OpenBSD has a fantastic install guide available, but it only covers the basic system installation, not any post-install configuration and hardening.
This document is meant as an easy guide to post-installation configuration. You can use other mirrors for both packages and cvs, and use your text-editor of choice -- these examples are meant to simply work without having to do any additional research or decision-making. Also, it has been tested with OpenBSD 4.1, though it should work for other versions. You can get the current official recommendations via:
$ man afterboot
After you've finished your installation, create a user account (only root is created by default) and give them sudo access:
# useradd -m username
# passwd username
# usermod -G wheel username
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/pico-4.10p0
# pico /etc/sudoers
Remove a # symbol from the sudoers file to allow wheel members to sudo. The file should now contain this text:
# Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL
Now you need to edit the /etc/ssh/sshd_config file so that it only uses SSHv2 (v1 is cryptographically flawed):
# pico /etc/ssh/sshd_config
Change this line:
#Protocol 2,1
to
Protocol 2
Now let's disable root login over ssh. In the same file, look for the authentication section:
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
Change this section so that it reads (the #PermitRootLogin yes line becomes PermitRootLogin no):
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
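As an added example (not the post's own commands), the same two sshd_config edits applied non-interactively with sed on a constructed sample file, plus a helper that reads back the effective value of a directive; point harden_sshd_config at /etc/ssh/sshd_config under sudo to apply it for real, then run sshd -t to check the syntax before restarting.

```shell
#!/bin/sh
# Added example, not the post's own commands: apply the two sshd_config
# edits above with sed instead of an editor, then read back the result.

# Set "Key value" in file $1, replacing an existing commented or
# uncommented line for that directive, or appending it if absent.
# sed -i is avoided so this also runs on older BSD sed.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^#?[[:space:]]*$key[[:space:]]" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^#?[[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # keeps the original file's owner and mode
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# The two hardening changes from the post: SSHv2 only, no root login.
harden_sshd_config() {
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" PermitRootLogin no
}

# Effective (uncommented) value of a directive; like sshd, the first
# match wins. Prints nothing if the directive is still commented out.
sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Constructed sample mirroring the default stanzas quoted in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Protocol 2,1
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
EOF
harden_sshd_config "$sample"
echo "Protocol=$(sshd_option "$sample" Protocol)" \
     "PermitRootLogin=$(sshd_option "$sample" PermitRootLogin)"
rm -f "$sample"
```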
Save the configuration. That's everything that you need to do as root.
Reboot the machine then ssh into the server with the user account you
just created. Reboot instead of logging out so that the new sshd
configuration takes effect.
Now edit your profile:
$ pico ~/.profile
and add the following lines:
PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386
export PKG_PATH
CVSROOT=anoncvs@anoncvs3.usa.openbsd.org:/cvs
export CVSROOT
This sets system variables to simplify patching and package management.
Now, let's check out the source from CVS and update everything from the release code base to the stable (patched) code base:
$ cd /usr
$ sudo cvs checkout -P -rOPENBSD_4_1 src
$ sudo cp /usr/src/sys/arch/i386/conf/GENERIC \
> /usr/src/sys/arch/i386/conf/GENERIC.old
$ cd /usr/src/sys/arch/i386/conf/
$ sudo config GENERIC
Now we're ready to compile the new kernel. Move into the compilation directory and compile it:
$ cd /usr/src/sys/arch/i386/compile/GENERIC
$ sudo make clean
$ sudo make depend
$ sudo make
Next, back up your old kernel and activate the new one by installing it at the root level:
$ sudo cp /bsd /bsd.old
$ sudo install -o root -g wheel -m 644 bsd /
The flags set the owner (-o), group (-g) and permissions (-m) of the new binary.
Finally, you need to rebuild the userland:
$ sudo rm -rf /usr/obj/*
$ cd /usr/src
$ sudo make obj
$ cd /usr/src/etc && sudo env DESTDIR=/ make distrib-dirs
$ cd /usr/src
$ sudo make build
Now reboot the machine to start using the new kernel.
Never use useradd, use adduser. It is better to use nano than pico if you must use that kind of editor, because nano requires fewer dependencies. Never directly edit the /etc/sudoers file, ever, for any reason. Use visudo, it has safety checks to make sure you've not made the file unusable.
You shouldn't force random people to register in order to correct you, try using a captcha instead, since it's less of a hassle.
Posted by: asdf | 10/23/2007 at 05:33 AM
I turned on word-based gatekeeper, so registration should no longer be necessary.
Correct is a very strong term, however. Visudo requires proficiency with vi. Text editor preferences are a bit of a religious discussion, so I intentionally chose the simplest possible editor. The safety checks are a good feature, but it complicates things for a user that may need this document (its content is obvious to anyone who uses OpenBSD regularly).
Pico vs. nano is another text-editor preference choice. Nano does have a more permissive license and is generally considered to be a cleaner code base. I use pico simply because I'm employed by its authors. Again, choice of text editors is a personal thing.
I can understand your choices for those two, but I don't understand the adduser vs. useradd admonishment.
Adduser is an interactive dialogue (a text version of a wizard). I may be old-fashioned, but I'd rather use a couple of quick, non-interactive commands than complete a dialog of questions.
$ sudo useradd -m username
$ sudo passwd username
$ sudo usermod -G group username
accomplishes exactly the same thing as using adduser.
Posted by: dankney | 10/23/2007 at 06:19 AM
Proficiency with vi is a requirement of unix, no ifs, ands or buts about it. OpenBSD is a unix system, and while some may like to modify their EDITOR env, it's not going to change the fact that if you don't know vi, you don't know ed, and if you don't know ed, in the end, you're going to be in trouble.
nano doesn't need pine is my biggest point pro-nano.
adduser is a script that handles everything, rather than leaving the possibility of half-made user accounts, which can cause problems in a system.
Posted by: Nat | 10/23/2007 at 11:07 AM
And now pine is no longer being built as an OpenBSD package, because of the licence.
Posted by: Nat | 10/31/2007 at 06:26 AM