Getting these fixes can be done in a few different ways:
-u
flag to get the new files.
/usr/ports/infrastructure/bin/pkg_outdated
script to
list any packages in need of rebuilding, and issue make update
in the affected port directory.
In some cases, existing ports will need to be uninstalled before
rebuilding.
Most daemons and services that come with OpenBSD are controlled on boot by variables defined in /etc/rc.conf. You'll see lines similar to this:
httpd_flags=NOThis shows that httpd(8) is not to be started from rc(8) at boot time. Each line has a comment showing you the flags for common usage of that daemon or service.
Do not alter rc.conf(8) directly.
Instead, use the rcctl(8) utility
to maintain the /etc/rc.conf.local
file.
This makes future upgrades easier as all the changes are in the one file that
isn't touched during upgrade.
For example, to start the apmd(8) daemon for CPU scaling, one might do:
# rcctl enable apmd # rcctl set apmd flags -A # rcctl start apmd
For example, if appropriately configured, the following command would display root's crontab(5) file:
$ doas -u root crontab -lCommands invoked by doas(1) are logged to
/var/log/secure
by default.
Check the doas.conf(5) manual
for configuration examples.
/etc/master.passwd
and
is only readable by root.
The pwd_mkdb(8) tool generates
the world-readable /etc/passwd
and the password databases
(/etc/pwd.db
and /etc/spwd.db
) from the main file.
The format is described in
passwd(5).
Always use vipw(8) to edit the
password file.
After you are done editing, it will first sanity check the changes, then
recreate /etc/passwd
and the password databases, and finally
install the copy in place of the original /etc/master.passwd
file.
/
and /usr
partitions, and run passwd(1)
to change the root password.
-s
flag can be passed to
boot(8):
probing: pc0 com0 com1 mem[638K 1918M a20=on] disk: hd0+ hd1+ >> OpenBSD/amd64 BOOT 3.33 boot> boot -s
/
and /usr
will need to be mounted
read-write.
# fsck -p / && mount -uw / # fsck -p /usr && mount /usr
# passwd
reboot
.
ntpd
will only jump the clock forward.
If your clock has to be moved backward, manually set the clock using
date(1).
To use OpenNTPD as a server, add a listen on *
line to
ntpd.conf(5) file and restart
the daemon.
You can also instruct it to only listen on a specific address or interface.
When you have ntpd(8) listening,
other machines may not be able to synchronize their clocks right away.
This is because time information won't be served until the local clock
is synced with a reasonable level of stability.
Once this level is reached, a "clock now synced" message will appear in
/var/log/daemon
.
If having the hardware clock set to UTC is a problem, you can change the
default behavior of OpenBSD via
sysctl.conf(5).
For example, put the following in /etc/sysctl.conf
to
configure OpenBSD to use a hardware clock set to US Eastern Standard
Time (5 hours behind UTC, so minus 300 minutes):
kern.utc_offset=-300See sysctl(2) for more information.
Note that the hardware clock must already be running at the desired offset before booting OpenBSD with the above configuration or the system time will be incorrectly adjusted at boot.
Normally, the time zone is set during install.
If you have need to change the time zone, you can create a new symbolic
link to the appropriate time zone file in /usr/share/zoneinfo
.
For example, to set the machine to use EST5EDT as the new local time zone:
# ln -fs /usr/share/zoneinfo/EST5EDT /etc/localtimeAlso see the date(1) manual.
To use the Unicode character set in UTF-8 encoding wherever supported, set the
LC_CTYPE
environment variable to the value
en_US.UTF-8
:
export LC_CTYPE="en_US.UTF-8"
to your
~/.xsession
before starting the window manager.
See customizing X for more details.
export LC_CTYPE="en_US.UTF-8"
to your ~/.profile
.
The text console's UTF-8 support is a work in progress, and some non-ASCII
characters may not display properly.
LC_CTYPE
environment variable is not propagated, and you have to make sure that the
local terminal is set to the character encoding used by the remote server
before connecting.
If that encoding is unknown or unsupported by OpenBSD, make sure you use the
default xterm(1) configuration and
set LC_CTYPE=en_US.UTF-8
in the remote shell after connecting.
The OpenBSD base system completely ignores all locale-related environment
variables except LC_CTYPE
; even LC_ALL
and
LANG
only affect the character encoding.
Some ports may respect other LC_*
variables,
but using them or setting LC_CTYPE
to any value other than
C
, POSIX
or en_US.UTF-8
is not recommended.
WARNING: One-time password systems only protect authentication information. They do not prevent network eavesdroppers from gaining access to private information. Furthermore, if you are accessing a secure system A, it is recommended that you do this from another trusted system B, to ensure nobody is gaining access to system A by logging your keystrokes or by capturing and/or forging input and output on your terminal devices.
/etc/skey
must exist.
If this directory doesn't exist, have the superuser create it by doing:
# skeyinit -EThen use skeyinit(1) to initialize your S/Key. You will first be prompted for your login password, then you will be asked for your S/Key secret passphrase, which must be at least 10 characters long:
$ skeyinit Password: [Adding ericj with md5] Enter new secret passphrase: Again secret passphrase: ID ericj skey is otp-md5 100 oshi45820 Next login password: HAUL BUS JAKE DING HOT HOGNotice the information in the last two lines. The program used to create your S/Key password is otp-md5(1), the sequence number is
100
and the secret key is
oshi45820
.
The six small words HAUL BUS JAKE DING HOT HOG
constitute the S/Key
password with sequence number 100
.
$ skeyinfo -v otp-md5 95 oshi45820 $ otp-md5 95 oshi45820 Enter secret passphrase: NOOK CHUB HOYT SAC DOLE FUMEIn order to generate a list of S/Key passwords, do:
$ otp-md5 -n 5 95 oshi45820 Enter secret passphrase: 91: SHIM SET LEST HANS SMUG BOOT 92: SUE ARTY YAW SEED KURD BAND 93: JOEY SOOT PHI KYLE CURT REEK 94: WIRE BOGY MESS JUDE RUNT ADD 95: NOOK CHUB HOYT SAC DOLE FUME
localhost
.
To perform an S/Key login, you append :skey
to your login name.
$ ftp localhost Connected to localhost. 220 oshibana.shin.ms FTP server (Version 6.5/OpenBSD) ready. Name (localhost:ericj): ericj:skey 331- otp-md5 93 oshi45820 331 S/Key Password: JOEY SOOT PHI KYLE CURT REEK [...] 230 User ericj logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> quit 221 Goodbye.Similarly, for ssh(1):
$ ssh -l ericj:skey localhost otp-md5 91 oshi45821 S/Key Password: SHIM SET LEST HANS SMUG BOOT Last login: Thu Apr 7 12:21:48 on ttyp1 from 156.63.248.77 $
Of course, you could use various directory services on OpenBSD. But YP is the only one that can be accessed directly using standard C-library functions like getpwent(3), getgrent(3), gethostbyname(3) and so on. Thus, if you keep your data in a YP database, you do not need to copy it to local configuration files like master.passwd(5) before you can use it, for example to authenticate system users.
YP is a directory service compatible with Sun Microsystems NIS (Network Information System). See yp(8) for an overview of the available manual pages. Be careful, some operating systems contain directory services bearing similar names but all the same being incompatible, for example NIS+.
To use directory services other than YP, you either need to populate local
configuration files from the directory, or you need a YP frontend to
the directory.
For example, you can use the sysutils/login_ldap
port when you
choose the former,
while the ypldap(8)
daemon provides the latter.
For some applications, simply synchronizing a small number of configuration
files among a group of machines using tools like
rdist(1),
cron(8),
scp(1) or
rsync
(available from ports) constitutes an easy and robust
alternative to a full-blown directory service.
Thus, before setting up any YP server, you should consider whether these inherent security flaws are acceptable in your context. In particular, YP is inadequate if potential attackers have physical access to your network. Anybody gaining root access to any computer connected to your network segments carrying YP traffic can bind your YP domain and retrieve its data. In some cases, passing YP traffic through SSL or IPsec tunnels might be an option.
Use the domainname(1) utility to set the domain name, and put it into the defaultdomain(5) file to have it automatically set at system startup time.
# echo "puffynet" > /etc/defaultdomain # domainname `cat /etc/defaultdomain`Initialize the YP server using the interactive command:
# ypinit -mAt this point, it is not necessary to specify slave servers yet. To add slave servers, you can rerun ypinit(8) later, using the
-u
option.
Setting up at least one slave server for each domain is useful to avoid
service interruptions.
For example, should the master server ever go down or lose network
connectivity, client processes trying to access YP maps block indefinitely
until they receive the requested information.
Thus, YP service interruptions typically render the client hosts completely
unusable until YP is back to service.
Decide where to store the source files to generate your YP maps from.
Keeping the server configuration separate from the served configuration
helps to control which information will be served and which won't, so the
default /etc
often isn't the best choice.
The only inconvenience caused by changing the source directory is that you will not be able to add, remove and modify users and groups in the YP domain using utilities like user(8) and group(8). Instead, you will have to edit the configuration files with a text editor.
To define the source directory, edit the file
/var/yp/`domainname`/Makefile
and change the DIR
variable, e.g.
DIR=/etc/yp/src/puffynetConsider customizing other variables in
/var/yp/`domainname`/Makefile
.
See Makefile.yp(8)
for details.
For example, even in case you use the default source directory
/etc
, you do not usually need all accounts and groups existing
on the server on all your client hosts.
In particular, not serving the root account and thus keeping root's password
hash confidential is often beneficial to security.
Review the values of MINUID
, MAXUID
,
MINGID
and MAXGID
and adjust them to you needs.
If all your YP clients run OpenBSD or FreeBSD, exclude the encrypted
passwords from the passwd
maps by setting UNSECURE=""
in /var/yp/`domainname`/Makefile
.
The former practice of editing the template file
/var/yp/Makefile.yp
is no longer recommended.
Changes to that file affect all domains initialized after the change, but
do not affect domains initialized before the change, so this is error-prone
either way:
You both risk that the intended changes do not take effect, and you risk to
forget about them and have them affect other domains later which they were
never intended for.
Create the source directory and populate it with the configuration files
you need.
See Makefile.yp(8)
to learn which YP maps require which source files.
For the format of the individual configuration files, refer to
passwd(5),
group(5),
hosts(5)
and so on, and look at the examples in /etc
.
Create the initial version of your YP maps using the commands
# cd /var/yp # makeDo not worry about error messages from yppush(8) right now. The YP server is not yet running.
YP uses rpc(3) (remote procedure calls) to communicate with clients, so it is necessary to enable portmap(8). To do so, use rcctl(8).
# rcctl enable portmap # rcctl start portmapConsider using either the securenet(5) or the ypserv.acl(5) security feature of the YP server daemon. But be aware that both of these only provide IP based access control. Thus, they only help as long as potential attackers have neither physical access to the hardware of the network segments carrying your YP traffic nor root access to any host connected to those network segments.
Finally, start the YP server daemon:
# rcctl enable ypserv # rcctl start ypservTo test the new server, consider making it its own client, following the instructions in the first part of the next section. In case you don't want the server to use its own maps, you can disable the client part after the test with the following commands:
# rcctl stop ypbind # rcctl disable ypbindRemember that each time you change a file sourced by a YP map, you must regenerate your YP maps.
# cd /var/yp # makeThis updates all database files in
/var/yp/`domainname`
, with
one exception: The file ypservers.db
, listing all YP master
and slave servers associated with the domain, is created directly
from ypinit -m
and modified exclusively by ypinit -u
.
In case you accidentally delete it, run ypinit -u
to recreate
it from scratch.
Like on the server, you must set the domain name and enable the portmapper:
# echo "puffynet" > /etc/defaultdomain # domainname `cat /etc/defaultdomain` # rcctl enable portmap # rcctl start portmapIt is recommended to provide a list of YP servers in the configuration file
/etc/yp/`domainname`
.
Otherwise, the YP client daemon will use network broadcasts to find
YP servers for its domain.
Explicitly specifying the servers is both more robust and marginally
less open to attack.
If you have not set up any slave servers, just put the host name
of the master server into /etc/yp/`domainname`
.
Enable and start the YP client daemon, ypbind(8).
# rcctl enable ypbind # rcctl start ypbindIf all went well you should be able to query the YP server using ypcat(1) and see your passwd map returned.
# ypcat passwd bob:*:5001:5000:Bob Nuggets:/home/bob:/usr/local/bin/zsh ...Another useful tool for debugging your YP setup is ypmatch(1).
The second part of configuring a YP client involves editing local configuration files such that certain YP maps get used by various system facilities. Not all servers serve all standard maps supported by the operating system, some servers serve additional non-standard maps, and you are by no means compelled to use all those maps. Which of the available maps shall or shall not be used, and for which purposes they shall be used, is fully at the discretion of the client host's system administrator.
For a list of standard YP maps and their standard usage, see Makefile.yp(8).
If you want to include all user accounts from the YP domain, append the default YP marker to the master password file and rebuild the password database:
# echo '+:*::::::::' >> /etc/master.passwd # pwd_mkdb -p /etc/master.passwdFor details on selective inclusion and exclusion of user accounts, see passwd(5). To test whether inclusion actually works, use the id(1) utility.
If you want to include all groups from the YP domain, append the default YP marker to the group file:
# echo '+:*::' >> /etc/groupFor details on selective group inclusion, see group(5).