icon Top 9 categories map      RocketAware > man pages >


Tips: Browse or Search all pages for efficient awareness of more than 6000 of the most popular reusable and open source applications, functions, libraries, and FAQs.

The "RKT couplings" below include links to source code, updates, additional information, advice, FAQs, and overviews.


Search all pages


By activity
Professions, Sciences, Humanities, Business, ...

User Interface
Text-based, GUI, Audio, Video, Keyboards, Mouse, Images,...

Text Strings
Conversions, tests, processing, manipulation,...

Integer, Floating point, Matrix, Statistics, Boolean, ...

Algorithms, Memory, Process control, Debugging, ...

Stored Data
Data storage, Integrity, Encryption, Compression, ...

Networks, protocols, Interprocess, Remote, Client Server, ...

Hard World
Timing, Calendar and Clock, Audio, Video, Printer, Controls...

File System
Management, Filtering, File & Directory access, Viewers, ...


RocketLink!--> Man page versions: OpenBSD

AFTERBOOT(8)            OpenBSD System Manager's Manual           AFTERBOOT(8)

     afterboot - things to check after the first complete boot

     This document attempts to list items for the system administrator to
     check and set up after the installation and first complete boot of the
     system.  The idea is to create a list of items that can be checked off so
     that you have a warm fuzzy feeling that something obvious has not been

     Complete instructions for correcting and fixing items is not provided.
     There are man pages and other methodologies available for doing that.

     Login on console as `root'.  There is no password initially.  You will
     not be able to login over the network, only the console.

   System Date
     Check the system date with the date command.  If needed, set the system
     date, and/or change the symbolic link of /etc/localtime to the correct
     time zone in the /usr/share/zoneinfo directory.

   Root password
     Set the password for the root login.  Choose a password that has numbers,
     digits, and special characters (not space) as well as the upper and lower
     case alphabet.  Do not choose any word in any language.  It is common for
     an intruder to use dictionary attacks.  Use the /usr/bin/passwd command
     to change it.  It is a good idea to always specify the full path name for
     both the passwd and the su commands.  This inhibits the possibility of
     files placed in your execution PATH for most shells.

   Check hostname
     Type the hostname command to verify that the name of your machine is cor-
     rect.  See the man page for hostname if you need to change it.  You will
     also need to edit the /etc/myname file to have it stick around for the
     next reboot.

   Verify network interfaces configured correctly
     The first thing to do is an ifconfig -a to see if the network interfaces
     are properly configured.  Correct by editing /etc/hostname.{INTERFACE}
     and via ifconfig if you do not wish to reboot.  The loopback interface
     will look something like:

           lo0: flags=8009<UP,LOOPBACK,MULTICAST>
                   inet netmask 0xff000000

     An ethernet interface something like:

                   inet netmask 0xffffff00 broadcast

     You may wish to turn off multicast routing in /etc/netstart by commenting
     out the line (placing a # sign at the start of a line):

           # route add -net -interface $hostname

   Check for routing correct
     Do a netstat -r -n command.  The output will look something like:

           Routing tables

           Destination    Gateway           Flags  Refs     Use  Mtu
           default     UGS      0 11098028    -  le0
           127           UGRS     0        0    -  lo0
          UH       3       24    -  lo0
           192.168.4      link#1            UC       0        0    -  le0
    8:0:20:73:b8:4a   UHL      1     6707    -  le0
   0:60:3e:99:67:ea  UHL      1        0    -  le0

     Fix by editing the file /etc/mygate and using route delete and route add
     if you do not wish to reboot.

     If you wish to route packets between interfaces you do that by putting

           # sysctl -w net.inet.ip.forwarding=1

     early on in the boot process (ie. start of /etc/netstart, or by compiling
     a new kernel with the option GATEWAY.  Packets are not forwarded by de-
     fault, due to RFC requirements.

     You can add new "virtual interfaces" by adding the required entries to

   Bind Name Server
     If you are using the Bind Name Server (DNS), check the /etc/resolv.conf
     file.  It may look something like:

           domain nts.umn.edu
           search nts.umn.edu. umn.edu.
           lookup file bind

     If using a caching name server add the line "nameserver" first.
     (Of course, you need to change "named_flags" in /etc/rc.conf and add the
     named.boot file in the appropriate place.  The same holds true if this is
     the name server for your domain.  In addition, make sure that named is
     running.  [Otherwise there are long waits while timeouts happen.])

   YP verification
     Check the domainname with the domainname command, and edit
     /etc/defaultdomain to correct.  You may change the running system with
     the domainname command.  To start YP client services, simply run ypbind.
     Then perform the remaining YP activation as described in passwd(5),  and
     group(5).  There are many more YP man pages on the system.  You can find
     more information by starting at yp(8).

   Check disks are mounted correctly.
     Check that the disks are mounted correctly by checking file /etc/fstab
     against the output of the mount and the df commands.  Example:

           # cat /etc/fstab
           /dev/sd0a / ffs rw 1 1
           /dev/sd0b none swap sw 0 0
           /dev/sd0d /usr ffs rw,nodev 1 2
           /dev/sd0e /var ffs rw,nodev,noexec 1 2
           /dev/sd0g /tmp ffs rw,nodev,noexec,nosuid 1 2
           /dev/sd0h /home ffs rw,nodev,nosuid 1 2
           # mount
           /dev/sd0a on / type ffs (local)
           /dev/sd0d on /usr type ffs (local, nodev)
           /dev/sd0e on /var type ffs (local, nodev, noexec)
           /dev/sd0g on /tmp type ffs (local, nodev, noexec, nosuid)
           /dev/sd0h on /home type ffs (local, nodev, nosuid)
           # df
           Filesystem  1024-blocks     Used    Avail Capacity  Mounted on
           /dev/sd0a         22311    14589     6606    69%    /
           /dev/sd0d        203399   150221    43008    78%    /usr
           /dev/sd0e         10447      682     9242     7%    /var
           /dev/sd0g         18823        2    17879     0%    /tmp
           /dev/sd0h          7519     5255     1888    74%    /home

     Edit /etc/fstab and use the umount and mount commands as appropriate.
     (See man pages.)

     You may wish to do NFS partitions later, but you may do them now.

   Concatenated disks (ccd)
     If you are using concatenated disks, edit /etc/ccd.conf and use the
     ccdconfig -U command to unload, and the ccdconfig -C command to create
     tables internal to the kernel for the concatenated disks.  You then mount
     and umount and edit /etc/fstab as needed.

     Go into the /etc/amd directory if using this package and set it up by re-
     naming amd.home.sample to amd.home. You may wish to create a file
     amd.home in this directory, or alternatively supply your amd.home map via

     To compile your own kernel off a CDROM do the following:

           # cd /somewhere
           # cp /usr/src/sys/arch/$ARCH/conf/SOMEFILE .
           # edit SOMEFILE (to make any changes you want)
           # config -s /usr/src/sys -b . SOMEFILE
           # make

     To compile a kernel inside a writable source tree, do the following:

           # cd /sys/arch/$ARCH/conf
           # edit SOMEFILE (to make any changes you want)
           # config SOMEFILE
           # cd ../compile/SOMEFILE
           # make

     $ARCH should be the architecture (e.g. i386).  You can do a make depend
     so that you will have dependencies there the next time you do a compile.

     After either of these two steps, you can place the new kernel (called
     bsd) in / (i.e. /bsd) and the system will boot it next time.  Most people
     save their backup kernels as /bsd.1, /bsd.2 ...

     The system should be usable now, but you may wish to do more customizing,
     such as adding of users, etc.  Many of the following sections may be
     skipped if you are not using that package (for example kerberos section).
     My suggestions are to cd /etc and edit most files.

     Edit motd to make lawyers comfortable and make sure that no mention of
     the word "Welcome" appears.  (Some U.S. lawyers have stated that the word
     "Welcome" is an invitation to come on in.)

   Add new users
     Add users.  There is a adduser script.  You may use vipw to add users to
     the /etc/passwd file and edit /etc/group by hand if you desire.  su(8),
     tells you to make sure to put people in /etc/group under the wheel group
     if they need root access (non-kerberos).  Something like:


     Follow instructions for kerberos if using kerberos for authentication.

   rc.conf, netstart, rc.local, rc.securelevel
     Check for any local changes needed in the files: /etc/rc.conf,
     /etc/netstart, /etc/rc.local, rc.securelevel. Turning on something like
     the Network Time Protocol in /etc/rc.securelevel requires: a) making sure
     the package is installed, b) uncommenting the lines in rc.securelevel
     (delete the # signs):

           if [ -x /usr/local/sbin/xntpd ]; then
                /usr/local/sbin/tickadj -Aq
                echo -n ' xntpd';       /usr/local/sbin/xntpd

     Edit /etc/printcap and /etc/hosts.lpd to get any printers set up.

   Tighten up security
     You might wish to tighten up security more by editing /etc/fbtab as when
     installing X.  In /etc/inetd.conf turn off extra stuff that you do not
     need, and only add things that are really needed.

     If you are going to use kerberos for authentication, and you already have
     a kerberos master, go into the directory /etc/kerberosIV and configure
     kerberos. Remember to get a srvtab from the master so that the remote
     commands work.

   Mail Aliases
     Edit /etc/aliases and set the four standard aliases to go to either a
     mailing list, or the system administrator.

           # Well-known aliases -- these should be filled in!
           root:           sysadm
           manager:        sysadm
           dumper:         sysadm
           operator:       sysadm

     Run newaliases after changes.

     OpenBSD ships with a default /etc/sendmail.cf file that will work for
     simple installations; it was generated from openbsd-proto.mc in
     /usr/share/sendmail/cf. Please see /usr/share/sendmail/README and
     /usr/share/doc/smm/08.sendmailop/op.me for information on generating your
     own sendmail configuration files.

   Bootp server
     If this is a bootp server, edit /etc/bootptab as needed.  You will have
     to turn it on in /etc/inetd.conf or run bootpd in stand-a-lone mode.

   NFS server
     If this is an NFS server make sure /etc/rc.conf has:


     Edit /etc/exports and get it correct.  It is probably easier to reboot
     than get the daemons running, manually, but you can get the order correct
     by looking at /etc/netstart.

   HP remote boot server
     Edit /etc/rbootd.config if needed for remote booting.  If you do not have
     HP computers doing remote booting, do not enable this.

   Daily, Weekly, Monthly scripts
     Look at and possibly edit the /etc/daily, /etc/weekly, and /etc/monthly
     scripts.  Your site specific things should go into /etc/daily.local,
     /etc/weekly.local, and /etc/monthly.local.

     These scripts have been limited so as to keep the system running without
     filling up disk space from normal running processes and database updates.
     (You probably do not need to understand them.)

   Other files in /etc
     Look at the other files in /etc and edit as needed.  (Do not edit files
     ending in .db -- like aliases.db, pwd.db, spwd.db, nor localtime, nor
     rmt, nor any directories.)

   Crontab (background running processes)
     Check what is running via crontab -l to see if anything unexpected is
     present.  Do you need anything else?  Do you wish to change things?  I do
     not like root getting standard output of the daily scripts, only the se-
     curity scripts that are mailed internally:

           30  1  *  *  *   /bin/sh /etc/daily 2>&1 > /var/log/daily.out
           30  3  *  *  6   /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
           30  5  1  *  *   /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out

   Next day cleanup
     After the first nights security run, change ownerships and permissions on
     things.  The best bet is to have permissions as in the security list.
     (The first of the two listed permissions, and the first group number of
     the two).  Use chmod, chgrp, and chown as needed.

   Install packages
     Install your own packages.  The simple way is to copy source and compile
     and link/load.

     Copy vendor binaries and install them.  You will need to install any
     shared libraries, etc.  (Hint: man -k compat to find out how to install
     and use compatibility mode.)

     Install any of a large group of Third-Party Software that is available in
     source form.  See http://www.openbsd.org under Ports: a Nice Way to Get
     Third-Party Software.

     You may have some difficulty installing due to various compiling errors.
     Don't get discouraged easily!  Sometimes checking the mailing lists for
     past problems that people have encountered will result in a fix posted.
     One recent item says to delete -lcrypt from Makefiles as the routines are
     present in the normal libraries.

     adduser(8),  aliases(5),  amd(8),  bootpd(8),  bootptab(5),  ccd(4),
     ccdconfig(8),  chgrp(1),  chmod(1),  chown(8),  config(8),  crontab(1),
     crontab(5),  date(1),  df(1),  domainname(8),  exports(5),
     ext_srvtab(8),  fbtab(5),  fstab(5),  group(5),  hostname(1),
     hostname(7),  ifconfig(8),  inetd(8),  kerberos(1),  krb.conf(5),
     krb.realms(5),  make(1),  man(1),  mount(8),  named(8),  netstat(1),
     newaliases(1),  passwd(1),  passwd(5),  rbootd(5),  rc(8),
     resolv.conf(5),  rmt(8),  route(8),  su(1),  umount(8),  vipw(8),

     This document first appeared OpenBSD 2.2.

OpenBSD                        October 20, 1997                              5

Source: OpenBSD 2.6 man pages. Copyright: Portions are copyrighted by BERKELEY
SOFTWARE DESIGN, INC., The Regents of the University of California, Massachusetts
Institute of Technology, Free Software Foundation, FreeBSD Inc., and others.

(Corrections, notes, and links courtesy of RocketAware.com)

[Detailed Topics]

[Overview Topics]

RocketLink!--> Man page versions: OpenBSD

Rapid-Links: Search | About | Comments | Submit Path: RocketAware > man pages > afterboot.8/
RocketAware.com is a service of Mib Software
Copyright 1999, Forrest J. Cavalier III. All Rights Reserved.
We welcome submissions and comments