OpenBSD has a fantastic install guide available, but it only covers the basic system installation, not any post-install configuration and hardening.
This document is meant as an easy guide to post-installation configuration. You can use other mirrors for both packages and cvs, and use your text-editor of choice -- these examples are meant to simply work without having to do any additional research or decision-making. Also, it has been tested with OpenBSD 4.1, though it should work for other versions. You can get the current official recommendations via:
$ man afterbootAfter you've finished your installation, create a user account (only root is created by default) and give them sudo access:
# useradd -m username # passwd username # usermod -G wheel username # pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/pico-4.10p0 # pico /etc/sudoers
# Same thing without a password %wheel ALL=(ALL) NOPASSWD: ALL# pico /etc/ssh/sshd_confNow let's disable remote root login. In the same file, locate this line:#Protocol 2,1
to
Protocol 2
#PermitRootLogin yesand change it to:
PermitRootLogin noNow let's disable root login over ssh. In the same file, look for the authentication section:
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
$ pico ~/.profile
PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386 export PKG_PATH
CVSROOT=anoncvs@anoncvs3.usa.openbsd.org:/cvs export CVSROOT $ cd /usr
$ sudo cvs checkout -P -rOPENBSD_4_1 src
$ sudo cp /usr/src/sys/arch/i386/conf/GENERIC \
> /usr/src/sys/arch/i386/conf/GENERIC.old
$ cd /usr/src/sys/arch/i386/conf/
$ sudo config GENERIC $ cd /usr/src/sys/arch/i386/compile/GENERIC
$ sudo make clean
$ sudo make depend
$ sudo make
$ sudo cp /bsd /bsd.old
$ sudo install -o root -g wheel -m 644 bsd /
$ sudo rm -rf /usr/obj/*
$ cd /usr/src
$ sudo make obj
$ cd /usr/src/etc && sudo env DESTDIR=/ make distrib-dirs
$ cd /usr/src
$ sudo make build
Never use useradd, use adduser. It is better to use nano than pico if you must use that kind of editor, because nano requires less dependancies. Never directly edit the /etc/sudoers file, ever, for any reason. Use visudo, it has safety checks to make sure you've not made the file unusable.
You shouldn't force random people to register in order to correct you, try using a captcha instead, since it's less of a hassel.
Posted by: asdf | 10/23/2007 at 05:33 AM
I turned on word-based gatekeeper, so registration should no longer be necessary.
Correct is a very strong term, however. Visudo requires proficiency with vi. Text editor preferences are a bit of a religious discussion, so I intentionally chose the simplest possible editor. The safety checks are a good feature, but it complicates things for a user that may need this document (it's content is obvious to anyone who uses OpenBSD regularly).
Pico vs. nano is another text-editor preference choice. Nano does have a more permissive license and is generally considered to be a cleaner code base. I use pico simply because I'm employed by it's authors. Again, choice of text editors is a personal thing.
I can understand your choices for those two, but I don't understand the adduser vs. useradd admonishment.
Adduser is an interactive dialogue (a text version of a wizard). I may be old-fashioned, but I'd rather use a couple of quick, non-interactive commands than complete a dialog of questions.
$ sudo useradd -m username
$ sudo passwd username
$ sudo usermod -G group username
accomplishes exactly the same thing as using adduser.
Posted by: dankney | 10/23/2007 at 06:19 AM
Proficiency with vi is a requirement of unix, no ifs, ands or buts about it. OpenBSD is a unix system, and while some may like to modify their EDITOR env, it's not going to change the fact that if you don't know vi, you don't know ed, and if you don't know ed, in the end, you're going to be in trouble.
nano doesn't need pine is my biggest point pro-nano.
adduser is a script that handles everything, rather than leaving the possibilty of half-made user accounts, which can cause problems in a system.
Posted by: Nat | 10/23/2007 at 11:07 AM
And now pine is no longer being built as an OpenBSD package, because of the licence.
Posted by: Nat | 10/31/2007 at 06:26 AM
OpenBSD is a unix system, and while some may like to modify their EDITOR env, it's not going to change the fact that if you don't know vi, you don't know ed, and if you don't know ed, in the end, you're going to be in trouble.
nano doesn't need pine is my biggest point pro-nano.
Posted by: ice age 4 toys | 06/17/2012 at 11:31 PM