Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (OpenBSD-3.6)
Apropos / Subsearch:
optional field

AFTERBOOT(8)            OpenBSD System Manager's Manual           AFTERBOOT(8)

     afterboot - things to check after the first complete boot

   Starting Out
     This document attempts to list items for the system administrator to
     check and set up after the installation and first complete boot of the
     system.  The idea is to create a list of items that can be checked off so
     that you have a warm fuzzy feeling that something obvious has not been
     missed.  A basic knowledge of UNIX is assumed, otherwise type

           # help

     Complete instructions for correcting and fixing items is not provided.
     There are manual pages and other methodologies available for doing that.
     For example, to view the man page for the ls(1) command, type:

           # man 1 ls

     Administrators will rapidly become more familiar with OpenBSD if they get
     used to using the high quality manual pages.

     By the time that you have installed your system, it is quite likely that
     bugs in the release have been found.  All significant and easily fixed
     problems will be reported at http://www.openbsd.org/errata.html.  The web
     page will mention if a problem is security related.  It is recommended
     that you check this page regularly.

     Login as ``root''.  You can do so on the console, or over the network us-
     ing ssh(1).  If you wish to deny root logins over the network, edit the
     /etc/ssh/sshd_config file and set PermitRootLogin to ``no'' (see

     Upon successful login on the console, you may see the message ``Don't
     login as root, use su''.  For security reasons, it is bad practice to lo-
     gin as root during regular use and maintenance of the system.  Instead,
     administrators are encouraged to add a ``regular'' user, add said user to
     the ``wheel'' group, then use the su(1) and sudo(8) commands when root
     privileges are required.  This process is described in more detail later.

   Root password
     Change the password for the root user.  (Note that throughout the docu-
     mentation, the term ``superuser'' is a synonym for the root user.)
     Choose a password that has numbers, digits, and special characters (not
     space) as well as from the upper and lower case alphabet.  Do not choose
     any word in any language.  It is common for an intruder to use dictionary
     attacks.  Type the command /usr/bin/passwd to change it.

     It is a good idea to always specify the full path name for both the
     passwd(1) and su(1) commands as this inhibits the possibility of files
     placed in your execution PATH for most shells.  Furthermore, the superus-
     er's PATH should never contain the current directory (``.'').

   System date
     Check the system date with the date(1) command.  If needed, change the
     date, and/or change the symbolic link of /etc/localtime to the correct
     time zone in the /usr/share/zoneinfo directory.


     Set the current date to January 27th, 1999 3:04pm:
           # date 199901271504

     Set the time zone to Atlantic Standard Time:
           # ln -fs /usr/share/zoneinfo/Canada/Atlantic /etc/localtime

   Check hostname
     Use the hostname command to verify that the name of your machine is cor-
     rect.  See the man page for hostname(1) if it needs to be changed.  You
     will also need to edit the /etc/myname file to have it stick around for
     the next reboot.

   Verify network interface configuration
     The first thing to do is an ifconfig -a to see if the network interfaces
     are properly configured.  Correct by editing /etc/hostname.interface
     (where interface is the interface name, e.g., ``le0'') and then using
     ifconfig(8) to manually configure it if you do not wish to reboot.  Read
     the hostname.if(5) man page for more information on the format of
     /etc/hostname.interface files.  The loopback interface will look some-
     thing like:

           lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
                   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
                   inet6 ::1 prefixlen 128
                   inet netmask 0xff000000

     an Ethernet interface something like:

                   inet netmask 0xffffff00 broadcast
                   inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1

     and a PPP interface something like:

           ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
                   inet --> netmask 0xffff0000

     See netstart(8) for instructions on configuring multicast routing.

     See dhcp(8) for instructions on configuring interfaces with DHCP.

   Check routing tables
     Issue a netstat -rn command.  The output will look something like:

           Routing tables

           Destination    Gateway           Flags  Refs     Use  Mtu  Interface
           default     UGS      0 11098028    -  le0
           127           UGRS     0        0    -  lo0
          UH       3       24    -  lo0
           192.168.4      link#1            UC       0        0    -  le0
    8:0:20:73:b8:4a   UHL      1     6707    -  le0
   0:60:3e:99:67:ea  UHL      1        0    -  le0

           Destination        Gateway       Flags  Refs  Use     Mtu  Interface
           ::/96              ::1           UGRS     0     0   32972  lo0 =>
           ::1                ::1           UH       4     0   32972  lo0
           ::ffff:  ::1           UGRS     0     0   32972  lo0
           fc80::/10          ::1           UGRS     0     0   32972  lo0
           fe80::/10          ::1           UGRS     0     0   32972  lo0
           fe80::%le0/64      link#1        UC       0     0    1500  le0
           fe80::%lo0/64      fe80::1%lo0   U        0     0   32972  lo0
           ff01::/32          ::1           U        0     0   32972  lo0
           ff02::%le0/32      link#1        UC       0     0    1500  le0
           ff02::%lo0/32      fe80::1%lo0   UC       0     0   32972  lo0

     The default gateway address is stored in the /etc/mygate file.  If you
     need to edit this file, a painless way to reconfigure the network after-
     wards is route flush followed by a sh -x /etc/netstart command.  Or, you
     may prefer to manually configure using a series of route add and route
     delete commands (see route(8)).  If you run dhclient(8) you will have to
     kill it by running kill `cat /var/run/dhclient.pid` after you flush the

     If you wish to route packets between interfaces, add the directive




     to /etc/sysctl.conf.  Packets are not forwarded by default, due to RFC

     You can add new ``virtual interfaces'' by adding the required entries to

   BIND Name Server (DNS)
     If you are using the BIND Name Server, check the /etc/resolv.conf file.
     It may look something like:

           domain nts.umn.edu
           search nts.umn.edu. umn.edu.
           lookup file bind

     If using a caching name server, add the line "nameserver"
     first.  To get a local caching name server to run you will need to set
     named_flags in /etc/rc.conf.local.  The same holds true if the machine is
     going to be a name server for your domain.  In both these cases, make
     sure that named(8) is running (otherwise there are long waits for re-
     solver timeouts).

   RPC-based network services
     Several services depend on the RPC portmapper, portmap(8), being running
     for proper operation.  This includes YP and NFS exports, among other ser-
     vices.  To get the RPC portmapper to start automatically on boot, you
     will need to have this line in /etc/rc.conf.local:


   YP Setup
     Check the YP domain name with the domainname(1) command.  If necessary,
     correct it by editing the /etc/defaultdomain file (see defaultdomain(5)).
     The /etc/netstart script reads this file on bootup to determine and set
     the domain name.  You may also set the running system's domain name with
     the domainname(1) command.  To start YP client services, simply run
     ypbind, then perform the remaining YP activation as described in
     passwd(5) and group(5).

     In particular, to enable YP passwd support, you'll need to add the fol-
     lowing line to /etc/master.passwd:


     You do this by using vipw(8).

     There are many more YP man pages available to help you.  You can find
     more information by starting with yp(8).

   Check disk mounts
     Check that the disks are mounted correctly by comparing the /etc/fstab
     file against the output of the mount(8) and df(1) commands.  Example:

           # cat /etc/fstab
           /dev/sd0a / ffs rw 1 1
           /dev/sd0d /usr ffs rw,nodev 1 2
           /dev/sd0e /var ffs rw,nodev,nosuid 1 3
           /dev/sd0g /tmp ffs rw,nodev,nosuid 1 4
           /dev/sd0h /home ffs rw,nodev,nosuid 1 5

           # mount
           /dev/sd0a on / type ffs (local)
           /dev/sd0d on /usr type ffs (local, nodev)
           /dev/sd0e on /var type ffs (local, nodev, nosuid)
           /dev/sd0g on /tmp type ffs (local, nodev, nosuid)
           /dev/sd0h on /home type ffs (local, nodev, nosuid)

           # df
           Filesystem  1024-blocks     Used    Avail Capacity  Mounted on
           /dev/sd0a         22311    14589     6606    69%    /
           /dev/sd0d        203399   150221    43008    78%    /usr
           /dev/sd0e         10447      682     9242     7%    /var
           /dev/sd0g         18823        2    17879     0%    /tmp
           /dev/sd0h          7519     5255     1888    74%    /home

           # pstat -s
           Device      512-blocks     Used    Avail Capacity  Priority
           swap_device     131072    84656    46416    65%    0

     Edit /etc/fstab and use the mount(8) and umount(8) commands as appropri-
     ate.  Refer to the above example and fstab(5) for information on the for-
     mat of this file.

     You may wish to do NFS partitions now too, or you can do them later.

   Concatenated disks (ccd)
     If you are using ccd(4) concatenated disks, edit /etc/ccd.conf.  Use the
     ccdconfig -U command to unload and the ccdconfig -C command to create ta-
     bles internal to the kernel for the concatenated disks.  You then
     mount(8), umount(8), and edit /etc/fstab as needed.

   Automounter daemon (AMD)
     If using the amd(8) package, go into the /etc/amd directory and set it up
     by renaming master.sample to master and editing it and creating other
     maps as needed.  Alternatively, you can get your maps with YP.

   Clock synchronisation
     In order to make sure the system clock is synchronised to that of a pub-
     licly accessible NTP server, make sure that /etc/rc.conf.local contains
     the following:


     See ntpd(8), rdate(8), and timed(8) for more information on setting the
     system's date.

     The system should be usable now, but you may wish to do more customizing,
     such as adding users, etc.  Many of the following sections may be skipped
     if you are not using that package (for example, skip the Kerberos section
     if you won't be using Kerberos).  We suggest that you cd /etc and edit
     most of the files in that directory.

     Note that the /etc/motd file is modified by /etc/rc whenever the system
     is booted.  To keep any custom message intact, ensure that you leave two
     blank lines at the top, or your message will be overwritten.

   Add new users
     Add users.  There is an adduser(8) script.  You may use vipw(8) to add
     users to the /etc/passwd file and edit /etc/group by hand to add new
     groups.  You may also wish to edit /etc/login.conf and tune some of the
     limits documented in login.conf(5).  The manual page for su(1) tells you
     to make sure to put people in the `wheel' group if they need root access
     (non-Kerberos).  For example:


     Follow instructions for login_krb5(8) if using Kerberos for authentica-

   System command scripts
     The /etc/rc.* scripts are invoked at boot time, after single user mode
     has exited, and at shutdown.  The whole process is controlled, more or
     less, by the master script /etc/rc.  This script should not be changed by

     /etc/rc is in turn influenced by the configuration variables present in
     /etc/rc.conf.  Again this script should not be changed by administrators:
     site-specific changes should be made to (freshly created if necessary)

     Any commands which should be run before the system sets its secure level
     should be made to /etc/rc.securelevel, and commands to be run after the
     system sets its secure level should be made to /etc/rc.local.  Commands
     to be run before system shutdown should be set in /etc/rc.shutdown.

     For more information about system startup/shutdown files, see rc(8),
     rc.conf(8), securelevel(7), and rc.shutdown(8).

     If you've installed X, you may want to turn on xdm(1), the X Display Man-
     ager.  To do this, change the value of xdm_flags in /etc/rc.conf.local.

     Edit /etc/printcap and /etc/hosts.lpd to get any printers set up.  Con-
     sult lpd(8) and printcap(5) if needed.

   Set keyboard type
     Some architectures permit keyboard type control.  Use the kbd(8) command
     to change the keyboard encoding.  kbd -l will list all available encod-
     ings.  kbd xxx will select the xxx encoding.  Store the encoding in
     /etc/kbdtype to make sure it is set automatically at boot time.

   Tighten up security
     You might wish to tighten up security more by editing /etc/fbtab as when
     installing X.  In /etc/inetd.conf comment out any extra entries you do
     not need, and only add things that are really needed.  Note that by de-
     fault the telnetd(8) and ftpd(8) daemons are not enabled in favor of SSH
     (Secure Shell).

     If you are going to use Kerberos (see `info heimdal') for authentication,
     and you already have a Kerberos master, change directory to
     /etc/kerberosV and configure.  Remember to get a srvtab from the master
     so that the remote commands work.

   Mail Aliases
     Edit /etc/mail/aliases and set the three standard aliases to go to either
     a mailing list, or the system administrator.

           # Well-known aliases -- these should be filled in!
           root:           sysadm
           manager:        root
           dumper:         root

     Run newaliases(8) after changes.

     OpenBSD ships with a default /etc/mail/localhost.cf file that will work
     for simple installations; it was generated from openbsd-localhost.mc in
     /usr/share/sendmail/cf.  Please see /usr/share/sendmail/README and
     /usr/share/doc/smm/08.sendmailop/op.me for information on generating your
     own sendmail configuration files.  For the default installation, sendmail
     is configured to only accept connections from the local host and to not
     accept connections on any external interfaces.  This makes it possible to
     send mail locally, but not receive mail from remote servers, which is
     ideal if you have one central incoming mail machine and several clients.
     To cause sendmail to accept external network connections, modify the
     sendmail_flags variable in /etc/rc.conf.local to use the
     /etc/mail/sendmail.cf file in accordance with the comments therein.  This
     file was generated from openbsd-proto.mc.  Note that sendmail now also
     listens on port 587 by default.  This is to implement the RFC 2476 mes-
     sage submission protocol.  You may disable this via the no_default_msa
     option in your sendmail .mc file.  See /usr/share/sendmail/README for
     more information.  The /etc/mail/localhost.cf file already has this dis-

   DHCP server
     If this is a DHCP server, edit /etc/dhcpd.conf and /etc/dhcpd.interfaces
     as needed.  You will have to make sure /etc/rc.conf.local has:


     or run dhcpd(8) manually.

   BOOTP server
     If this is a BOOTP server, edit /etc/dhcpd.conf as needed.  dhcpd(8) will
     have to be turned on in rc.conf.local(8).

   NFS server
     If this is an NFS server make sure /etc/rc.conf.local has:


     Edit /etc/exports and get it correct.  It is probably easier to reboot
     than to get the daemons running manually, but you can get the order cor-
     rect by looking at /etc/rc.

   HP remote boot server
     Edit /etc/rbootd.conf if needed for remote booting.  If you do not have
     HP computers doing remote booting, do not enable this.

   Daily, weekly, monthly scripts
     Look at and possibly edit the /etc/daily, /etc/weekly, and /etc/monthly
     scripts.  Your site specific things should go into /etc/daily.local,
     /etc/weekly.local, and /etc/monthly.local.

     These scripts have been limited so as to keep the system running without
     filling up disk space from normal running processes and database updates.
     (You probably do not need to understand them.)

     The /altroot filesystem can optionally be used to provide a backup of the
     root filesystem on a daily basis.  To take advantage of this, you must
     have an entry in /etc/fstab with ``xx'' for the mount option:

           /dev/wd0j /altroot ffs xx 0 0

     and you must add a line to root's crontab:


     so that the /etc/daily script will make a daily backup of the root

   Other files in /etc
     Look at the other files in /etc and edit them as needed.  (Do not edit
     files ending in .db -- like pwd.db, spwd.db, nor localtime, nor rmt, nor
     any directories.)

   Crontab (background running processes)
     Check what is running by typing crontab -l as root and see if anything
     unexpected is present.  Do you need anything else?  Do you wish to change
     things?  For example, if you do not like root getting standard output of
     the daily scripts, and want only the security scripts that are mailed in-
     ternally, you can type crontab -e and change some of the lines to read:

           30  1  *  *  *   /bin/sh /etc/daily 2>&1 > /var/log/daily.out
           30  3  *  *  6   /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
           30  5  1  *  *   /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out

     See crontab(5).

   Next day cleanup
     After the first night's security run, change ownerships and permissions
     on files, directories, and devices; root should have received mail with
     subject: "<hostname> daily insecurity output.".  This mail contains a set
     of security recommendations, presented as a list looking like this:

                   permissions (0755, 0775)
                   user (0, 3)

     The best bet is to follow the advice in that list.  The recommended set-
     ting is the first item in parentheses, while the current setting is the
     second one.  This list is generated by mtree(8) using /etc/mtree/special.
     Use chmod(1), chgrp(1), and chown(8) as needed.

     Install your own packages.  The OpenBSD ports collection includes a large
     set of third-party software.  A lot of it is available as binary packages
     that you can download from ftp://ftp.openbsd.org or a mirror, and install
     using pkg_add(1).  See ports(7) and packages(7) for more details.

     Copy vendor binaries and install them.  You will need to install any
     shared libraries, etc.  (Hint: man -k compat to find out how to install
     and use compatibility mode.)

     There is also other third-party software that is available in source form
     only, either because it has not been ported to OpenBSD yet, or because
     licensing restrictions make binary redistribution impossible.  Sometimes
     checking the mailing lists for past problems that people have encountered
     will result in a fix posted.

     First, review the system message buffer using the dmesg(8) command to
     find out information on your system's devices as probed by the kernel at
     boot.  In particular, note which devices were not configured.  This in-
     formation will prove useful when editing kernel configuration files.

     To compile a kernel inside a writable source tree, do the following:

           # cd /usr/src/sys/arch/somearch/conf
           # vi SOMEFILE  (to make any changes)
           # config SOMEFILE
           # cd ../compile/SOMEFILE
           # make

     where somearch is the architecture (e.g. i386), and SOMEFILE should be a
     name indicative of a particular configuration (often that of the host-
     name).  You can also do a make depend so that you will have dependencies
     there the next time you do a compile.

     If you are building your kernel again, before you do a make you should do
     a make depend after making changes (including updates or patches) to your
     kernel source, or a make clean after making changes to your kernel op-

     After either of these two methods, you can place the new kernel (called
     bsd) in / (i.e. /bsd) and the system will boot it next time.  Most people
     save their backup kernels as /bsd.1, /bsd.2, etc.

     It is not always necessary to recompile the kernel if only configuration
     changes are required.  With config(8), you can change the device configu-
     ration in the kernel file directly:

           # config -e -o bsd.new /bsd
           OpenBSD 2.7-beta (GENERIC.rz0) #0: Mon Oct  4 03:57:22 MEST 1999
           Enter 'help' for information

     Additionally, you can permanently save the changes made with UKC during
     boot time in the kernel image.

     chgrp(1), chmod(1), crontab(1), date(1), df(1), domainname(1),
     hostname(1), ls(1), make(1), man(1), netstat(1), passwd(1), pkg_add(1),
     ssh(1), su(1), xdm(1), ccd(4), aliases(5), crontab(5), defaultdomain(5),
     dhcpd.conf(5), exports(5), fbtab(5), fstab(5), group(5), hostname.if(5),
     login.conf(5), passwd(5), printcap(5), resolv.conf(5), ssh_config(5),
     hostname(7), packages(7), ports(7), adduser(8), amd(8), ccdconfig(8),
     chown(8), config(8), dhclient(8), dhcp(8), dhcpd(8), dmesg(8), ftpd(8),
     ifconfig(8), inetd(8), kbd(8), lpd(8), mount(8), mtree(8), named(8),
     netstart(8), newaliases(8), ntpd(8), portmap(8), rbootd(8), rc(8),
     rdate(8), rmt(8), route(8), sudo(8), telnetd(8), timed(8), umount(8),
     vipw(8), yp(8), ypbind(8)

     This document first appeared in OpenBSD 2.2.

OpenBSD 3.6                    October 20, 1997                              8