall M. Midden -- 1997-10-20, m4@umn.edu
.Os
.Sh NAME
.Nm afterboot
.Nd things to check after the first complete boot
.Sh DESCRIPTION
This document attempts to list items for the system administrator
to check and set up after the installation and first complete boot of the
system.
The idea is to create a list of items that can be checked off so that you have
a warm fuzzy feeling that something obvious has not been missed.
.Pp
Complete instructions for correcting and fixing items are not provided.
There are man pages and other methodologies available for doing that.
For example, to view the manual page on the
.Xr ls 1
command, type:
.Ic man 1 ls .
.\"
.\" XXX This should be an enumerated list
.\"
.Ss Login
Log in on the console as
.Dq Ic root .
You will not be able to log in over the network \(em only on the console.
This behavior is controlled through the
.Pa /etc/ttys
file. See
.Xr ttys 5
for more information.
.Ss System Date
Check the system date with the
.Xr date 1
command.
If needed, change the date, and/or change the symbolic link of
.Pa /etc/localtime
to the correct time zone in the
.Pa /usr/share/zoneinfo
directory.
.Pp
Examples:
.Bl -tag -width date
.It Cm date 199901271504
Set the current date to January 27th, 1999 3:04pm.
.It Cm ln -fs /usr/share/zoneinfo/Canada/Atlantic /etc/localtime
Set the time zone to Atlantic Standard Time.
.El
.Ss Root password
Check the password for the root user.
Choose a password that has digits and special characters (not space)
as well as letters from the upper and lower case alphabet.
Do not choose any word in any language.
It is common for an intruder to use dictionary attacks.
Type the command
.Ic /usr/bin/passwd
to change it.
.Pp
It is a good idea to always specify the full path name for both the
.Xr passwd 1
and
.Xr su 1
commands, as this keeps most shells from running a file of the same name
that has been placed in a directory on your execution
.Ev PATH .
Furthermore, the super-user's
.Ev PATH
should never contain the current directory
.Po Dq \&.
.Pc .
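.Pp
A check of a search path for the problems described above, written as an added shell example that is not part of the original manual page. The function name audit_path and the group- and world-writable checks are assumptions of this example.

```sh
#!/bin/sh
# audit_path PATHSTRING
# Prints one line per risky entry in a colon-separated search path and
# returns 1 if any were found, 0 if the path is clean.
audit_path() {
    rest=$1:            # trailing colon so the loop also sees the last entry
    found=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
        "")
            # An empty entry means the current directory, exactly like ".".
            echo "empty entry (current directory)"
            found=1
            continue
            ;;
        /*) ;;
        *)
            echo "relative entry: $dir"
            found=1
            continue
            ;;
        esac
        # -L follows symbolic links such as /bin -> usr/bin.
        mode=$(ls -ldL "$dir" 2>/dev/null) || {
            echo "missing: $dir"
            found=1
            continue
        }
        # Mode string: type, then rwx for user, group and other.
        case $mode in
        d???????w*) echo "world-writable: $dir"; found=1 ;;
        d????w*)    echo "group-writable: $dir"; found=1 ;;
        d*) ;;
        *)          echo "not a directory: $dir"; found=1 ;;
        esac
    done
    return $found
}

# Check the path of the invoking user; run it as root to check root's own.
audit_path "$PATH" || echo "review the entries listed above"
```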
.Ss Check hostname
Use the
.Xr hostname 1
command to verify that the name of your machine is correct.
See the man page for
.Xr hostname 1
if you need to change it.
You will also need to edit the
.Pa /etc/myname
file to have it stick around for the next reboot.
.Ss Verify network interfaces configured correctly
The first thing to do is an
.Ic ifconfig -a
to see if the network interfaces are properly configured.
Correct by editing
.Pa /etc/hostname. Ns Ar interface
(where
.Ar interface
is the interface name, e.g.
.Dq le0 )
and then using
.Xr ifconfig 8
to manually configure it
if you do not wish to reboot.
The loopback interface will look something like:
.Bd -literal -offset indent
lo0: flags=8009<UP,LOOPBACK,MULTICAST>
        inet 127.0.0.1 netmask 0xff000000
.Ed
.Pp
an ethernet interface something like:
.Bd -literal -offset indent
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
        inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
.Ed
.Pp
and, a PPP interface something like:
.Bd -literal -offset indent
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
        inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000
.Ed
\!\"--------------------------------------------------------------------------
\!\" Will someone else fill in the slip interface.
\!\"--------------------------------------------------------------------------
.Pp
You may wish to turn off multicast routing in
.Pa /etc/netstart
by commenting it out, i.e. by placing a # sign at the start of the line:
.Bd -literal -offset indent
# route add -net 224.0.0.0 -interface $hostname
.Ed
.Pp
See
.Xr dhcp 8
for instructions on configuring interfaces with DHCP.
.Ss Check for correct routing
Do a
.Ic netstat -r -n
command. The output will look something like:
.Bd -literal -offset indent
Routing tables
Internet:
Destination    Gateway           Flags  Refs      Use  Mtu  Interface
default        192.168.4.254     UGS       0 11098028    -  le0
127            127.0.0.1         UGRS      0        0    -  lo0
127.0.0.1      127.0.0.1         UH        3       24    -  lo0
192.168.4      link#1            UC        0        0    -  le0
192.168.4.52   8:0:20:73:b8:4a   UHL       1     6707    -  le0
192.168.4.254  0:60:3e:99:67:ea  UHL       1        0    -  le0
.Ed
.Pp
Fix by editing the file
.Pa /etc/mygate
and using
.Ic route delete
and
.Ic route add
if you do not wish to reboot.
See
.Xr route 8 .
.Pp
If you wish to route packets between interfaces you do that by putting
.Bd -literal -offset indent
net.inet.ip.forwarding=1
.Ed
.Pp
in
.Pa /etc/sysctl.conf ,
or by compiling a new kernel with the GATEWAY option.
Packets are not forwarded by default, due to RFC requirements.
.Pp
You can add new "virtual interfaces" by adding the required entries to
.Pa /etc/ifaliases .
.Ss BIND Name Server (DNS)
If you are using the BIND Name Server, check the
.Pa /etc/resolv.conf
file. It may look something like:
.Bd -literal -offset indent
domain nts.umn.edu
nameserver 128.101.101.101
nameserver 134.84.84.84
search nts.umn.edu. umn.edu.
lookup file bind
.Ed
.Pp
If using a caching name server add the line "nameserver 127.0.0.1" first.
For a local caching name server to run
you will need to set "named_flags" in
.Pa /etc/rc.conf
and create the
.Pa named.boot
file in the appropriate place for
.Xr named 8 .
The same holds true if the machine is going to be a
name server for your domain. In both these cases, make sure that
.Xr named 8
is running
(otherwise there are long waits for resolver timeouts).
.Ss YP verification (NIS)
Check the YP domain name with the
.Xr domainname 1
command. If necessary, correct it by editing the
.Pa /etc/defaultdomain
file. The
.Pa /etc/netstart
script reads this file on bootup to determine and set the domain name.
You may also set the running system's domain name with the
.Xr domainname 1
command.
To start YP client services, simply run
.Ic ypbind ,
then perform the remaining
YP activation as described in
.Xr passwd 5
and
.Xr group 5 .
.Pp
In particular, to enable YP passwd support, you'll need to add the following
line to
.Pa /etc/master.passwd :
.Pp
+:*::::::::
.Pp
Once this is done, you'll need to run
.Ic pwd_mkdb /etc/master.passwd
to regenerate the password databases.
.Pp
There are many more YP man pages available to help you. You can find more
information by starting with
.Xr yp 8 .
.Ss Check disks are mounted correctly
Check that the disks are mounted correctly by
comparing the file
.Pa /etc/fstab
against the output of the
.Xr mount 8
and
.Xr df 1
commands.
Example:
.Bd -literal -offset indent
.Li # Ic cat /etc/fstab
/dev/sd0a  /      ffs   rw                      1 1
/dev/sd0b  none   swap  sw                      0 0
/dev/sd0d  /usr   ffs   rw,nodev                1 2
/dev/sd0e  /var   ffs   rw,nodev,noexec         1 2
/dev/sd0g  /tmp   ffs   rw,nodev,noexec,nosuid  1 2
/dev/sd0h  /home  ffs   rw,nodev,nosuid         1 2
.Li # Ic mount
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local, nodev)
/dev/sd0e on /var type ffs (local, nodev, noexec)
/dev/sd0g on /tmp type ffs (local, nodev, noexec, nosuid)
/dev/sd0h on /home type ffs (local, nodev, nosuid)
.Li # Ic df
Filesystem  1024-blocks    Used   Avail  Capacity  Mounted on
/dev/sd0a         22311   14589    6606     69%    /
/dev/sd0d        203399  150221   43008     78%    /usr
/dev/sd0e         10447     682    9242      7%    /var
/dev/sd0g         18823       2   17879      0%    /tmp
/dev/sd0h          7519    5255    1888     74%    /home
.Li # Ic pstat -s
Device      512-blocks    Used   Avail  Capacity  Priority
/dev/sd0b       131072   84656   46416     65%    0
.Ed
.Pp
Edit
.Pa /etc/fstab
and use the
.Xr mount 8
and
.Xr umount 8
commands as appropriate.
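.Pp
The comparison of /etc/fstab with the mount output described above, written as an added shell example that is not part of the original manual page. The names check_mounts and demo_check_mounts are assumptions; the function reads a saved copy of the mount output and handles only the line layout shown in the example above.

```sh
#!/bin/sh
# check_mounts FSTAB MOUNT_OUTPUT
# Prints every fstab(5) entry that is not mounted, is mounted from another
# device, or lacks a nodev/nosuid/noexec option that fstab asks for.
# Returns 0 when the two agree and 1 otherwise.
check_mounts() {
    awk '
    # First file: saved mount(8) output, "dev on /mp type ffs (local, nodev)".
    FILENAME == ARGV[1] {
        opts = $0
        sub(/^[^(]*\(/, "", opts)      # drop everything up to "("
        sub(/\).*$/, "", opts)         # drop ")" and anything after it
        gsub(/ /, "", opts)
        dev[$3] = $1
        active[$3] = "," opts ","
        next
    }
    # Second file: fstab; skip comments, short lines and swap.
    /^[ \t]*#/ || NF < 4 || $3 == "swap" { next }
    {
        mp = $2
        if (!(mp in dev)) { print mp ": not mounted"; bad = 1; next }
        if (dev[mp] != $1) {
            print mp ": mounted from " dev[mp] ", fstab says " $1
            bad = 1
        }
        n = split($4, want, ",")
        for (i = 1; i <= n; i++) {
            if (want[i] !~ /^(nodev|nosuid|noexec)$/) continue
            if (index(active[mp], "," want[i] ",") == 0) {
                print mp ": " want[i] " is in fstab but not in effect"
                bad = 1
            }
        }
    }
    END { exit bad + 0 }
    ' "$2" "$1"
}

# Constructed sample: three fstab lines from the example above, and mount
# output in which /tmp has lost its nosuid option.
demo_check_mounts() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/fstab" <<'EOF'
/dev/sd0a / ffs rw 1 1
/dev/sd0b none swap sw 0 0
/dev/sd0g /tmp ffs rw,nodev,noexec,nosuid 1 2
EOF
    cat > "$tmp/mount.out" <<'EOF'
/dev/sd0a on / type ffs (local)
/dev/sd0g on /tmp type ffs (local, nodev, noexec)
EOF
    check_mounts "$tmp/fstab" "$tmp/mount.out"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_check_mounts || echo "fstab and mount output disagree"
```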
.Pp
You may wish to do NFS partitions now too, or you can do them later.
.Ss Concatenated disks (ccd)
If you are using
.Xr ccd 4
concatenated disks, edit
.Pa /etc/ccd.conf
and use the
.Ic ccdconfig -U
command to unload, and the
.Ic ccdconfig -C
command to create tables internal to the kernel for the concatenated disks.
You then
.Xr mount 8 ,
.Xr umount 8
and edit
.Pa /etc/fstab
as needed.
.Ss Automounter daemon (AMD)
If using the
.Xr amd 8
package,
go into the
.Pa /etc/amd
directory and set it up by
renaming
.Pa master.sample
to
.Pa master
and editing it and creating other maps as needed.
Alternatively, you can get your maps with YP.
.Sh INSTALLING SHARED CRYPTO LIBRARIES WITH RSA INCLUDED
Two OpenBSD libraries
.Po
.Pa libssl
and
.Pa libcrypto ,
based on OpenSSL
.Pc
implement many
cryptographic functions which are used by OpenBSD programs like
.Xr ssh 1 ,
.Xr httpd 8 ,
and
.Xr isakmpd 8 .
Due to patent licensing reasons, those libraries may not be included
on the CD.
Instead, the base distribution contains libraries which have had
the troublesome code removed, and the programs listed above will not be fully
functional as a result.
Libraries which
.Em include
the troublesome routines
are available and can be FTP installed, as long as you meet the following
(legal) criteria:
.Ss Outside the USA, no restrictions apply
since the RSA algorithm patent by RSA inc. only applies in the United States
so you can use the free
.Pa ssl26.tgz
package. System install scripts on machine architectures that support
shared libraries will offer to let you install this package when you
are installing your system.
To see if you have it installed, type
.Bl -tag -width pkg_add
.It pkg_info ssl26
.El
.Pp
If the
.Pa ssl26
package is not installed,
.Xr pkg_info 8
will display a message that it can't find package `ssl26'.
If you did not install the package when you installed your system,
you can install it with a
.Xr pkg_add 8
command similar to:
.Bl -tag -width pkg_add
.It pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/2.6/packages/<a>/ssl26.tgz
.El
replacing <a> with your machine architecture, e.g. i386.
.Ss Inside the USA, non-commercial use of RSAREF is permitted.
Non-commercial entities in the USA may install the
.Pa sslUSA26.tgz
package, which uses RSAREF. You install this with a
.Xr pkg_add 8
command similar to:
.Bl -tag -width pkg_add
.It pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/2.6/packages/<a>/sslUSA26.tgz
.El
replacing <a> with your machine architecture, e.g. i386.
.Ss Commercial entities in the USA are left in the cold.
While unfortunate, this is due to the way RSA inc. licenses their patent
in the USA. (This is how the USA crypto export policy feels to the
rest of the world).
.Ss Shared Library Support is Required.
These packages update your system by installing shared libraries in
.Pa /usr/local/lib .
This only works if your machine architecture supports shared libraries.
The
.Pa ssl26
and
.Pa sslUSA26
packages are only available for machines which support shared libraries.
If your architecture does not support shared libraries and you wish it
did, consider donating hardware, cash, or quality time to the project
to assist developers in supporting your platform better.
.Sh CHANGING /ETC FILES
The system should be usable now, but you may wish to do more customizing,
such as adding users, etc. Many of the following sections may be skipped
if you are not using that package (for example, skip the
.Sx Kerberos
section if you won't be using Kerberos). We suggest that you
.Ic cd /etc
and edit most of the files in that directory.
.Ss /etc/motd
Edit
.Pa motd
to make lawyers comfortable and make sure that no mention
of the word "Welcome" appears. (Some U.S. lawyers have stated that
the word "Welcome" is an invitation to come on in.)
.Ss Add new users
Add users. There is an
.Xr adduser 8
script.
You may use
.Xr vipw 8
to add users to the
.Pa /etc/passwd
file
and edit
.Pa /etc/group
by hand to add new groups.
The manual page for
.Xr su 1
tells you to make sure to put people in
the
.Sq wheel
group if they need root access (non-Kerberos). For example:
.Bd -literal -offset indent
wheel:*:0:root,myself
.Ed
.Pp
Follow instructions for
.Xr kerberos 1
if using
Kerberos
for authentication.
.Ss rc.conf, netstart, rc.local, rc.securelevel
Check for any local changes needed in the files:
.Pa /etc/rc.conf , /etc/netstart , /etc/rc.local , /etc/rc.securelevel .
Turning on something like the Network Time Protocol in
.Pa /etc/rc.securelevel
requires making sure the package is installed.
.Pp
If you've installed X, you may want to turn on
.Xr xdm 1 ,
the X Display Manager. To do this, change the value of xdm_flags in
.Pa /etc/rc.conf .
.Ss Printers
Edit
.Pa /etc/printcap
and
.Pa /etc/hosts.lpd
to get any printers set up.
Consult
.Xr lpd 8
and
.Xr printcap 5
if needed.
.Ss Tighten up security
You might wish to tighten up security more by editing
.Pa /etc/fbtab
as when installing X.
In
.Pa /etc/inetd.conf
turn off extra stuff that you do not need,
and only add things that are really needed.
.Ss Kerberos
If you are going to use
.Xr kerberos 1
for authentication, and you already have a
Kerberos
master, go into the directory
.Pa /etc/kerberosIV
and configure.
Remember to get a
.Pa srvtab
from the master so that the remote commands work.
.Ss Mail Aliases
Edit
.Pa /etc/aliases
and set the four standard aliases to go to either a mailing list, or
the system administrator.
.Bd -literal -offset indent
# Well-known aliases -- these should be filled in!
root: sysadm
manager: sysadm
dumper: sysadm
operator: sysadm
.Ed
.Pp
Run
.Xr newaliases 1
after changes.
.Ss Sendmail
.Ox
ships with a default
.Pa /etc/sendmail.cf
file that will work for simple installations; it was generated from
.Pa openbsd-proto.mc
in
.Pa /usr/share/sendmail/cf .
Please see
.Pa /usr/share/sendmail/README
and
.Pa /usr/share/doc/smm/08.sendmailop/op.me
for information on generating your own sendmail configuration files.
.Ss BOOTP server
If this is a
BOOTP
server, edit
.Pa /etc/bootptab
as needed. You will have to turn it on in
.Pa /etc/inetd.conf
or run
.Xr bootpd 8
in its standalone mode.
.Ss NFS server
If this is an NFS server
make sure
.Pa /etc/rc.conf
has:
.Bd -literal -offset indent
nfs_server=YES
.Ed
.Pp
Edit
.Pa /etc/exports
and get it correct.
It is probably easier to reboot than to get the daemons running manually,
but you can get the order correct by looking at
.Pa /etc/netstart .
.Ss HP remote boot server
Edit
.Pa /etc/rbootd.config
if needed for remote booting.
If you do not have HP computers doing remote booting, do not enable this.
.Ss Daily, Weekly, Monthly scripts
Look at and possibly edit the
.Pa /etc/daily , /etc/weekly ,
and
.Pa /etc/monthly
scripts. Your site specific things should go into
.Pa /etc/daily.local , /etc/weekly.local ,
and
.Pa /etc/monthly.local .
.Pp
These scripts have been limited so as to keep the system running without
filling up disk space from normal running processes and database updates.
(You probably do not need to understand them.)
.Ss Other files in /etc
Look at the other files in
.Pa /etc
and edit them as needed.
(Do not edit files ending in
.Pa .db
\(em like
.Pa aliases.db , pwd.db , spwd.db ,
nor
.Pa localtime ,
nor
.Pa rmt ,
nor any directories.)
.Ss Crontab (background running processes)
Check what is running by typing
.Ic crontab -l
as root
and see if anything unexpected is present.
Do you need anything else?
Do you wish to change things?
For example, if you do not
like root getting standard output of the daily scripts, and want only
the security scripts that are mailed internally, you can type
.Ic crontab -e
and change some of the lines to read:
.Bd -literal -offset indent
30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out
30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
.Ed
See
.Xr crontab 5 .
.Ss Next day cleanup
After the first night's security run, change ownerships and permissions
on things. The best bet is to have permissions as in the security list.
(The first of the two listed permissions, and the first group number of
the two).
Use
.Xr chmod 1 ,
.Xr chgrp 1 ,
and
.Xr chown 8
as needed.
.Ss Packages
Install your own packages.
The simple way is to copy source and compile and link/load.
.Pp
Copy vendor binaries and install them. You will need to install any
shared libraries, etc.
(Hint:
.Ic man -k compat
to find out how to install and use compatibility mode.)
.Pp
Install any of a large group of Third-Party Software that is available
in source form. See
.Pa http://www.openbsd.org
under
.Sq Ports: a Nice Way to Get Third-Party Software .
.Pp
You may have some difficulty installing due to various compiling errors.
Don't get discouraged easily! Sometimes checking the mailing lists for
past problems that people have encountered will result in a fix posted.
One recent item says to delete
.Pa -lcrypt
from
.Pa Makefile
.Ns s
as the crypt routines are now present in the standard libraries.
.Sh COMPILING A KERNEL
First, review the system message buffer using the
.Xr dmesg 8
command to find out information on your system's devices as probed by the
kernel at boot. In particular, note which devices were not configured. This
information will prove useful when editing kernel configuration files.
.Pp
To compile your own kernel off a CDROM do the following:
.Sm off
.Bd -literal -offset indent
.Li #\ Xo
.Ic cd\ /
.Ar somedir
.Xc
.Li #\ Xo
.Ic cp\ /usr/src/sys/arch/
.Ar somearch
.Ic /conf/
.Ar SOMEFILE
.Ic \ .
.Xc
.Li #\ Xo
.Ic vi\ \&
.Ar SOMEFILE
.No \ \ \ (to\ make\ any\ changes)
.Xc
.Li #\ Xo
.Ic config\ -s\ /usr/src/sys\ -b\ .\ \&
.Ar SOMEFILE
.Xc
.Li #\ Xo
.Ic make
.Xc
.Ed
.Sm on
.Pp
To compile a kernel inside a writable source tree, do the following:
.Sm off
.Bd -literal -offset indent
.Li #\ Xo
.Ic cd\ /usr/src/sys/arch/
.Ar somearch
.Ic /conf
.Xc
.Li #\ Xo
.Ic vi\ \&
.Ar SOMEFILE
.No \ \ \ (to\ make\ any\ changes)
.Xc
.Li #\ Xo
.Ic config\ \&
.Ar SOMEFILE
.Xc
.Li #\ Xo
.Ic cd\ ../compile/
.Ar SOMEFILE
.Xc
.Li #\ Xo
.Ic make
.Xc
.Ed
.Sm on
.Pp
where
.Ar somedir
is a writable directory,
.Ar somearch
is the architecture (e.g.
.Ic i386 ) ,
and
.Ar SOMEFILE
should be a name indicative of a particular configuration (often
that of the hostname).
You can also do a
.Ic make depend
so that you will have dependencies there the next time you do a compile.
.Pp
After either of these two methods, you can place the new kernel (called
.Pa bsd )
in
.Pa /
(i.e.
.Pa /bsd )
and the system will boot it next time.
Most people save their backup kernels as
.Pa /bsd.1 ,
.Pa /bsd.2 ,
etc.
.Sh SEE ALSO
.Xr chgrp 1 ,
.Xr chmod 1 ,
.Xr crontab 1 ,
.Xr date 1 ,
.Xr df 1 ,
.Xr hostname 1 ,
.Xr kerberos 1 ,
.Xr make 1 ,
.Xr man 1 ,
.Xr netstat 1 ,
.Xr newaliases 1 ,
.Xr passwd 1 ,
.Xr su 1 ,
.Xr ccd 4 ,
.Xr aliases 5 ,
.Xr bootptab 5 ,
.Xr crontab 5 ,
.Xr exports 5 ,
.Xr fbtab 5 ,
.Xr fstab 5 ,
.Xr group 5 ,
.Xr krb.conf 5 ,
.Xr krb.realms 5 ,
.Xr passwd 5 ,
.Xr rbootd 5 ,
.Xr resolv.conf 5 ,
.Xr hostname 7 ,
.Xr adduser 8 ,
.Xr amd 8 ,
.Xr bootpd 8 ,
.Xr ccdconfig 8 ,
.Xr chown 8 ,
.Xr config 8 ,
.Xr dhcp 8 ,
.Xr domainname 8 ,
.Xr ext_srvtab 8 ,
.Xr ifconfig 8 ,
.Xr inetd 8 ,
.Xr mount 8 ,
.Xr named 8 ,
.Xr rc 8 ,
.Xr rmt 8 ,
.Xr route 8 ,
.Xr umount 8 ,
.Xr vipw 8 ,
.Xr ypbind 8
.Sh HISTORY
This document first appeared in
.Ox 2.2 .