##########################################################################
# OpenBSD Notes
#
# Anuradha Weeraman, 2001
#
# $Id: openbsd-notes.txt,v 1.1 2004/06/02 21:17:54 anuradha Exp $
#
##########################################################################

----- Packages

'pkg_info' displays information on all software packages installed.

  setenv PKG_PATH ftp://ftp.openbsd.org/pub/OpenBSD/2.8/i386

will let pkg_add automatically download dependencies as well.

If a certain package requires foo-6 and you have foo-7, do a
'ln -s /var/db/pkg/foo-7 /var/db/pkg/foo-6' to satisfy the dependency.
pkg_delete is aware of this and will safely delete the symbolic links as
well.

----------

----- pf

With OpenBSD 3.0, the packet filter is pf:

  /etc/rc.conf -> pf=YES
  /etc/pf.conf

Commands to control the packet filter: pfctl

Packets are logged to /var/log/pflog in tcpdump format.

To read /var/log/pflog:                                 tcpdump -n -e -ttt -r /var/log/pflog
To load filter rules from a text file into the kernel:  pfctl -R file
To display the active ruleset:                          pfctl -s r

See pf(4), nat.conf(5), pf.conf(5), pfctl(8), ftp-proxy(8).

----------

----- Media

wd0      for IDE/RLL/ESDI/ST506 drives
sd0      for SCSI drives
fd0a     for the first floppy drive
nrst0    for no-rewind, raw interface tape drives
cd0/acd0 (partition a) for CD drives

TCP mode during an NFS install only works with newer NFS servers, as
opposed to UDP.

----------

----- disklabel during install

Root partition is usually a.
Swap is usually b.
Partition c in disklabels always represents the whole hard disk.
DOS or Linux partitions appear as h or i.

Skip c when creating new partitions for different mount points and leave
it as type 'unused'. Swap partitions should be of type swap and all other
partitions 4.2BSD.

----------

----- Package selection during install

You can use 'all' to select all packages, 'list' to do the obvious, or
even use wildcards such as '*.tgz' or 'base*|comp*', with 'done' to
activate it.
----------

----- Upgrading

If you are upgrading manually, you must use the -r flag when using
disklabel. You must also change the partition table such that partition c
encompasses the entire drive, and not only the OpenBSD partition. Finally,
partition 'd' is no longer special and can be used for any purpose
whatsoever.

OpenBSD now uses the partition ID 0xA6 (decimal 166) but continues to work
with 0xA5 for compatibility reasons. However, if you change the partition
ID to 0xA6 you can share the disk with 386BSD, FreeBSD or NetBSD.

----------

----- man

When you don't specify a section, the lowest numbered section with such a
manpage will be displayed.

Check out 'man intro', 'man afterboot', 'man boot', 'man packages'.

Type 'help' to get bash help.

----------

----- SSH

If you want to prevent root logins from across the network, set
PermitRootLogin to 'no' in /etc/sshd_config.

----------

----- hostname

Edit /etc/myname and /etc/hosts to set the hostname for the machine, and
use the 'hostname' command to check if it is working.

----------

----- ifconfig

Use 'ifconfig -a' to see if the network interfaces are working. If you
wish to configure them, edit '/etc/hostname.interface', where interface is
a device name such as 'le0'. le0 is the OpenBSD equivalent of Linux's eth0.

----------

----- Network

If you want to enable multicast routing, see the section titled "Multicast
Routing" in /etc/netstart.

See dhcp(8) for instructions on configuring interfaces using dhcp.

Use 'netstat -rn' to see the routing tables.

The default gateway is stored in /etc/mygate. If you edit this file, a
painless way to restart the network is 'route flush' followed by
'sh -x /etc/netstart', or by using a series of 'route add' or
'route delete' commands (route(8)).

If you wish to route packets between interfaces, add the line
net.inet.ip.forwarding=1 or net.inet.ip6.forwarding=1 to /etc/sysctl.conf,
or compile a new kernel with the GATEWAY option. Packets are not forwarded
by default.
You can add 'virtual interfaces' by adding entries to /etc/hostname.if.

To get a local caching named server you need to set the appropriate
"named_flags" in /etc/rc.conf and create the named.boot file (named(8)).

----------

----- su

In order to su to root, the user has to be added to the wheel group in
/etc/group.

----------

----- yp

Use 'domainname' to see or set the domain name on the running system. Edit
the /etc/defaultdomain file to set it permanently. This file is read by
/etc/rc.conf during startup.

To start the yp client services, simply run 'ypbind'. You'll also need to
add the line '+:*::::::::' to /etc/master.passwd using 'vipw' and do a
'pwd_mkdb /etc/master.passwd' to regenerate the password databases.

See afterboot(8) and yp(8) for more details.

----------

----- Swap

To see swap usage:

  pstat -s
  swapctl -l

----------

----- Concatenated disks (ccd)

If you are using ccd(4) concatenated disks, they are configured in
/etc/ccd.conf. Use the 'ccdconfig -U' command to unload and the
'ccdconfig -C' command to create the tables internal to the kernel for
concatenated disks.

-----------

----- motd

/etc/motd is edited by /etc/rc every time the system is booted, so in
order to keep any custom motd intact, make sure to add two blank lines at
the very top.

----------

----- xdm

To turn on xdm, edit xdm_flags in /etc/rc.conf.

----------

----- Security

You can tighten up security by editing /etc/fbtab and /etc/inetd.conf.

Daily security mails will be sent if the ownership or permissions of
important files and directories have changed, with the recommended and the
current permissions indicated in parentheses, in that order. This list is
generated by mtree(8) using /etc/mtree/special.

----------

----- Mail

The sendmail configuration file is /etc/mail/sendmail.cf. The default has
been generated using openbsd-proto.mc in /usr/share/sendmail/cf.
By default, sendmail does not accept mail across the network. To do so you
need to edit the 'sendmail_flags' variable in /etc/rc.conf.

To add mail aliases, edit /etc/mail/aliases and add or modify the entries.
Remember to run 'newaliases' afterwards.

See /usr/share/sendmail/README for more details.

----------

----- DHCP

If this is a DHCP server, edit /etc/dhcpd.conf and /etc/dhcpd.interfaces.
Make sure /etc/rc.conf has 'dhcpd_flags=-q', or run dhcpd(8) manually.

----------

----- bootp

Edit /etc/bootptab and /etc/inetd.conf, or run bootpd(8) in standalone
mode.

----------

----- NFS

Set 'nfs_server=YES' in /etc/rc.conf. Edit /etc/exports and reboot. You can
get the order correct by editing /etc/netstart.

----------

----- HP remote boot server

/etc/rbootd.conf

----------

----- /altroot

The /altroot filesystem can optionally be used to provide a backup of the
root filesystem on a daily basis. To take advantage of this you must have
an entry in /etc/fstab with 'xx' for the mount option:

  /dev/wd0j /altroot ffs xx 0 0

and add the line 'ROOTBACKUP=1' to root's crontab. The /etc/daily script
will then back up the root filesystem on a daily basis.

----------

----- Warning

When editing files in /etc, do not edit the .db files such as pwd.db and
spwd.db, nor localtime or rmt.

----------

----- crontab

'crontab -l' lists the user's crontab entries. 'crontab -e' allows you to
edit them.

----------

----- Kernel

Compiling the kernel:

  cd /sys/arch/i386/conf
  config ./GENERIC
  cd ../compile/GENERIC
  make depend && make

After compiling the kernel, copy it to /bsd. Backups are made by copying
it as /bsd.1, /bsd.2 etc.

With config(8) you can change the device configuration in the kernel
directly:

  config -e -o bsd.new /bsd

To see the different kernel options, see the options(4) man page.
/usr/src/sys/conf/GENERIC contains the platform independent kernel options.
Kernel options such as 'option DEBUG' in the kernel config files get
translated into compiler preprocessor options; therefore an option like
DEBUG would have the source compiled with the option -DDEBUG, which is
equivalent to doing a

  #define DEBUG

throughout the kernel.

----------

----- disklabel

To see the disklabel of wd0, just do a 'disklabel wd0'.

----------

----- ipf

To enable IP filtering, edit /etc/rc.conf and set 'ipfilter=YES'. The
default ruleset is stored in /etc/ipf.rules.

Set net.inet.ip.forwarding=1 in /etc/sysctl.conf if the machine is to act
as a firewall or deal in NAT.

  ipf -Fa -f /etc/ipf.rules -E

will flush the current ruleset, get the new rules from the file specified
and enable (-E) ipf.

See the ipf and ipfstat manpages or /usr/share/ipf for more info.

----------

----- NT Loader and OpenBSD

  dd if=/dev/rsd0c of=openbsd.pbr bs=512 count=1

Put c:\openbsd.pbr="OpenBSD" into c:\boot.ini.

----------

----- Network

First, do an ifconfig and find out which network cards are detected, then
edit /etc/hostname.$IF where $IF is the name of your network card; 'ne3',
for example, would mean /etc/hostname.ne3. See the hostname.if(5) man page
for more info. This file would have the format

  [address_family] [your_ip] [your_netmask] [media_options]
  inet 10.0.0.38 255.255.255.0 NONE

Set up the default gateway by editing /etc/mygate. Set up the nameservers
by editing /etc/resolv.conf, edit /etc/hosts and set up any static routes
if any. Now, either reboot or rerun /etc/netstart with 'sh /etc/netstart'.
Check your routing tables with a 'netstat -rn' or 'route show'.

To set up your OpenBSD box as a router or a gateway, read the OpenBSD
FAQ 6.

----------

----- X

You can switch to the text consoles using [ctrl] [alt] Fx while in X, and
to switch back, the combination [ctrl] [alt] F5 has to be pressed.

----------

----- Forgot password

1) Boot in single user mode: 'boot -s' at the boot prompt.
2) fsck -p / && mount -u /
3) If /usr is not in the / partition you have to similarly mount that
   partition as well.
4) Run the passwd command.

----------

----- boot

'boot -c' at the boot prompt will take you to the boot time configuration.

----------

----- Hardware detection

Sometimes the computer does not correctly detect the hardware or freezes
when more than one NIC is encountered. To overcome this problem, go into
the boot time configuration by typing 'boot -c' at the boot prompt and say
'disable pcibios' and 'quit'.

----------

----- OpenBSD default shell

Korn shell

-----------

----- Device names

In OpenBSD, devices are named by driver, not type, so there isn't any
eth0; instead there are ne0 for ne2000 cards, xl0 for 3Com Etherlink XL,
and so on.

-----------

----- Linux compatibility

The default OpenBSD kernel is compiled with COMPAT_LINUX, so to run Linux
binaries that are not statically linked, install linux_lib and read
compat_linux(8).

-----------

----- Duplicating a filesystem

Duplicating a filesystem using dump and restore:

  cd /SRC; dump 0f - . | (cd /DST; restore -rf -)

Dump and restore are used for backup purposes and might be overkill to
duplicate just a part of a filesystem; to do that you can quite
conveniently use tar (the 'p' flag on extraction preserves permissions):

  cd /SRC; tar cvf - . | (cd /DST; tar xpf -)

-----------

----- Startup

OpenBSD uses an rc(8) style startup. This uses a few key files for startup.

* /etc/rc - Main script. Should not be edited.
* /etc/rc.conf - Configuration file used by /etc/rc to know what daemons
  should start with the system.
* /etc/netstart - Script used to initialize the network. Shouldn't be
  edited.
* /etc/rc.local - Script used for local administration. This is where new
  daemons or host specific information should be stored.
* /etc/rc.securelevel - Script which runs commands that must be run before
  the security level changes. See init(8).
* /etc/rc.shutdown - Script run on shutdown. Put anything you want done
  before shutdown in this file.
  See rc.shutdown(8).

The files that sysadmins concentrate most on are /etc/rc.conf,
/etc/rc.local and /etc/rc.shutdown.

After the kernel is booted, /etc/rc is started:

* Filesystems are checked. This will always be bypassed if the file
  /etc/fastboot exists. This is certainly not a good idea though.
* Configuration variables are read in from /etc/rc.conf.
* Filesystems are mounted.
* /tmp is cleared out, preserving any editor files.
* The network is configured via /etc/netstart:
  + Configures your interfaces up.
  + Sets your hostname, domainname, etc.
* System daemons are started.
* Various checks are done (quotas, savecore, etc).
* Local daemons are run, via /etc/rc.local.

----------

----- init

When init spawns a process, it sets the process priority, umask and
resource limits based on /etc/login.conf.

----------

----- Logs

/var/run/utmp - record of users currently logged in
/var/log/wtmp - record of all logins and logouts

----------

----- Crash

If the system crashes, it will display a message like

  panic: why i gave up the ghost

on the console and enter the kernel debugger ddb(4). Then type:

  boot dump

After this, or if the kernel was not compiled with debugger support or the
debugger had been disabled by sysctl, the physical memory will be dumped
to mass storage as specified by the 'dumps on' directive in the config
file used to build the kernel. After the dump has been written the system
will initiate an automatic reboot. If auto-reboot is disabled, the system
will simply halt.

Upon rebooting, the system will copy the previously written dump into
/var/crash using savecore before resuming multi-user operations.

Utilities like vmstat, iostat, netstat, fstat, nfsstat, ps, systat, w,
dmesg, kgmon, pstat, slstats, trpt and trsp can be used with

  /var/crash/bsd.0      - kernel image
  /var/crash/bsd.0.core - memory image

to perform a post-mortem after a crash. They usually take the following
arguments:

-N: kernel system image.
    This is where the symbolic information is obtained from, so it can't
    be stripped.
-M: Normally, this is an image obtained by savecore, but it can be
    /dev/mem too.

eg:

  ps -N /var/crash/bsd.0 -M /var/crash/bsd.0.core -O paddr
  vmstat -N /var/crash/bsd.0 -M /var/crash/bsd.0.core -m

Read crash(8).

----------

----- Power down

Edit /etc/rc.conf and edit the powerdown flag to make the system shut down
if apm is enabled.

----------

----- OpenSSL

Certificates are stored in /etc/ssl/private.

  # generate the server's private key, either unencrypted ...
  openssl genrsa -out /etc/ssl/private/server.key 1024
  # ... or protected by a DES3 passphrase
  openssl genrsa -des3 -out /etc/ssl/private/server.key 1024

  # generate a certificate signing request from that key
  openssl req -new -key /etc/ssl/private/server.key \
    -out /etc/ssl/private/server.csr

The server.csr should then be given to a certification authority who will
then sign it. If you can't afford it, you can sign your own key with

  openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
    -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt

With /etc/ssl/server.crt and /etc/ssl/private/server.key in place you
should be able to start httpd with the -DSSL flag.

----------

----- Password files

/etc/master.passwd   current password file
/etc/passwd          a Version 7 format password file
/etc/pwd.db          insecure password database file
/etc/pwd.db.tmp      temporary file
/etc/spwd.db         secure password database file
/etc/spwd.db.tmp     temporary file

Just editing /etc/passwd won't do, you need to run pwd_mkdb(8). The main
password file is /etc/master.passwd. If you really want to edit the
password file, you can use the vipw(8) command. It will automatically
regenerate the password databases.

To learn more about adding users to the system, see the adduser(8) and
adduser_proc(8) man pages. The rmuser(8) script can be used to remove all
traces of any user: their crontab entries, files, entries in password
files, etc.

----------

----- Disk quotas

Firstly, QUOTA should be enabled in the kernel. Next the relevant options
have to be added to /etc/fstab:
  /dev/wd0a / ffs rw,userquota=/var/quotas/quota.user 1 1

Then, use 'edquota' to actually allocate quotas for users. Once this is
done, you can turn on quotas with 'quotaon -a'. You can view the quota
information of a user with 'quota'. To turn off quotas do a 'quotaoff -a'.

----------

----- Kerberos

Server:

Time has to be synchronized in order for this to work correctly. Edit
/etc/kerberosIV/krb.conf and /etc/kerberosIV/krb.realms and do a
'kdb_init' and a 'kstash'. Also look into 'kdb_edit' and 'ext_srvtab'.
Then, either reboot, or:

  [root@avalanche /] kill -HUP `cat /var/run/inetd.pid`
  [root@avalanche /] /usr/libexec/kerberos >> /var/log/kerberos.log &
  [root@avalanche /] /usr/libexec/kadmind -n >> /var/log/kadmind.log &

Client:

Edit krb.conf and krb.realms. Obtain a ticket using kinit(8). To get rid
of any tickets, just do a 'kdestroy'.

----------

----- FTP

Needs an account for 'ftp'. It shouldn't have a usable password. The login
directory will be /home/ftp. If using anonymous ftp, the daemon will
chroot itself to the home directory. Read more in ftp(8) and chroot(2).
Make sure /usr/bin/false is in /etc/shells. Add the user using 'adduser'.

  /home/ftp:     owned by root, perms 555.
  /home/ftp/etc: cp /etc/pwd.db and /etc/group here. Dir perms 511,
                 file perms 444.
  /home/ftp/pub: owned by root, perms 555.

All the files in /home/ftp and below should be chowned root:ftp; the
directory /home/ftp itself should be chowned root:wheel.

  ftp stream tcp nowait root /usr/libexec/ftpd ftpd -US

in /etc/inetd.conf will set up and log anonymous ftp sessions to
/var/log/ftpd and concurrent sessions to /var/run/utmp. This will allow
sessions to be seen when using who. If you want to set up only anonymous
ftp facilities and not allow user ftp sessions you need to specify the -A
switch, and -ll to use the logging facilities.

  ftp stream tcp nowait root /usr/libexec/tcpd ftpd -llUSA

People with high traffic demands should run ftp in daemon mode.
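As an added example (not from the original notes), the script below is a small offline version of the daily mtree-style permission check described under Security, with a spec describing the anonymous FTP tree listed above; the spec format, the helper names and the constructed sample tree are this example's own assumptions, and an owner of "-" in the spec skips the ownership test so the sample can be audited by a non-root user.

```sh
#!/bin/sh
# Added example, not part of the original notes: audit a directory tree against a
# spec of "relative-path mode owner" lines and report deviations the way the daily
# security mail does, "(recommended, current)".  Owner "-" means "not checked"
# here; on a real /home/ftp the owner column would be root, as the notes say.

# Normalise an octal mode so "555", "0555" and stat's output compare equal.
norm_mode() { printf '%04o' "0$(printf '%s' "$1" | sed 's/^0*//')"; }

# Current permission bits / owner of a path: GNU stat first, BSD stat as fallback.
mode_of()  { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
owner_of() { stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"; }

# audit_tree ROOT SPECFILE: print one line per deviation and return 1 if any.
audit_tree() {
    root=$1; spec=$2; rc=0
    while read -r rel want_mode want_owner; do
        case $rel in ''|'#'*) continue ;; esac        # skip blanks and comments
        p="$root/$rel"
        if [ ! -e "$p" ]; then echo "$p: missing"; rc=1; continue; fi
        have=$(norm_mode "$(mode_of "$p")"); want=$(norm_mode "$want_mode")
        if [ "$have" != "$want" ]; then
            echo "$p: permissions ($want, $have)"; rc=1
        fi
        if [ "$want_owner" != - ] && [ "$(owner_of "$p")" != "$want_owner" ]; then
            echo "$p: owner ($want_owner, $(owner_of "$p"))"; rc=1
        fi
    done < "$spec"
    return $rc
}

# Spec for the anonymous FTP tree from the notes (constructed; owner "-" for the
# offline run, root when auditing a real installation).
ftp_spec() {
    cat <<'EOF'
.          0555 -
etc        0511 -
etc/pwd.db 0444 -
etc/group  0444 -
pub        0555 -
EOF
}

# Build a throw-away tree that satisfies ftp_spec and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/etc" "$d/pub"
    : > "$d/etc/pwd.db"; : > "$d/etc/group"
    chmod 0444 "$d/etc/pwd.db" "$d/etc/group"
    chmod 0511 "$d/etc"; chmod 0555 "$d/pub" "$d"
    echo "$d"
}

# On a real host:  ftp_spec > /tmp/ftp.spec; audit_tree /home/ftp /tmp/ftp.spec
```

A clean tree produces no output and exit status 0; a world-writable pub/ is reported as "pub: permissions (0555, 0777)".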
Daemon mode is enabled by setting ftpd_flags in /etc/rc.conf:

  ftpd_flags="-DllUSA"    # for non-inetd use: ftpd_flags="-D"

Take ftp out of inetd.conf first though.

/etc/ftpwelcome lets you customize the welcome message. /etc/motd holds
the message that people who successfully log in get to see. A .message
file can be placed in any directory and will be seen when the user enters
that directory.

To chroot an ftp account to its home directory, place the username in
/etc/ftpchroot.

----------

----- Patching

An example:

  cd /usr/src
  patch -p0 < 026_talkd.patch
  cd libexec/talkd
  make obj && make depend && make && make install

----------

----- CCD - concatenated disk driver

It's a bit like LVM (Logical Volume Management) in other UNIX flavours. In
the generic kernel, CCD is enabled. See ccd(4). If not, you need to add
the following line to your kernel configuration:

  pseudo-device ccd 4 # concatenated disk devices

Next figure out which partitions you are going to use for your all
encompassing logical drive by editing /etc/ccd.conf; also take a look at
ccdconfig(8).

  # ccd   ileave  flags   component devices
  ccd0    16      none    /dev/sd2e /dev/sd3e

To make your changes take effect:

  ccdconfig -C

As long as /etc/ccd.conf exists, ccd will automatically configure itself
upon reboot. The new disk is now called ccd0; just use disklabel to
customize it to your heart's content.

----------

----- RAID

Another solution is raid(4), which has you use raidctl(8) to control your
raid devices. OpenBSD's RAID is based upon Greg Oster's NetBSD port of the
CMU RAIDframe software. OpenBSD has support for RAID levels 0, 1, 4, and 5.

With raid, as with CCD, support must be in the KERNEL. Unlike CCD, support
for RAID is not found in GENERIC; it must be compiled into your kernel
(RAID support adds some 500K to the size of an i386 kernel!):

  pseudo-device raid 4 # RAIDframe disk device

Setting up RAID on some operating systems is confusing and painful to say
the least. Not so with RAIDframe.
Read the raid(4) and raidctl(8) man pages to get full details. There are
many options and possible configurations; a detailed explanation is beyond
the scope of this document.

----------

----- boot

To boot the kernel without the initial 5 second delay:

  echo "boot" > /etc/boot.conf

To use the serial port by connecting it to a terminal using a null modem
cable (mainly for debugging purposes):

  set tty com0

or

  echo "set tty com0" >> /etc/boot.conf

Boot the kernel from the second IDE disk in user kernel configuration
mode, which allows explicit enabling and disabling of devices during the
current boot sequence, as well as the modification of device parameters:

  boot wd1a:/bsd -c

/usr/mdec:

  /usr/mdec/mbr          : system mbr image
  /usr/mdec/biosboot     : primary stage bootstrap (PBR)
  /usr/mdec/boot, /boot  : system second stage bootstrap
  /usr/mdec/installboot  : install bootstrap code

To install the primary and secondary bootstrap:

  cp /usr/mdec/boot /boot
  /usr/mdec/installboot -v -n /boot /usr/mdec/biosboot sd0

If it looks ok:

  /usr/mdec/installboot -v /boot /usr/mdec/biosboot sd0

  biosboot --> boot --> kernel

----------

----- boot commands

boot [[image] [-acds]]

eg.
  boot wd0a:/bsd -c

  -a : kernel asks for the root device
  -c : kernel goes into boot_config before going into the autoconfig procs
  -d : kernel drops into ddb at the earliest convenient point
  -s : single user mode

echo [args]
  display args on the console device

help

machine [command]
  diskinfo
  memory
  regs

ls [directory]

reboot

set [varname [value]]
  if only set is invoked, it will print all vars
  if only varname is specified, it will print the value of the var
  if both are specified, it assigns value to the varname

  addr    - address at which to load the kernel
  debug   - debug flag if boot was compiled with DEBUG defined
  device  - boot device name
  howto   - options to pass to the loaded kernel
  image   - file name containing the kernel
  timeout - # of seconds boot will wait before booting the default image
  tty     - active console device name

stty [device [speed]]
  default baudrate is 9600bps

time

----------

----- System statistics

To see the status of open files          : fstat
Display system statistics on a CRT       : systat
Report I/O statistics                    : iostat
Display system data structures           : pstat
Report virtual memory statistics         : vmstat
Display nfs statistics                   : nfsstat
Show network status                      : netstat
Report SLIP statistics                   : slstats
Generate a dump of OS profile buffers    : kgmon

----------

----- man

To view manpages directly:

  nroff -mdoc command.8 | less

To view a man page without the non-printable characters:

  man command.8 | col -b | less

To get the postscript version of a man page:

  groff -mdoc -Tps [man_src_file] > outfile.ps

This will work only if the manpages are formatted with the mdoc macro
package, which is what is used in OpenBSD.
For some of the ports where that is not the case, the following will have
to be used instead:

  groff -mandoc -Tps [man_src_file] > outfile.ps

----------

----- Boot floppy

Unix:

  fdformat /dev/fd0a
  dd if=floppy28.fs of=/dev/rfd0c bs=126b
  cmp /dev/rfd0c floppy28.fs

MS-DOS/Win95/98:

  rawrite

NT/2000:

  fdimage -q floppy28.fs a:
  or
  ntrw floppy28.fs a:

----------

----- Kernel modules

All operations involving loadable kernel modules are handled by

  modload
  modunload
  modstat

which perform their tasks via ioctl on the LKM interface /dev/lkm.

----------

----- IPsec

IP Security Protocol. IPsec is enabled with the following sysctl variables
in /etc/sysctl.conf:

  net.inet.esp.enable : enable the ESP ipsec protocol
  net.inet.ah.enable  : enable the AH ipsec protocol

IPsec is a pair of protocols:

  ESP - Encapsulating Security Payload
  AH  - Authentication Header

Main objectives of IPsec:

  Confidentiality
  Integrity
  Authenticity
  Replay Protection

ESP provides authenticity, integrity, replay protection and
confidentiality. AH provides authenticity, integrity and replay protection,
but not confidentiality.

These protocols require certain parameters. They are:

  Encryption algorithm
  Hash algorithm
  Encryption key
  Authentication key
  etc.

Together, they are known as an SA (Security Association). For secure
communication to happen, the two peers need to have the same SA.

Manual SA establishment is done using ipsecadm(8). The two key management
daemons are photurisd(8) and isakmpd(8).

IPsec can operate in two modes: transport and tunnel. In transport mode,
an ordinary IP header gives the destination. In tunnel mode the ordinary
IP header gives the location of a gateway that is capable of decoding the
encrypted payload and routing it to the necessary machine based on an
encrypted destination. Tunnel mode is used to establish VPNs (Virtual
Private Networks).

Typical TCP packet:

  [ IP HEADER ] [ TCP HEADER ] [ Data.... ]

ESP in Transport Mode:

  [ IP HEADER ] [ ESP HEADER ] [ TCP HEADER ] [ Data.... ]
ESP in Tunnel Mode:

  [ IP HEADER ] [ ESP HEADER ] [ IP HEADER ] [ TCP HEADER ] [ Data.... ]

The implementation can make use of a virtual interface 'enc0', which can
be used in packet filters.

  ifconfig enc0 up
  tcpdump -i enc0

See ipsec(4), enc(4), vpn(8), photurisd(8), isakmpd(8).

----------

----- ifconfig

Examples:

  ifconfig fxp0 inet 192.168.0.1 netmask 255.255.255.0
  ifconfig xl0 media 10baseT
  ifconfig xl0 media 100baseTX mediaopt full-duplex
  ifconfig vlan0 192.168.254.1 vlan 4 vlandev fxp0

The last one configures the vlan0 interface for IP address 192.168.254.1,
vlan tag 4, and vlan parent device fxp0.

----------