OpenBSD FAQ - System Management [FAQ Index]



When I try to su to root it says I'm in the wrong group

On OpenBSD, users who are in the wheel group are allowed to use su(1) to become root. Otherwise, the user will receive an error.

If you are creating new users with adduser(8), you can add them to the wheel group by answering wheel at the Invite user into other groups: prompt. Existing users must be added to the wheel group by hand. Here is an example of a /etc/group entry which has had the user ericj added to the wheel group:

wheel:*:0:root,ericj
If you want to give access to superuser privileges without adding users to the wheel group, you can use doas(1).

Duplicating filesystems with dump and restore

To duplicate your filesystem, use dump(8) and restore(8). For example, to duplicate everything under directory SRC to directory DST, do:
# cd /SRC && dump 0f - . | (cd /DST && restore -rf - )
dump(8) is designed to give you plenty of backup capabilities, and it may be an overkill if you just want to duplicate part of a (or an entire) filesystem. The command tar(1) may be faster for this operation. The format looks very similar:
# cd /SRC && tar cf -  . | (cd /DST && tar xpf - )

The rc system startup script

OpenBSD itself uses an rc(8) style startup. This uses a few key files for startup.

How does rc(8) work?

The main files a system administrator should concentrate on are /etc/rc.conf (for guidance), /etc/rc.conf.local (for changes), /etc/rc.local and /etc/rc.shutdown. To get a look of how the rc(8) procedure works, here is the flow:

After the kernel is booted, /etc/rc is started:

Starting daemons and services that come with OpenBSD

Most daemons and services that come with OpenBSD are controlled on boot by variables defined in /etc/rc.conf. You'll see lines similar to this:
httpd_flags=NO
This shows that httpd(8) is not to be started from rc(8) at boot time. Each line has a comment showing you the flags for common usage of that daemon or service. This doesn't mean that you must run that daemon or service with those flags. Read the relevant man page to see how you can have that daemon or service start up in any way you like.

We strongly suggest you do not alter /etc/rc.conf directly. Instead, use the rcctl(8) utility to maintain the /etc/rc.conf.local file. This makes future upgrades easier -- all the changes are in the one file that isn't touched during upgrade.

For example, to start the apmd(8) daemon for CPU scaling, you might do:

# rcctl enable apmd
# rcctl set apmd flags -A
# rcctl start apmd

Starting up local daemons and configuration

For other daemons which you might install on the system via packages or other ways, you could use the /etc/rc.local file. For example, say you installed a daemon located at /usr/local/sbin/daemonx. If you want it to start at boot time, put an entry into /etc/rc.local like this:
if [ -x /usr/local/sbin/daemonx ]; then
	echo 'Starting daemonx' && /usr/local/sbin/daemonx
fi
If the daemon does not automatically detach on startup, remember to add "&" at the end of the command-line.

From now on, this daemon will be started at boot. You will be able to see any errors on boot. A normal boot with no errors would show a line like this:

Starting daemonx

The /etc/rc.d directory

OpenBSD's system daemons ("services") are started, stopped and controlled by rc.d(8). All system daemons are handled by these scripts, and most add-on packages are as well.

These scripts, one per daemon, are invoked by rc. The order for system daemons is coded into rc, and the order for add-in packages is managed by the pkg_scripts environment variable, which would be set in /etc/rc.conf.local. Note that simply placing a script in this directory does not cause it to be run on boot; the name of the script must be specified in the pkg_scripts variable to start on boot.

The starting of system scripts is determined by entries in the /etc/rc.conf.local file. For example, /etc/rc.d/httpd does not start httpd(8) unless /etc/rc.conf or /etc/rc.conf.local contains a line defining the httpd_flags variable. To help make sure your system will come up as expected on the next boot, the rc.d scripts will not run their daemon if the appropriate variable is not defined. You can, of course, manually invoke /usr/sbin/httpd directly with whatever options you wish, if you wish to run the program manually.

Note that rather than having each script in rc.d managing the entire startup, shutdown, reload, restart, and check operations, most rc.d scripts can be reduced to specifying very few variables, and invoking the rc.subr(8) script, which manages most of the standard way of doing these tasks.

For example, our above daemonx application could be started with a /etc/rc.d/daemonx file consisting of:

#!/bin/sh

daemon="/usr/local/sbin/daemonx"

. /etc/rc.d/rc.subr

rc_cmd $1
and adding the daemon name to the pkg_scripts variable in /etc/rc.conf.local.

rc.shutdown

/etc/rc.shutdown is a script that is run at shutdown. Anything you want done before the system shuts down should be added to this file.

OpenBSD's sudo replacement, doas

What is doas(1)?

doas(1) allows a user to temporarily run commands as another user. For example, if appropriately configured,
$ doas fdisk sd1
allows you to run the command fdisk(8) as if you were root. Key words there are "appropriately configured" of course. You don't want average users to be able to get root privileges for any command they wish to run! Typically, though certainly not required, users in the "wheel" group are given permission to run commands with doas.

Why doas(1)?

One common challenge system administrators face is the contradictory requirement of multiple people managing machines using logins that shouldn't be shared. doas(1) solves this problem by permitting a certain subset of your users (for example, members of the wheel group) to run predetermined (often all) commands as another user (often root). Now, anyone can run administrative commands, only needing to authenticate as themselves. They do not need to use the root account or know the root password.

An added advantage of "doas" is all activity is logged. It is possible to find out who ran an application.

Using a properly configured doas(1) on OpenBSD, one can completely disable the root account, eliminating all root password management issues.

It is also considered good practice by many to use doas when absolutely necessary to run a command as root, rather than sitting at a root console prompt. This way, an erroneously typed command is less likely to have catastrophic results. However, this is subject to some debate. It is possible to cause as much chaos and havoc with a "finger-memory" (or just incorrect command) invocation of doas as it is when logged in as root. For this reason, we do not blindly side with those that chant "always use doas, never use root!" or spend hours making things happen without root. Notably, if you set doas to not require confirmation of your password, any script or application running as you can invoke doas(1) to make any changes to your system as root. For this reason, for personal systems, it is probably better to either just use su(1) to elevate oneself to root status, or use doas(1) with the password option.

"Sounds like sudo!"

Yes, doas(1) was inspired by sudo. It is OpenBSD's replacement for the sudo command.

The complexity of sudo had prevented the importing of the most current versions, and the complexity of the sudoers config file has discouraged many users from doing anything other than uncomment one line in the conf file. In short, sudo's code is too complicated for the way most users use it, and its configuration is too difficult for more advanced uses.

doas(1) is intended to have a simpler, and thus hopefully more secure, code base and configuration file. From a user standpoint, the two are very similar.

For those needing the functionality of sudo, it's available as a package.

Using doas(1) -- basic doas.conf(5)

A very basic doas.conf(5) might look like this:
permit keepenv { PKG_PATH ENV PS1 SSH_AUTH_SOCK } :wheel
This file gives users in the wheel group root-level access to all commands, with the environment variables PKG_PATH, ENV, PS1 and SSH_AUTH_SOCK passed through to the program they are invoking. The user will be asked to verify their password before the command is run.

A more sophisticated doas.conf(5) file which would permit you to build OpenBSD from source using doas(1) without entering your password every time might be:

permit nopass keepenv { PKG_PATH ENV PS1 SSH_AUTH_SOCK } :wheel
permit nopass keepenv { \
    FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \
    DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \
    MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \
    PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \
    SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
While the nopass option makes using doas(1) very easy, it can also be invoked by any script or program, without the user's knowledge or permission. For this reason, systems used as general purpose workstations should probably not use the nopass option, if using doas(1) at all. The alternative is using su(1) and the root password to use the root account.

If you don't like the idea of any script or program you run being able to silently invoke doas(1) to run something as root, but you find typing your password over and over annoying, you may want to create a user for administrative tasks, such as "admin," and have a configuration file like this:

permit :wheel as admin
permit nopass admin
Now, anyone who is in the wheel group can become "admin" with just one entry of their password, and then admin can run the commands they wish without a password until they drop back to their normal user.

Changing a user's password

If you edit /etc/passwd directly, your changes will be lost. OpenBSD generates /etc/passwd dynamically with pwd_mkdb(8). The main password file in OpenBSD is /etc/master.passwd. According to the man page,
FILES
     /etc/master.passwd  current password file
     /etc/passwd         a 6th Edition-style password file
     /etc/pwd.db         insecure password database file
     /etc/pwd.db.tmp     temporary file
     /etc/spwd.db        secure password database file
     /etc/spwd.db.tmp    temporary file
In a traditional Unix password file, such as /etc/passwd, everything including the user's encrypted password is available to anyone on the system and is a prime target for password cracking programs. 4.4BSD introduced the master.passwd file, which has an extended format. It has additional options beyond those provided by /etc/passwd, and is only readable by root. For faster access to data, the library calls which access this data normally read /etc/pwd.db and /etc/spwd.db.

OpenBSD does come with a tool with which you should edit your password file. It is called vipw(8). vipw will use vi (or your favorite editor defined per $EDITOR) to edit /etc/master.passwd. After you are done editing, it will re-create /etc/passwd, /etc/pwd.db and /etc/spwd.db as per your changes. vipw also takes care of locking these files, so that if anyone else attempts to change them at the same time, they will be denied access.

Adding and deleting users

OpenBSD provides two commands for easily adding users to the system: You can also add users by hand, using vipw(8), but this is more difficult for most operations.

The easiest way to add a user in OpenBSD is to use the adduser(8) script. You can configure adduser(8) by editing /etc/adduser.conf. adduser(8) allows for consistency checks on /etc/passwd, /etc/group and shell databases. It will create the entries and $HOME directories for you. It can even send a message to the user welcoming them. Here is an example user, testuser, being added to a system. They will be given the $HOME directory /home/testuser, made a member of the group guest, and given the shell /bin/ksh.

# adduser
Use option ``-silent'' if you don't want to see all warnings and questions.

Reading /etc/shells
Check /etc/master.passwd
Check /etc/group

Ok, let's go.
Don't worry about mistakes. There will be a chance later to correct any input.
Enter username []: testuser
Enter full name []: Test FAQ User
Enter shell csh ksh nologin sh [ksh]: ksh
Uid [1002]:
Login group testuser [testuser]: guest
Login group is ``guest''. Invite testuser into other groups: guest no
[no]: no
Login class authpf daemon default staff [default]:
Enter password []:
Enter password again []:

Name:        testuser
Password:    ****
Fullname:    Test FAQ User
Uid:         1002
Gid:         31 (guest)
Groups:      guest
Login Class: default
HOME:        /home/testuser
Shell:       /bin/ksh
OK? (y/n) [y]: y
Added user ``testuser''
Copy files from /etc/skel to /home/testuser
Add another user? (y/n) [y]: n
Goodbye!
To delete users you should use the rmuser(8) utility. This will remove all existence of a user. It will remove any crontab(1) entries, their $HOME dir (if it is owned by the user), and their mail. Of course it will also remove their /etc/passwd and /etc/group entries. Next is an example of removing the user that was added above. Notice you are prompted for the name, and whether or not to remove the user's home directory.
# rmuser
Enter login name for user to remove: testuser
Matching password entry:

testuser:$2a$07$ZWnBOsbqMJ.ducQBfsTKUe3PL97Ve1AHWJ0A4uLamniLNXLeYrEie:1002
:31::0:0:Test FAQ User:/home/testuser:/bin/ksh

Is this the entry you wish to remove? y
Remove user's home directory (/home/testuser)? y
Updating password file, updating databases, done.
Updating group file: done.
Removing user's home directory (/home/testuser): done.

Adding users via user(8)

These tools are less interactive than the adduser(8) command, which makes them easier to use in scripts.

The full set of tools is:

Actually adding users

The command /usr/sbin/user is just a frontend to the rest of the /usr/sbin/user* commands. Therefore, the following commands can be added by using user add or useradd. Whichever form you chose doesn't change the results at all. Remember, since user(8) is not interactive, the easiest way to add users is with adduser(8).

useradd(8) is less daunting to use if you know the default settings beforehand. These settings are located in usermgmt.conf(5) and can be viewed by doing:

$ user add -D
group           users
base_dir        /home
skel_dir        /etc/skel
shell           /bin/csh
inactive        0
expire          Null (unset)
range           1000..60000
These defaults will be used unless you specify alternatives with the command-line options. For example, we want the user to be added to the group guest, not users. One more little hurdle with adding users is that passwords must be specified on the command-line. Importantly, the passwords must be encrypted, so you need to use the encrypt(1) utility. For example: OpenBSD's passwords use the Blowfish algorithm with 8 rounds by default. Here is an example to create an encrypted password to give to useradd(8).
$ encrypt -p -b 8
Enter string:
$2b$08$pvin31BFNxR.qiPTAfizFeeCxrlmBhsZLsAajCwAB1rgFFvl8PRXq
Now that we have an encrypted password, we are ready to add the user. We will add the same user with the same specifications as the user we added above, via adduser(8).
# user add -p '$2b$08$pvin31BFNxR.qiPTAfizFeeCxrlmBhsZLsAajCwAB1rgFFvl8PRXq' \
> -u 1002 -s /bin/ksh -c "Test FAQ User" -m -g guest testuser
Note: Make sure to use ' ' (single quotes) around the password string, not " " (double quotes) as the shell will interpret these before sending it to user(8). In addition to that, make sure you specify the -m option if you want the user's home directory created and the files from /etc/skel copied over.

To see that the user was created correctly, we can use many different utilities. Below are a few commands you can use to quickly check that everything was created correctly.

$ ls -la /home
total 14
drwxr-xr-x   5 root      wheel   512 May 12 14:29 .
drwxr-xr-x  15 root      wheel   512 Apr 25 20:52 ..
drwxr-xr-x  24 ericj     wheel  2560 May 12 13:38 ericj
drwxr-xr-x   2 testuser  guest   512 May 12 14:28 testuser
$ id testuser
uid=1002(testuser) gid=31(guest) groups=31(guest)
$ finger testuser
Login: testuser                         Name: Test FAQ User
Directory: /home/testuser               Shell: /bin/ksh
Last login Sat Apr 22 16:05 (EDT) on ttyC2
No Mail.
No Plan.
In addition to these commands, user(8) provides its own utility to show user characteristics, called userinfo(8).
$ userinfo testuser
login   testuser
passwd  *
uid     1002
groups  guest
change  Wed Dec 31 19:00:00 1969
class
gecos   Test FAQ User
dir     /home/testuser
shell   /bin/ksh
expire  Wed Dec 31 19:00:00 1969

Removing users

To remove users with the user(8) hierarchy of commands, you will use userdel(8). This is a very simple yet usable command. To remove the user created in the last example, simply run:
# userdel -r testuser
Notice the -r option, which must be specified if you want the users home directory to be deleted as well. Alternatively, you can specify -p rather than -r and this will lock the user's account, but not remove any information.

Setting up user disk quotas

Quotas are used to limit user's space that they have available to them on your disk drives. It can be very helpful in situations where you have limited resources. Quotas can be set by user and/or by group.

This option is in the GENERIC kernel. After this, you need to mark in fstab(5) the filesystems which will have quotas enabled. The keywords userquota and groupquota should be used to mark each filesystem that you will be using quotas on. By default, the files quota.user and quota.group will be created at the root of that filesystem to hold the quota information. This default can be overridden by specifying the file name with the quota option in /etc/fstab, such as userquota=/var/quotas/quota.user. Here is an example /etc/fstab that has one filesystem with userquotas enabled, and the quota file in a non-standard location:

/dev/wd0a / ffs rw,userquota=/var/quotas/quota.user 1 1
Now it's time to set the user's quotas. To do so, use edquota(8), which will invoke vi(1) or $EDITOR to edit the quotas. For example:
# edquota ericj
This will give you output similar to this:
Quotas for user ericj:
/: KBytes in use: 62, limits (soft = 0, hard = 0)
        inodes in use: 25, limits (soft = 0, hard = 0)
To add limits, edit it to give results like this:
Quotas for user ericj:
/: KBytes in use: 62, limits (soft = 1000, hard = 1050)
        inodes in use: 25, limits (soft = 0, hard = 0)
Note that the quota allocation is in 1k blocks. In this case, the softlimit is set to 1000k, and the hardlimit is set to 1050k. A softlimit is a limit where the user is just warned when they cross it and have until their grace period is up to get their disk usage below their limit. Grace periods can be set by using the -t option on edquota(8). After the grace period is over, the softlimit is handled as a hardlimit. This usually results in an allocation failure.

Now that the quotas are set, you need to turn the quotas on. To do this, use quotaon(8). For example:

# quotaon -a
This will go through /etc/fstab to turn on the filesystems with quota options. Now that quotas are up and running, you can view them using quota(1). Using a command of "quota <user>" will give that user's information. When called with no arguments, the quota(1) command will give your quota statistics. For example:
# quota ericj
Will result in output similar to this:
Disk quotas for user ericj (uid 1001):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
              /      62    1000    1050              27       0       0
By default, quotas set in /etc/fstab will be started on boot. To turn them off, use
# quotaoff -a

Applying errata patches

Even with OpenBSD, bugs happen. Some bugs may lead to reliability issues, i.e., something may cause the system to stop functioning as desired. Other bugs may lead to security vulnerabilities that may allow others to "use" your computer in unintended and unauthorized ways. When a critical bug is found, the fix will be committed to the -current source tree, and patches will be released for the supported releases of OpenBSD. These patches appear on the errata web page, and are separated into "common" errata that impact all platforms, and errata that impact only one or more, but not all, platforms.

Note, however, that patches aren't released for new features or additional hardware support for OpenBSD, and are only published for important reliability fixes or security problems that should be addressed right away on impacted systems (which is often NOT all systems, depending on their purpose).

There are three ways to update your system with patched code:

Again, patching individual files is not always simple, so give serious thought to following the -stable (or "patch") branch of OpenBSD. Mixing and matching of patching solutions can be done if you understand how everything works, but new users should pick one method and stick with it.

How are "errata" patches different from what is in the CVS tree?

All patches posted to the errata web page are patches directly against the indicated release's source tree. Patches against the latest CVS tree might also include other changes that wouldn't be wanted on a release system. This is important: If you have installed a snapshot, checked out the source trees at the time you obtained that snapshot and attempt to patch it using a published patch, you may well find the patch doesn't apply, as that code may have changed.

Applying patches

Patches for OpenBSD are distributed as unified diffs, which are text files that hold differences to the original source code. They are NOT distributed in binary form. This means that, to apply a patch, you must have the source code from the -release version of your system available. In general, it is advisable to acquire the entire source tree before applying a patch. If you are running a release from an official CD-ROM, the source trees are available as files on disk three, but these can also be obtained from the mirrors.

Whether you download and untar the source trees or fetch them from CVS, it's best to avoid using root where possible. Installing the new binaries will be the only step that requires it.

For our example here, we will look at patch 011 for OpenBSD 5.6, dealing with pppoe(4) connections. Each patch is cryptographically signed with the signify(1) tool and contains instructions on how to apply it properly. We will assume you have put this patch into your current working directory.

$ signify -Vep /etc/signify/openbsd-56-base.pub -x 011_pppoe.patch.sig \
  -m - | (cd /usr/src && patch -p0)

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|
|OpenBSD 5.6 errata 11, Dec 5, 2014:
|
|An incorrect memcpy call would result in corrupted MAC addresses when
|using PPPOE.
|
|Apply patch using:
|
|    signify -Vep /etc/signify/openbsd-56-base.pub -x 011_pppoe.patch.sig \
|        -m - | (cd /usr/src && patch -p0)
|
|Then build and install a new kernel.
|
|Index: sys/net/if_ethersubr.c
|===================================================================
|RCS file: /cvs/src/sys/net/if_ethersubr.c,v
|retrieving revision 1.174
|diff -u -p -r1.174 if_ethersubr.c
|--- sys/net/if_ethersubr.c     12 Jul 2014 18:44:22 -0000      1.174
|+++ sys/net/if_ethersubr.c     1 Dec 2014 17:48:55 -0000
--------------------------
Patching file sys/net/if_ethersubr.c using Plan A...
Hunk #1 succeeded at 673.              <-- Look for this message!
done
Note the "Hunk #1 succeeded" message above. This indicates the patch was applied successfully. Many patches are more complex than this one, and will involve multiple hunks and multiple files, in which case you should verify that all hunks succeeded on all files. If they did not, it normally means your source tree was different in some way from the release source tree the patch was created from, or you didn't follow instructions carefully, or your patch was mangled. Patches are very sensitive to "white space" -- copying and pasting from your browser will often change tab characters into spaces or otherwise alter the white space of a file, making it not apply.

At this point, you can build and install the new kernel, then reboot the system as normal.

Not all patches are for the kernel. In some cases, you will have to rebuild individual utilities. At other times, will require recompiling all utilities statically linked to a patched library.

Directory services

OpenBSD can be used for both servers and clients of databases containing user credentials, group information and other network-related data.

Which directory services are available?

Of course, you could use various directory services on OpenBSD. But YP is the only one that can be accessed directly using standard C-library functions like getpwent(3), getgrent(3), gethostbyname(3) and so on. Thus, if you keep your data in a YP database, you do not need to copy it to local configuration files like master.passwd(5) before you can use it, for example to authenticate system users.

YP is a directory service compatible with Sun Microsystems NIS (Network Information System). See yp(8) for an overview of the available manual pages. Be careful, some operating systems contain directory services bearing similar names but all the same being incompatible, for example NIS+.

To use other directory services except YP, you either need to populate local configuration files from the directory, or you need a YP frontend to the directory. For example, you can use the sysutils/login_ldap port when you choose the former, while the ypldap(8) daemon provides the latter.

For some applications, simply synchronizing a small number of configuration files among a group of machines using tools like cron(8), scp(1) or rsync (available from ports) constitutes an easy and robust alternative to a full-blown directory service.

YP security considerations

For compatibility reasons, all security features built into the OpenBSD implementation of YP are switched off by default. Even when they are all switched on, the NIS protocol is still inherently insecure for two reasons: All data, including sensitive data like password hashes, is transmitted unencrypted across the network, and neither the client nor the server can reliably verify each other's identity.

Thus, before setting up any YP server, you should consider whether these inherent security flaws are acceptable in your context. In particular, YP is inadequate if potential attackers have physical access to your network. Anybody gaining root access to any computer connected to your network segments carrying YP traffic can bind your YP domain and retrieve its data. In some cases, passing YP traffic through SSL or IPSec tunnels might be an option.

Setting up a YP server

  1. A YP server serves a group of clients called a "domain." You should first select a domain name; it can be an arbitrary string and need not be related in any way to DNS domain names. Choosing a random name like "Eepoo5vi" can marginally improve security, though the effect is mostly in security by obscurity. In case you need to maintain several distinct YP domains, it's probably better to choose descriptive names like "sales," "marketing" and "research" in order to forestall system administration errors caused by obscurity. Also note that some versions of SunOS require using the host's DNS domain name, so your choice might be restricted in a network including such hosts.

    Use the domainname(1) utility to set the domain name, and put it into the defaultdomain(5) file to have it automatically set at system startup time.

        # echo "puffynet" > /etc/defaultdomain
        # domainname `cat /etc/defaultdomain`
        
  2. Initialise the YP server using the interactive command
        # ypinit -m
        
    At this point, it is not necessary to specify slave servers yet. To add slave servers, you can rerun ypinit(8) later, using the -u option. Setting up at least one slave server for each domain is useful to avoid service interruptions. For example, should the master server ever go down or lose network connectivity, client processes trying to access YP maps block indefinitely until they receive the requested information. Thus, YP service interruptions typically render the client hosts completely unusable until YP is back to service.
  3. Decide where to store the source files to generate your YP maps from. Keeping the server configuration separate from the served configuration helps to control which information will be served and which won't, so the default /etc often isn't the best choice.

    The only inconvenience caused by changing the source directory is that you will not be able to add, remove and modify users and groups in the YP domain using utilities like user(8) and group(8). Instead, you will have to edit the configuration files with a text editor.

    To define the source directory, edit the file /var/yp/`domainname`/Makefile and change the DIR variable, e.g.

        DIR=/etc/yp/src/puffynet
        
  4. Consider customizing other variables in /var/yp/`domainname`/Makefile. See Makefile.yp(8) for details.

    For example, even in case you use the default source directory /etc, you do not usually need all accounts and groups existing on the server on all your client hosts. In particular, not serving the root account and thus keeping root's password hash confidential is often beneficial to security. Review the values of MINUID, MAXUID, MINGID and MAXGID and adjust them to you needs.

    If all your YP clients run OpenBSD or FreeBSD, exclude the encrypted passwords from the passwd maps by setting UNSECURE="" in /var/yp/`domainname`/Makefile.

    The former practice of editing the template file /var/yp/Makefile.yp is no longer recommended. Changes to that file affect all domains initialized after the change, but do not affect domains initialized before the change, so this is error-prone either way: You both risk that the intended changes do not take effect, and you risk to forget about them and have them affect other domains later which they were never intended for.

  5. Create the source directory and populate it with the configuration files you need. See Makefile.yp(8) to learn which YP maps require which source files. For the format of the individual configuration files, refer to passwd(5), group(5), hosts(5) and so on, and look at the examples in /etc.
  6. Create the initial version of your YP maps using the commands
        # cd /var/yp
        # make
        
    Do not worry about error messages from yppush(8) right now. The YP server is not yet running.
  7. YP uses rpc(3) (remote procedure calls) to communicate with clients, so it is necessary to enable portmap(8). To do so, use rcctl(8).
        # rcctl enable portmap
        # portmap
        
  8. Consider using either the securenet(5) or the ypserv.acl(5) security feature of the YP server daemon. But be aware that both of these only provide IP based access control. Thus, they only help as long as potential attackers have neither physical access to the hardware of the network segments carrying your YP traffic nor root access to any host connected to those network segments.
  9. Finally, start the YP server daemon:
        # ypserv
        
    It will automatically be restarted at boot time as long as the directory /var/yp/`domainname` continues to exist.
  10. To test the new server, consider making it its own client, following the instructions in the first part of the next section. In case you don't want the server to use its own maps, you can disable the client part after the test with the following commands:
        # pkill ypbind
        # rm -rf /var/yp/binding
        
  11. If you wish to allow users to change their passwords from client machines, then you must enable yppasswdd(8):
        # rcctl set yppasswdd flags -d /etc/yp/src/puffynet
        # rpc.yppasswdd
        
    If you left the source directory at the default /etc, just use rcctl enable yppasswdd.
  12. Remember that each time you change a file sourced by a YP map, you must regenerate your YP maps.
        # cd /var/yp
        # make
        
    This updates all database files in /var/yp/`domainname`, with one exception: The file ypservers.db, listing all YP master and slave servers associated with the domain, is created directly from ypinit -m and modified exclusively by ypinit -u. In case you accidentally delete it, run ypinit -u to recreate it from scratch.

Setting up a YP client

Setting up a YP client involves two distinct parts. First, you must get the YP client daemon running, binding your client host to a YP server. Completing the following steps will allow you to retrieve data from the YP server, but that data will not yet be used by the system:
  1. Like on the server, you must set the domain name and enable the portmapper:
        # echo "puffynet" > /etc/defaultdomain
        # domainname `cat /etc/defaultdomain`
        # rcctl enable portmap
        # portmap
        
  2. It is recommended to provide a list of YP servers in the configuration file /etc/yp/`domainname`. Otherwise, the YP client daemon will use network broadcasts to find YP servers for its domain. Explicitly specifying the servers is both more robust and marginally less open to attack. If you have not set up any slave servers, just put the host name of the master server into /etc/yp/`domainname`.
  3. The YP client daemon is called ypbind(8). Starting it manually will create the directory /var/yp/binding, such that it will be automatically restarted at boot time.
        # ypbind
        
  4. If all went well you should be able to query the YP server using ypcat(1) and see your passwd map returned.
        # ypcat passwd
        bob:*:5001:5000:Bob Nuggets:/home/bob:/usr/local/bin/zsh
        ...
        
    Other useful tools for debugging your YP setup include ypmatch(1) and yptest(8).
The second part of configuring a YP client involves editing local configuration files such that certain YP maps get used by various system facilities. Not all servers serve all standard maps supported by the operating system, some servers serve additional non-standard maps, and you are by no means compelled to use all those maps. Which of the available maps shall or shall not be used, and for which purposes they shall be used, is fully at the discretion of the client host's system administrator.

For a list of standard YP maps and their standard usage, see Makefile.yp(8). The most common use cases include:

Character sets and localization

OpenBSD uses the ASCII character set by default. It also supports the Unicode (UTF-8) character set.

Configuring the active character set

To use the UTF-8 character set, the LC_CTYPE environment variable must be set to the name of a supported locale. Note that LC_CTYPE will only affect the character set available to applications; it will not change the language used for application messages.

The list of supported locales can be obtained by running the command:

$ locale -a
The LC_CTYPE environment variable can be set in one of the following ways: A growing number of utilities in the base system support UTF-8. Those that don't will use ASCII in the UTF-8 locale.

When logging into remote systems with ssh(1), the LC_CTYPE environment variable is not propagated and will need to be manually set to the same value used by the local terminal.

Changing the language used in application messages

The language used for application messages can be changed by setting the LC_MESSAGES environment variable to the name of a supported locale. This can be done in the same way as described for LC_CTYPE above. Both LC_MESSAGES and LC_CTYPE should be set to the same value.

Few utilities in the base system support languages other than English at this time. However, many programs from the ports collection support localized messages in various languages. They will fall back to English if the desired language is not available.

Converting your Linux password file to BSD-style

First, figure out if your Linux password file is shadowed or not. If it is, install John the Ripper from packages or ports (security/john) and use the "unshadow" utility that comes with it to merge your passwd and shadow files into one Sixth Edition-style file.

Using your Linux password file, we'll call it linux_passwd, you need to add in ::0:0 between fields four and seven. awk(1) does this for you.

# awk -F : '{printf("%s:%s:%s:%s::0:0:%s:%s:%s\n", \
> $1,$2,$3,$4,$5,$6,$7); }' linux_passwd > new_passwd
At this point, you want to edit the new_passwd file and remove the root and other system entries that are already present in your OpenBSD password file or aren't applicable with OpenBSD (all of them). Also, make sure there are no duplicate usernames or user IDs between new_passwd and your OpenBSD box's /etc/passwd. The easiest way to do this is to start with a fresh /etc/passwd.
# cat new_passwd >> /etc/master.passwd
# pwd_mkdb -p /etc/master.passwd
The last step, pwd_mkdb is necessary to rebuild the /etc/spwd.db and /etc/pwd.db files. It also creates a Sixth Edition-style password file (minus encrypted passwords) at /etc/passwd for programs which use it. OpenBSD uses a stronger encryption for passwords, blowfish, which is very unlikely to be found on any system which uses full Sixth Edition-style password files. To switch over to this stronger encryption, simply have the users run passwd and change their password. The new password they enter will be encrypted with your default setting (usually blowfish unless you've edited /etc/login.conf). Or, as root, you can run passwd username.