OpenBSD jumpstart

Learn to tame OpenBSD quickly.

June 06, 2016, proudly hosted by ARP Networks.

History

Forked from NetBSD. Theo de Raadt is the founder and leader of the OpenBSD project. The first OpenBSD release (1.1/CVS) appeared on October 18, 1995.

Why use OpenBSD

  • UNIX-like
  • Get the latest version of OpenSSH, OpenSMTPD, OpenNTPD, OpenIKED, OpenBGPD, LibreSSL, mandoc
  • Get the latest PF (Packet Filter) features
  • Security focused Operating System
  • Thorough documentation
  • Cryptography

OpenBSD innovations

Software developed or maintained by the OpenBSD project:
http://www.openbsd.org/innovations.html

OpenBSD manual pages (web)

http://man.openbsd.org

OpenBSD Version numbers

  • Two releases per year (one every six months)
  • Each new release increments the version number by 0.1 (5.8, 5.9, 6.0, ...)

OpenBSD's Flavors

  • -release: The version of OpenBSD shipped every six months
  • -stable: Release, plus patches (support ~ 1 year)
  • -current: Development branch

Installation

Really simple, ready in 5 minutes (KISS).

Get more information: http://www.openbsd.org/faq/faq4.html

Networking (Files)

File                 Contents
/etc/myname          Default hostname.
/etc/hostname.if     Configuration for each network interface, for example: /etc/hostname.bge0
/etc/mygate          Default gateway.
/etc/resolv.conf     Resolver (DNS).
/etc/hosts           Known hosts on the network.

Networking


# Display the current configuration of network interfaces:
/sbin/ifconfig

# Perform network (re)initialisation:
/bin/sh /etc/netstart

# Set DHCP for 're0' interface, on the fly:
/sbin/dhclient re0

Networking (Routing)


# Show the routing table (ipv4):
/sbin/route -n show -inet

# Show the routing table (ipv6):
/sbin/route -n show -inet6

# Delete all gateway entries from the routing table:
/sbin/route -n flush

Networking (set at startup)

Example 1: configure static IP address for re0


## file: /etc/hostname.re0
inet 192.168.0.58 255.255.255.0

# For more information, read the manual: hostname.if(5)

Don't forget to run 'sh /etc/netstart re0' to apply the change to the running system. The default gateway is not set in this file: put it in /etc/mygate (see mygate(5)).

Networking (set at startup)

Example 2: configure DHCP for bge0


## file: /etc/hostname.bge0
dhcp

# For more information, read the manual: hostname.if(5)

Don't forget to run 'sh /etc/netstart bge0' to apply changes to running system.

Networking (set at startup)

Example 3: configure wireless


# First, list the wireless networks in range:
ifconfig iwn0 scan

## Configure 'iwn0' using the file: /etc/hostname.iwn0
nwid ACCESS_POINT_NAME
wpakey THE_SECRET_KEY
dhcp

# For more information, read the manual: hostname.if(5)

This file holds the WPA passphrase in clear text: keep it owned by root:wheel with mode 0640, as hostname.if(5) recommends.

Don't forget to run 'sh /etc/netstart iwn0' to apply changes to the running system.

PF (Packet Filter)

Ruleset: /etc/pf.conf

Useful commands


# Disable PF:
/sbin/pfctl -d

# Enable PF and load the rules:
/sbin/pfctl -ef /etc/pf.conf

# Just load the rules (apply changes):
/sbin/pfctl -f /etc/pf.conf

# View the loaded rules:
/sbin/pfctl -s rules

For more information, read the manual: pfctl(8)

PF ruleset sample


## file: /etc/pf.conf
# Protect a laptop (allow only ping/ssh from anywhere)
set skip on lo
set fingerprints "/dev/null"
block log all
pass in on egress inet proto icmp all icmp-type echoreq
pass in on egress inet proto tcp from any to any port ssh
pass out

# For more information, read the manual: pf.conf(5)
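A fuller version of the laptop policy, as an added example that is not part of the original page: it keeps the same intent (default deny, inbound ping and ssh only) but also passes the ICMPv6 messages an IPv6 link cannot work without (the sample above passes IPv4 ICMP only, so on an IPv6 network neighbour discovery is blocked), and it rate-limits inbound ssh with an overload table. The interface group 'egress' and the table name 'bruteforce' are assumptions.

```pf
## file: /etc/pf.conf (added example)
# Laptop policy: default deny, inbound ping and ssh only, with ssh
# brute-force protection. Assumes the uplink is in the 'egress' group.

# Table of sources that hammered ssh. 'persist' keeps the table alive
# even while no loaded rule references it (e.g. during a ruleset reload).
table <bruteforce> persist

set skip on lo
set fingerprints "/dev/null"
set block-policy drop

# Default deny, logged, so the drops show up on pflog0.
block log all

# Sources already caught by the overload rule are dropped first; 'quick'
# stops rule evaluation here, so the ssh pass rule below never sees them.
block in quick on egress from <bruteforce>

# ICMP echo requests (ping). For IPv6 also allow neighbour discovery and
# router advertisements, otherwise the link has no working IPv6 at all.
pass in on egress inet proto icmp all icmp-type echoreq
pass in on egress inet6 proto icmp6 all icmp6-type { echoreq, neighbrsol, neighbradv, routeradv }

# ssh from anywhere. A source that opens more than 5 new connections in
# 30 seconds is added to <bruteforce> and all of its states are killed.
pass in on egress proto tcp from any to any port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

pass out
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, which parses the file without applying it. Caught sources are listed with `pfctl -t bruteforce -T show` and dropped from the table after a day with `pfctl -t bruteforce -T expire 86400`; the table lives in kernel memory, so it is empty again after a reboot. Any single source opening ssh connections in a tight loop trips the limit, a scripted scp loop from your own workstation included.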

Debug PF with tcpdump(8)


/usr/sbin/tcpdump -nettti pflog0

Manage users

Manually


/usr/sbin/user [add|del|info|mod] foobar

The interactive way


# Add users
/usr/sbin/adduser

# Remove users
/usr/sbin/rmuser

For more information, read the manual: adduser(8)

Manage Groups

File: /etc/group


/usr/sbin/group [add|del|info|mod] foobar

Only members of the 'wheel' group can use su(1) to become 'root'.

For more information, read the manuals: group(8), group(5)

sudo replaced with doas(1)

sudo is no longer in the base system; doas(1) takes its place (sudo is still available as a package).


## file: /etc/doas.conf
# Permit the user 'marc' to reboot the box without a password
permit nopass marc as root cmd reboot

Marc can now reboot the box:


$ doas reboot

For more information, read the manual: doas.conf(5)
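A larger doas.conf as an added example (not from the page or from the doas project), showing how rule order works: doas evaluates every rule, and the last rule that matches decides. The users 'marc' and 'build' and the commands in the rules are assumptions.

```conf
## file: /etc/doas.conf (added example)
# All rules are evaluated; the LAST rule that matches decides. Put the
# broad rule first and the narrower exceptions after it.

# Anyone in group 'wheel' may run any command as root, after typing
# their own password.
permit :wheel

# 'marc' may restart the web server without a password. The command is
# matched as typed and the arguments must match exactly, so
# 'doas rcctl stop sshd' does not fall under this rule.
permit nopass marc as root cmd rcctl args restart httpd

# The unprivileged 'build' account may never use doas, even if someone
# later adds it to 'wheel': this rule comes last, so it wins.
deny build
```

Check the file and the match result without running anything: `doas -C /etc/doas.conf rcctl restart httpd` prints `permit nopass` when run as marc and `deny` when run as build. doas refuses a configuration file that is not owned by root or that is writable by group or others. Because a cmd rule matches the command name exactly as the user types it, write the rule in that form; the command runs with the environment reset unless the rule says keepenv.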

Install Packages


export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/5.8/packages/amd64/

## OR use 'installpath' variable within /etc/pkg.conf:
installpath = ftp.openbsd.org

# Find package name adding the tool 'package manager':
/usr/sbin/pkg_add pkg_mgr

# Add 'sudo' package:
/usr/sbin/pkg_add sudo
					

Some packages ship configuration notes and other information in '/usr/local/share/doc/pkg-readmes/'.

For more information, read the manual: pkg_add(1)

Packages


# List packages installed:
/usr/sbin/pkg_info

# View install-message for a specific package:
/usr/sbin/pkg_info -M foobar

# Remove a Package:
/usr/sbin/pkg_delete foobar

# Delete unused dependencies:
/usr/sbin/pkg_delete -a

For more information, read the manual: packages(7)

Install non-free firmware packages

/usr/sbin/fw_update

Firmware is downloaded from release-specific directories at: http://firmware.openbsd.org/firmware/

Manage daemons, services

File: /etc/rc.conf.local


/usr/sbin/rcctl [enable|disable|start|stop|reload|restart] foobar

# Examples
/usr/sbin/rcctl enable ipsec
/usr/sbin/rcctl enable isakmpd
/usr/sbin/rcctl set isakmpd flags -K
/usr/sbin/rcctl start isakmpd

For more information, read the manual: rcctl(8)

Run a script at startup

File: /etc/rc.local

For more information, read the manual: rc.local(8)

Update OpenBSD

Security and reliability fixes for the current release are published as errata patches at:
http://www.openbsd.org/errata.html

You can also use the openup tool from M:tier.

Upgrade OpenBSD

Upgrades are supported one release at a time, so to go from 5.7 to 5.9 follow the 5.8 guide first, then the 5.9 guide:

http://www.openbsd.org/faq/upgrade58.html
&
http://www.openbsd.org/faq/upgrade59.html

OpenBSD Filesystem

The most important:

/ Root directory.
/home User home directories.
/root Default home directory for the superuser.
/mnt A temporary mount point.

OpenBSD Filesystem (continued)

/etc System configuration files and scripts.
/etc/examples Example configuration files for base system daemons.
/etc/skel (dot) files for new accounts.
/etc/signify Key files used for signify(1).

OpenBSD Filesystem (continued)

/tmp Cleaned after a reboot.
/var/tmp Symbolic link to the system /tmp.
/var/log Log files.
/var/run pid, socket files, utmp, dmesg.boot

OpenBSD Filesystem (continued)

/var/db Database files.
/var/www Configuration files for httpd(8).
/usr/local Third-party packages are installed here.
/usr/src BSD and/or local source files.

For more information, read the manual: hier(7)

OpenBSD Kernels

/bsd
Pure kernel executable (the operating system loaded into memory at boot-time).

OpenBSD Kernels (continued)

/bsd.mp
Pure kernel executable for multiprocessor machines.

OpenBSD Kernels (continued)

/bsd.rd
Installation kernel. The built-in RAM disk contains utilities which can be run without an external file system, so this kernel is useful for limited system maintenance too.

Tune the system

sysctl(8) get or set kernel state
config(8) modify a kernel

Maintenance

Displays the contents of the system message buffer: dmesg
Review rc(8) system startup messages: dmesg -s

Need more help

FAQ: http://www.openbsd.org/faq/
Manual page: afterboot(8)
Mailing list: misc@

Presentations & Papers

http://www.openbsd.org/papers/

Supporting OpenBSD

Donations

OpenBSD Foundation

OpenBSD Store

Thank you.

Feedback: contact@