or use tar(1):# cd /SRC && dump 0f - . | (cd /DST && restore -rf - )
# cd /SRC && tar cf - . | (cd /DST && tar xpf - )
This shows that httpd(8) is not to be started from rc(8) at boot time. Each line has a comment showing you the flags for common usage of that daemon or service.httpd_flags=NO
Do not alter rc.conf(8) directly. Instead, use the rcctl(8) utility to maintain the /etc/rc.conf.local file. This makes future upgrades easier -- all the changes are in the one file that isn't touched during upgrade.
For example, to start the apmd(8) daemon for CPU scaling, you might do:
# rcctl enable apmd # rcctl set apmd flags -A # rcctl start apmd
If the daemon does not automatically detach on startup, remember to add "&" at the end of the command-line.if [ -x /usr/local/sbin/daemonx ]; then echo 'Starting daemonx' && /usr/local/sbin/daemonx fi
From now on, this daemon will be started at boot. You will be able to see any errors on boot.
These scripts, one per daemon, are invoked by rc. The order for system daemons is coded into rc, and the order for packages is managed by the pkg_scripts environment variable, which would be set in /etc/rc.conf.local. Note that simply placing a script in this directory does not cause it to be run on boot; the name of the script must be specified in the pkg_scripts variable to start on boot.
The starting of system scripts is determined by entries in the /etc/rc.conf.local file. For example, /etc/rc.d/httpd does not start httpd(8) unless /etc/rc.conf or /etc/rc.conf.local contains a line defining the httpd_flags variable.
Note that rather than having each script in rc.d managing the entire startup, shutdown, reload, restart, and check operations, most rc.d scripts can be reduced to specifying very few variables, and invoking the rc.subr(8) script, which manages most of the standard way of doing these tasks.
For example, our above daemonx application could be started with a /etc/rc.d/daemonx file consisting of:
and adding the daemon name to the pkg_scripts variable in /etc/rc.conf.local.#!/bin/sh daemon="/usr/local/sbin/daemonx" . /etc/rc.d/rc.subr rc_cmd $1
For example, if appropriately configured, the following command would display root's crontab(5) file:
Check the doas.conf(5) manual for configuration examples.$ doas crontab -l -u root
The doas(1) utility is designed to be a modern, simple replacement for sudo. If you need features specific to sudo, an up-to-date version is available as a package.
Always use vipw(8) to edit your /etc/master.passwd file. vipw(8) will invoke your $EDITOR to edit a copy of /etc/master.passwd. After you are done editing, vipw(8) will first sanity check your changes, then it will re-create /etc/passwd and the password databases, and finally it will install the copy in place of the original /etc/master.passwd file. vipw(8) also takes care of locking these files, so that only one user can make changes at a time.
Use the keywords userquota and groupquota to mark each filesystem in fstab(5) on which you want to enforce quotas. By default, the files quota.user and quota.group will be created at the root of those filesystems. Here is an example /etc/fstab line:
To set the users' quotas, use edquota(8). For example, issue0123456789abcdef.k /home ffs rw,nodev,nosuid,userquota 1 1
and edit the soft and hard limits:# edquota ericj
In this example, the soft limit is set to 1000000k, and the hard limit is set to 1500000k. No limits on the number of inodes will be enforced, since the corresponding soft and hard limits are set to 0. Users who exceed their soft limit are warned and are given a grace period to get their disk usage below their limits. Grace periods can be set by using the -t option on edquota(8). After the grace period is over, the soft limit is handled as a hard limit. This usually results in an allocation failure.Quotas for user ericj: /home: KBytes in use: 62, limits (soft = 1000000, hard = 1500000) inodes in use: 25, limits (soft = 0, hard = 0)
Use quotaon(8) to enable quotas:
This will scan through fstab(5) and enable quotas on the filesystems with quota options. View quota statistics with quota(1).# quotaon -a
WARNING: One-time password systems only protect authentication information. They do not prevent network eavesdroppers from gaining access to private information. Furthermore, if you are accessing a secure system A, it is recommended that you do this from another trusted system B, to ensure nobody is gaining access to system A by logging your keystrokes or by capturing and/or forging input and output on your terminal devices.
Then use skeyinit(1) to initialize your S/Key. You will first be prompted for your login password, then you will be asked for your S/Key secret passphrase, which must be at least 10 characters long:# skeyinit -E
Notice the information in the last two lines. The program used to create your S/Key password is otp-md5(1), the sequence number is 100 and the secret key is oshi45820. The six small words HAUL BUS JAKE DING HOT HOG constitute the S/Key password with sequence number 100.$ skeyinit Reminder - Only use this method if you are directly connected or have an encrypted channel. If you are using telnet, exit with no password and use skeyinit -s. Password: [Adding ericj with md5] Enter new secret passphrase: Again secret passphrase: ID ericj skey is otp-md5 100 oshi45820 Next login password: HAUL BUS JAKE DING HOT HOG
In order to generate a list of S/Key passwords, do:$ skeyinfo -v otp-md5 95 oshi45820 $ otp-md5 95 oshi45820 Reminder - Do not use this program while logged in via telnet. Enter secret passphrase: NOOK CHUB HOYT SAC DOLE FUME
$ otp-md5 -n 5 95 oshi45820 Reminder - Do not use this program while logged in via telnet. Enter secret passphrase: 91: SHIM SET LEST HANS SMUG BOOT 92: SUE ARTY YAW SEED KURD BAND 93: JOEY SOOT PHI KYLE CURT REEK 94: WIRE BOGY MESS JUDE RUNT ADD 95: NOOK CHUB HOYT SAC DOLE FUME
Similarly, for ssh(1):$ ftp localhost Connected to localhost. 220 oshibana.shin.ms FTP server (Version 6.5/OpenBSD) ready. Name (localhost:ericj): ericj:skey 331- otp-md5 93 oshi45820 331 S/Key Password: JOEY SOOT PHI KYLE CURT REEK [...] 230 User ericj logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> quit 221 Goodbye.
$ ssh -l ericj:skey localhost otp-md5 91 oshi45821 S/Key Password: SHIM SET LEST HANS SMUG BOOT Last login: Thu Apr 7 12:21:48 on ttyp1 from 220.127.116.11 $
YP is a directory service compatible with Sun Microsystems NIS (Network Information System). See yp(8) for an overview of the available manual pages. Be careful, some operating systems contain directory services bearing similar names but all the same being incompatible, for example NIS+.
To use other directory services except YP, you either need to populate local configuration files from the directory, or you need a YP frontend to the directory. For example, you can use the sysutils/login_ldap port when you choose the former, while the ypldap(8) daemon provides the latter.
For some applications, simply synchronizing a small number of configuration files among a group of machines using tools like cron(8), scp(1) or rsync (available from ports) constitutes an easy and robust alternative to a full-blown directory service.
Thus, before setting up any YP server, you should consider whether these inherent security flaws are acceptable in your context. In particular, YP is inadequate if potential attackers have physical access to your network. Anybody gaining root access to any computer connected to your network segments carrying YP traffic can bind your YP domain and retrieve its data. In some cases, passing YP traffic through SSL or IPSec tunnels might be an option.
Use the domainname(1) utility to set the domain name, and put it into the defaultdomain(5) file to have it automatically set at system startup time.
# echo "puffynet" > /etc/defaultdomain # domainname `cat /etc/defaultdomain`
At this point, it is not necessary to specify slave servers yet. To add slave servers, you can rerun ypinit(8) later, using the -u option. Setting up at least one slave server for each domain is useful to avoid service interruptions. For example, should the master server ever go down or lose network connectivity, client processes trying to access YP maps block indefinitely until they receive the requested information. Thus, YP service interruptions typically render the client hosts completely unusable until YP is back to service.# ypinit -m
The only inconvenience caused by changing the source directory is that you will not be able to add, remove and modify users and groups in the YP domain using utilities like user(8) and group(8). Instead, you will have to edit the configuration files with a text editor.
To define the source directory, edit the file /var/yp/`domainname`/Makefile and change the DIR variable, e.g.
For example, even in case you use the default source directory /etc, you do not usually need all accounts and groups existing on the server on all your client hosts. In particular, not serving the root account and thus keeping root's password hash confidential is often beneficial to security. Review the values of MINUID, MAXUID, MINGID and MAXGID and adjust them to you needs.
If all your YP clients run OpenBSD or FreeBSD, exclude the encrypted passwords from the passwd maps by setting UNSECURE="" in /var/yp/`domainname`/Makefile.
The former practice of editing the template file /var/yp/Makefile.yp is no longer recommended. Changes to that file affect all domains initialized after the change, but do not affect domains initialized before the change, so this is error-prone either way: You both risk that the intended changes do not take effect, and you risk to forget about them and have them affect other domains later which they were never intended for.
Do not worry about error messages from yppush(8) right now. The YP server is not yet running.# cd /var/yp # make
# rcctl enable portmap # portmap
It will automatically be restarted at boot time as long as the directory /var/yp/`domainname` continues to exist.# ypserv
# pkill ypbind # rm -rf /var/yp/binding
If you left the source directory at the default /etc, just use rcctl enable yppasswdd.# rcctl set yppasswdd flags -d /etc/yp/src/puffynet # rpc.yppasswdd
This updates all database files in /var/yp/`domainname`, with one exception: The file ypservers.db, listing all YP master and slave servers associated with the domain, is created directly from ypinit -m and modified exclusively by ypinit -u. In case you accidentally delete it, run ypinit -u to recreate it from scratch.# cd /var/yp # make
# echo "puffynet" > /etc/defaultdomain # domainname `cat /etc/defaultdomain` # rcctl enable portmap # portmap
Other useful tools for debugging your YP setup include ypmatch(1) and yptest(8).# ypcat passwd bob:*:5001:5000:Bob Nuggets:/home/bob:/usr/local/bin/zsh ...
For a list of standard YP maps and their standard usage, see Makefile.yp(8). The most common use cases include:
For details on selective inclusion and exclusion of user accounts, see passwd(5). To test whether inclusion actually works, use the id(1) utility.# echo '+:*::::::::' >> /etc/master.passwd # pwd_mkdb -p /etc/master.passwd
For details on selective group inclusion, see group(5).# echo '+:*::' >> /etc/group
For the OpenBSD base system, there are three options:
For third party software installed via packages, there are two options:
Whether you download and untar the source trees or fetch them from CVS, it's best to avoid using root where possible. Installing the new binaries will be the only step that requires it.
For our example here, we will look at patch 011 for OpenBSD 5.6, dealing with pppoe(4) connections. Each patch is cryptographically signed with the signify(1) tool and contains instructions on how to apply it properly. We will assume you have put this patch into your current working directory.
Note the "Hunk #1 succeeded" message above - this indicates the patch was applied successfully. Many patches are more complex than this and will involve multiple hunks and multiple files, in which case you should verify that all hunks succeeded on all the files. Patches are very sensitive to "white space" - copying and pasting from your browser will often change tab characters into spaces or otherwise alter the white space of a file, making it not apply.$ signify -Vep /etc/signify/openbsd-56-base.pub -x 011_pppoe.patch.sig \ -m - | (cd /usr/src && patch -p0) Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- | |OpenBSD 5.6 errata 11, Dec 5, 2014: | |An incorrect memcpy call would result in corrupted MAC addresses when |using PPPOE. | |Apply patch using: | | signify -Vep /etc/signify/openbsd-56-base.pub -x 011_pppoe.patch.sig \ | -m - | (cd /usr/src && patch -p0) | |Then build and install a new kernel. | |Index: sys/net/if_ethersubr.c |=================================================================== |RCS file: /cvs/src/sys/net/if_ethersubr.c,v |retrieving revision 1.174 |diff -u -p -r1.174 if_ethersubr.c |--- sys/net/if_ethersubr.c 12 Jul 2014 18:44:22 -0000 1.174 |+++ sys/net/if_ethersubr.c 1 Dec 2014 17:48:55 -0000 -------------------------- Patching file sys/net/if_ethersubr.c using Plan A... Hunk #1 succeeded at 673. <-- Look for this message! done
At this point, you would build and install the new kernel and reboot the system.
Not all patches are for the kernel. In some cases, you will have to rebuild individual utilities. At other times, will require recompiling all utilities statically linked to a patched library.