- I’m assuming you followed the Installation guide in this post. And now you want to set up the system!
Pro Tip: We will be editing some files! Neither vim nor nano is installed by default (only vi). So if you can't survive vi, go ahead and install your editor:
# Run as Root
pkg_add vim # or nano
The first thing to do is add a user: instead of working as root, it is much safer to do day-to-day work as an unprivileged user and use doas only for the commands that need root.
Create a user and add it to the wheel group. The -m flag creates a home directory for it (/home/demo/):
## Run as root
# Create the user demo & add it to the wheel group
useradd -m -G wheel demo
# Give a password to demo
passwd demo
Accidentally added a user? Delete it with userdel instead of useradd.
Note: Make sure the password for root is very strong! You can change it with:
# Run as Root
passwd root
Doas Setup
Doas is the OpenBSD equivalent of sudo (in Linux) but much simpler.
Some basic doas.conf keywords:
permit: allow the matching user (or :group) to run commands as root. On its own, a password is asked for on every invocation.
persist: an option to permit; after one successful password prompt, don't ask again for a short period.
nopass: an option to permit; never ask for a password.
## Run as root
## :wheel matches every member of the wheel group, which includes the user you just added
echo "permit persist :wheel" > /etc/doas.conf
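As an added example (not the post's own configuration), here is a /etc/doas.conf with more than one rule. The point to remember is that doas.conf(5) applies the last matching rule, so broad rules go first and narrow exceptions after them. demo is the user created above; the passwordless pkg_add rule is an assumption for illustration, not something you must want.

```conf
# Members of wheel may run any command as root; after one successful
# password prompt, doas does not ask again for a short period (persist).
permit persist :wheel

# demo may update packages without a password, but only with exactly
# these arguments. Later rules win, so for this one command this line
# overrides the broader rule above.
permit nopass demo as root cmd pkg_add args -Uu

# Anything no permit rule matches is denied. doas also refuses to run at
# all if this file has a syntax error, so check it after every edit.
```

Check the file with `doas -C /etc/doas.conf` after editing. With a command appended (`doas -C /etc/doas.conf pkg_add -Uu`, run as demo) it prints whether and how that command would be permitted without running it. Note that cmd matching is a literal comparison of the command name as typed, so per-command rules are a convenience, not a security boundary.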
- Now you should be able to change to that user and do privileged tasks
# Change to the user demo
su demo
# Update the installed packages
doas pkg_add -Uu
SSH Configuration
Unless you are installing on a cloud VM, or on a machine you will be SSH-ing into, you can safely skip ahead to the System Administration section.
Here is what we will be changing:
# Change the default SSH port (optional). This only cuts the noise from
# automated scanners in your logs; it is not a security control on its own.
Port 2222
# Key-based authentication only
PasswordAuthentication no
# Only these users may log in over SSH. Replace 'demo' with your username.
# sshd_config has no inline comments, so keep this line to the directive alone:
# anything after the username would be parsed as further user patterns.
AllowUsers demo
# Never allow root to log in directly
PermitRootLogin no
# Disable the Message of the Day (MOTD) for a cleaner login
PrintMotd no
# Drop the session after two unanswered keepalive probes. This only takes
# effect if ClientAliveInterval is also set to a non-zero value (default 0).
ClientAliveCountMax 2
Note: OpenBSD ships sshd_config with secure defaults, so we don't touch the other settings.
Now edit /etc/ssh/sshd_config:
# Run as root
# TIP
# > press ZZ to save and quit the file
# > press ZQ to quit without saving the file
vim /etc/ssh/sshd_config
# or
vi /etc/ssh/sshd_config
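Two mistakes are easy to make while editing this file: leaving an older `PasswordAuthentication yes` above the hardened line (sshd_config(5) uses the first value it obtains for each keyword, so the old line wins) and writing a comment after a directive (the file has no inline comments, so the comment becomes part of the value). The following script is an added example, not part of the original post: it reads a config file offline and reports the effective values. It assumes keyword and value are whitespace separated (the `Key=value` form is not handled) and ignores everything after the first `Match` line, since those settings are conditional. The sample configs it checks are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: an offline check of the
# effective values in an sshd_config. First value per keyword wins; lines
# after "Match" are conditional and ignored; Key=value syntax not handled.

# sshd_effective FILE KEYWORD: print the effective value, empty if unset.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }        # skip comment and blank lines
        tolower($1) == "match" { exit }       # conditional section: stop here
        tolower($1) == tolower(key) {         # first occurrence wins
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# check_sshd_hardening FILE: print each deviation from the settings used in
# this post; return 1 if there is any, 0 when the file is as intended.
check_sshd_hardening() {
    f=$1 rc=0
    for pair in "PasswordAuthentication no" "PermitRootLogin no" "Port 2222"; do
        set -- $pair
        got=$(sshd_effective "$f" "$1")
        if [ "$got" != "$2" ]; then
            echo "$1: effective value '${got:-<default>}', want '$2'"
            rc=1
        fi
    done
    users=$(sshd_effective "$f" AllowUsers)
    case "$users" in
        "")    echo "AllowUsers: not set, every account may log in"; rc=1 ;;
        *"#"*) echo "AllowUsers: '#' in the value, the comment became user patterns: '$users'"; rc=1 ;;
    esac
    return $rc
}

# write_sample FILE: constructed sshd_config with two classic mistakes, a
# leftover "yes" above the hardened line and an inline comment on AllowUsers.
write_sample() {
    cat > "$1" <<'EOF'
# leftover from an earlier edit
PasswordAuthentication yes

Port 2222
PasswordAuthentication no
AllowUsers demo # Important to allow SSH login!
PermitRootLogin no

Match User backup
    PasswordAuthentication yes
EOF
}

# write_fixed_sample FILE: the same settings written correctly.
write_fixed_sample() {
    cat > "$1" <<'EOF'
Port 2222
PasswordAuthentication no
# Only these users may log in over SSH
AllowUsers demo
PermitRootLogin no
PrintMotd no
ClientAliveCountMax 2
EOF
}

# Stand-alone demo on the constructed samples (temp files, not /etc).
tmp=$(mktemp)
write_sample "$tmp"
echo "== broken sample =="
check_sshd_hardening "$tmp" || echo "-> fix before restarting sshd"
write_fixed_sample "$tmp"
echo "== fixed sample =="
check_sshd_hardening "$tmp" && echo "-> ok"
rm -f "$tmp"
```

Run it against /etc/ssh/sshd_config before restarting the daemon, and also run `sshd -t`, which asks sshd itself to parse the file: a syntax error found only after the restart can lock you out of a remote machine.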
There is still one more thing to do: add your SSH public key.
On your computer:
Generate an SSH key pair with ssh-keygen. The options used here:
-t selects the key type (ed25519 is the recommended modern choice)
-C adds a comment to the key (if not specified, user@hostname is used instead)
-f sets where to store the generated keys
# As a normal user
ssh-keygen -t ed25519 -C "OpenBSD" -f ~/.ssh/openbsd
You will be prompted for a passphrase; choose one, it encrypts the private key on disk.
- Then copy the generated ssh public key
# As a normal user
# ~/.ssh/openbsd is your private key!! Don't touch that
# ~/.ssh/openbsd.pub is your public key! That's the one we will be using
cat ~/.ssh/openbsd.pub
It will look something like this:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICq8qLYF0NOVG5/rNSNUwWJPtIPO7M7XBc9M1ppcfXgw OpenBSD
Back to the server:
Append the copied public key to the authorized_keys file in the .ssh directory of the user you created. For example, for the user demo:
# Run as demo
# ~/.ssh does not exist yet for a fresh user; sshd ignores it if others can write to it
mkdir -p ~/.ssh && chmod 700 ~/.ssh
# Use >> so you don't clobber keys that are already there
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICq8qLYF0NOVG5/rNSNUwWJPtIPO7M7XBc9M1ppcfXgw OpenBSD" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# If you ran the above as root instead, hand the directory back to demo
chown -R demo /home/demo/.ssh
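The same step as a reusable function, added here as an example and not taken from the post: it sanity-checks the key line, creates ~/.ssh with the modes sshd's StrictModes (on by default) requires, appends the key only if that exact key is not already present, and hands ownership to the user when run as root. The home directory is passed explicitly so the function can be exercised against a temporary directory; for the real thing pass /home/demo. The sample key is the one shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: install a public key into
# a user's authorized_keys the way sshd expects it (~/.ssh 0700, file 0600,
# owned by the user) without clobbering keys that are already there.

# install_authorized_key HOMEDIR USER "ssh-ed25519 AAAA... comment"
# Returns 0 on success, 1 if the key line is malformed, 2 if HOMEDIR is missing.
install_authorized_key() {
    home=$1 user=$2 key=$3
    [ -d "$home" ] || { echo "no such home directory: $home" >&2; return 2; }

    set -- $key                        # split into type, body, comment
    case "$1" in
        ssh-ed25519|sk-ssh-ed25519@openssh.com|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported or malformed key type: '$1'" >&2; return 1 ;;
    esac
    case "$2" in
        ""|*[!A-Za-z0-9+/=]*) echo "key body is not base64" >&2; return 1 ;;
    esac

    dir=$home/.ssh file=$dir/authorized_keys
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    # Append only if this type+body pair is absent, so re-running is harmless
    # and existing keys survive (the post's single ">" would overwrite them).
    grep -qF -- "$1 $2" "$file" || printf '%s\n' "$key" >> "$file"
    # Hand ownership to the user when run as root; sshd checks the owner too.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user" "$dir" 2>/dev/null || echo "warning: could not chown to $user" >&2
    fi
    return 0
}

# Stand-alone demo against a temporary "home" with the post's sample key.
demo_home=$(mktemp -d)
sample_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICq8qLYF0NOVG5/rNSNUwWJPtIPO7M7XBc9M1ppcfXgw OpenBSD"
install_authorized_key "$demo_home" demo "$sample_key"
install_authorized_key "$demo_home" demo "$sample_key"   # second run adds nothing
echo "keys installed: $(grep -c . "$demo_home/.ssh/authorized_keys")"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

The format check is deliberately loose (it accepts any base64-looking body); its job is to reject pasted garbage, not to validate the key cryptographically. sshd does that when the key is used.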
Finally, restart the sshd daemon
rcctl restart sshd
Note: If you did not enable sshd during installation, start it first:
rcctl start sshd
Test the SSH configuration
Before logging out of your current session, open a new terminal and check that you can log in as the new user.
On your computer:
# for user demo and IPv4 e.g.: 1.2.3.4
# This should work
ssh demo@1.2.3.4 -p 2222 -i ~/.ssh/openbsd
# These shouldn't work
ssh root@1.2.3.4 -p 2222 -i ~/.ssh/openbsd
ssh root@1.2.3.4 -p 2222
ssh cs@1.2.3.4 -p 2222
If any of the last three commands worked, something is configured wrongly: go back to the SSH configuration section, check what you missed, and restart sshd.
- Are you able to log in? Perfect!
Update the installed packages
doas pkg_add -Uu
# You will be prompted for the user password!
Pro Tip:
Instead of typing:
ssh demo@1.2.3.4 -p 2222 -i ~/.ssh/openbsd
on your computer, add this to ~/.ssh/config (change User, HostName and IdentityFile to your username, the server's public IPv4 address and the path to your private key):
Host openbsd
    HostName 1.2.3.4
    User demo
    Port 2222
    IdentityFile ~/.ssh/openbsd
    # Offer only this key, not every key your agent holds
    IdentitiesOnly yes
You can then use this instead:
ssh openbsd
System administration
I highly recommend you read the afterboot man page:
man afterboot
You can also read it on the OpenBSD website: https://man.openbsd.org/afterboot
For new users there is also a man page listing the basic commands:
man help
Software
OpenBSD is packed with thoroughly tested tools, so check if there’s already a native way to do what you need before installing anything new.
- Additional software is available as packages, built from the ports tree.
“The ports & packages collection does NOT go through the thorough security audit that the OpenBSD base system does. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security as in the base OS.” (openbsd.org)
Additional packages are installed with the pkg_add command.
For example:
## Install git
doas pkg_add git
To uninstall, use the pkg_delete command:
doas pkg_delete git
If git pulled in dependencies, those are not removed automatically.
To remove packages that nothing depends on any more, use the -a option:
doas pkg_delete -a
- To patch the system, use the syspatch command (a patch that touches the kernel only takes effect after a reboot):
# List the available patches
doas syspatch -c
# Patch the system
doas syspatch
For example:
cschad$ doas syspatch -c
001_xserver
003_libcrypto
cschad$ doas syspatch
Get/Verify syspatch75-001_xserver... 100% |********************| 4308 KB 00:00
Installing patch 001_xserver
Get/Verify syspatch75-003_libcryp... 100% |********************| 12910 KB 00:00
Installing patch 003_libcrypto
Errata can be reviewed under /var/syspatch
Upgrade to a new OpenBSD release (releases come out roughly every six months).
- Upgrade with sysupgrade, which fetches and verifies the new sets, reboots into the installer and upgrades unattended:
doas sysupgrade
After the upgrade, update the packages you have installed so they match the new release:
doas pkg_add -Uu
Monitoring
Command | Description |
---|---|
systat | Display system statistics in fullscreen mode (curses). It offers several views, such as vmstat, ifstat, netstat and pf. |
top | Display information about CPU usage and processes. |
dmesg | Display the system message buffer, including boot-time information. |
sysctl | Display or set kernel (sysctl) variables. |
Check the man pages for more information:
man systat
man top
man dmesg
man sysctl
Daemons & system services
Configure and control daemons and services with the rcctl utility (it needs root, so prefix the commands with doas when running as your user).
Let's take the native OpenBSD HTTP server, httpd, as an example:
rcctl start httpd # Start it now
rcctl enable httpd # Enable it at boot (starting does not enable, and enabling does not start)
rcctl reload httpd # Reload the config file without restarting
rcctl stop httpd # Stop it
rcctl disable httpd # Disable it at boot
List the services enabled at boot with:
rcctl ls on
(rcctl ls started lists the ones currently running, and rcctl ls failed the ones that are enabled but not running.)
I hope this post provided some useful insights into securing and administrating your OpenBSD system.
😌 Expect future posts diving deeper into utilizing OpenBSD for server and hosting environments.
If I missed anything or got something wrong, please feel free to correct me in the comments below!