Back to the sea ; the OpenBSD installation, episode II


OpenBSD is really easy to install.
It’s not shiny, but it asks a few questions and only takes a couple of minutes to get a working system.

Installation

Grab the install48.iso file that corresponds to your version and CPU architecture. Burn it to a CD or use it to boot a VM.

The installation is straightforward, no big deal.
It’ll ask for the keyboard layout you want to use.
It’ll propose a DHCP (or fixed) network configuration.
It’ll set the root password, create a basic user, configure SSH and NTP and set your time zone.

The disk configuration might be a bit tricky, but just read the FAQ and you’ll be able to handle it.

If you downloaded the install*.iso file, every set is provided on the CD (emulation), so you’ll choose cd as the “Location of sets?”. If not, you may use http or ftp, provided you have network access.

When asked for the “Set name(s)?”, I chose all, then done. This might not be the safest installation for a server, but some packages might require X stuff later and I don’t really want to fight with those later. Besides, I consider that a service that isn’t running doesn’t do harm. I know it’s not quite true, but that’s the level of security I want to afford.

Let the installation proceed, auto-configure a few other things and you’re ready to reboot.

First boot

Here we are. The system has rebooted and the login prompt is ready for me.

As I configured a user and SSH, I won’t use the console. I’ll do everything via a remote SSH connection.

From DHCP to fixed IP

I installed the system with a DHCP configuration. It’s just easier for a start, and I don’t remember what the default network range inside a VMware Fusion NAT is ;-)

There are only a few steps to switch to fixed IP:

# vi /etc/hostname.em0
inet 192.168.12.144 255.255.255.0 192.168.12.255
# vi /etc/myname
eddie.tumfatig.net
# vi /etc/mygate
192.168.12.2
# vi /etc/hosts
192.168.12.144  eddie.tumfatig.net eddie
# vi /etc/resolv.conf
search tumfatig.net carnat.net free.fr
nameserver 192.168.12.2
lookup file bind

Reboot the server to apply the name and network configuration.
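Before that reboot it is worth checking that the values typed into hostname.em0 and mygate agree with each other, since a wrong mask, broadcast or gateway means losing the SSH session once the box comes back. The following POSIX sh script is an added example (not from the original post); it takes the address, netmask, broadcast and gateway as arguments and the values it checks are the ones from the files above:

```shell
# Added example: consistency check for a static IPv4 configuration.
# Pure POSIX sh arithmetic, so it runs on OpenBSD's ksh as well as bash/dash.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_static_net ADDR MASK BCAST GATEWAY
# Prints one line per problem found; exit status 0 when everything is consistent.
check_static_net() {
    addr=$(ip2int "$1"); mask=$(ip2int "$2"); bcast=$(ip2int "$3"); gw=$(ip2int "$4")
    net=$(( addr & mask ))
    # 4294967295 = 0xFFFFFFFF keeps the complement inside 32 bits
    want_bcast=$(( net | (~mask & 4294967295) ))
    status=0
    if [ "$bcast" -ne "$want_bcast" ]; then
        echo "broadcast $3 does not match $1/$2 (expected $(int2ip "$want_bcast"))"
        status=1
    fi
    if [ $(( gw & mask )) -ne "$net" ]; then
        echo "gateway $4 is not on the $1/$2 subnet"
        status=1
    elif [ "$gw" -eq "$addr" ] || [ "$gw" -eq "$net" ] || [ "$gw" -eq "$want_bcast" ]; then
        echo "gateway $4 is the host, network or broadcast address"
        status=1
    fi
    return $status
}

# The values from hostname.em0 and mygate above: consistent
check_static_net 192.168.12.144 255.255.255.0 192.168.12.255 192.168.12.2 && echo "config OK"
# Constructed mistakes: broadcast copied from another subnet, gateway off-subnet
check_static_net 192.168.12.144 255.255.255.0 192.168.13.255 192.168.1.1 || echo "fix before reboot"
```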

OpenSSH service

I want to use long SSH keys and deny SSH access via password.

Create the server keys:

# ssh-keygen -t rsa1 -f ssh_host_key -N '' -C "tumfatig.net" -b 4096
# ssh-keygen -t dsa -f ssh_host_dsa_key -N '' -C "tumfatig.net" -b 1024
# ssh-keygen -t rsa -f ssh_host_rsa_key -N '' -C "tumfatig.net" -b 4096
# cp -p ssh*key* /etc/ssh/

Create the personal keys:

# ssh-keygen -t rsa -C "jca@tumfatig.net" -b 4096

Deny password authentication:

# vi /etc/ssh/sshd_config
PasswordAuthentication no
# kill -HUP `cat /var/run/sshd.pid`
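One thing to verify after editing sshd_config is that the directive actually took effect: sshd uses the first uncommented value of each keyword, so a "PasswordAuthentication no" appended below an earlier "yes" changes nothing, and on OpenBSD ChallengeResponseAuthentication (default yes) still lets a password be typed through keyboard-interactive bsdauth. The script below is an added example, not from the original post; it reads a config file with those first-value semantics and the two sample configs it checks are constructed for the demonstration:

```shell
# Added example: audit an sshd_config the way sshd(8) reads it.

# effective_value FILE KEYWORD -> first active value (lowercased), empty if unset
effective_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[[:space:]]+/, "") }              # strip leading blanks
        /^#/ || /^$/ { next }                     # comments and blank lines
        { split($0, f, /[[:space:]=]+/) }         # "key value" or "key=value"
        tolower(f[1]) == "match" { exit }         # global section ends at Match
        tolower(f[1]) == kw { print tolower(f[2]); exit }  # first value wins
    ' "$1"
}

# password_logins_disabled FILE -> exit 0 if no password path is left open
password_logins_disabled() {
    pa=$(effective_value "$1" PasswordAuthentication)
    cr=$(effective_value "$1" ChallengeResponseAuthentication)
    # both keywords default to "yes" when absent
    [ "${pa:-yes}" = "no" ] && [ "${cr:-yes}" = "no" ]
}

# Constructed sample configs (temporary files, not the system's /etc/ssh/sshd_config)
sample_bad=$(mktemp)
cat > "$sample_bad" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
# appended afterwards, but ignored: the first value above wins
PasswordAuthentication no
EOF

sample_good=$(mktemp)
cat > "$sample_good" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

for f in "$sample_bad" "$sample_good"; do
    if password_logins_disabled "$f"; then
        echo "$f: password logins disabled"
    else
        echo "$f: passwords still accepted"
    fi
done
```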

Execute a command as another user

Your normal user is no admin; or at least, it shouldn’t be. So to do big guy things, you need to be granted the ultimate mighty power. sudo is the tool that enables you to run a single command as Zeus.

Configure sudo:

# visudo
%wheel  ALL=(ALL) SETENV: ALL

If your user was created during installation, it is already in the wheel group. If not, add it and log in again to apply the changes. And remember:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

User environment

The default user environment is perfect for administration. Fast, silent, efficient. But I like to add a bit of color in my terminals.

# vi ~/.profile

# Note: the trailing "." puts the current directory last in the search path.
PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM

export EDITOR="/usr/local/bin/vim"
export EXINIT='set autoindent'
export PAGER="/usr/bin/less"
export VISUAL=$EDITOR

HISTFILE=$HOME/.history
HISTSIZE=4096

alias ls="/bin/ls -aF" ll="ls -lh"

set -o emacs
umask 022

_U="`whoami`"
_H="`hostname -s`"
_V="`uname -sr`"

# ^[ stands for a literal ESC (0x1b) and ^G for a literal BEL (0x07),
# entered in vi with Ctrl-V Esc and Ctrl-V Ctrl-G.
BLANK='^[[0m'

DRED='^[[0;31m'
DGREEN='^[[0;32m'
DYELLOW='^[[0;33m'
DBLUE='^[[0;34m'
DPURPLE='^[[0;35m'
DCYAN='^[[0;36m'
DWHITE='^[[0;37m'

case $TERM in
xterm*|*rxvt*)
#       PS1='^[]0;[ $_U@$_H:$(pwd) ]^G
#$DRED-($DCYAN$_U$BLANK@$DCYAN$_H$DRED)-($DWHITE$_V$DRED)-($DYELLOW$(date +"%Y-%m-%d")$DRED)-
#$DRED-($DYELLOW$(date +"%H:%M")$DRED)-($DGREEN$(pwd)$DRED)- $BLANK'
        # Set the terminal title, then a two-line coloured prompt
        PS1='^[]0;[ $_U@$_H:$(pwd) ]^G
$DRED-($DCYAN$_U$BLANK@$DCYAN$_H$DRED)-($DWHITE$_V$DRED)-($DYELLOW$(date +"%Y-%m-%d %H:%M")$DRED)-
$DRED-($DGREEN$(pwd)$DRED)-$BLANK
# '
        ;;

*)
        PS1='[ $_U@$_H:$(pwd) ] '
        ;;
esac

The mighty editor

I like to use vim as my system editor:

# pkg_add http://ftp.fr.openbsd.org/pub/OpenBSD/4.8/packages/amd64/vim-7.2.444-no_x11.tgz
# pkg_add http://ftp.fr.openbsd.org/pub/OpenBSD/4.8/packages/amd64/vim-spell-fr-7.2.tgz
# vi ~/.vimrc
set nocompatible
set backspace=indent,eol,start
set nobackup
set history=50
set ruler
set showcmd
set incsearch

syntax on

Last step

It’s time for a remote backup:

# ssh 192.168.12.144 "sudo tar czpf - /" > eddie.obsd48amd64.01basics.tar.gz
tar: Removing leading / from absolute path names in the archive
tar: Ustar cannot archive a socket /dev/log
tar: Ustar cannot archive a socket /var/cron/tabs/.sock
tar: Ustar cannot archive a socket /var/empty/dev/log
tar: Ustar cannot archive a socket /var/www/dev/log

That’s All Folks!