Back to the sea ; the OpenBSD installation, episode II

OpenBSD is really easy to install.
It’s not shinning, but it asks for a few questions and only takes a couple of minutes to get a working system.


Grab the install48.iso file that corresponds to your version and CPU architecture. Burn it to a CD or use it to boot a VM.

The installation is straight forward, no big deal.
It’ll ask for the keyboard layout you want to use.
It’ll propose you to configure a DHCP (or fixed) network configuration.
It’ll configure the root password, create a basic user, configure SSH and NTP and set your time zone.

The disk configuration might be a bit tricky.
But just read the FAQ and you’ll be able to handle this.

If you downloaded the install*.iso file, every archives will be provided on the CD (emulation). So you’ll choose cd as the “Location of sets?”. If not, you may use http or ftp ; if you have a network access.

When asked for the “Set name(s)?”, I choose all then done. This might not be the safest installation for a server but there are packages that might require X stuff latter and I don’t really want to fight with those latter. Then, I consider that a non running service doesn’t harm. I know it’s not quite true, but that’s the level of security I want to afford.

Let the installation proceed, auto-configure a few other things and you’re ready to reboot.

First boot

Here we are. The system has rebooted and the login prompt is ready for me.

As I configured a user and SSH, I won’t use the console. I’ll do everything via a remote SSH connexion.

From DHCP to fixed IP

I installed the system with a DHCP configuration. It’s just easier for a start ; and I don’t remember what the default network range inside a VMware Fusion NAT 😉

There are only a few steps to switch to fixed IP:

# vi /etc/hostname.em0
# vi /etc/myname
# vi /etc/mygate
# vi /etc/hosts bagheera
# vi /etc/resolv.conf
lookup file bind

Reboot the server to apply the name and network configuration.

OpenSSH service

I want to use long SSH keys and deny SSH access via password.

Create the server keys:

# ssh-keygen -t rsa1 -f ssh_host_key -N '' -C "" -b 4096
# ssh-keygen -t dsa -f ssh_host_dsa_key -N '' -C "" -b 1024
# ssh-keygen -t rsa -f ssh_host_rsa_key -N '' -C "" -b 4096
# cp -p ssh*key* /etc/ssh/

Create the personal keys:

# ssh-keygen -t rsa -C "" -b 4096

Deny password authentication:

# vi /etc/ssh/sshd_config
PasswordAuthentication no
# kill -HUP `cat /var/run/`

Execute a command as another user

Your normal user is no admin ; or at least, it shouldn’t. So to do big guy things, you need to be granted the ultimate mighty power. sudo is the tool that enables you to run a single command as Zeus.

Configure sudo:

# visudo

If your user was created during installation, it already is in the wheel group. If not, add it and relog to apply the changes. And remember:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

User environment

The default user environment is perfect for administration. Fast, silent, efficient. But I like to add a bit of color in my terminals.

# vi ~/.profile


export EDITOR="/usr/local/bin/vim"
export EXINIT='set autoindent'
export PAGER="/usr/bin/less"


alias ls="/bin/ls -aF" 
      ll="ls -lh"

set -o emacs
umask 022

_H="`hostname -s`"
_V="`uname -sr`"



case $TERM in
#       PS1='^[]0;[ $_U@$_H:$(pwd) ]^G
#$DRED-($DYELLOW$(date +"%H:%M")$DRED)-($DGREEN$(pwd)$DRED)- $BLANK'
        PS1='^[]0;[ $_U@$_H:$(pwd) ]^G
-%d %H:%M")$DRED)-
# '

        PS1='[ $_U@$_H:$(pwd) ] '

The mighty editor

I like to use vim as my system editor:

# pkg_add
# pkg_add
# vi ~/.vimrc
set nocompatible
set backspace=indent,eol,start
set nobackup
set history=50
set ruler
set showcmd
set incsearch

syntax on

Last step

It’s time for a remote backup:

# ssh “sudo tar czpf – /” > bagheera.obsd48amd64.01basics.tar.gz
tar: Removing leading / from absolute path names in the archive
tar: Ustar cannot archive a socket /dev/log
tar: Ustar cannot archive a socket /var/cron/tabs/.sock
tar: Ustar cannot archive a socket /var/empty/dev/log
tar: Ustar cannot archive a socket /var/www/dev/log

That’s All Folks!

1 Comment

  • Back to the sea ; the OpenBSD services, episode I | TuM'Fatig Fri, 14 Jan 2011 21:47:59 +0000 Reply

    […] the OpenBSD installation […]

Leave a Reply

%d bloggers like this: