Tips and Tricks

What follows are some suggestions that new users to OpenBSD might find helpful.

        

Single User Mode (reset root password)

If you have forgotten root's password or have mistakenly disabled the shell you used for root and other accounts, you will need to boot into single user mode to fix these problems.

  • Step 1 - Start single user mode
  • Step 2 - Check file systems with fsck (file system consistency check)
  • Step 3 - Mount filesystems
  • Step 4 - Reset root password

1. When you restart the system, wait until you see something similar to the following:

Using drive 0, partition 3.
Loading...
probing : pc0 com0 apm mem[634K 319M a20=on]
disk: fd0 hd0+
>> OpenBSD/i386 BOOT 3.01
boot>

At this point, enter single user mode:

Using drive 0, partition 3.
Loading...
probing : pc0 com0 apm mem[634K 319M a20=on]
disk: fd0 hd0+
>> OpenBSD/i386 BOOT 3.01
boot> boot -s

2. Now run fsck on all partitions, to make sure things are okay for changes:

Enter pathname of shell or RETURN for sh: <press enter>
# fsck -p

3. Mount all filesystems:

# mount -a

Export the TERM environment variable only if you need to edit files:

# export TERM=vt220

4. Reset root's password and then reboot:

# passwd
Changing local password for root.
New password: ILikeMonkeys
Retype new password: ILikeMonkeys
# shutdown -r now

Disable Root Logins To OpenSSH

By default, the OpenSSH server allows root logins. Disabling root access helps you avoid the bad habit of using the root account as your primary account. A more secure way of using OpenBSD is to log in as a user who belongs to the wheel group and use the su command to become root whenever root privileges are needed.

  • Step 1 - Add a user to the wheel group
  • Step 2 - Edit the sshd configuration file to disallow root logins

1. Adding the user nathan to the wheel group:

# usermod -G wheel nathan

2. Edit the entry in the /etc/ssh/sshd_config file from:

#PermitRootLogin yes

to:

PermitRootLogin no

Now restart sshd so the changes take effect without rebooting:

# kill -HUP `cat /var/run/sshd.pid`
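
A pre-flight check for the two steps above, as an added example that is not part of the original page: it reads the effective global PermitRootLogin value from an sshd_config-style file and confirms that a non-root user is listed in wheel, so that disabling root logins does not remove the only administrative path. The function names and the constructed sample files are assumptions for illustration; on a real system pass /etc/ssh/sshd_config and /etc/group.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# effective_root_login FILE: print the first uncommented PermitRootLogin
# value that appears before any Match block (sshd keeps the first value it
# obtains for a keyword), or "unset" if the directive is absent or commented.
effective_root_login() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# wheel_members FILE: print non-root users listed in the wheel entry of a
# group(5)-format file (users with wheel only as primary group are not listed).
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i]
    }' "$1"
}

# preflight SSHD_CONFIG GROUP_FILE: return 0 only when root login is "no"
# and at least one non-root account can still use su.
preflight() {
    value=$(effective_root_login "$1")
    members=$(wheel_members "$2")
    status=0
    [ "$value" = "no" ] || { echo "root login not disabled: $value"; status=1; }
    [ -n "$members" ] || { echo "no non-root user in wheel"; status=1; }
    return $status
}

# Constructed sample files so the script runs stand-alone.
demo_dir=$(mktemp -d)
printf '#PermitRootLogin yes\nPermitRootLogin no\nPermitRootLogin yes\n' \
    > "$demo_dir/sshd_config"
printf 'wheel:*:0:root,nathan\nusers:*:10:\n' > "$demo_dir/group"
preflight "$demo_dir/sshd_config" "$demo_dir/group" && echo "preflight ok"
```

A result of "unset" means the directive is commented out or missing and the sshd built-in default applies, which is the state of the file before the edit in step 2.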

Encrypt the Swap Partition

By default OpenBSD 4.3 will encrypt the swap partition. To turn this on for OpenBSD versions 3.7 and below:

  • Step 1 - Enable this feature without a reboot
  • Step 2 - Edit the sysctl config file, so that after a reboot the swap partition will be encrypted

1. Change the kernel state variable:

# sysctl -w vm.swapencrypt.enable=1

2. Edit /etc/sysctl.conf from:

#vm.swapencrypt.enable=1

to:

vm.swapencrypt.enable=1

Installing the Bash Shell

If you did not buy your copy of OpenBSD then you won't have any packages available locally in order to install the bash shell. The example below shows how to obtain the BASH package remotely.

  • Step 1 - Adding the BASH shell remotely
  • Step 2 - Setting BASH as your login shell

1. Add the i386 package for the BASH shell:

# pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386/bash-3.2.33.tgz

2. Setting BASH as your login shell:

# chsh -s bash

Formatting a Floppy Disk (3.5)

Setting up a floppy drive is slightly different than what you would do on Linux.

  • Step 1 - Create a floppy directory
  • Step 2 - Format the floppy
  • Step 3 - Partition the floppy
  • Step 4 - Create the file system
  • Step 5 - Mounting the floppy drive

1. Create the /mnt/floppy directory:

# mkdir /mnt/floppy

Make the /mnt/floppy directory accessible by root only:

# chmod 700 /mnt/floppy

2. Format a floppy; answer y at the prompt:

# fdformat fd0
Format 1440K floppy `/dev/rfd0c'? (y/n): y

3. Next we need to partition the floppy:

# disklabel -E fd0
Initial label editor (enter '?' for help at any prompt)
> a a
offset: [0] <press enter>
size: [2880] <press enter>
FS type: [4.3BSD] <press enter>
> w
> q
No label changes.

4. Create the file system:

# newfs fd0a

5. Mounting the floppy drive:

# mount -t ffs /dev/fd0a /mnt/floppy

or add this line to your /etc/fstab file:

/dev/fd0a  /mnt/floppy  ffs  rw,noauto  0 0

Keeping System Time with OpenNTPD

The program OpenNTPD (ntpd) is included in the base install of OpenBSD. Ntpd is both server and client side software that will connect to a time server and sync its time via the NTP (Network Time Protocol). A list of NTP servers can be found here.

What follows is setting up ntpd as a client

  • Step 1 - Create the file /etc/rc.conf.local if it doesn't exist
  • Step 2 - Edit rc.conf.local so ntpd will run at boot-up
  • Step 3 - Setting the NTP server that will be used to check time

1. Create the file /etc/rc.conf.local if it doesn't exist:

# touch /etc/rc.conf.local

2. Adding an entry to the /etc/rc.conf.local file so ntpd runs at startup:

# echo ntpd_flags=\"-s\" >> /etc/rc.conf.local

3. Edit the /etc/ntpd.conf file, adding the time server to be used:

# $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
# sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
# listen on *

# sync to a single server
server tick.cs.unlv.edu

# use a random selection of 8 public stratum 2 servers
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
# servers pool.ntp.org

Change the server setting to a server near you and comment out the servers line.

If your time is off by a few minutes or hours a large time change will take place during boot-up (when using the -s flag). But while your server is running, a large time change will not take place, helping to prevent abuse to the log files. Instead a time change of one second will take place over 4 minute intervals, until time has been corrected.

To check if ntpd is making those changes:

# grep ntpd /var/log/daemon

Getting FTPd (non-anonymous) Up and Running

Setting up and running ftpd for users:

  • Step 1 - Edit /etc/inetd.conf
  • Step 2 - Restart inetd

1. Edit (uncomment) the ftp entry in /etc/inetd.conf from:

#ftp  stream  tcp   nowait  root   /usr/libexec/ftpd    ftpd -US

to:

ftp  stream  tcp   nowait  root   /usr/libexec/ftpd    ftpd -US

2. Restart inetd so that ftp will be recognized as a service:

# kill -HUP `cat /var/run/inetd.pid`

Users listed in the /etc/ftpusers file will not be allowed to log into ftpd. Commenting out the 'root' entry in this file will allow root to log in via ftp (which is not recommended).

Getting Apache (httpd) Up and Running

Installing all the sets (base43.tgz) of OpenBSD will ensure that you have Apache 1.3.29 installed. Apache 2.0 will not come with the base installation of OpenBSD due to Apache's license changes for 2.0.

  • Step 1 - Location of Apache configuration file
  • Step 2 - Starting httpd
  • Step 3 - Having httpd run at startup

1. Configuration of Apache is done using the /var/www/conf/httpd.conf file.

2. Starting the http daemon:

# apachectl start

A good rule of thumb is not to edit your /etc/rc.conf file. Instead create then edit a file called /etc/rc.conf.local. Settings specified in rc.conf.local will take precedence over settings in the /etc/rc.conf file.

3. Edit your /etc/rc.conf.local file adding this entry:

# echo 'httpd_flags="" ' >> /etc/rc.conf.local

Changing the Timezone

OpenBSD's timezone is set from the /etc/localtime binary file, which is a soft link (symbolic link) to one of the files located in the /usr/share/zoneinfo directory structure.

  • Step 1 - Location of timezone file
  • Step 2 - Find your timezone
  • Step 3 - Removing, then adding a soft link

1. Configuring the timezone is done using the /etc/localtime file.

2. Locate your timezone file in the /usr/share/zoneinfo/ directories.

3. Changing your timezone to Los Angeles (pacific) time:

# rm /etc/localtime
# ln -s /usr/share/zoneinfo/America/Los_Angeles  /etc/localtime

lsof (list open files) Command

The lsof command is a little-used command. lsof will let you track down which files are open and who's using them, along with open pipes and ports.

  • Step 1 - Remotely add the lsof package
  • Step 2 - Using lsof

1. Remotely add the lsof package:

# pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386/lsof-4.77p1.tgz

2. Using lsof to list open ports and established connections:

# lsof -i

Note: The command fstat is similar to lsof, and comes with the base installation of OpenBSD. And since there's always more than one way to get things done in Unix, lsof is worth mentioning.

Editing Files with Nano

An alternative to using vi when editing files.

  • Step 1 - Remotely add the nano package
  • Step 2 - Using nano
  • Step 3 - Making nano your default editor in BASH

1. Remotely add the nano package:

# pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386/nano-2.0.7.tgz

2. Using nano to edit your hosts file:

# nano /etc/hosts

3. Adding an entry to your .bash_profile file:

# cd
# echo 'export EDITOR=nano' >> .bash_profile

To have the changes take effect without logging out:

# cd
# source .bash_profile

Locking A User Out of Their Account

There will come a time when an administrator needs to prevent a user from using their account.

Locking the user nathan out of his account. As root:

# chsh -s nologin nathan

Unlocking the user nathan from his account. As root:

# chsh -s sh nathan

A better way of locking a user out of their account is by using the userdel command, which will not only change the user's shell to a nologin shell but also change the user's password to an "impossible" one. Also, the user's home directory will not be removed.

Locking the user nathan out of his account. As root:

# userdel -p true nathan

Locking All Users Out of Their Accounts

There will come a time when an administrator needs to prevent all users from using their accounts. Root does not fall under the default login class and will not be locked out.

Locking all users from their accounts. As root:

# touch /etc/nologin

Allowing logins again. As root:

# rm /etc/nologin

The login program is controlled by /etc/login.conf and can be tweaked to meet your needs, including setting default user environmental variables and fine-tuning your system security.

Mounting a USB Flash Drive

USB drives usually show up as (emulated) SCSI drives.

  • Step 1 - Plug in your USB flash drive
  • Step 2 - Create a flash drive directory
  • Step 3 - Mount the flash drive

1. Physically plug in your USB flash drive.

2. Create a flash drive directory:

# mkdir /mnt/flashdrive

3. Mount the flash drive:

# mount /dev/sd0i /mnt/flashdrive

What follows is setting up a flash drive to work with OpenBSD and Windows

  • Step 1 - Plug in your USB flash drive
  • Step 2 - Create a flash drive directory (if not already created)
  • Step 3 - Create and format a MSDOS partition
  • Step 4 - Mount the flash drive filesystem

1. Physically plug in your USB flash drive.

2. Create a flash drive directory (if not already created):

# mkdir /mnt/flashdrive

3. Create and format a MSDOS partition:

# newfs -t msdos sd0c

This will create the i partition on the sd0 flash device.

4. Mount the flash drive filesystem:

# mount /dev/sd0i /mnt/flashdrive

Note: Remember to unmount the flash filesystem before unplugging the flash device from your computer or data corruption might occur.

Unmount the flash filesystem:

# umount /mnt/flashdrive

Now you can safely remove your USB drive.

Note: Starting with OpenBSD 4.3, filesystems on USB devices are automatically dismounted if the device is disconnected.

Burning a CD-RW

To create the ISO image files that are being used in the following CD burning examples you will need to have the cdrtools package installed.

So, remotely install the i386 cdrtools package:

# pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386/cdrtools-2.01p1.tgz

1st Method

The following method uses the cdio command, which comes with the base installation of OBSD.

What follows is an example of burning the home directories to a CD-RW

  • Step 1 - Create an ISO image of the information targeted for the CD-RW
  • Step 2 - Blank the CD-RW disk
  • Step 3 - Burn the ISO image to the blank CD-RW

1. Next make an ISO image of the home directories:

# mkisofs -v -l -L -r -J -R -o /root/backup.iso /home/

2. Now blank the CD-RW disk:

# cdio blank

3. And finally burn the ISO image to the blank CD-RW:

# cdio tao /root/backup.iso

2nd Method

The following method uses the cdrecord command, which comes with the cdrtools package.

What follows is an example of burning the home directories to a CD-RW

  • Step 1 - Create an ISO image of the information targeted for the CD-RW
  • Step 2 - Blank the CD-RW disk
  • Step 3 - Burn the ISO image to the blank CD-RW

1. Next make an ISO image of the home directories:

# mkisofs -v -l -L -r -J -R -o /root/backup.iso /home/

2. Now blank the CD-RW disk:

# cdrecord -blank fast dev=/dev/cd0c

3. And finally burn the ISO image to the blank CD-RW:

# cdrecord -v dev=/dev/cd0c /root/backup.iso

How to figure out what device node is associated with the CD burner

I have a Memorex CD burner, so I will search dmesg output to see if the kernel has recognized my burner and to find out what device node the burner has been associated with.

Grepping the dmesg output:

# dmesg | grep Memorex
cd0 at scsibus0 targ 0 lun 0: <Memorex, 48MAX 244816AJ, KWH8> SCSI0 5/cdrom removable

From the dmesg output you can see that the device node cd0 has been associated with the Memorex burner.

Mounting the CD burner

  • Step 1 - Create a CD-ROM directory
  • Step 2 - Mount the CD filesystem

1. Create a CD-ROM directory:

# mkdir /mnt/cdrom

2. Mounting the CD filesystem:

# mount /dev/cd0c /mnt/cdrom/

Useful Commands

Adding a user

# adduser

Remove a user named nathan

# rmuser nathan

Checking disk usage

# df -ht ffs

Restart OpenSSH without rebooting

# kill -HUP `cat /var/run/sshd.pid`

Using netstat

# netstat -a -f inet

Checking network usage statistics

# netstat -s

Check disk usage of the home directories

# du -sh /home/*

Finding a file, searching the entire directory structure

# find / -name bsd

Adding the user nathan to the wheel group

# usermod -G wheel nathan

Using pkg_add's interactive mode to add pidgin (gaim)

# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.3/packages/i386/
# pkg_add -i pidgin
Choose one package
      0: <None>
      1: pidgin-2.4.1p1
      2: pidgin-2.0.1p1-gtkspell
Your choice:

If you notice any errors, please let me know.
