I’m assuming you followed the Installation guide in this post, and now you want to set up the system!

Pro Tip: We will be editing some files! Neither vim nor nano is installed by default (only vi), so if you can’t survive vi, go ahead and install your editor:

# Run as Root
pkg_add vim # or nano

The first thing to do is add a user: instead of working as root, it’s much more secure to use a regular user with doas permissions.

Create a user and add it to the wheel group. The -m option creates a home directory for it (/home/MyNewUser/).

## Run as root
# Create the user demo & add it to the wheel group
useradd -m -G wheel demo

# Give a password to demo
passwd demo

Accidentally added a user? Remove it with userdel, the counterpart of useradd.

Note: Make sure the root password is very strong! You can change it with:

# Run as Root
passwd root

Doas Setup

Doas is the OpenBSD equivalent of sudo on Linux, but much simpler.

Some basic doas options:

  • permit: The user has to enter their password once, then does not have to enter it again for a short period of time.
  • nopass: The user does not have to enter their password at all.

## Run as root
## change demo to the user you have added
echo "permit persist :wheel" > /etc/doas.conf

Now you should be able to switch to that user and do privileged tasks:

# Change to the user demo
su demo

# Update the installed packages
doas pkg_add -Uu

SSH Configuration

Unless you are installing on the cloud or on a laptop you will be SSH-ing into, you can safely jump to the System Administration section.

Here is what we will be changing:

# Change the default SSH port (Optional)
# This is useful against automated SSH scanning tools
Port 2222
# Disable password authentication for better security
PasswordAuthentication no
# Replace 'demo' with the actual username you want to allow SSH access to
# Important: without your user listed here you will lock yourself out of SSH!
AllowUsers demo
# Do not allow root login for security reasons
PermitRootLogin no
# Disable the Message of the Day (MOTD) for a cleaner output
PrintMotd no
# Set the maximum number of client alive messages that can be sent
# without receiving a response before disconnecting the session
ClientAliveCountMax 2

Note: By default, OpenBSD ships sshd_config with secure options, so we haven’t touched the other settings!

Now edit /etc/ssh/sshd_config:

# Run as root

#  TIP
#  > press ZZ to save and quit the file
#  > press ZQ to quit without saving the file
vim /etc/ssh/sshd_config
# or
vi /etc/ssh/sshd_config
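Once the file is edited, it is easy to miss a line or leave a setting commented out. The following audit script is an added example, not part of the original post: it reads the effective value of each keyword from the global section of an sshd_config and reports which of the settings above are missing. It runs offline against two constructed sample files (one matching this post, one in the stock everything-commented state); on a real host you would point `audit_sshd_config` at /etc/ssh/sshd_config. It assumes keyword and value are separated by whitespace (the `Key=value` form is not handled) and only audits settings before the first `Match` block, since sshd takes the first value it sees for a keyword and everything after `Match` is conditional.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# hardening settings used in this post. Assumes "Keyword value" syntax and
# checks only the global section (settings before the first "Match" line).

# Print the effective value of a keyword (case-insensitive); prints nothing
# when the keyword is unset, in which case sshd's default applies.
effective_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        tolower($1) == "match" { exit }        # stop at the first Match block
        tolower($1) == key {                   # first occurrence wins in sshd
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }' "$2"
}

# Compare the effective value of a keyword with the expected one.
# Returns 0 on match, 1 otherwise, and prints an ok/FAIL line.
check_setting() {
    file=$1; keyword=$2; expected=$3
    got=$(effective_value "$keyword" "$file")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]; then
        echo "ok    $keyword $got"
        return 0
    fi
    echo "FAIL  $keyword is '${got:-unset (default applies)}', expected '$expected'"
    return 1
}

# AllowUsers must be set and contain the user as a whole word; when it is
# unset, sshd accepts logins for every account with a valid shell.
check_allowed_user() {
    file=$1; user=$2
    got=$(effective_value AllowUsers "$file")
    case " $got " in
        *" $user "*) echo "ok    AllowUsers $got"; return 0 ;;
    esac
    echo "FAIL  AllowUsers is '${got:-unset}', does not restrict logins to '$user'"
    return 1
}

# Run all checks; the return code is the number of failed checks.
audit_sshd_config() {
    file=$1; user=$2; failures=0
    check_setting "$file" PasswordAuthentication no || failures=$((failures + 1))
    check_setting "$file" PermitRootLogin no        || failures=$((failures + 1))
    check_setting "$file" ClientAliveCountMax 2     || failures=$((failures + 1))
    check_allowed_user "$file" "$user"              || failures=$((failures + 1))
    return "$failures"
}

# Constructed sample: the settings from this post, comments included.
write_hardened_sample() {
    cat > "$1" <<'EOF'
# Change the default SSH port (Optional)
Port 2222
PasswordAuthentication no
AllowUsers demo
PermitRootLogin no
PrintMotd no
ClientAliveCountMax 2
EOF
}

# Constructed sample: a stock-style file where everything is still commented
# out, so the defaults apply (password logins on, no AllowUsers restriction).
write_stock_sample() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
EOF
}

HARDENED=$(mktemp); STOCK=$(mktemp)
write_hardened_sample "$HARDENED"
write_stock_sample "$STOCK"
echo "== hardened sample =="; audit_sshd_config "$HARDENED" demo
echo "== stock sample ==";    audit_sshd_config "$STOCK" demo || echo "$? setting(s) need attention"
rm -f "$HARDENED" "$STOCK"
```

The return code of `audit_sshd_config` makes it usable from a cron job or a post-install script: a non-zero exit means at least one of the expected settings is not in effect.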

There is still one more thing to do: adding your SSH public key.

On your computer:

Generate an SSH key pair with:

  • -t for the algorithm (ed25519 is the most secure one)
  • -C to add a comment in the key (If not specified, your hostname will be used instead)
  • -f where to store the generated keys
# As a normal user
ssh-keygen -t ed25519 -C "OpenBSD" -f ~/.ssh/openbsd

You will be prompted for a passphrase that protects the private key!

Then copy the generated SSH public key:
# As a normal user
# ~/.ssh/openbsd is your private key!! Don't touch that
# ~/.ssh/openbsd.pub is your public key! That's the one we will be using

cat ~/.ssh/openbsd.pub

It will look something like this:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICq8qLYF0NOVG5/rNSNUwWJPtIPO7M7XBc9M1ppcfXgw OpenBSD

Back to the server:

Add the copied SSH public key to the authorized_keys file of the user you created, for example demo:

# Run as demo
# Create the .ssh directory first; it does not exist for a fresh user
mkdir -p /home/demo/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICq8qLYF0NOVG5/rNSNUwWJPtIPO7M7XBc9M1ppcfXgw OpenBSD" > /home/demo/.ssh/authorized_keys

# sshd ignores authorized_keys if the file or ~/.ssh is writable by others
chmod 700 /home/demo/.ssh
chmod 600 /home/demo/.ssh/authorized_keys

# Make sure to change the ownership if the above commands were run as root
chown -R demo:demo /home/demo/.ssh
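The one-liner above overwrites authorized_keys, so running it a second time with a new key silently removes the first one. The function below is an added example, not from the original post, of the same step done carefully: it creates ~/.ssh if needed, appends instead of overwriting, skips a key that is already present (comparing key type and material, so a different comment does not create a duplicate), and sets the permissions sshd requires. It runs offline against a throwaway directory created with mktemp and reuses the sample key shown in the post; on a real host you would call it with /home/demo and the owner demo:demo (assumed, as in the post, to be the user's login group). The empty owner argument in the demo run just skips chown.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent installation of a
# public key into a user's authorized_keys with sshd-compatible permissions.
# Return codes: 0 key installed, 1 key already present, 2 invalid input.

install_authorized_key() {
    home=$1; pubkey=$2; owner=$3     # owner is "user:group", or "" to skip chown
    sshdir="$home/.ssh"
    keyfile="$sshdir/authorized_keys"

    # Accept only a single line that starts with a known key type.
    if [ "$(( $(printf '%s\n' "$pubkey" | wc -l) ))" -ne 1 ]; then
        echo "refusing multi-line input" >&2; return 2
    fi
    case "$pubkey" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "not a public key line: $pubkey" >&2; return 2 ;;
    esac

    # Directory 700, file 600: StrictModes rejects group/world-writable files.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$keyfile"
    chmod 600 "$keyfile"

    # Duplicate check on type + material only, ignoring the trailing comment.
    material=$(printf '%s\n' "$pubkey" | awk '{ print $1, $2 }')
    if awk -v m="$material" '($1 " " $2) == m { found = 1 } END { exit !found }' "$keyfile"; then
        echo "already present: $material"
        return 1
    fi

    printf '%s\n' "$pubkey" >> "$keyfile"      # append, never overwrite
    if [ -n "$owner" ]; then
        chown -R "$owner" "$sshdir"            # needed when run as root
    fi
    echo "installed: $material"
    return 0
}

# Number of key lines in a user's authorized_keys (comments and blanks ignored).
count_authorized_keys() {
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1/.ssh/authorized_keys"
}

# Permission string of a path, e.g. "drwx------", without relying on stat(1)
# whose flags differ between OpenBSD and Linux.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Constructed demo: a throwaway home directory and the public key from the post.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICq8qLYF0NOVG5/rNSNUwWJPtIPO7M7XBc9M1ppcfXgw OpenBSD"
DEMO_HOME=$(mktemp -d)
install_authorized_key "$DEMO_HOME" "$SAMPLE_KEY" ""                  # installed
install_authorized_key "$DEMO_HOME" "$SAMPLE_KEY re-exported" "" || true   # already present
ls -ld "$DEMO_HOME/.ssh" "$DEMO_HOME/.ssh/authorized_keys"
echo "keys on file: $(count_authorized_keys "$DEMO_HOME")"
rm -rf "$DEMO_HOME"
```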

Finally, restart the sshd daemon:

rcctl restart sshd

Note: If you haven’t enabled ssh during the installation phase, make sure you start it first:

rcctl start sshd

Test the SSH configuration

Before logging out, open a new terminal and check that you can log in as the added user.

On your computer:

# for user demo and IPv4 e.g.: 1.2.3.4
# This should work
ssh demo@1.2.3.4 -p 2222 -i ~/.ssh/openbsd
# These shouldn't work
ssh root@1.2.3.4 -p 2222 -i ~/.ssh/openbsd
ssh root@1.2.3.4 -p 2222
ssh cs@1.2.3.4 -p 2222

If any of the last three commands works, something is configured the wrong way!

Go back to the SSH Configuration section, see what you have missed, and reload the sshd daemon.

Able to log in? Perfect! Now update the installed packages:

doas pkg_add -Uu
# You will be prompted for the user password!

Pro Tip: Instead of typing:

ssh demo@1.2.3.4 -p 2222 -i ~/.ssh/openbsd

add this to ~/.ssh/config on your computer:

## Make sure you change the User, Public IPv4 and Path to your ssh private key
Host openbsd
  HostName 1.2.3.4
  IdentitiesOnly yes
  User cschad
  Port 2222
  IdentityFile /home/cschad/.ssh/openbsd

You can then use this instead:

ssh demo@openbsd

System administration

I highly recommend reading the afterboot man page:

man afterboot

You can also read it on the OpenBSD website: https://man.openbsd.org/afterboot

For new users (basic commands):

help

Software

OpenBSD is packed with thoroughly tested tools, so check if there’s already a native way to do what you need before installing anything new.

  • Additional software is available through Ports.

    “ The ports & packages collection does NOT go through the thorough security audit that the OpenBSD base system does. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security as in the base OS. ” Openbsd.org

Additional packages can be installed with the pkg_add command, for example:

## Install git
doas pkg_add git

To uninstall, use the pkg_delete command:

doas pkg_delete git

If git pulled in dependencies, those won’t be uninstalled automatically. To remove dependencies that nothing needs any more, use the -a option:

doas pkg_delete -a

To update or patch the system, use the syspatch command:
# List the available patches
doas syspatch -c

# Patch the system
doas syspatch

For example:

cschad$ doas syspatch -c
001_xserver
003_libcrypto

cschad$ doas syspatch
Get/Verify syspatch75-001_xserver... 100% |********************|  4308 KB    00:00
Installing patch 001_xserver
Get/Verify syspatch75-003_libcryp... 100% |********************| 12910 KB    00:00
Installing patch 003_libcrypto
Errata can be reviewed under /var/syspatch

Upgrade to a new OpenBSD release with sysupgrade; releases usually come out every six months.

Upgrade with sysupgrade:
doas sysupgrade

To update the packages you have installed (ports), use:

doas pkg_add -Uu

Monitoring

| Command | Description |
|---------|-------------|
| systat  | Display system statistics in fullscreen mode using ncurses/curses. The systat command offers several useful views. |
| top     | Display information about CPU usage and processes. |
| dmesg   | Display the OpenBSD system message buffer, including boot-time info. |
| sysctl  | Display or set the OpenBSD sysctl (kernel) variables. |

Check out the man pages for more information:

man systat
man top
man dmesg
man sysctl

Daemons & system services

Configure and control daemons and services with the rcctl utility.

Let’s take the native OpenBSD HTTP server, httpd, as an example:

rcctl start httpd     # Start it
rcctl enable httpd    # Enable it at boot
rcctl reload httpd    # Reloads config file. Doesn't restart
rcctl stop httpd      # Stop it
rcctl disable httpd   # Disable

List running services with:

rcctl ls on

I hope this post provided some useful insights into securing and administering your OpenBSD system.

😌 Expect future posts diving deeper into utilizing OpenBSD for server and hosting environments.

If I missed anything or got something wrong, please feel free to correct me in the comments below!

If you have any insights or suggestions, I would love to hear them 🙂.