hello friends! new(ish)!

OpenBSD: Difference between revisions

From InstallGentoo Wiki v2
Jump to navigation Jump to search
>Keboler
(muh progress)
 
>Grodzio1
(Added a disclaimer about installation with full disk encryption in the installer)
 
(23 intermediate revisions by 9 users not shown)
Line 1: Line 1:
{{stub}}
[[File:Puf200X172.gif|thumb|Mascot of OpenBSD, Puffy the Pufferfish]]


'''OpenBSD''' is a free, multi-platform 4.4BSD based Unix-like operating system, part of the [[BSD]] family. The OpenBSD project's efforts emphasize portability, correctness, proactive security and integrated cryptography, although you probably already know this by now.
'''OpenBSD''' is a free, multi-platform 4.4BSD based Unix-like operating system, part of the [[BSD]] family. The OpenBSD project's efforts emphasize portability, correctness, proactive security and integrated cryptography, although you probably already know this by now.
== Why? ==
'''Why might I want to use OpenBSD?''' Here are some reasons why:
* It's not Linux: OpenBSD can claim to be, for the most part, safe from many of the freedesktop.org cancers like [[systemd]] that are deservedly unpopular amongst Linux users. It also promotes portability, so that a program can run on more operating systems than just Linux (or OpenBSD for that matter).
* Stuck in the mud: OpenBSD tries to stick to being a faithful evolution of 4.4BSD-Lite, and instead of having Google Groups mailing lists and forums and wikis, OpenBSD has mailing lists with a [http://marc.info blessed archive] and a website that's straight out of the 90s.
* The right way: You may come to a point at one time or another where you may realise that choice is bad. Choice is bad, because it places us in a position where we must make a choice. Many things in OpenBSD have only one way of having it done and most of the time it is the best way of having it done. The example given is apmd - when enabled, it transparently manages CPU frequency and power states and handles suspend and hibernation seamlessly without any hassle.
* Sane defaults: OpenBSD doesn't do stupid shit and tries to do whatever you wanted it to do out of the box first time, instead of having to fiddle around with configuration; this has a security impact as well, since if you have to do it yourself you're more likely to fuck it up. Most, if not all daemons in the base system and even in ports and packages follow best practices like chroots, priv-drop and priv-sep by default.
* Integration: OpenBSD is developed in a single CVS tree ''(whine whine whine... they use C... V... S...)'', which means that the developers can work with a totally integrated codebase instead of having to accommodate bits and pieces from various projects that might not work together immediately and might even have upstreams that are hostile to each other, leading Linux distributions to heavily patch packages to get things working. Again, look at apmd, which works very well because the daemon and the kernel are developed concurrently and by the same group of developers.
* Proactive security: OpenBSD's policy is "don't do stupid shit". Doing the right thing with regards to security has led the project to a record of only two holes in the default installation in over 20 years. When upstream fucks up or licensing becomes a problem, the project takes it into their own hands to roll their own quality solution according to the mantra of "shut up and hack": OpenSSH, the preeminent SSH server and client implementation was borne out of the original SSH becoming non-free; LibreSSL came from years of shit coding standards, enmity with upstream and stupid vulnerabilities (Heartbleed being the one that pushed them over the edge) in OpenSSL.
* Networking software: OpenBSD has an extensive suite of networking software: PF firewall, Relayd reverse proxy, OpenSMTP mail server, OpenBSD httpd, and appropriate routing daemons for most commonly used routing protocols.


== Licensing ==
== Licensing ==
The BSD operating systems are where the [[Licenses|BSD licence]] originated from, allowing free reuse of code even in non-free software, with the requirement that the original contributors' attributions are retained. Some would argue that this means that non-free software developers can take the original software, improve it and not give back contributions to the free and open source software community.
The BSD operating systems are where the [[Licenses|BSD licence]] originated from, allowing free reuse of code even in non-free software, with the requirement that the original contributors' attributions are retained. Some would argue that this means that non-free software developers can take the original software, improve it and not give back contributions to the free and open source software community.
<blockquote>you might live in a world without morals; I don't.<br>
''Henning Brauer</blockquote>
The original code will always stay as free as the original developer intended it to, and improvements on the code are often returned back in good will for the unrestricted use of the software in the first place.


As for the licensing state of OpenBSD itself, this author understands that most of the OpenBSD source inherited from BSD Net/2 and 4.4BSD-Lite stays under a traditional 3-clause BSD licence, with new programs from OpenBSD generally released under the simpler ISC licence. The only programs released under the GPL included with OpenBSD are the GNU toolchain (GCC, binutils, GDB).
The original code will always stay as free as the original developer intended it to, and improvements on the code are often returned in good will for the unrestricted use of the software in the first place.


== How To ==
As for the licensing state of OpenBSD itself, most of the OpenBSD source inherited from BSD Net/2 and 4.4BSD-Lite stays under a traditional 3-clause BSD licence, while new programs from OpenBSD generally released under the simpler ISC licence, which excludes a clause made unneccesary by the Berne convention. The only programs released under the GPL included with OpenBSD are the GNU toolchain (GCC, binutils, GDB).
 
== Tips ==
The following sections assume you are using a relatively recent release of OpenBSD which should be the latest release or at least released within the last year.
=== Set up the shell ===
=== Set up the shell ===
<tt>pdksh</tt>, OpenBSD's default shell, only sources <tt>.profile</tt> out of the box. Add
pdksh, OpenBSD's default shell, only sources {{ic|.profile}} out of the box. Add
  export ENV="${HOME}/.kshrc"
  export ENV="${HOME}/.kshrc"
to your <tt>.profile</tt>, and then add your interactive shell customisation to <tt>.kshrc</tt>. Programs like <tt>startx</tt> and other shells will inherit <tt>$ENV</tt> from the environment, so it will continue to be sourced in all shells in the session.
to your {{ic|.profile}}, and then add your interactive shell customisation to {{ic|.kshrc}}. Descendant shells will inherit {{ic|$ENV}} from the environment, so it will continue to be sourced in all shells in the session including those in an X session.
 
pdksh supports most of the {{ic|$PS1}} escapes from bash, so add
PS1="\W \$ "
to your {{ic|.kshrc}} to show your current directory.
=== Privilege escalation ===
=== Privilege escalation ===
<tt>sudo</tt>, the privilege escalation tool used in many Linux distributions, was replaced by <tt>doas</tt> in OpenBSD 5.8, a far simpler implementation. To set it up, you need to edit <tt>/etc/doas.conf</tt>.
sudo, the privilege escalation tool used in many Linux distributions, was replaced by doas in OpenBSD 5.8, a far smaller tool; the rationale being that most sudo users don't use 99% of it's features and therefore, it was decreed that a simpler and smaller tool be written.  
This is an example <tt>doas.conf</tt>:
 
permit keepenv { PKG_PATH } :wheel as root
To set doas up, you need to edit {{ic|/etc/doas.conf}}. This is an example {{ic|doas.conf}}:
permit nopass root
{{bc|permit :wheel as root
This allows all users in the <tt>wheel</tt> group to run commands as root and pass the environment variable <tt>$PKG_PATH</tt> which is used to specify a package repository as described below. If you added your user account with the OpenBSD installer, it should have added it to the <tt>wheel</tt> group already. It also allows root to run commands without a password for all users on the system.
permit nopass root}}
=== Package management ===
You can check the {{ic|doas.conf}} like this:
OpenBSD package management turns out to be easier and simpler than many Linux distributions. Instead of a system-wide repository and downloading a repository database, the OpenBSD package utilities simply pull packages from a remote server (or an official CD) specified in the environment variable <tt>$PKG_PATH</tt> and installs them.
# doas -C /etc/doas.conf
This allows all users in the wheel group to run commands as root. If you added a user account with the OpenBSD installer, it will have added it to the wheel group already. It also allows root to run commands without a password for all users on the system.
=== Setting up package management ===
Instead of downloading a repository database, the OpenBSD package utilities consult a remote mirror or local package store specified either in {{ic|/etc/pkg.conf}} or alternatively in the environment variable {{ic|$PKG_PATH}} for every request.
Remote repositories can be any of the mirrors listed [https://www.openbsd.org/ftp.html here]. For this example, we will use the ftp.openbsd.org mirror, ran by Theo in Canada.
Add this to {{ic|/etc/pkg.conf}}:
installpath = http://ftp.openbsd.org/pub/OpenBSD/packages/6.0/amd64
where 6.0 is your version number, amd64 is your architecture and the beginning of the path replaced with whatever mirror you chose. If you [[#Privilege escalation|set up doas]], you can begin installing programs from your normal user account like so: {{bc|$ doas pkg_add irssi
doas (me@machine.lan) password:
quirks-2.241 signed on 2016-07-26T16:56:10Z
Ambiguous: choose package for irssi
a      0: <None>
        1: irssi-0.8.19
        2: irssi-0.8.19-socks
Your choice: 1
irssi-0.8.19: ok}}
Read the [[Package manager#OpenBSD|package management]] article for more on how to use the OpenBSD package management system.
=== Init scripts ===
The OpenBSD init system is configured in the file {{ic|/etc/rc.conf.local}}. It is advised that you only put '''used''' entries into {{ic|rc.conf.local}}, however it is easier to simply copy {{ic|rc.conf}} to {{ic|rc.conf.local}} and edit it there.
Any system daemon can be enabled by setting it's <tt>_flags</tt> variable to blank or to pass flags to the daemon, and can be disabled by setting it to <tt>NO</tt>.
Daemons from packages/ports are specified in the <tt>pkg_scripts</tt> variable. For example, here is a configuration for starting [[DNSCrypt]] and [[Tor]] as system daemons.{{bc|<nowiki># rc.d(8) packages scripts
# started in the specified order and stopped in reverse order
dnscrypt_proxy_flags="-R dnscrypt.eu-dk -a 127.0.0.1:40"
pkg_scripts="dnscrypt_proxy tor"</nowiki>}}
The init scripts will load DNSCrypt first, passing to it the flags to choose DNS server and port, and then start Tor.
=== Full disk encryption ===
Full disk encryption in OpenBSD is achieved through the use of <tt>softraid</tt>.
 
''Starting with OpenBSD 7.3, the installer now has an option for guided installation with full disk encryption.''
Boot up the OpenBSD install media and wait until you come to this prompt. {{bc|erase ^?, werase ^W, kill ^U, intr ^C, status ^T
Welcome to the OpenBSD/amd64 6.0 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?}}
Choose {{ic|s}} to drop into a root shell. If you do not have any other partitions that you need on your disk, initialise the MBR of the first SATA disk with this command:
# fdisk -iy sd0
You'll need to look at the {{ic|wd?}} disks
Now proceed to partition the disk and create a RAID type partition on {{ic|a}}, perhaps like this: {{bc|> a a
offset: [whatever]
size: [whatever]
FS type: [4.2BSD] RAID
> w
> q}}
''Blank lines signify a blank line with enter typed.''
To initialise the RAID partition with a passphrase, type: {{bc|# bioctl -c C -r auto -l sd0a softraid0
Passphrase:
Verify passphrase:}}
{{ic|-r auto}} is a surefire way to increase the iterations of the PBKDF2 key derivation function which should increase it's resilience against brute-forcing.
You should see a dmesg message showing that a new disk with your encrypted partition was attached to the system. Exit the shell with {{ic|^D}} or {{ic|exit}}, enter the installer with {{ic|i}} and when the installer asks you for your root disk, choose that disk instead (if you type {{ic|?}}, the disk should be listed as {{ic|SOFTRAID}}). The OpenBSD bootloader transparently handles full disk encryption and will ask you for your passphrase when loading the kernel.
 
== Performance Tweaks ==
 
=== enable multithreating ===
 
If you want to enable hyperthreating tempoary, do:
 
doas sysctl hw.smt=1
 
if you want to make it permanent edit your <code>/etc/sysctl.conf</code> and paste the following at the end:
 
hw.smt=1
 
<b>notice:</b> without rebooting you have once to enable it manually, after the fist reboot, it will be active
 
sysctl hw.smt=1
 
you can check that hyperthreating is active, with programs like <code>top</code> or <code>htop</code>
 
=== raise ulimit: ===
 
put the following into your <pre>~/.profile</pre>
 
ulimit -d 4096*1024
 
If you haven't relogged, the command is not active yet. Raise ulimit for your active shell with:
 
ulimit -d 4096*1024
 
== Compiling Pandoc ==
 
* [[How to Compile Pandoc in OpenBSD 6.7]]
 
== External links ==
* The [https://www.openbsd.org/faq OpenBSD FAQ]. Read it.
[[Category:BSD]]
[[Category:Operating systems]]

Latest revision as of 19:43, 21 May 2023

Mascot of OpenBSD, Puffy the Pufferfish

OpenBSD is a free, multi-platform 4.4BSD based Unix-like operating system, part of the BSD family. The OpenBSD project's efforts emphasize portability, correctness, proactive security and integrated cryptography, although you probably already know this by now.

Why?

Why might I want to use OpenBSD? Here are some reasons why:

  • It's not Linux: OpenBSD can claim to be, for the most part, safe from many of the freedesktop.org cancers like systemd that are deservedly unpopular amongst Linux users. It also promotes portability, so that a program can run on more operating systems than just Linux (or OpenBSD for that matter).
  • Stuck in the mud: OpenBSD tries to stick to being a faithful evolution of 4.4BSD-Lite, and instead of having Google Groups mailing lists and forums and wikis, OpenBSD has mailing lists with a blessed archive and a website that's straight out of the 90s.
  • The right way: You may come to a point at one time or another where you may realise that choice is bad. Choice is bad, because it places us in a position where we must make a choice. Many things in OpenBSD have only one way of having it done and most of the time it is the best way of having it done. The example given is apmd - when enabled, it transparently manages CPU frequency and power states and handles suspend and hibernation seamlessly without any hassle.
  • Sane defaults: OpenBSD doesn't do stupid shit and tries to do whatever you wanted it to do out of the box first time, instead of having to fiddle around with configuration; this has a security impact as well, since if you have to do it yourself you're more likely to fuck it up. Most, if not all daemons in the base system and even in ports and packages follow best practices like chroots, priv-drop and priv-sep by default.
  • Integration: OpenBSD is developed in a single CVS tree (whine whine whine... they use C... V... S...), which means that the developers can work with a totally integrated codebase instead of having to accommodate bits and pieces from various projects that might not work together immediately and might even have upstreams that are hostile to each other, leading Linux distributions to heavily patch packages to get things working. Again, look at apmd, which works very well because the daemon and the kernel are developed concurrently and by the same group of developers.
  • Proactive security: OpenBSD's policy is "don't do stupid shit". Doing the right thing with regards to security has led the project to a record of only two holes in the default installation in over 20 years. When upstream fucks up or licensing becomes a problem, the project takes it into their own hands to roll their own quality solution according to the mantra of "shut up and hack": OpenSSH, the preeminent SSH server and client implementation was borne out of the original SSH becoming non-free; LibreSSL came from years of shit coding standards, enmity with upstream and stupid vulnerabilities (Heartbleed being the one that pushed them over the edge) in OpenSSL.
  • Networking software: OpenBSD has an extensive suite of networking software: PF firewall, Relayd reverse proxy, OpenSMTP mail server, OpenBSD httpd, and appropriate routing daemons for most commonly used routing protocols.

Licensing

The BSD operating systems are where the BSD licence originated from, allowing free reuse of code even in non-free software, with the requirement that the original contributors' attributions are retained. Some would argue that this means that non-free software developers can take the original software, improve it and not give back contributions to the free and open source software community.

The original code will always stay as free as the original developer intended it to, and improvements on the code are often returned in good will for the unrestricted use of the software in the first place.

As for the licensing state of OpenBSD itself, most of the OpenBSD source inherited from BSD Net/2 and 4.4BSD-Lite stays under a traditional 3-clause BSD licence, while new programs from OpenBSD generally released under the simpler ISC licence, which excludes a clause made unneccesary by the Berne convention. The only programs released under the GPL included with OpenBSD are the GNU toolchain (GCC, binutils, GDB).

Tips

The following sections assume you are using a relatively recent release of OpenBSD which should be the latest release or at least released within the last year.

Set up the shell

pdksh, OpenBSD's default shell, only sources .profile out of the box. Add

export ENV="${HOME}/.kshrc"

to your .profile, and then add your interactive shell customisation to .kshrc. Descendant shells will inherit $ENV from the environment, so it will continue to be sourced in all shells in the session including those in an X session.

pdksh supports most of the $PS1 escapes from bash, so add

PS1="\W \$ "

to your .kshrc to show your current directory.

Privilege escalation

sudo, the privilege escalation tool used in many Linux distributions, was replaced by doas in OpenBSD 5.8, a far smaller tool; the rationale being that most sudo users don't use 99% of it's features and therefore, it was decreed that a simpler and smaller tool be written.

To set doas up, you need to edit /etc/doas.conf. This is an example doas.conf:

permit :wheel as root
permit nopass root

You can check the doas.conf like this:

# doas -C /etc/doas.conf

This allows all users in the wheel group to run commands as root. If you added a user account with the OpenBSD installer, it will have added it to the wheel group already. It also allows root to run commands without a password for all users on the system.

Setting up package management

Instead of downloading a repository database, the OpenBSD package utilities consult a remote mirror or local package store specified either in /etc/pkg.conf or alternatively in the environment variable $PKG_PATH for every request. Remote repositories can be any of the mirrors listed here. For this example, we will use the ftp.openbsd.org mirror, ran by Theo in Canada. Add this to /etc/pkg.conf:

installpath = http://ftp.openbsd.org/pub/OpenBSD/packages/6.0/amd64

where 6.0 is your version number, amd64 is your architecture and the beginning of the path replaced with whatever mirror you chose. If you set up doas, you can begin installing programs from your normal user account like so:

$ doas pkg_add irssi
doas (me@machine.lan) password:
quirks-2.241 signed on 2016-07-26T16:56:10Z
Ambiguous: choose package for irssi
a       0: <None>
        1: irssi-0.8.19
        2: irssi-0.8.19-socks
Your choice: 1
irssi-0.8.19: ok

Read the package management article for more on how to use the OpenBSD package management system.

Init scripts

The OpenBSD init system is configured in the file /etc/rc.conf.local. It is advised that you only put used entries into rc.conf.local, however it is easier to simply copy rc.conf to rc.conf.local and edit it there. Any system daemon can be enabled by setting it's _flags variable to blank or to pass flags to the daemon, and can be disabled by setting it to NO.

Daemons from packages/ports are specified in the pkg_scripts variable. For example, here is a configuration for starting DNSCrypt and Tor as system daemons.

# rc.d(8) packages scripts
# started in the specified order and stopped in reverse order
dnscrypt_proxy_flags="-R dnscrypt.eu-dk -a 127.0.0.1:40"
pkg_scripts="dnscrypt_proxy tor"

The init scripts will load DNSCrypt first, passing to it the flags to choose DNS server and port, and then start Tor.

Full disk encryption

Full disk encryption in OpenBSD is achieved through the use of softraid.

Starting with OpenBSD 7.3, the installer now has an option for guided installation with full disk encryption.

Boot up the OpenBSD install media and wait until you come to this prompt.

erase ^?, werase ^W, kill ^U, intr ^C, status ^T
Welcome to the OpenBSD/amd64 6.0 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?

Choose s to drop into a root shell. If you do not have any other partitions that you need on your disk, initialise the MBR of the first SATA disk with this command:

# fdisk -iy sd0

You'll need to look at the wd? disks

Now proceed to partition the disk and create a RAID type partition on a, perhaps like this:

> a a
offset: [whatever] 
size: [whatever] 
FS type: [4.2BSD] RAID
> w
> q

Blank lines signify a blank line with enter typed.

To initialise the RAID partition with a passphrase, type:

# bioctl -c C -r auto -l sd0a softraid0
Passphrase:
Verify passphrase:

-r auto is a surefire way to increase the iterations of the PBKDF2 key derivation function which should increase it's resilience against brute-forcing. You should see a dmesg message showing that a new disk with your encrypted partition was attached to the system. Exit the shell with ^D or exit, enter the installer with i and when the installer asks you for your root disk, choose that disk instead (if you type ?, the disk should be listed as SOFTRAID). The OpenBSD bootloader transparently handles full disk encryption and will ask you for your passphrase when loading the kernel.

Performance Tweaks

enable multithreating

If you want to enable hyperthreating tempoary, do:

doas sysctl hw.smt=1

if you want to make it permanent edit your /etc/sysctl.conf and paste the following at the end:

hw.smt=1

notice: without rebooting you have once to enable it manually, after the fist reboot, it will be active

sysctl hw.smt=1

you can check that hyperthreating is active, with programs like top or htop

raise ulimit:

put the following into your

~/.profile
ulimit -d 4096*1024

If you haven't relogged, the command is not active yet. Raise ulimit for your active shell with:

ulimit -d 4096*1024

Compiling Pandoc

External links