
A Quick one on OpenBSD

Once OpenBSD is installed you should update it immediately.

cvsup'd xenocara version as of 15.05.2012:

X.Org X Server 1.11.4
Release Date: 2012-01-27
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 5.1 i386
Current Operating System: OpenBSD builder.local 5.1 GENERIC#160 i386
Build Date: 15 May 2012 11:02:20AM

Current version of pixman: 0.22.2

Kernel Version vanilla 5.1: OpenBSD foo.lan 5.1 GENERIC#0 i386

This is done through CVSup and takes time.

OpenBSD is not meant to be set up in 5 minutes and you're done. It is aimed at system administrators who are actually interested in their systems' security.

cvsup is not installed by default; install it now:

# pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/5.1/packages/i386/cvsup-16.1hp2-no_x11.tgz

Add a cvsup file like:

cat << EOF > /etc/cvsupfile
# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=anoncvs3.usa.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_5_1

# If your network link is a T1 or faster, comment out the following line.
# *default compress

OpenBSD-ports
#OpenBSD-all
OpenBSD-src
#OpenBSD-www
OpenBSD-xenocara
EOF

Change anoncvs3.usa.openbsd.org to a server near you (see http://www.openbsd.org/cvsup.html#CVSROOT for the mirror list), for example mirrors.osn.de.

Run cvsup:

# cvsup -g -L 2 /etc/cvsupfile

Alternatively, to install cvsup from source via ports without X11:

# cd /usr/ports/net/cvsup ; export FLAVOR=no_x11 ; make install

The following collection sizes are known:

OpenBSD-all
    All available OpenBSD collections (~3.8GB)
OpenBSD-src
    The source distribution (~1.5GB)
OpenBSD-ports
    The ports distribution (~390MB)
OpenBSD-www
    The OpenBSD web pages (~375MB)
OpenBSD-xenocara
    The current X.Org v7 tree (~676MB)
OpenBSD-xf4
    The previous X.Org v6 tree (~564MB)
OpenBSD-x11
    The old XFree86-3 distribution (~200MB) 

Compile a new Kernel and build a new world:

# cp -i /bsd /bsd.old
# cd /usr/src/sys/arch/i386/conf/
# config GENERIC
Don't forget to run "make depend"
# cd ../compile/GENERIC
# make clean && make depend && make && make install
# reboot
# rm -rf /usr/obj/*
# cd /usr/src
# make obj
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
# cd /usr/src
# make build
# rm -rf /usr/obj/*

Total time for make build on a 2.60GHz processor was 75 minutes.

Once done, reboot and verify your ports are up to date:

# cd /usr/ports/infrastructure/bin/
# ./out-of-date
Collecting installed packages: ok
Collecting port versions: ok
Collecting port signatures: ok
Outdated ports:
www/mozilla-firefox         # 3.0.6 -> 3.0.7
#

Firefox seems to be out of date; to update it:

# find /usr/ports/ -name mozilla-firefox
# cd /usr/ports/www/mozilla-firefox/
# make update

Now update your X if you use it:

# rm -rf /usr/xobj/*
# cd /usr/xenocara
# make bootstrap
# make obj
# make build
# rm -rf /usr/xobj/*

Total time for make build on a p4 2.60GHz processor was 75 minutes.

When Kernel Building Goes Bad

If the newly installed kernel will not boot, boot the previous known-good kernel instead.

When you restart the system, wait until you see something similar to this:

Using drive 0, partition 3.
Loading...
probing: pc0 com0 apm mem[634K 319M a20=on]
disk: fd0 hd0+
>> OpenBSD/i386 BOOT 3.01
boot>

At this point, boot the previous kernel (the copy saved as /bsd.old above):

Using drive 0, partition 3.
Loading...
probing: pc0 com0 apm mem[634K 319M a20=on]
disk: fd0 hd0+
>> OpenBSD/i386 BOOT 3.01
boot> bsd.old

Some more tips:

To go into single user mode and recover a root password:

1. When you restart the system, wait until you see something similar to this:

Using drive 0, partition 3.
Loading...
probing: pc0 com0 apm mem[634K 319M a20=on]
disk: fd0 hd0+
>> OpenBSD/i386 BOOT 3.01
boot>

At this point, enter single-user mode:

Using drive 0, partition 3.
Loading...
probing: pc0 com0 apm mem[634K 319M a20=on]
disk: fd0 hd0+
>> OpenBSD/i386 BOOT 3.01
boot> boot -s

2. Now run fsck on all partitions to make sure the filesystems are clean before making changes:

Enter pathname of shell or RETURN for sh: <press enter>

# fsck -p

3. Mount all filesystems

# mount -a

Export the TERM environment variable only if you need to edit files:

# export TERM=vt220

4. Reset root's password and then reboot

# passwd
Changing local password for root.
New password: ILikeMonkeys
Retype new password: ILikeMonkeys
# shutdown -r now

Disable root logins over SSH:

1. First add a regular user and his SSH keys:

# useradd -v -m -G wheel steve
# vi /home/steve/.ssh/authorized_keys

2. Edit the entry in the /etc/ssh/sshd_config file from

#PermitRootLogin yes

to:

PermitRootLogin no

Now restart sshd so the change takes effect without rebooting:

# kill -HUP `cat /var/run/sshd.pid`
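The sshd_config edit and restart above, as an added example (not from the original page) that makes the change idempotent and tests the configuration before signalling sshd. It assumes POSIX sh, grep, sed and awk; FILE is normally /etc/ssh/sshd_config, but any copy of it works for a dry run.

```shell
#!/bin/sh
# Added example, not from the original page: set an sshd_config directive
# idempotently and verify the file before asking sshd to reload it.
# Assumes POSIX sh, grep, sed and awk.

# set_sshd_option FILE KEY VALUE
# Rewrites every line for KEY, commented or not ("#PermitRootLogin yes"
# included), to "KEY VALUE"; appends the directive when no such line exists.
# Does not handle Match blocks; VALUE must not contain a "/".
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" \
            "$file" > "$tmp"
    else
        { cat "$file"; echo "$key $value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# effective_sshd_option FILE KEY
# Prints the value sshd will use: the first uncommented occurrence of a
# directive wins in sshd_config, later duplicates are ignored.
effective_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# reload_sshd FILE
# Refuses to HUP sshd when the file does not pass "sshd -t", so a typo
# cannot leave a remote box without a working sshd.
reload_sshd() {
    sshd -t -f "$1" || { echo "sshd_config test failed, not reloading" >&2; return 1; }
    kill -HUP "$(cat /var/run/sshd.pid)"
}

# Typical use, as root:
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
#   [ "$(effective_sshd_option /etc/ssh/sshd_config PermitRootLogin)" = no ] \
#       && reload_sshd /etc/ssh/sshd_config
```

Before editing authorized_keys for the new user, make sure ~/.ssh exists with mode 700 and the file has mode 600, otherwise sshd (with StrictModes, the default) ignores the key.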

Encrypting swap (already set to 1 by default in 4.5):

1. Enable it at runtime:

# sysctl -w vm.swapencrypt.enable=1

2. Edit /etc/sysctl.conf from

#vm.swapencrypt.enable=1

to:

vm.swapencrypt.enable=1

Adding packages, bash for instance:

# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.1/packages/i386/

1. Add the i386 binary package for the bash shell via pkg_add:

# pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/5.1/packages/i386/bash-4.2.10.tgz

2. Set bash as your login shell:

# chsh -s bash

Or via the ports system:

# cd /usr/ports/shells/bash
# make install clean

Locking A User Out of Their Account

There will come a time when an administrator needs to prevent a user from using their account.

Locking the user nathan out of his account, as root:

# chsh -s nologin nathan

Unlocking the user nathan's account, as root:

# chsh -s sh nathan

A better way of locking a user out of their account is the userdel command with -p, which not only changes the user's shell to a nologin shell but also changes the user's password to an "impossible" one. The user's home directory is not removed.

Locking the user nathan out of his account, as root:

# userdel -p nathan

Locking All Users Out of Their Accounts

There will come a time when an administrator needs to prevent all users from using their accounts. Root does not fall under the default login class and will not be locked out.

Locking all users out of their accounts, as root:

# touch /etc/nologin

Allowing logins again, as root:

# rm /etc/nologin

The login program is controlled by /etc/login.conf and can be tweaked to meet your needs, including setting default user environmental variables and fine-tuning your system security.
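An added example, not from the original page, to check the effect of the lock-out commands above: it reads a master.passwd(5)-format file (name:password:uid:gid:class:change:expire:gecos:home:shell) and lists the accounts that can still log in. On a real system run it as root against /etc/master.passwd; the sample data below is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: list accounts that are not
# locked, from a master.passwd(5)-format file or stdin. Assumes POSIX sh and awk.

# enabled_logins [FILE]
# Prints one name per line for accounts whose shell is not a nologin shell
# (chsh -s nologin, userdel -p) and whose password hash is not an impossible
# one starting with "*" (what userdel -p writes). An empty password field is
# NOT a lock: it means no password is needed, so such accounts are reported.
enabled_logins() {
    awk -F: '
        $1 == "" || $1 ~ /^#/ { next }   # blank and comment lines
        $10 ~ /\/nologin$/    { next }   # locked via nologin shell
        $2 ~ /^\*/            { next }   # impossible hash, can never match
        { print $1 }
    ' "$@"
}

# Constructed sample, not a real system's master.passwd: nathan locked with
# userdel -p, daemon with an impossible hash, the other three still active.
SAMPLE_MASTER_PASSWD=$(cat <<'EOF'
root:$2b$08$constructedhashxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
alice:$2b$08$constructedhashyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:1001:1001::0:0:Alice:/home/alice:/bin/ksh
nathan:*************:1002:1002::0:0:Nathan:/home/nathan:/sbin/nologin
steve:$2b$08$constructedhashzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:1003:1003::0:0:Steve:/home/steve:/usr/local/bin/bash
EOF
)

# sample_enabled_logins: runs the audit over the sample, names space separated.
sample_enabled_logins() {
    printf '%s\n' "$SAMPLE_MASTER_PASSWD" | enabled_logins | tr '\n' ' ' | sed 's/ *$//'
}
```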

If you end up with files ending in ,v under /usr/src, you have done a cvsup of the repository itself without a checkout. Make sure to either add a tag to your cvsupfile or place your CVS tree in a separate directory.

OpenBSD (last edited 2012-05-15 15:10:21 by SteveClement)