man/man8/afterboot.8

.\"	$OpenBSD: afterboot.8,v 1.61 2001/03/11 05:56:43 aaron Exp $
.Dd October 20, 1997
.Dt AFTERBOOT 8
\!\" Originally created by Marshall M. Midden -- 1997-10-20, m4@umn.edu
.Os
.Sh NAME
.Nm afterboot
.Nd things to check after the first complete boot
.Sh DESCRIPTION
.Ss Starting Out
This document attempts to list items for the system administrator
to check and set up after the installation and first complete boot of the
system.
The idea is to create a list of items that can be checked off so that you have
a warm fuzzy feeling that something obvious has not been missed.
A basic knowledge of
.Ux
is assumed, otherwise type
.Pp
.Dl Ic # help
.Pp
Complete instructions for correcting and fixing items is not provided.
There are manual pages and other methodologies available for doing that.
For example, to view the man page for the
.Xr ls 1
command, type:
.Pp
.Dl Ic man 1 ls
.Pp
Administrators will rapidly become more familiar with
.Ox
if they get used to using the high quality manual pages.
.Pp
.Ss Errata
By the time that you have installed your system, it is quite likely that
bugs in the release have been found.
All significant and easily fixed problems will be reported at
.Pa http://www.openbsd.org/errata.html .
The web page will mention if a problem is security related.
It is recommended that you check this page regularly.
.Ss Login
Login as
.Dq Ic root .
You can do so on the console, or over the network using
.Xr ssh 1 .
If you wish to deny root logins over the network, edit the
.Pa /etc/sshd_config
file and set
.Cm PermitRootLogin
to
.Dq no
(see
.Xr sshd 8 ) .
.Pp
Upon successful login on the console, you may see the message
.Dq Don't login as root, use su .
For security reasons, it is bad practice to login as root during regular use
and maintenance of the system.
Instead, administrators are encouraged to add a
.Dq regular
user, add said user to the
.Dq wheel
group, then use the
.Ic su
and
.Ic sudo
commands when root privileges are required.
This process is described in more detail later.
.Ss Root password
Change the password for the root user.
(Note that throughout the documentation, the term
.Dq superuser
is a synonym for the root user.)
Choose a password that has numbers, digits, and special characters (not space)
as well as from the upper and lower case alphabet.
Do not choose any word in any language.
It is common for an intruder to use dictionary attacks.
Type the command
.Ic /usr/bin/passwd
to change it.
.Pp
It is a good idea to always specify the full path name for both the
.Xr passwd 1
and
.Xr su 1
commands as this inhibits the possibility of files placed in your execution
.Ev PATH
for most shells.
Furthermore, the superuser's
.Ev PATH
should never contain the current directory
.Po Dq \&.
.Pc .
.Ss System date
Check the system date with the
.Xr date 1
command.
If needed, change the date, and/or change the symbolic link of
.Pa /etc/localtime
to the correct time zone in the
.Pa /usr/share/zoneinfo
directory.
.Pp
Examples:
.Bl -tag -width date
.It Cm date 199901271504
Set the current date to January 27th, 1999 3:04pm.
.It Cm ln -fs /usr/share/zoneinfo/Canada/Atlantic /etc/localtime
Set the time zone to Atlantic Standard Time.
.El
.Ss Check hostname
Use the
.Ic hostname
command to verify that the name of your machine is correct.
See the man page for
.Xr hostname 1
if it needs to be changed.
You will also need to edit the
.Pa /etc/myname
file to have it stick around for the next reboot.
.Ss Verify network interface configuration
The first thing to do is an
.Ic ifconfig -a
to see if the network interfaces are properly configured.
Correct by editing
.Pa /etc/hostname. Ns Ar interface
(where
.Ar interface
is the interface name, e.g.,
.Dq le0 )
and then using
.Xr ifconfig 8
to manually configure it
if you do not wish to reboot.
Read the
.Xr hostname.if 5
man page for more information on the format of
.Pa /etc/hostname. Ns Ar interface
files.
The loopback interface will look something like:
.Bd -literal -offset indent
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
.Ed
.Pp
an Ethernet interface something like:
.Bd -literal -offset indent
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
	inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
	inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1
.Ed
.Pp
and, a PPP interface something like:
.Bd -literal -offset indent
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
        inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000
.Ed
.Pp
If you wish to turn on multicast routing, see the section titled
.Dq Multicast routing.
in
.Pa /etc/netstart .
.Pp
See
.Xr dhcp 8
for instructions on configuring interfaces with DHCP.
.Ss Check routing tables
Issue a
.Ic netstat -rn
command.
The output will look something like:
.Bd -literal -offset indent
Routing tables

Internet:
Destination    Gateway           Flags  Refs     Use  Mtu  Interface
default        192.168.4.254     UGS      0 11098028    -  le0
127            127.0.0.1         UGRS     0        0    -  lo0
127.0.0.1      127.0.0.1         UH       3       24    -  lo0
192.168.4      link#1            UC       0        0    -  le0
192.168.4.52   8:0:20:73:b8:4a   UHL      1     6707    -  le0
192.168.4.254  0:60:3e:99:67:ea  UHL      1        0    -  le0

Internet6:
Destination        Gateway       Flags  Refs  Use     Mtu  Interface
::/96              ::1           UGRS     0     0   32972  lo0 =>
::1                ::1           UH       4     0   32972  lo0
::ffff:0.0.0.0/96  ::1           UGRS     0     0   32972  lo0
fc80::/10          ::1           UGRS     0     0   32972  lo0
fe80::/10          ::1           UGRS     0     0   32972  lo0
fe80::%le0/64      link#1        UC       0     0    1500  le0
fe80::%lo0/64      fe80::1%lo0   U        0     0   32972  lo0
ff01::/32          ::1           U        0     0   32972  lo0
ff02::%le0/32      link#1        UC       0     0    1500  le0
ff02::%lo0/32      fe80::1%lo0   UC       0     0   32972  lo0

.Ed
.Pp
The default gateway address is stored in the
.Pa /etc/mygate
file.
If you need to edit this file, a painless way to reconfigure the network
afterwards is
.Ic route flush
followed by a
.Ic sh -x /etc/netstart
command.
Or, you may prefer to manually configure using a series of
.Ic route add
and
.Ic route delete
commands (see
.Xr route 8 ) .
.Pp
If you wish to route packets between interfaces, add the directive
.Bd -literal -offset indent
net.inet.ip.forwarding=1
.Ed
.Pp
or
.Bd -literal -offset indent
net.inet6.ip6.forwarding=1
.Ed
.Pp
to
.Pa /etc/sysctl.conf ,
or by compiling a new kernel with the
.Cm GATEWAY
option.
Packets are not forwarded by default, due to RFC requirements.
.Pp
You can add new
.Dq virtual interfaces
by adding the required entries to
.Pa /etc/hostname.if .
.Ss BIND Name Server (DNS)
If you are using the BIND Name Server, check the
.Pa /etc/resolv.conf
file.
It may look something like:
.Bd -literal -offset indent
domain nts.umn.edu
nameserver 128.101.101.101
nameserver 134.84.84.84
search nts.umn.edu. umn.edu.
lookup file bind
.Ed
.Pp
If using a caching name server add the line "nameserver 127.0.0.1" first.
To get a local caching name server to run
you will need to set "named_flags" in
.Pa /etc/rc.conf
and create the
.Pa named.boot
file in the appropriate place for
.Xr named 8 .
The same holds true if the machine is going to be a
name server for your domain.
In both these cases, make sure that
.Xr named 8
is running
(otherwise there are long waits for resolver timeouts).
.Ss YP Setup
Check the YP domain name with the
.Xr domainname 1
command.
If necessary, correct it by editing the
.Pa /etc/defaultdomain
file.
The
.Pa /etc/netstart
script reads this file on bootup to determine and set the domain name.
You may also set the running system's domain name with the
.Xr domainname 1
command.
To start YP client services, simply run
.Ic ypbind ,
then perform the remaining
YP activation as described in
.Xr passwd 5
and
.Xr group 5 .
.Pp
In particular, to enable YP passwd support, you'll need to add the following
line to
.Pa /etc/master.passwd :
.Pp
+:*::::::::
.Pp
You do this by using
.Xr vipw 8 ,
once this is done, you'll need to run
.Ic pwd_mkdb /etc/master.passwd
to regenerate the password databases.
.Pp
There are many more YP man pages available to help you.
You can find more information by starting with
.Xr yp 8 .
.Ss Check disk mounts
Check that the disks are mounted correctly by
comparing the
.Pa /etc/fstab
file against the output of the
.Xr mount 8
and
.Xr df 1
commands.
Example:
.Bd -literal -offset indent
.Li # Ic cat /etc/fstab
/dev/sd0a / ffs rw 1 1
/dev/sd0b none swap sw 0 0
/dev/sd0d /usr ffs rw 1 2
/dev/sd0e /var ffs rw 1 3
/dev/sd0g /tmp ffs rw 1 4
/dev/sd0h /home ffs rw 1 5
.Li # Ic mount
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local)
/dev/sd0e on /var type ffs (local)
/dev/sd0g on /tmp type ffs (local)
/dev/sd0h on /home type ffs (local)
.Li # Ic df
Filesystem  1024-blocks     Used    Avail Capacity  Mounted on
/dev/sd0a         22311    14589     6606    69%    /
/dev/sd0d        203399   150221    43008    78%    /usr
/dev/sd0e         10447      682     9242     7%    /var
/dev/sd0g         18823        2    17879     0%    /tmp
/dev/sd0h          7519     5255     1888    74%    /home
.Li # Ic pstat -s
Device      512-blocks     Used    Avail Capacity  Priority
/dev/sd0b       131072    84656    46416    65%    0
.Ed
.Pp
Edit
.Pa /etc/fstab
and use the
.Xr mount 8
and
.Xr umount 8
commands as appropriate.
Refer to the above example and
.Xr fstab 5
for information on the format of this file.
.Pp
You may wish to do NFS partitions now too, or you can do them later.
.Ss Concatenated disks (ccd)
If you are using
.Xr ccd 4
concatenated disks, edit
.Pa /etc/ccd.conf .
Use the
.Ic ccdconfig -U
command to unload and the
.Ic ccdconfig -C
command to create tables internal to the kernel for the concatenated disks.
You then
.Xr mount 8 ,
.Xr umount 8 ,
and edit
.Pa /etc/fstab
as needed.
.Ss Automounter daemon (AMD)
If using the
.Xr amd 8
package,
go into the
.Pa /etc/amd
directory and set it up by
renaming
.Pa master.sample
to
.Pa master
and editing it and creating other maps as needed.
Alternatively, you can get your maps with YP.
.Sh CHANGING /ETC FILES
The system should be usable now, but you may wish to do more customizing,
such as adding users, etc.
Many of the following sections may be skipped
if you are not using that package (for example, skip the
.Sx Kerberos
section if you won't be using Kerberos).
We suggest that you
.Ic cd /etc
and edit most of the files in that directory.
.Pp
Note that the
.Pa /etc/motd
file is modified by
.Pa /etc/rc
whenever the system is booted. To keep any custom message intact, ensure
that you leave two blank lines at the top, or your message will be
overwritten.
.Ss Add new users
Add users.
There is an
.Xr adduser 8
script.
You may use
.Xr vipw 8
to add users to the
.Pa /etc/passwd
file
and edit
.Pa /etc/group
by hand to add new groups.
The manual page for
.Xr su 1 ,
tells you to make sure to put people in
the
.Sq wheel
group if they need root access (non-Kerberos).
For example:
.Bd -literal -offset indent
wheel:*:0:root,myself
.Ed
.Pp
Follow instructions for
.Xr kerberos 1
if using
Kerberos
for authentication.
.Ss rc.conf, rc.local, rc.securelevel, rc.shutdown
Check for any local changes needed in the files
.Pa /etc/rc.conf ,
.Pa /etc/rc.local ,
.Pa rc.securelevel ,
and
.Pa rc.shutdown.
Turning on something like the Network Time Protocol in
.Pa /etc/rc.conf
requires making sure the package is installed.
.Pp
If you've installed X, you may want to turn on
.Xr xdm 1 ,
the X Display Manager.
To do this, change the value of xdm_flags in
.Pa /etc/rc.conf .
.Ss Printers
Edit
.Pa /etc/printcap
and
.Pa /etc/hosts.lpd
to get any printers set up.
Consult
.Xr lpd 8
and
.Xr printcap 5
if needed.
.Ss Tighten up security
You might wish to tighten up security more by editing
.Pa /etc/fbtab
as when installing X.
In
.Pa /etc/inetd.conf
comment out any extra entries you do not need,
and only add things that are really needed.
Note that by default the
.Xr telnetd 8
and
.Xr ftpd 8
daemons are not enabled in favor of SSH (Secure Shell).
.Ss Kerberos
If you are going to use
.Xr kerberos 1
for authentication, and you already have a
Kerberos
master, change directory to
.Pa /etc/kerberosIV
and configure.
Remember to get a
.Pa srvtab
from the master so that the remote commands work.
.Ss Mail Aliases
Edit
.Pa /etc/mail/aliases
and set the three standard aliases to go to either a mailing list, or
the system administrator.
.Bd -literal -offset indent
# Well-known aliases -- these should be filled in!
root:		sysadm
manager:	sysadm
dumper:		sysadm
.Ed
.Pp
Run
.Xr newaliases 8
after changes.
.Ss Sendmail
.Ox
ships with a default
.Pa /etc/mail/sendmail.cf
file that will work for simple installations; it was generated from
.Pa openbsd-proto.mc
in
.Pa /usr/share/sendmail/cf .
Please see
.Pa /usr/share/sendmail/README
and
.Pa /usr/share/doc/smm/08.sendmailop/op.me
for information on generating your own sendmail configuration files.
For the default installation, sendmail is configured to only process
jobs that have been the queued and to not accept messages over the network.
This makes it possible to send mail locally, but not receive mail from remote
servers, which is ideal if you have one central incoming mail machine and
several clients.
To cause sendmail to accept network connections, modify the
.Dq sendmail_flags
variable in
.Pa /etc/rc.conf
in accordance with the comments therein.
Note that sendmail now also listens on port 587 by default.  This
is to implement the RFC2476 message submission protocol.  You may
disable this via the
.Dq no_default_msa
option in your sendmail .mc file.  See
.Pa /usr/share/sendmail/README
for more information.
.Ss DHCP server
If this is a
DHCP
server, edit
.Pa /etc/dhcpd.conf
and
.Pa /etc/dhcpd.interfaces
as needed.
You will have to make sure
.Pa /etc/rc.conf
has:
.Bd -literal -offset indent
dhcpd_flags=-q
.Ed
.Pp
or run
.Xr dhcpd 8
manually.
.Ss BOOTP server
If this is a
BOOTP
server, edit
.Pa /etc/bootptab
as needed.
You will have to turn it on in
.Pa /etc/inetd.conf
or run
.Xr bootpd 8
in its standalone mode.
.Ss NFS server
If this is an NFS server
make sure
.Pa /etc/rc.conf
has:
.Bd -literal -offset indent
nfs_server=YES
.Ed
.Pp
Edit
.Pa /etc/exports
and get it correct.
It is probably easier to reboot than to get the daemons running manually,
but you can get the order correct by looking at
.Pa /etc/netstart .
.Ss HP remote boot server
Edit
.Pa /etc/rbootd.conf
if needed for remote booting.
If you do not have HP computers doing remote booting, do not enable this.
.Ss Daily, weekly, monthly scripts
Look at and possibly edit the
.Pa /etc/daily , /etc/weekly ,
and
.Pa /etc/monthly
scripts.
Your site specific things should go into
.Pa /etc/daily.local , /etc/weekly.local ,
and
.Pa /etc/monthly.local .
.Pp
These scripts have been limited so as to keep the system running without
filling up disk space from normal running processes and database updates.
(You probably do not need to understand them.)
.Pp
The /altroot filesystem can optionally be used to provide a backup of the
root filesystem on a daily basis.  To take advantage of this, you must
have an entry in /etc/fstab with 'xx' for the mount option:
.Bd -literal -offset indent
/dev/wd0j /altroot ffs xx 0 0
.Ed
.Pp
and you must add a line to root's crontab:
.Bd -literal -offset indent
ROOTBACKUP=1
.Ed
.Pp
so that the /etc/daily script will make a daily backup of the root filesystem.
.Ss Other files in /etc
Look at the other files in
.Pa /etc
and edit them as needed.
(Do not edit files ending in
.Pa .db
\(em like
.Pa pwd.db , spwd.db ,
nor
.Pa localtime ,
nor
.Pa rmt ,
nor any directories.)
.Ss Crontab (background running processes)
Check what is running by typing
.Ic crontab -l
as root
and see if anything unexpected is present.
Do you need anything else?
Do you wish to change things?
e.g., if you do not
like root getting standard output of the daily scripts, and want only
the security scripts that are mailed internally, you can type
.Ic crontab -e
and change some of the lines to read:
.Bd -literal -offset indent
30  1  *  *  *   /bin/sh /etc/daily 2>&1 > /var/log/daily.out
30  3  *  *  6   /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
30  5  1  *  *   /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
.Ed
.Pp
See
.Xr crontab 5 .
.Ss Next day cleanup
After the first night's security run, change ownerships and permissions
on files, directories, and devices; root should have received mail
with subject: "<hostname> daily insecurity output.".
This mail contains
a set of security recommendations, presented as a list looking like this:
.Bd -literal -offset indent
var/mail:
        permissions (0755, 0775)
etc/daily:
        user (0, 3)
.Ed
.Pp
The best bet is to follow the advice in that list.
The recommended setting is the first item in parentheses, while
the current setting is the second one.
This list is generated by
.Xr mtree 8
using
.Pa /etc/mtree/special .
Use
.Xr chmod 1 ,
.Xr chgrp 1 ,
and
.Xr chown 8
as needed.
.Ss Packages
Install your own packages.
The
.Ox
ports collection includes a large set of Third-Party software.
A lot of it is available as binary packages, that you can download from
.Pa ftp://ftp.openbsd.org/
or a mirror, and install using
.Xr pkg_add 1 .
See
.Pa http://www.openbsd.org/ports.html
and
.Xr packages 7
for more details.
.Pp
Copy vendor binaries and install them.
You will need to install any shared libraries, etc.
(Hint:
.Ic man -k compat
to find out how to install and use compatibility mode.)
.Pp
There is also other Third-Party Software that is available
in source form only, either because it has not been ported to
.Ox
yet, or because licensing restrictions make binary redistribution
impossible.
Sometimes checking the mailing lists for
past problems that people have encountered will result in a fix posted.
.Sh COMPILING A KERNEL
First, review the system message buffer using the
.Xr dmesg 8
command to find out information on your system's devices as probed by the
kernel at boot.
In particular, note which devices were not configured.
This information will prove useful when editing kernel configuration files.
.Pp
To compile a kernel inside a writable source tree, do the following:
.Sm off
.Bd -literal -offset indent
.Li #\  Xo
.Ic cd\ /usr/src/sys/arch/
.Ar somearch
.Ic /conf
.Xc
.Li #\  Xo
.Ic vi\ \&
.Ar SOMEFILE
.No \ \ \ (to\ make\ any\ changes)
.Xc
.Li #\  Xo
.Ic config\ \&
.Ar SOMEFILE
.Xc
.Li #\  Xo
.Ic cd\ ../compile/
.Ar SOMEFILE
.Xc
.Li #\  Xo
.Ic make
.Xc
.Ed
.Sm on
.Pp
where
.Ar somedir
is a writable directory,
.Ar somearch
is the architecture (e.g.
.Ic i386 ) ,
and
.Ar SOMEFILE
should be a name indicative of a particular configuration (often
that of the hostname).
You can also do a
.Ic make depend
so that you will have dependencies there the next time you do a compile.
.Pp
If you are building your kernel again, before you do a
.Ic make
you should do a
.Ic make depend
after making changes (including updates or patches) to your kernel source,
or a
.Ic make clean
after making changes to your kernel options.
.Pp
After either of these two methods, you can place the new kernel (called
.Pa bsd )
in
.Pa /
(i.e.
.Pa /bsd )
and the system will boot it next time.
Most people save their backup kernels as
.Pa /bsd.1 ,
.Pa /bsd.2 ,
etc.
.Pp
It is not always necessary to recompile the kernel if only
configuration changes are required.
With
.Xr config 8 ,
you can change the device configuration in the kernel file directly:
.Bd -literal
.Li #\  Ic config Fl e o Ar bsd.new /bsd
OpenBSD 2.7-beta (GENERIC.rz0) #0: Mon Oct  4 03:57:22 MEST 1999
    root@winona:/usr/src/sys/arch/pmax/compile/GENERIC.rz0
Enter 'help' for information
ukc>
.Pp
Additionally, you can permanently save the changes made with UKC during
boot time in the kernel image.
.Ed
.Sh SEE ALSO
.Xr chgrp 1 ,
.Xr chmod 1 ,
.Xr crontab 1 ,
.Xr date 1 ,
.Xr df 1 ,
.Xr domainname 1 ,
.Xr hostname 1 ,
.Xr kerberos 1 ,
.Xr make 1 ,
.Xr man 1 ,
.Xr netstat 1 ,
.Xr passwd 1 ,
.Xr su 1 ,
.Xr ccd 4 ,
.Xr aliases 5 ,
.Xr bootptab 5 ,
.Xr crontab 5 ,
.Xr exports 5 ,
.Xr fbtab 5 ,
.Xr fstab 5 ,
.Xr group 5 ,
.Xr krb.conf 5 ,
.Xr krb.realms 5 ,
.Xr passwd 5 ,
.Xr resolv.conf 5 ,
.Xr hostname 7 ,
.Xr packages 7 ,
.Xr adduser 8 ,
.Xr amd 8 ,
.Xr bootpd 8 ,
.Xr ccdconfig 8 ,
.Xr chown 8 ,
.Xr config 8 ,
.Xr dhcp 8 ,
.Xr dhcpd 8 ,
.Xr ext_srvtab 8 ,
.Xr ifconfig 8 ,
.Xr inetd 8 ,
.Xr mtree 8 ,
.Xr mount 8 ,
.Xr named 8 ,
.Xr newaliases 8 ,
.Xr rbootd 8 ,
.Xr rc 8 ,
.Xr rmt 8 ,
.Xr route 8 ,
.Xr umount 8 ,
.Xr vipw 8 ,
.Xr ypbind 8
.Sh HISTORY
This document first appeared in
.Ox 2.2 .