summaryrefslogtreecommitdiff
path: root/share/man/man8/afterboot.8
blob: c4410c07393d8c1b065ce882c84ddc9e37179e0b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
.Dd October 20, 1997
.Dt AFTERBOOT 8
\!\" Originally created by Marshall M. Midden -- 1997-10-20, m4@umn.edu
.Os OpenBSD
.Sh NAME
.Nm afterboot
.Nd things to check after the first complete boot
.Sh DESCRIPTION
This document attempts to list items for the system administrator
to check and set up after the installation and first complete boot of the
system.
The idea is to create a list of items that can be checked off so that you have
a warm fuzzy feeling that something obvious has not been missed.
.Pp
Complete instructions for correcting and fixing items is not provided.
There are man pages and other methodologies available for doing that.
For example, to view the manual page on the
.Xr ls 1
command, type:
.Ic man 1 ls .
.\" 
.\" XXX This should be an enumerated list
.\"
.Ss Login
Login on the console as
.Dq Ic root .
You will not be able to login over the network \(em only on the console. This
behavior is controlled through the
.Pa /etc/ttys
file. See
.Xr tty 5
for more information.
.Ss System Date
Check the system date with the
.Xr date 1
command.
If needed, change the date, and/or change the symbolic link of
.Pa /etc/localtime
to the correct time zone in the
.Pa /usr/share/zoneinfo
directory.
.Pp
Examples:
.Bl -tag -width date
.It Cm date 199901271504
Set the current date to January 27th, 1999 3:04pm.
.It Cm ln -s /usr/share/zoneinfo/Canada/Atlantic /etc/localtime
Set the time zone to Atlantic Standard Time.
.El
.Ss Root password
Check the password for the root user.
Choose a password that has numbers, digits, and special characters (not space)
as well as from the upper and lower case alphabet.
Do not choose any word in any
language.  It is common for an intruder to use dictionary attacks.
Type the command
.Ic /usr/bin/passwd
to change it.
.Pp
It is a good idea to always specify the full path name for both the
.Xr passwd 1
and
.Xr su 1
commands as this inhibits the possibility of files placed in your execution
.Ev PATH
for most shells. Furthermore, the super-user's
.Ev PATH
should never contain the current directory
.Po Dq \&.
.Pc .
.Ss Check hostname
Use the
.Xr hostname 1
command to verify that the name of your machine is correct.
See the man page for
.Xr hostname
if you need to change it.
You will also need to edit the
.Pa /etc/myname
file to have it stick around for the next reboot.
.Ss Verify network interfaces configured correctly
The first thing to do is an
.Ic ifconfig -a
to see if the network interfaces are properly configured.
Correct by editing
.Pa /etc/hostname. Ns Ar interface
(where
.Ar interface
is the interface name, e.g.
.Dq le0 )
and then using
.Xr ifconfig 8
to manually configure it
if you do not wish to reboot.
The loopback interface will look something like:
.Bd -literal -offset indent
lo0: flags=8009<UP,LOOPBACK,MULTICAST>
	inet 127.0.0.1 netmask 0xff000000
.Ed
.Pp
an ethernet interface something like:
.Bd -literal -offset indent
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
	inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
.Ed
.Pp
and, a PPP interface something like:
.Bd -literal -offset indent
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
        inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000
.Ed
\!\"--------------------------------------------------------------------------
\!\" Will someone else fill in the slip interface.
\!\"--------------------------------------------------------------------------
.Pp
You may wish to turn off multicast routing in
.Pa /etc/netstart
by commenting it out, i.e. by placing a # sign at the start of the line:
.Bd -literal -offset indent
# route add -net 224.0.0.0 -interface $hostname
.Ed
.Pp
.Ss Check for correct routing
Do a
.Ic netstat -r -n
command.  The output will look something like:
.Bd -literal -offset indent
Routing tables

Internet:
Destination    Gateway           Flags  Refs     Use  Mtu
Interface
default        192.168.4.254     UGS      0 11098028    -  le0
127            127.0.0.1         UGRS     0        0    -  lo0
127.0.0.1      127.0.0.1         UH       3       24    -  lo0
192.168.4      link#1            UC       0        0    -  le0
192.168.4.52   8:0:20:73:b8:4a   UHL      1     6707    -  le0
192.168.4.254  0:60:3e:99:67:ea  UHL      1        0    -  le0
.Ed
.Pp
Fix by editing the file
.Pa /etc/mygate
and using
.Ic route delete
and
.Ic route add
if you do not wish to reboot.
See
.Xr route 8 .
.Pp
If you wish to route packets between interfaces you do that by putting
.Bd -literal -offset indent
net.inet.ip.forwarding=1
.Ed
.Pp
in
.Pa /etc/sysctl.conf ,
or by compiling a new kernel with the GATEWAY option.
Packets are not forwarded by default, due to RFC requirements.
.Pp
You can add new "virtual interfaces" by adding the required entries to
.Pa /etc/ifaliases .
.Ss BIND Name Server (DNS)
If you are using the BIND Name Server, check the
.Pa /etc/resolv.conf
file.  It may look something like:
.Bd -literal -offset indent
domain nts.umn.edu
nameserver 128.101.101.101
nameserver 134.84.84.84
search nts.umn.edu. umn.edu.
lookup file bind
.Ed
.Pp
If using a caching name server add the line "nameserver 127.0.0.1" first.
For a local caching name server to run
you will need to set "named_flags" in
.Pa /etc/rc.conf
and create the
.Pa named.boot
file in the appropriate place for
.Xr named 8 .
The same holds true if the machine is going to be a
name server for your domain.  In both these cases, make sure that
.Xr named 8
is running
(otherwise there are long waits for resolver timeouts).
.Ss YP verification (NIS)
Check the YP domain name with the
.Xr domainname 1
command. If necessary, correct it by editing the
.Pa /etc/defaultdomain
file. The
.Pa /etc/netstart
script reads this file on bootup to determine and set the domain name.
You may also set the running system's domain name with the
.Xr domainname 1
command.
To start YP client services, simply run
.Ic ypbind ,
then perform the remaining
YP activation as described in
.Xr passwd 5
and
.Xr group 5 .
.Pp
In particular, to enable YP passwd support, you'll need to add the following
line to
.Pa /etc/master.passwd :
.Pp
+:*::::::::
.Pp
Once this is done, you'll need to run
.Ic pwd_mkdb /etc/master.passwd
to regenerate the password databases.
.Pp
There are many more YP man pages available to help you. You can find more
information by starting with
.Xr yp 8 .
.Ss Check disks are mounted correctly
Check that the disks are mounted correctly by
comparing the file
.Pa /etc/fstab
against the output of the
.Xr mount 8
and
.Xr df 1
commands.
Example:
.Bd -literal -offset indent
.Li # Ic cat /etc/fstab
/dev/sd0a / ffs rw 1 1
/dev/sd0b none swap sw 0 0
/dev/sd0d /usr ffs rw,nodev 1 2
/dev/sd0e /var ffs rw,nodev,noexec 1 2
/dev/sd0g /tmp ffs rw,nodev,noexec,nosuid 1 2
/dev/sd0h /home ffs rw,nodev,nosuid 1 2
.Li # Ic mount
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local, nodev)
/dev/sd0e on /var type ffs (local, nodev, noexec)
/dev/sd0g on /tmp type ffs (local, nodev, noexec, nosuid)
/dev/sd0h on /home type ffs (local, nodev, nosuid)
.Li # Ic df
Filesystem  1024-blocks     Used    Avail Capacity  Mounted on
/dev/sd0a         22311    14589     6606    69%    /
/dev/sd0d        203399   150221    43008    78%    /usr
/dev/sd0e         10447      682     9242     7%    /var
/dev/sd0g         18823        2    17879     0%    /tmp
/dev/sd0h          7519     5255     1888    74%    /home
.Li # Ic pstat -s
Device      512-blocks     Used    Avail Capacity  Type
/dev/sd0b       131072    84656    46416    65%    Interleaved
.Ed
.Pp
Edit
.Pa /etc/fstab
and use the
.Xr mount 8
and
.Xr umount 8
commands as appropriate.
.Pp
You may wish to do NFS partitions now too, or you can do them later.
.Ss Concatenated disks (ccd)
If you are using
.Xr ccd 4
concatenated disks, edit
.Pa /etc/ccd.conf
and use the
.Ic ccdconfig -U
command to unload, and the
.Ic ccdconfig -C
command to create tables internal to the kernel for the concatenated disks.
You then
.Xr mount 8 ,
.Xr umount 8
and edit
.Pa /etc/fstab
as needed.
.Ss Automounter daemon (AMD)
If using the
.Xr amd 8
package,
go into the
.Pa /etc/amd
directory and set it up by
renaming
.Pa master.sample
to
.Pa master
and editing it and creating other maps as needed.
Alternatively, you can get your maps with YP.
.Sh CHANGING /ETC FILES
The system should be usable now, but you may wish to do more customizing,
such as adding users, etc.  Many of the following sections may be skipped
if you are not using that package (for example, skip the
.Sx Kerberos
section if you won't be using Kerberos). We suggest that you
.Ic cd /etc
and edit most of the files in that directory.
.Ss /etc/motd
Edit
.Pa motd
to make lawyers comfortable and make sure that no mention
of the word "Welcome" appears.  (Some U.S. lawyers have stated that
the word "Welcome" is an invitation to come on in.)
.Ss Add new users
Add users.  There is an
.Xr adduser 8
script.
You may use
.Xr vipw 8
to add users to the
.Pa /etc/passwd
file
and edit
.Pa /etc/group
by hand to add new groups.
The manual page for
.Xr su 8 ,
tells you to make sure to put people in
the
.Sq wheel
group if they need root access (non-Kerberos).  For example:
.Bd -literal -offset indent
wheel:*:0:root,myself
.Ed
.Pp
Follow instructions for
.Xr kerberos 1
if using
Kerberos
for authentication.
.Ss rc.conf, netstart, rc.local, rc.securelevel
Check for any local changes needed in the files:
.Pa /etc/rc.conf , /etc/netstart , /etc/rc.local , rc.securelevel .
Turning on something like the Network Time Protocol in
.Pa /etc/rc.securelevel
requires:
a) making sure the package is installed,
b) uncommenting the lines in
.Pa rc.securelevel ,
i.e. delete the leading # signs of:
.Bd -literal -offset indent
if [ -x /usr/local/sbin/ntpd ]; then
     /usr/local/sbin/tickadj -Aq
     echo -n ' ntpd';       /usr/local/sbin/ntpd
fi
.Ed
.Pp
If you've installed X, you may want to turn on
.Xr xdm 1 ,
the X Display Manager. To do this, change the value of xdm_flags in
.Pa /etc/rc.conf .
.Ss Printers
Edit
.Pa /etc/printcap
and
.Pa /etc/hosts.lpd
to get any printers set up.
Consult
.Xr lpd 8
and
.Xr printcap 5
if needed.
.Ss Tighten up security
You might wish to tighten up security more by editing
.Pa /etc/fbtab
as when installing X.
In
.Pa /etc/inetd.conf
turn off extra stuff that you do not need,
and only add things that are really needed.
.Ss Kerberos
If you are going to use
.Xr kerberos 1
for authentication, and you already have a
Kerberos
master, go into the directory
.Pa /etc/kerberosIV
and configure.
Remember to get a
.Pa srvtab
from the master so that the remote commands work.
.Ss Mail Aliases
Edit
.Pa /etc/aliases
and set the four standard aliases to go to either a mailing list, or
the system administrator.
.Bd -literal -offset indent
# Well-known aliases -- these should be filled in!
root:		sysadm
manager:	sysadm
dumper:		sysadm
operator:	sysadm
.Ed
.Pp
Run
.Xr newaliases 1
after changes.
.Ss Sendmail
.Ox
ships with a default
.Pa /etc/sendmail.cf
file that will work for simple installations; it was generated from
.Pa openbsd-proto.mc
in
.Pa /usr/share/sendmail/cf .
Please see
.Pa /usr/share/sendmail/README
and
.Pa /usr/share/doc/smm/08.sendmailop/op.me
for information on generating your own sendmail configuration files.
.Ss BOOTP server
If this is a
BOOTP
server, edit
.Pa /etc/bootptab
as needed.  You will have to turn it on in
.Pa /etc/inetd.conf
or run
.Xr bootpd 8
in its standalone mode.
.Ss NFS server
If this is an NFS server
make sure
.Pa /etc/rc.conf
has:
.Bd -literal -offset indent
nfs_server=YES
.Ed
.Pp
Edit
.Pa /etc/exports
and get it correct.
It is probably easier to reboot than to get the daemons running manually,
but you can get the order correct by looking at
.Pa /etc/netstart .
.Ss HP remote boot server
Edit
.Pa /etc/rbootd.config
if needed for remote booting.
If you do not have HP computers doing remote booting, do not enable this.
.Ss Daily, Weekly, Monthly scripts
Look at and possibly edit the
.Pa /etc/daily , /etc/weekly ,
and
.Pa /etc/monthly
scripts.  Your site specific things should go into
.Pa /etc/daily.local , /etc/weekly.local ,
and
.Pa /etc/monthly.local .
.Pp
These scripts have been limited so as to keep the system running without
filling up disk space from normal running processes and database updates.
(You probably do not need to understand them.)
.Ss Other files in /etc
Look at the other files in
.Pa /etc
and edit them as needed.
(Do not edit files ending in
.Pa .db
\(em like
.Pa aliases.db , pwd.db , spwd.db ,
nor
.Pa localtime ,
nor
.Pa rmt ,
nor any directories.)
.Ss Crontab (background running processes)
Check what is running by typing
.Ic crontab -l
as root
and see if anything unexpected is present.
Do you need anything else?  Do you wish to change things?  e.g. if you do not
like root getting standard output of the daily scripts, and want only 
the security scripts that are mailed internally, you can type
.Ic crontab -e
and change some of the lines to read:
.Bd -literal -offset indent
30  1  *  *  *   /bin/sh /etc/daily 2>&1 > /var/log/daily.out
30  3  *  *  6   /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
30  5  1  *  *   /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
.Ed
See
.Xr crontab 5 .
.Ss Next day cleanup
After the first night's security run, change ownerships and permissions
on things.  The best bet is to have permissions as in the security list.
(The first of the two listed permissions, and the first group number of
the two).
Use
.Xr chmod 1 ,
.Xr chgrp 1 ,
and
.Xr chown 8
as needed.
.Ss Packages
Install your own packages.
The simple way is to copy source and compile and link/load.
.Pp
Copy vendor binaries and install them.  You will need to install any
shared libraries, etc.
(Hint:
.Ic man -k compat
to find out how to install and use compatibility mode.)
.Pp
Install any of a large group of Third-Party Software that is available
in source form.  See
.Pa http://www.openbsd.org
under
.Sq Ports: a Nice Way to Get Third-Party Software .
.Pp
You may have some difficulty installing due to various compiling errors.
Don't get discouraged easily!  Sometimes checking the mailing lists for
past problems that people have encountered will result in a fix posted.
One recent item says to delete
.Pa -lcrypt
from
.Pa Makefile
.Ns s
as the crypt routines are now present in the standard libraries.
.Sh COMPILING A KERNEL
First, review the system message buffer using the
.Xr dmesg 8
command to find out information on your system's devices as probed by the
kernel at boot. In particular, note which devices were not configured. This
information will prove useful when editing kernel configuration files.
.Pp
To compile your own kernel off a CDROM do the following:
.Sm off
.Bd -literal -offset indent
.Li #\  Xo
.Ic cd\ /
.Ar somedir
.Xc
.Li #\  Xo
.Ic cp\ /usr/src/sys/arch/
.Ar somearch
.Ic /conf/
.Ar SOMEFILE
.Ic \ .
.Xc
.Li #\  Xo
.Ic vi\ \&
.Ar SOMEFILE
.No \ \ \ (to\ make\ any\ changes)
.Xc
.Li #\  Xo
.Ic config\ -s\ /usr/src/sys\ -b\ .\ \&
.Ar SOMEFILE
.Xc
.Li #\  Xo
.Ic make
.Xc
.Ed
.Sm on
.Pp
To compile a kernel inside a writable source tree, do the following:
.Sm off
.Bd -literal -offset indent
.Li #\  Xo
.Ic cd\ /usr/src/sys/arch/
.Ar somearch
.Ic /conf
.Xc
.Li #\  Xo
.Ic vi\ \&
.Ar SOMEFILE
.No \ \ \ (to\ make\ any\ changes)
.Xc
.Li #\  Xo
.Ic config\ \&
.Ar SOMEFILE
.Xc
.Li #\  Xo
.Ic cd\ ../compile/
.Ar SOMEFILE
.Xc
.Li #\  Xo
.Ic make
.Xc
.Ed
.Sm on
.Pp
where
.Ar somedir
is a writable directory,
.Ar somearch
is the architecture (e.g.
.Ic i386 ) ,
and
.Ar SOMEFILE
should be a name indicative of a particular configuration (often
that of the hostname).
You can also do a
.Ic make depend
so that you will have dependencies there the next time you do a compile.
.Pp
After either of these two methods, you can place the new kernel (called
.Pa bsd )
in
.Pa /
(i.e.
.Pa /bsd )
and the system will boot it next time.
Most people save their backup kernels as
.Pa /bsd.1 ,
.Pa /bsd.2 ,
etc.
.Sh SEE ALSO
.Xr chgrp 1 ,
.Xr chmod 1 ,
.Xr crontab 1 ,
.Xr date 1 ,
.Xr df 1 ,
.Xr hostname 1 ,
.Xr kerberos 1 ,
.Xr make 1 ,
.Xr man 1 ,
.Xr netstat 1 ,
.Xr newaliases 1 ,
.Xr passwd 1 ,
.Xr su 1 ,
.Xr ccd 4 ,
.Xr aliases 5 ,
.Xr bootptab 5 ,
.Xr crontab 5 ,
.Xr exports 5 ,
.Xr fbtab 5 ,
.Xr fstab 5 ,
.Xr group 5 ,
.Xr krb.conf 5 ,
.Xr krb.realms 5 ,
.Xr passwd 5 ,
.Xr rbootd 5 ,
.Xr resolv.conf 5 ,
.Xr hostname 7 ,
.Xr adduser 8 ,
.Xr amd 8 ,
.Xr bootpd 8 ,
.Xr ccdconfig 8 ,
.Xr chown 8 ,
.Xr config 8 ,
.Xr domainname 8 ,
.Xr ext_srvtab 8 ,
.Xr ifconfig 8 ,
.Xr inetd 8 ,
.Xr mount 8 ,
.Xr named 8 ,
.Xr rc 8 ,
.Xr rmt 8 ,
.Xr route 8 ,
.Xr umount 8 ,
.Xr vipw 8 ,
.Xr ypbind 8 
.Sh HISTORY
This document first appeared in
.Ox 2.2 .