*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->OpenBSD man pages -> faq (8)              



NAME    [Toc]    [Back]

     afterboot - things to check after the first complete boot

DESCRIPTION    [Toc]    [Back]

   Starting Out
     This document attempts to list items for the system administrator to
     check  and  set up after the installation and first complete
boot of the
     system.  The idea is to create a list of items that  can  be
checked off so
     that  you  have  a warm fuzzy feeling that something obvious
has not been
     missed.  A basic knowledge of  UNIX  is  assumed,  otherwise

           # help

     Complete instructions for correcting and fixing items is not
     There are manual pages and other methodologies available for
doing that.
     For  example,  to  view  the man page for the ls(1) command,

           # man 1 ls

     Administrators will rapidly become more familiar with OpenBSD if they get
     used to using the high quality manual pages.

   Errata    [Toc]    [Back]
     By the time that you have installed your system, it is quite
likely that
     bugs in the release have been found.   All  significant  and
easily fixed
     problems         will         be         reported         at
http://www.openbsd.org/errata.html.  The web
     page will mention if a problem is security related.   It  is
     that you check this page regularly.

   Login    [Toc]    [Back]
     Login  as  ``root''.   You can do so on the console, or over
the network using
 ssh(1).  If you wish to deny root logins over  the  network, edit the
     /etc/ssh/sshd_config  file and set PermitRootLogin to ``no''

     Upon successful login on the console, you may see  the  message ``Don't
     login  as  root,  use su''.  For security reasons, it is bad
practice to login
 as root during regular use and maintenance of  the  system.  Instead,
     administrators are encouraged to add a ``regular'' user, add
said user to
     the ``wheel'' group, then use the su(1) and sudo(8) commands
when root
     privileges  are required.  This process is described in more
detail later.

   Root password    [Toc]    [Back]
     Change the password for the root user.  (Note that  throughout the documentation,
  the term ``superuser'' is a synonym for the root
     Choose a password that  has  numbers,  digits,  and  special
characters (not
     space)  as  well  as from the upper and lower case alphabet.
Do not choose
     any word in any language.  It is common for an  intruder  to
use dictionary
     attacks.  Type the command /usr/bin/passwd to change it.

     It  is  a good idea to always specify the full path name for
both the
     passwd(1) and su(1) commands as this inhibits the possibility of files
     placed in your execution PATH for most shells.  Furthermore,
the superuser's
  PATH  should  never  contain  the  current   directory

   System date    [Toc]    [Back]
     Check  the system date with the date(1) command.  If needed,
change the
     date, and/or change the symbolic link of  /etc/localtime  to
the correct
     time zone in the /usr/share/zoneinfo directory.


     Set the current date to January 27th, 1999 3:04pm:
           # date 199901271504

     Set the time zone to Atlantic Standard Time:
           #  ln -fs /usr/share/zoneinfo/Canada/Atlantic /etc/localtime

   Check hostname    [Toc]    [Back]
     Use the hostname command to verify that the name of your machine is correct.
   See  the  man page for hostname(1) if it needs to be
changed.  You
     will also need to edit the /etc/myname file to have it stick
around for
     the next reboot.

   Verify network interface configuration    [Toc]    [Back]
     The  first  thing to do is an ifconfig -a to see if the network interfaces
     are    properly    configured.     Correct    by     editing
     (where  interface  is the interface name, e.g., ``le0'') and
then using
     ifconfig(8) to manually configure it if you do not  wish  to
reboot.  Read
     the hostname.if(5) man page for more information on the format of
     /etc/hostname.interface files.  The loopback interface  will
look something

           lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
                   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
                   inet6 ::1 prefixlen 128
                   inet netmask 0xff000000

     an Ethernet interface something like:

                   inet netmask 0xffffff00 broadcast
                   inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid

     and a PPP interface something like:

           ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
                   inet -->  netmask

     See  netstart(8)  for  instructions on configuring multicast

     See dhcp(8) for instructions on configuring interfaces  with

   Check routing tables    [Toc]    [Back]
     Issue a netstat -rn command.  The output will look something

           Routing tables

           Destination    Gateway           Flags   Refs      Use
Mtu  Interface
           default      UGS      0 11098028
-  le0
           127           UGRS      0         0
-  lo0
           UH       3       24
-  lo0
           192.168.4      link#1            UC        0         0
-  le0
     8:0:20:73:b8:4a    UHL      1     6707
-  le0
   0:60:3e:99:67:ea  UHL       1         0
-  le0

           Destination          Gateway        Flags   Refs   Use
Mtu  Interface
           ::/96               ::1            UGRS      0       0
32972  lo0 =>
           ::1                  ::1            UH        4      0
32972  lo0
           ::ffff:   ::1            UGRS      0       0
32972  lo0
           fc80::/10            ::1            UGRS      0      0
32972  lo0
           fe80::/10           ::1            UGRS      0       0
32972  lo0
           fe80::%le0/64        link#1         UC        0      0
1500  le0
           fe80::%lo0/64       fe80::1%lo0    U         0       0
32972  lo0
           ff01::/32            ::1            U         0      0
32972  lo0
           ff02::%le0/32       link#1         UC        0       0
1500  le0
           ff02::%lo0/32        fe80::1%lo0    UC        0      0
32972  lo0

     The default gateway address is  stored  in  the  /etc/mygate
file.  If you
     need  to  edit  this file, a painless way to reconfigure the
network afterwards
 is route flush followed by a sh -x /etc/netstart  command.  Or, you
     may prefer to manually configure using a series of route add
and route
     delete commands (see route(8)).  If you run dhclient(8)  you
will have to
     kill  it  by  running kill `cat /var/run/dhclient.pid` after
you flush the

     If you wish to route packets between interfaces, add the directive




     to  /etc/sysctl.conf.  Packets are not forwarded by default,
due to RFC

     You can add new ``virtual interfaces''  by  adding  the  required entries to

   BIND Name Server (DNS)    [Toc]    [Back]
     If   you   are   using  the  BIND  Name  Server,  check  the
/etc/resolv.conf file.
     It may look something like:

           domain nts.umn.edu
           search nts.umn.edu. umn.edu.
           lookup file bind

     If using a caching name server,  add  the  line  "nameserver"
     first.   To  get a local caching name server to run you will
need to set
     named_flags in /etc/rc.conf.local.  The same holds  true  if
the machine is
     going  to  be  a name server for your domain.  In both these
cases, make
     sure that named(8) is  running  (otherwise  there  are  long
waits for resolver

   RPC-based network services    [Toc]    [Back]
     Several  services  depend on the RPC portmapper, portmap(8),
being running
     for proper operation.  This includes  YP  and  NFS  exports,
among other services.
   To get the RPC portmapper to start automatically on
boot, you
     will need to have this line in /etc/rc.conf.local:


   YP Setup    [Toc]    [Back]
     Check the YP domain name with the domainname(1) command.  If
     correct  it  by editing the /etc/defaultdomain file (see defaultdomain(5)).
     The /etc/netstart script reads this file on bootup to determine and set
     the  domain name.  You may also set the running system's domain name with
     the domainname(1) command.  To  start  YP  client  services,
simply run
     ypbind,  then  perform  the  remaining  YP activation as described in
     passwd(5) and group(5).

     In particular, to enable YP passwd support, you'll  need  to
add the following
 line to /etc/master.passwd:


     You do this by using vipw(8).

     There are many more YP man pages available to help you.  You
can find
     more information by starting with yp(8).

   Check disk mounts    [Toc]    [Back]
     Check that the disks are mounted correctly by comparing  the
     file  against the output of the mount(8) and df(1) commands.

           # cat /etc/fstab
           /dev/sd0a / ffs rw 1 1
           /dev/sd0d /usr ffs rw,nodev 1 2
           /dev/sd0e /var ffs rw,nodev,nosuid 1 3
           /dev/sd0g /tmp ffs rw,nodev,nosuid 1 4
           /dev/sd0h /home ffs rw,nodev,nosuid 1 5

           # mount
           /dev/sd0a on / type ffs (local)
           /dev/sd0d on /usr type ffs (local, nodev)
           /dev/sd0e on /var type ffs (local, nodev, nosuid)
           /dev/sd0g on /tmp type ffs (local, nodev, nosuid)
           /dev/sd0h on /home type ffs (local, nodev, nosuid)

           # df
           Filesystem   1024-blocks      Used     Avail  Capacity
Mounted on
           /dev/sd0a         22311    14589     6606    69%    /
           /dev/sd0d          203399     150221     43008     78%
           /dev/sd0e          10447       682       9242       7%
           /dev/sd0g           18823          2     17879      0%
           /dev/sd0h           7519      5255       1888      74%

           # pstat -s
           Device        512-blocks      Used     Avail  Capacity
           swap_device     131072    84656    46416    65%    0

     Edit /etc/fstab and use the mount(8) and umount(8)  commands
as appropriate.
   Refer  to the above example and fstab(5) for information on the format
 of this file.

     You may wish to do NFS partitions now too,  or  you  can  do
them later.

   Concatenated disks (ccd)    [Toc]    [Back]
     If   you   are   using   ccd(4)   concatenated  disks,  edit
/etc/ccd.conf.  Use the
     ccdconfig -U command to unload and the ccdconfig -C  command
to create tables
 internal to the kernel for the concatenated disks.  You
     mount(8), umount(8), and edit /etc/fstab as needed.

   Automounter daemon (AMD)    [Toc]    [Back]
     If using the amd(8) package, go into the /etc/amd  directory
and set it up
     by  renaming master.sample to master and editing it and creating other
     maps as needed.  Alternatively, you can get your  maps  with

   Clock synchronisation    [Toc]    [Back]
     In  order  to  make sure the system clock is synchronised to
that of a publicly
   accessible    NTP    server,    make    sure    that
/etc/rc.conf.local contains
     the following:


     See  ntpd(8), rdate(8), and timed(8) for more information on
setting the
     system's date.

     The system should be usable now, but you may wish to do more
     such  as  adding users, etc.  Many of the following sections
may be skipped
     if you are not using that package  (for  example,  skip  the
Kerberos section
     if  you  won't  be  using Kerberos).  We suggest that you cd
/etc and edit
     most of the files in that directory.

     Note that the /etc/motd file is modified by /etc/rc whenever
the system
     is  booted.   To keep any custom message intact, ensure that
you leave two
     blank lines at the top, or your message will be overwritten.

   Add new users    [Toc]    [Back]
     Add  users.   There  is  an  adduser(8) script.  You may use
vipw(8) to add
     users to the /etc/passwd file and edit /etc/group by hand to
add new
     groups.   You may also wish to edit /etc/login.conf and tune
some of the
     limits documented in login.conf(5).   The  manual  page  for
su(1) tells you
     to make sure to put people in the `wheel' group if they need
root access
     (non-Kerberos).  For example:


     Follow instructions for login_krb5(8) if using Kerberos  for

   System command scripts    [Toc]    [Back]
     The /etc/rc.* scripts are invoked at boot time, after single
user mode
     has exited, and at shutdown.   The  whole  process  is  controlled, more or
     less,  by the master script /etc/rc.  This script should not
be changed by

     /etc/rc is in turn influenced by the configuration variables
present in
     /etc/rc.conf.   Again  this  script should not be changed by
     site-specific changes should be made to (freshly created  if

     Any  commands which should be run before the system sets its
secure level
     should be made to /etc/rc.securelevel, and  commands  to  be
run after the
     system   sets   its   secure   level   should   be  made  to
/etc/rc.local.  Commands
     to  be  run  before  system  shutdown  should  be   set   in

     For  more  information  about system startup/shutdown files,
see rc(8),
     rc.conf(8), securelevel(7), and rc.shutdown(8).

     If you've installed X, you may want to turn on xdm(1), the X
Display Manager.
   To  do  this,  change  the  value  of  xdm_flags  in

   Printers    [Toc]    [Back]
     Edit /etc/printcap and /etc/hosts.lpd to  get  any  printers
set up.  Consult
 lpd(8) and printcap(5) if needed.

   Set keyboard type    [Toc]    [Back]
     Some  architectures  permit  keyboard type control.  Use the
kbd(8) command
     to change the keyboard  encoding.   kbd  -l  will  list  all
available encodings.
   kbd xxx will select the xxx encoding.  Store the encoding in
     /etc/kbdtype to make sure it is set  automatically  at  boot

   Tighten up security    [Toc]    [Back]
     You  might  wish  to  tighten  up  security  more by editing
/etc/fbtab as when
     installing X.  In /etc/inetd.conf comment out any extra  entries you do
     not  need, and only add things that are really needed.  Note
that by default
 the telnetd(8) and ftpd(8) daemons are not enabled  in
favor of SSH
     (Secure Shell).

   Kerberos    [Toc]    [Back]
     If  you  are  going to use Kerberos (see `info heimdal') for
     and you already have a Kerberos master, change directory to
     /etc/kerberosV and configure.  Remember to get a srvtab from
the master
     so that the remote commands work.

   Mail Aliases    [Toc]    [Back]
     Edit /etc/mail/aliases and set the three standard aliases to
go to either
     a mailing list, or the system administrator.

           # Well-known aliases -- these should be filled in!
           root:           sysadm
           manager:        root
           dumper:         root

     Run newaliases(8) after changes.

   Sendmail    [Toc]    [Back]
     OpenBSD ships with  a  default  /etc/mail/localhost.cf  file
that will work
     for    simple   installations;   it   was   generated   from
openbsd-localhost.mc in
     /usr/share/sendmail/cf.              Please              see
/usr/share/sendmail/README and
     /usr/share/doc/smm/08.sendmailop/op.me  for  information  on
generating your
     own sendmail configuration files.  For the default installation, sendmail
     is configured to only accept connections from the local host
and to not
     accept connections on any external interfaces.   This  makes
it possible to
     send mail locally, but not receive mail from remote servers,
which is
     ideal if you have one central incoming mail machine and several clients.
     To  cause  sendmail  to accept external network connections,
modify the
     sendmail_flags variable in /etc/rc.conf.local to use the
     /etc/mail/sendmail.cf file in accordance with  the  comments
therein.  This
     file  was  generated from openbsd-proto.mc.  Note that sendmail now also
     listens on port 587 by default.  This is  to  implement  the
RFC 2476 message
  submission  protocol.   You  may  disable this via the
     option    in    your     sendmail     .mc     file.      See
/usr/share/sendmail/README for
     more  information.   The /etc/mail/localhost.cf file already
has this disabled.

   DHCP server    [Toc]    [Back]
     If  this  is  a  DHCP  server,  edit   /etc/dhcpd.conf   and
     as  needed.   You  will have to make sure /etc/rc.conf.local


     or run dhcpd(8) manually.

   BOOTP server    [Toc]    [Back]
     If this is a BOOTP server, edit /etc/dhcpd.conf  as  needed.
dhcpd(8) will
     have to be turned on in rc.conf.local(8).

   NFS server    [Toc]    [Back]
     If this is an NFS server make sure /etc/rc.conf.local has:


     Edit /etc/exports and get it correct.  It is probably easier
to reboot
     than to get the daemons running manually, but  you  can  get
the order correct
 by looking at /etc/rc.

   HP remote boot server    [Toc]    [Back]
     Edit  /etc/rbootd.conf if needed for remote booting.  If you
do not have
     HP computers doing remote booting, do not enable this.

   Daily, weekly, monthly scripts
     Look at and possibly edit the /etc/daily,  /etc/weekly,  and
     scripts.    Your   site   specific  things  should  go  into
     /etc/weekly.local, and /etc/monthly.local.

     These scripts have been limited so as  to  keep  the  system
running without
     filling  up  disk  space  from  normal running processes and
database updates.
     (You probably do not need to understand them.)

     The /altroot filesystem can optionally be used to provide  a
backup of the
     root  filesystem  on  a  daily  basis.  To take advantage of
this, you must
     have an entry in /etc/fstab with ``xx'' for  the  mount  option:

           /dev/wd0j /altroot ffs xx 0 0

     and you must add a line to root's crontab:


     so  that  the  /etc/daily script will make a daily backup of
the root

   Other files in /etc
     Look at the other files in /etc and  edit  them  as  needed.
(Do not edit
     files  ending in .db -- like pwd.db, spwd.db, nor localtime,
nor rmt, nor
     any directories.)

   Crontab (background running processes)    [Toc]    [Back]
     Check what is running by typing crontab -l as root  and  see
if anything
     unexpected  is  present.  Do you need anything else?  Do you
wish to change
     things?  For example, if you do not like root getting  standard output of
     the  daily  scripts, and want only the security scripts that
are mailed internally,
 you can type crontab -e and  change  some  of  the
lines to read:

           30    1    *    *    *    /bin/sh  /etc/daily  2>&1  >
           30   3   *   *   6    /bin/sh   /etc/weekly   2>&1   >
           30    5    1   *   *    /bin/sh  /etc/monthly  2>&1  >

     See crontab(5).

   Next day cleanup    [Toc]    [Back]
     After the first night's security run, change ownerships  and
     on  files,  directories,  and  devices; root should have received mail with
     subject: "<hostname> daily insecurity output.".   This  mail
contains a set
     of  security  recommendations,  presented  as a list looking
like this:

                   permissions (0755, 0775)
                   user (0, 3)

     The best bet is to follow the advice in that list.  The recommended setting
  is  the  first  item in parentheses, while the current
setting is the
     second one.   This  list  is  generated  by  mtree(8)  using
     Use chmod(1), chgrp(1), and chown(8) as needed.

   Packages    [Toc]    [Back]
     Install your own packages.  The OpenBSD ports collection includes a large
     set of third-party software.  A lot of it  is  available  as
binary packages
     that  you  can download from ftp://ftp.openbsd.org or a mirror, and install
     using pkg_add(1).  See ports(7) and packages(7) for more details.

     Copy vendor binaries and install them.  You will need to install any
     shared libraries, etc.  (Hint: man -k compat to find out how
to install
     and use compatibility mode.)

     There  is  also other third-party software that is available
in source form
     only, either because it has not been ported to OpenBSD  yet,
or because
     licensing  restrictions  make binary redistribution impossible.  Sometimes
     checking the mailing lists for  past  problems  that  people
have encountered
     will result in a fix posted.

COMPILING A KERNEL    [Toc]    [Back]

     First,  review  the system message buffer using the dmesg(8)
command to
     find out information on your system's devices as  probed  by
the kernel at
     boot.   In  particular,  note which devices were not configured.  This information
 will prove useful when editing  kernel  configuration files.

     To  compile  a  kernel inside a writable source tree, do the

           # cd /usr/src/sys/arch/somearch/conf
           # vi SOMEFILE  (to make any changes)
           # config SOMEFILE
           # cd ../compile/SOMEFILE
           # make

     where somearch is the architecture (e.g. i386), and SOMEFILE
should be a
     name indicative of a particular configuration (often that of
the hostname).
  You can also do a make depend so that you will  have
     there the next time you do a compile.

     If  you are building your kernel again, before you do a make
you should do
     a make depend after making  changes  (including  updates  or
patches) to your
     kernel  source, or a make clean after making changes to your
kernel options.

     After either of these two methods, you  can  place  the  new
kernel (called
     bsd) in / (i.e. /bsd) and the system will boot it next time.
Most people
     save their backup kernels as /bsd.1, /bsd.2, etc.

     It is not always necessary to recompile the kernel  if  only
     changes  are  required.   With config(8), you can change the
device configuration
 in the kernel file directly:

           # config -e -o bsd.new /bsd
           OpenBSD 2.7-beta (GENERIC.rz0) #0: Mon Oct  4 03:57:22
MEST 1999
           Enter 'help' for information

     Additionally, you can permanently save the changes made with
UKC during
     boot time in the kernel image.

SEE ALSO    [Toc]    [Back]

     chgrp(1),  chmod(1),  crontab(1),  date(1),  df(1),  domainname(1),
     hostname(1), ls(1), make(1), man(1), netstat(1),  passwd(1),
     ssh(1),  su(1),  xdm(1), ccd(4), aliases(5), crontab(5), defaultdomain(5),
     dhcpd.conf(5),  exports(5),  fbtab(5),  fstab(5),  group(5),
     login.conf(5),   passwd(5),   printcap(5),   resolv.conf(5),
     hostname(7), packages(7), ports(7), adduser(8), amd(8), ccdconfig(8),
     chown(8),   config(8),   dhclient(8),   dhcp(8),   dhcpd(8),
dmesg(8), ftpd(8),
     ifconfig(8), inetd(8), kbd(8), lpd(8),  mount(8),  mtree(8),
     netstart(8),  newaliases(8), ntpd(8), portmap(8), rbootd(8),
     rdate(8), rmt(8), route(8), sudo(8),  telnetd(8),  timed(8),
     vipw(8), yp(8), ypbind(8)

HISTORY    [Toc]    [Back]

     This document first appeared in OpenBSD 2.2.

OpenBSD      3.6                         October     20,     1997
[ Back ]
 Similar pages
Name OS Title
perlopentut OpenBSD tutorial on opening things in Perl
CGI::Apache IRIX Make things work with CGI.pm against Perl-Apache API
quit HP-UX Causes dtscp to complete execution
glfinish IRIX block until all GL execution is complete
biodone Tru64 General: Indicates that block I/O is complete
glFinish Tru64 block until all GL execution is complete
exit HP-UX Causes dtscp to complete execution.
tcdrain Tru64 Wait for output to complete
glflushrastersgix IRIX complete rasterization of previous GL commands
aio_suspend HP-UX wait for an asynchronous I/O operation to complete
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service