AFTERBOOT(8) OpenBSD System Manager's Manual AFTERBOOT(8)
NAME
afterboot - things to check after the first complete boot
DESCRIPTION
This document attempts to list items for the system administrator to
check and set up after the installation and first complete boot of the
system. The idea is to create a list of items that can be checked off so
that you have a warm fuzzy feeling that something obvious has not been
missed.
Complete instructions for correcting and fixing items is not provided.
There are man pages and other methodologies available for doing that.
Login
Login on console as `root'. There is no password initially. You will
not be able to login over the network, only the console.
System Date
Check the system date with the date command. If needed, set the system
date, and/or change the symbolic link of /etc/localtime to the correct
time zone in the /usr/share/zoneinfo directory.
Root password
Set the password for the root login. Choose a password that has numbers,
digits, and special characters (not space) as well as the upper and lower
case alphabet. Do not choose any word in any language. It is common for
an intruder to use dictionary attacks. Use the /usr/bin/passwd command
to change it. It is a good idea to always specify the full path name for
both the passwd and the su commands. This inhibits the possibility of
files placed in your execution PATH for most shells.
Check hostname
Type the hostname command to verify that the name of your machine is cor-
rect. See the man page for hostname if you need to change it. You will
also need to edit the /etc/myname file to have it stick around for the
next reboot.
Verify network interfaces configured correctly
The first thing to do is an ifconfig -a to see if the network interfaces
are properly configured. Correct by editing /etc/hostname.{INTERFACE}
and via ifconfig if you do not wish to reboot. The loopback interface
will look something like:
lo0: flags=8009<UP,LOOPBACK,MULTICAST>
inet 127.0.0.1 netmask 0xff000000
An ethernet interface something like:
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
You may wish to turn off multicast routing in /etc/netstart by commenting
out the line (placing a # sign at the start of a line):
# route add -net 224.0.0.0 -interface $hostname
Check for routing correct
Do a netstat -r -n command. The output will look something like:
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu
Interface
default 192.168.4.254 UGS 0 11098028 - le0
127 127.0.0.1 UGRS 0 0 - lo0
127.0.0.1 127.0.0.1 UH 3 24 - lo0
192.168.4 link#1 UC 0 0 - le0
192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0
192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0
Fix by editing the file /etc/mygate and using route delete and route add
if you do not wish to reboot.
If you wish to route packets between interfaces you do that by putting
# sysctl -w net.inet.ip.forwarding=1
early on in the boot process (ie. start of /etc/netstart, or by compiling
a new kernel with the option GATEWAY. Packets are not forwarded by de-
fault, due to RFC requirements.
You can add new "virtual interfaces" by adding the required entries to
/etc/ifaliases.
Bind Name Server
If you are using the Bind Name Server (DNS), check the /etc/resolv.conf
file. It may look something like:
domain nts.umn.edu
nameserver 128.101.101.101
nameserver 134.84.84.84
search nts.umn.edu. umn.edu.
lookup file bind
If using a caching name server add the line "nameserver 127.0.0.1" first.
(Of course, you need to change "named_flags" in /etc/rc.conf and add the
named.boot file in the appropriate place. The same holds true if this is
the name server for your domain. In addition, make sure that named is
running. [Otherwise there are long waits while timeouts happen.])
YP verification
Check the domainname with the domainname command, and edit
/etc/defaultdomain to correct. You may change the running system with
the domainname command. To start YP client services, simply run ypbind.
Then perform the remaining YP activation as described in passwd(5), and
group(5). There are many more YP man pages on the system. You can find
more information by starting at yp(8).
Check disks are mounted correctly.
Check that the disks are mounted correctly by checking file /etc/fstab
against the output of the mount and the df commands. Example:
# cat /etc/fstab
/dev/sd0a / ffs rw 1 1
/dev/sd0b none swap sw 0 0
/dev/sd0d /usr ffs rw,nodev 1 2
/dev/sd0e /var ffs rw,nodev,noexec 1 2
/dev/sd0g /tmp ffs rw,nodev,noexec,nosuid 1 2
/dev/sd0h /home ffs rw,nodev,nosuid 1 2
# mount
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local, nodev)
/dev/sd0e on /var type ffs (local, nodev, noexec)
/dev/sd0g on /tmp type ffs (local, nodev, noexec, nosuid)
/dev/sd0h on /home type ffs (local, nodev, nosuid)
# df
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/sd0a 22311 14589 6606 69% /
/dev/sd0d 203399 150221 43008 78% /usr
/dev/sd0e 10447 682 9242 7% /var
/dev/sd0g 18823 2 17879 0% /tmp
/dev/sd0h 7519 5255 1888 74% /home
Edit /etc/fstab and use the umount and mount commands as appropriate.
(See man pages.)
You may wish to do NFS partitions later, but you may do them now.
Concatenated disks (ccd)
If you are using concatenated disks, edit /etc/ccd.conf and use the
ccdconfig -U command to unload, and the ccdconfig -C command to create
tables internal to the kernel for the concatenated disks. You then mount
and umount and edit /etc/fstab as needed.
AMD
Go into the /etc/amd directory if using this package and set it up by re-
naming amd.home.sample to amd.home. You may wish to create a file
amd.home in this directory, or alternatively supply your amd.home map via
YP.
COMPILING A KERNEL
To compile your own kernel off a CDROM do the following:
# cd /somewhere
# cp /usr/src/sys/arch/$ARCH/conf/SOMEFILE .
# edit SOMEFILE (to make any changes you want)
# config -s /usr/src/sys -b . SOMEFILE
# make
To compile a kernel inside a writable source tree, do the following:
# cd /sys/arch/$ARCH/conf
# edit SOMEFILE (to make any changes you want)
# config SOMEFILE
# cd ../compile/SOMEFILE
# make
$ARCH should be the architecture (e.g. i386). You can do a make depend
so that you will have dependencies there the next time you do a compile.
After either of these two steps, you can place the new kernel (called
bsd) in / (i.e. /bsd) and the system will boot it next time. Most people
save their backup kernels as /bsd.1, /bsd.2 ...
CHANGING /ETC FILES
The system should be usable now, but you may wish to do more customizing,
such as adding of users, etc. Many of the following sections may be
skipped if you are not using that package (for example kerberos section).
My suggestions are to cd /etc and edit most files.
/etc/motd
Edit motd to make lawyers comfortable and make sure that no mention of
the word "Welcome" appears. (Some U.S. lawyers have stated that the word
"Welcome" is an invitation to come on in.)
Add new users
Add users. There is a adduser script. You may use vipw to add users to
the /etc/passwd file and edit /etc/group by hand if you desire. su(8),
tells you to make sure to put people in /etc/group under the wheel group
if they need root access (non-kerberos). Something like:
wheel:*:0:root,myself
Follow instructions for kerberos if using kerberos for authentication.
rc.conf, netstart, rc.local, rc.securelevel
Check for any local changes needed in the files: /etc/rc.conf,
/etc/netstart, /etc/rc.local, rc.securelevel. Turning on something like
the Network Time Protocol in /etc/rc.securelevel requires: a) making sure
the package is installed, b) uncommenting the lines in rc.securelevel
(delete the # signs):
if [ -x /usr/local/sbin/xntpd ]; then
/usr/local/sbin/tickadj -Aq
echo -n ' xntpd'; /usr/local/sbin/xntpd
fi
Printers
Edit /etc/printcap and /etc/hosts.lpd to get any printers set up.
Tighten up security
You might wish to tighten up security more by editing /etc/fbtab as when
installing X. In /etc/inetd.conf turn off extra stuff that you do not
need, and only add things that are really needed.
Kerberos
If you are going to use kerberos for authentication, and you already have
a kerberos master, go into the directory /etc/kerberosIV and configure
kerberos. Remember to get a srvtab from the master so that the remote
commands work.
Mail Aliases
Edit /etc/aliases and set the four standard aliases to go to either a
mailing list, or the system administrator.
# Well-known aliases -- these should be filled in!
root: sysadm
manager: sysadm
dumper: sysadm
operator: sysadm
Run newaliases after changes.
Sendmail
OpenBSD ships with a default /etc/sendmail.cf file that will work for
simple installations; it was generated from openbsd-proto.mc in
/usr/share/sendmail/cf. Please see /usr/share/sendmail/README and
/usr/share/doc/smm/08.sendmailop/op.me for information on generating your
own sendmail configuration files.
Bootp server
If this is a bootp server, edit /etc/bootptab as needed. You will have
to turn it on in /etc/inetd.conf or run bootpd in stand-a-lone mode.
NFS server
If this is an NFS server make sure /etc/rc.conf has:
nfs_server=YES
Edit /etc/exports and get it correct. It is probably easier to reboot
than get the daemons running, manually, but you can get the order correct
by looking at /etc/netstart.
HP remote boot server
Edit /etc/rbootd.config if needed for remote booting. If you do not have
HP computers doing remote booting, do not enable this.
Daily, Weekly, Monthly scripts
Look at and possibly edit the /etc/daily, /etc/weekly, and /etc/monthly
scripts. Your site specific things should go into /etc/daily.local,
/etc/weekly.local, and /etc/monthly.local.
These scripts have been limited so as to keep the system running without
filling up disk space from normal running processes and database updates.
(You probably do not need to understand them.)
Other files in /etc
Look at the other files in /etc and edit as needed. (Do not edit files
ending in .db -- like aliases.db, pwd.db, spwd.db, nor localtime, nor
rmt, nor any directories.)
Crontab (background running processes)
Check what is running via crontab -l to see if anything unexpected is
present. Do you need anything else? Do you wish to change things? I do
not like root getting standard output of the daily scripts, only the se-
curity scripts that are mailed internally:
30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out
30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
Next day cleanup
After the first nights security run, change ownerships and permissions on
things. The best bet is to have permissions as in the security list.
(The first of the two listed permissions, and the first group number of
the two). Use chmod, chgrp, and chown as needed.
Install packages
Install your own packages. The simple way is to copy source and compile
and link/load.
Copy vendor binaries and install them. You will need to install any
shared libraries, etc. (Hint: man -k compat to find out how to install
and use compatibility mode.)
Install any of a large group of Third-Party Software that is available in
source form. See http://www.openbsd.org under Ports: a Nice Way to Get
Third-Party Software.
You may have some difficulty installing due to various compiling errors.
Don't get discouraged easily! Sometimes checking the mailing lists for
past problems that people have encountered will result in a fix posted.
One recent item says to delete -lcrypt from Makefiles as the routines are
present in the normal libraries.
SEE ALSO
adduser(8), aliases(5), amd(8), bootpd(8), bootptab(5), ccd(4),
ccdconfig(8), chgrp(1), chmod(1), chown(8), config(8), crontab(1),
crontab(5), date(1), df(1), domainname(8), exports(5),
ext_srvtab(8), fbtab(5), fstab(5), group(5), hostname(1),
hostname(7), ifconfig(8), inetd(8), kerberos(1), krb.conf(5),
krb.realms(5), make(1), man(1), mount(8), named(8), netstat(1),
newaliases(1), passwd(1), passwd(5), rbootd(5), rc(8),
resolv.conf(5), rmt(8), route(8), su(1), umount(8), vipw(8),
ypbind(8).
HISTORY
This document first appeared OpenBSD 2.2.
OpenBSD October 20, 1997 5
Source: OpenBSD 2.6 man pages. Copyright: Portions are copyrighted by BERKELEY
SOFTWARE DESIGN, INC., The Regents of the University of California, Massachusetts
Institute of Technology, Free Software Foundation, FreeBSD Inc., and others. |
![[Detailed Topics]](/inbndsm.gif)
![[Overview Topics]](/outbndsm.gif)