OpenBSD
Latest revision as of 19:43, 21 May 2023
OpenBSD is a free, multi-platform 4.4BSD based Unix-like operating system, part of the BSD family. The OpenBSD project's efforts emphasize portability, correctness, proactive security and integrated cryptography, although you probably already know this by now.
Why?
Why might I want to use OpenBSD? Here are some reasons why:
- It's not Linux: OpenBSD can claim to be, for the most part, safe from many of the freedesktop.org cancers like systemd that are deservedly unpopular amongst Linux users. It also promotes portability, so that a program can run on more operating systems than just Linux (or OpenBSD for that matter).
- Stuck in the mud: OpenBSD tries to stick to being a faithful evolution of 4.4BSD-Lite, and instead of having Google Groups mailing lists and forums and wikis, OpenBSD has mailing lists with a blessed archive and a website that's straight out of the 90s.
- The right way: You may come to a point at one time or another where you may realise that choice is bad. Choice is bad, because it places us in a position where we must make a choice. Many things in OpenBSD have only one way of having it done and most of the time it is the best way of having it done. The example given is apmd - when enabled, it transparently manages CPU frequency and power states and handles suspend and hibernation seamlessly without any hassle.
- Sane defaults: OpenBSD doesn't do stupid shit and tries to do whatever you wanted it to do out of the box first time, instead of having to fiddle around with configuration; this has a security impact as well, since if you have to do it yourself you're more likely to fuck it up. Most, if not all daemons in the base system and even in ports and packages follow best practices like chroots, priv-drop and priv-sep by default.
- Integration: OpenBSD is developed in a single CVS tree (whine whine whine... they use C... V... S...), which means that the developers can work with a totally integrated codebase instead of having to accommodate bits and pieces from various projects that might not work together immediately and might even have upstreams that are hostile to each other, leading Linux distributions to heavily patch packages to get things working. Again, look at apmd, which works very well because the daemon and the kernel are developed concurrently and by the same group of developers.
- Proactive security: OpenBSD's policy is "don't do stupid shit". Doing the right thing with regards to security has led the project to a record of only two holes in the default installation in over 20 years. When upstream fucks up or licensing becomes a problem, the project takes it into their own hands to roll their own quality solution according to the mantra of "shut up and hack": OpenSSH, the preeminent SSH server and client implementation, was born out of the original SSH becoming non-free; LibreSSL came from years of shit coding standards, enmity with upstream and stupid vulnerabilities (Heartbleed being the one that pushed them over the edge) in OpenSSL.
- Networking software: OpenBSD has an extensive suite of networking software: the PF firewall, the relayd reverse proxy, the OpenSMTPD mail server, OpenBSD httpd, and appropriate routing daemons for most commonly used routing protocols.
Licensing
The BSD operating systems are where the BSD licence originated from, allowing free reuse of code even in non-free software, with the requirement that the original contributors' attributions are retained. Some would argue that this means that non-free software developers can take the original software, improve it and not give back contributions to the free and open source software community.
The original code will always stay as free as the original developer intended it to, and improvements on the code are often returned in good will for the unrestricted use of the software in the first place.
As for the licensing state of OpenBSD itself, most of the OpenBSD source inherited from BSD Net/2 and 4.4BSD-Lite stays under a traditional 3-clause BSD licence, while new programs from OpenBSD are generally released under the simpler ISC licence, which drops a clause made unnecessary by the Berne convention. The only GPL-licensed programs included with OpenBSD are the GNU toolchain (GCC, binutils, GDB).
Tips
The following sections assume you are using a relatively recent release of OpenBSD: the latest release, or at least one released within the last year.
Set up the shell
pdksh, OpenBSD's default shell, only sources .profile out of the box. Add
export ENV="${HOME}/.kshrc"
to your .profile, and then add your interactive shell customisation to .kshrc. Descendant shells will inherit $ENV from the environment, so it will continue to be sourced in all shells in the session, including those in an X session.
pdksh supports most of the $PS1 escapes from bash, so add
PS1="\W \$ "
to your .kshrc to show your current directory.
Privilege escalation
sudo, the privilege escalation tool used in many Linux distributions, was replaced in OpenBSD 5.8 by doas, a far smaller tool; the rationale being that most sudo users don't use 99% of its features, so a simpler and smaller tool was written instead.
To set doas up, you need to edit /etc/doas.conf. This is an example doas.conf:
permit :wheel as root
permit nopass root
You can check the syntax of the doas.conf like this:
# doas -C /etc/doas.conf
The first rule allows all users in the wheel group to run commands as root. If you added a user account with the OpenBSD installer, it will have added it to the wheel group already. The second rule allows root to run commands as any user on the system without a password.
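A quick way to convince yourself what a doas.conf actually grants before deploying it is to evaluate requests against it offline. The following is an added example in Python, not OpenBSD's doas code: it reads the doas.conf(5) rule format and resolves a request the way doas does, checking every rule in order and letting the last matching rule decide. The policy is the page's two rules plus a constructed narrow rule for a user "alice" (the user names, the group table and the rcctl rule are all assumptions for the demonstration); setenv blocks are not handled.

```python
"""Answer "would doas allow this?" from a doas.conf, offline.

Added illustration, not OpenBSD's doas code: a reader for the doas.conf(5)
rule format that resolves a request the way doas does, by checking every
rule in order and letting the LAST matching rule decide.  It covers the
grammar used on this page plus deny, persist, cmd and args; setenv is
not handled.  Names, groups and the extra rule are constructed.
"""
import shlex

# Constructed policy: the page's two rules plus one narrow rule for alice.
SAMPLE_CONF = """\
# members of wheel may become root, after typing their password
permit :wheel as root
# root may run anything as anyone without a password
permit nopass root
# alice may additionally restart httpd as root without a password
permit nopass alice as root cmd rcctl args restart httpd
"""

# Constructed group membership standing in for /etc/group.
SAMPLE_GROUPS = {"wheel": {"bob", "alice"}, "staff": {"carol"}}

OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

def parse_rules(text):
    """Turn doas.conf text into a list of rule dicts; comments are dropped."""
    rules = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words:
            continue
        action, words = words[0], words[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in rule: {line!r}")
        opts = set()
        while words and words[0] in OPTIONS:
            opts.add(words.pop(0))
        if not words:
            raise ValueError(f"rule without identity: {line!r}")
        rule = {"action": action, "opts": opts, "identity": words.pop(0),
                "target": None, "cmd": None, "args": None}
        while words:
            keyword = words.pop(0)
            if keyword == "as":
                rule["target"] = words.pop(0)
            elif keyword == "cmd":
                rule["cmd"] = words.pop(0)
            elif keyword == "args":
                rule["args"], words = words, []   # rest of line, may be empty
            else:
                raise ValueError(f"unexpected token {keyword!r} in: {line!r}")
        rules.append(rule)
    return rules

def identity_matches(identity, user, groups):
    """':name' means a group; anything else is a user name."""
    if identity.startswith(":"):
        return user in groups.get(identity[1:], set())
    return identity == user

def check(rules, user, target, cmd, args=(), groups=SAMPLE_GROUPS):
    """Return (allowed, password_required) for user running cmd+args as target.

    A rule with no 'as' matches any target, no 'cmd' matches any command,
    and 'args' must match exactly.  No matching rule means denied.
    """
    decision = (False, False)
    for rule in rules:
        if not identity_matches(rule["identity"], user, groups):
            continue
        if rule["target"] is not None and rule["target"] != target:
            continue
        if rule["cmd"] is not None and rule["cmd"] != cmd:
            continue
        if rule["args"] is not None and rule["args"] != list(args):
            continue
        allowed = rule["action"] == "permit"
        decision = (allowed, allowed and "nopass" not in rule["opts"])
    return decision

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for user, target, cmd, args in [
        ("bob", "root", "sh", ()),
        ("carol", "root", "sh", ()),
        ("root", "carol", "sh", ()),
        ("alice", "root", "rcctl", ("restart", "httpd")),
        ("alice", "root", "rcctl", ("stop", "httpd")),
    ]:
        allowed, needs_pw = check(rules, user, target, cmd, args)
        print(f"{user} -> {target}: {cmd} {' '.join(args)}: "
              f"{'permit' if allowed else 'deny'}"
              f"{' (password)' if needs_pw else ''}")
```

The last-match-wins behaviour is the thing to watch when editing a real doas.conf: a broad nopass rule placed after a narrow one silently widens it, which is why the page's password-requiring wheel rule comes first and the root-only nopass rule second.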
Setting up package management
Instead of downloading a repository database, the OpenBSD package utilities consult a remote mirror or local package store, specified either in /etc/pkg.conf or in the environment variable $PKG_PATH, for every request.
Remote repositories can be any of the mirrors listed at https://www.openbsd.org/ftp.html. For this example, we will use the ftp.openbsd.org mirror, run by Theo in Canada.
Add this to /etc/pkg.conf:
installpath = http://ftp.openbsd.org/pub/OpenBSD/packages/6.0/amd64
where 6.0 is your version number, amd64 is your architecture, and the beginning of the path is replaced with whatever mirror you chose. If you set up doas, you can begin installing programs from your normal user account like so:
$ doas pkg_add irssi
doas (me@machine.lan) password:
quirks-2.241 signed on 2016-07-26T16:56:10Z
Ambiguous: choose package for irssi
a 0: <None>
 1: irssi-0.8.19
 2: irssi-0.8.19-socks
Your choice: 1
irssi-0.8.19: ok
Read the package management article for more on how to use the OpenBSD package management system.
Init scripts
The OpenBSD init system is configured in the file /etc/rc.conf.local. It is advised that you only put used entries into rc.conf.local; however, it is easier to simply copy rc.conf to rc.conf.local and edit it there.
Any system daemon can be enabled by setting its _flags variable to an empty string, or to the flags you want passed to the daemon, and can be disabled by setting it to NO.
Daemons from packages/ports are specified in the pkg_scripts variable. For example, here is a configuration for starting DNSCrypt and Tor as system daemons:
# rc.d(8) packages scripts
# started in the specified order and stopped in reverse order
dnscrypt_proxy_flags="-R dnscrypt.eu-dk -a 127.0.0.1:40"
pkg_scripts="dnscrypt_proxy tor"
The init scripts will start DNSCrypt first, passing it the flags that choose the DNS server and listening port, and then start Tor.
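When auditing a box it helps to read back from rc.conf.local exactly what will run, in what order, and which entries contradict each other. The following Python is an added example, not OpenBSD's rc(8) or rcctl(8) code: it parses the two kinds of setting described above (per-daemon _flags and pkg_scripts) and also flags a package daemon that is listed in pkg_scripts but has its _flags set to NO, which rc.d(8) refuses to start unless forced. The sample file extends the page's configuration with constructed entries for sshd, ntpd, smtpd and a disabled tor.

```python
"""See what an rc.conf.local enables, and in which order package daemons run.

Added example, not OpenBSD's rc(8) or rcctl(8) code.  It reads the two
kinds of setting this page describes: <daemon>_flags (NO disables; an
empty string or a flag string enables and is passed to the daemon) and
pkg_scripts (package daemons, started in the listed order and stopped in
reverse).  It also reports a package daemon listed in pkg_scripts whose
own _flags is NO, which rc.d(8) refuses to start unless forced.  Only
rc.conf.local is read; base daemons not mentioned keep their rc.conf defaults.
"""
import shlex

# Constructed rc.conf.local: the page's two package daemons plus some
# base-system daemons, with tor and smtpd switched off.
SAMPLE_RC_CONF_LOCAL = """\
# rc.d(8) packages scripts
# started in the specified order and stopped in reverse order
dnscrypt_proxy_flags="-R dnscrypt.eu-dk -a 127.0.0.1:40"
pkg_scripts="dnscrypt_proxy tor"
tor_flags=NO
sshd_flags=
ntpd_flags="-s"
smtpd_flags=NO
"""

def parse_rc_conf(text):
    """Return {variable: value} for each shell-style assignment; comments skipped."""
    settings = {}
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words or "=" not in words[0]:
            continue
        name, value = words[0].split("=", 1)
        settings[name] = value
    return settings

def daemon_flags(settings):
    """Split *_flags settings into ({enabled daemon: flags}, [disabled daemons])."""
    enabled, disabled = {}, []
    for name, value in settings.items():
        if not name.endswith("_flags"):
            continue
        daemon = name[: -len("_flags")]
        if value == "NO":
            disabled.append(daemon)
        else:
            enabled[daemon] = value
    return enabled, disabled

def package_order(settings):
    """Return (start_order, stop_order) for the pkg_scripts list."""
    start = settings.get("pkg_scripts", "").split()
    return start, start[::-1]

def package_problems(settings):
    """Package scripts listed in pkg_scripts but disabled through *_flags=NO."""
    _, disabled = daemon_flags(settings)
    start, _ = package_order(settings)
    return [daemon for daemon in start if daemon in disabled]

if __name__ == "__main__":
    settings = parse_rc_conf(SAMPLE_RC_CONF_LOCAL)
    enabled, disabled = daemon_flags(settings)
    print("enabled:", enabled)
    print("disabled:", disabled)
    print("package start order:", package_order(settings)[0])
    print("package stop order: ", package_order(settings)[1])
    print("listed in pkg_scripts but disabled:", package_problems(settings))
```

On a real system, point parse_rc_conf at the contents of /etc/rc.conf.local; rcctl(8) is the supported way to change these settings, and this script is only for reading them back.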
Full disk encryption
Full disk encryption in OpenBSD is achieved through the use of softraid.
Starting with OpenBSD 7.3, the installer has an option for guided installation with full disk encryption.
Boot up the OpenBSD install media and wait until you come to this prompt:
erase ^?, werase ^W, kill ^U, intr ^C, status ^T
Welcome to the OpenBSD/amd64 6.0 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?
Choose s to drop into a root shell. If you do not have any other partitions that you need on your disk, initialise the MBR of the first SATA disk with this command:
# fdisk -iy sd0
You'll need to look at the wd? disks instead if your disk is IDE rather than SATA.
Now proceed to partition the disk and create a RAID type partition on a, perhaps like this:
> a a
offset: [whatever]
size: [whatever]
FS type: [4.2BSD] RAID
> w
> q
A blank response means pressing Enter to accept the default shown in brackets.
To initialise the RAID partition with a passphrase, type:
# bioctl -c C -r auto -l sd0a softraid0
Passphrase:
Verify passphrase:
-r auto is a surefire way to increase the iterations of the PBKDF2 key derivation function, which should increase its resilience against brute-forcing.
You should see a dmesg message showing that a new disk with your encrypted partition was attached to the system. Exit the shell with ^D or exit, enter the installer with i, and when the installer asks you for your root disk, choose that disk instead (if you type ?, the disk should be listed as SOFTRAID). The OpenBSD bootloader transparently handles full disk encryption and will ask you for your passphrase when loading the kernel.
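To see what the iteration count chosen by -r auto actually buys, it is worth measuring how per-guess cost scales with rounds. The following Python is an added illustration, not OpenBSD's softraid or bioctl code: it uses Python's PBKDF2-HMAC-SHA256 (the salt, passphrase and timing loop are constructed), so the absolute timings and the KDF details are not softraid's; only the scaling argument carries over. pick_rounds mimics the idea behind -r auto by raising the round count until one derivation takes a target time on the machine it runs on.

```python
"""What KDF rounds buy you: cost per passphrase guess scales with rounds.

Added illustration, not OpenBSD's softraid or bioctl code.  A softraid
crypto volume derives its disk key from the passphrase with an iterated
KDF whose round count bioctl -r sets; this block uses Python's
PBKDF2-HMAC-SHA256 to show the effect, so the absolute timings are not
softraid's, only the scaling is.
"""
import hashlib
import math
import time

# Constructed salt; softraid keeps its own salt in the volume metadata.
DEMO_SALT = bytes(range(16))

def derive(passphrase, salt, rounds, length=32):
    """Stretch passphrase into a length-byte key with `rounds` iterations."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, rounds, length)

def seconds_per_guess(rounds, samples=3):
    """Fastest of `samples` derivations at this round count (attacker's view)."""
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        derive("correct horse battery", DEMO_SALT, rounds)
        best = min(best, time.perf_counter() - start)
    return best

def pick_rounds(target_seconds, start=1000):
    """The idea behind -r auto: double the rounds until one derivation
    takes at least target_seconds on this machine."""
    rounds = start
    while seconds_per_guess(rounds) < target_seconds:
        rounds *= 2
    return rounds

def expected_crack_seconds(entropy_bits, secs_per_guess):
    """Expected brute-force time: on average half the keyspace is tried."""
    return (2 ** entropy_bits / 2) * secs_per_guess

if __name__ == "__main__":
    for rounds in (1_000, 10_000, 100_000):
        t = seconds_per_guess(rounds)
        # 40 bits is a little over three diceware-style words
        years = expected_crack_seconds(40, t) / (365 * 24 * 3600)
        print(f"{rounds:>7} rounds: {t * 1000:7.2f} ms/guess, "
              f"~{years:.1f} core-years to exhaust a 40-bit passphrase")
    print("rounds for ~0.2 s per guess on this machine:", pick_rounds(0.2))
```

Ten times the rounds costs you ten times the wait at boot, once, and costs an attacker ten times the work on every guess; the passphrase's entropy is still the dominant term, which is what the 40-bit line in the output shows.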
Performance Tweaks
Enable SMT (hyperthreading)
OpenBSD disables simultaneous multithreading by default because sibling threads share CPU resources in ways that enable side-channel attacks; enabling it trades that protection for throughput. If you want to enable hyperthreading temporarily, run:
doas sysctl hw.smt=1
If you want to make it permanent, edit /etc/sysctl.conf and add the following at the end:
hw.smt=1
Note: /etc/sysctl.conf is only applied at boot, so until the first reboot you still have to enable it manually once with:
sysctl hw.smt=1
You can check that hyperthreading is active with programs like top or htop.
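"Paste it at the end" works once; do it again later with a different value and /etc/sysctl.conf holds two conflicting lines, with the last one silently winning at boot. The following Python is an added example, not part of the page or of OpenBSD's sysctl(8): it sets a key=value line in a sysctl.conf-style file exactly once, updating an existing line in place and dropping duplicates, and reports what it did. The file path is whatever you pass it; it never runs sysctl itself, so the live setting still needs the sysctl command above.

```python
"""Set a sysctl persistently without leaving duplicate lines in sysctl.conf.

Added example, not part of the page or of OpenBSD's sysctl(8).  It
rewrites an existing key=value line in place (removing duplicates), or
appends one, and reports "unchanged", "updated" or "appended".  Point it
at a path of your choosing; it never runs sysctl itself.
"""
import re

def set_sysctl_line(text, key, value):
    """Return (new_text, action) with key=value present exactly once.

    Comment lines and other keys are left exactly as they were.
    """
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(.*?)\s*$")
    out, seen, changed = [], False, False
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            out.append(line)
            continue
        if seen:                      # duplicate of an earlier setting: drop it
            changed = True
            continue
        seen = True
        if m.group(1) == value:
            out.append(line)
        else:
            out.append(f"{key}={value}")
            changed = True
    if not seen:
        out.append(f"{key}={value}")
        action = "appended"
    else:
        action = "updated" if changed else "unchanged"
    return "\n".join(out) + "\n", action

def set_sysctl_in_file(path, key, value):
    """Apply set_sysctl_line to a file on disk, creating it if missing."""
    try:
        with open(path) as f:
            text = f.read()
    except FileNotFoundError:
        text = ""
    new_text, action = set_sysctl_line(text, key, value)
    if action != "unchanged":
        with open(path, "w") as f:
            f.write(new_text)
    return action

if __name__ == "__main__":
    import sys
    # usage (as root, e.g. via doas): python3 setsysctl.py /etc/sysctl.conf hw.smt 1
    if len(sys.argv) != 4:
        sys.exit("usage: setsysctl.py FILE KEY VALUE")
    print(set_sysctl_in_file(sys.argv[1], sys.argv[2], sys.argv[3]))
```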
Raise ulimit
Put the following into your ~/.profile:
ulimit -d 4096*1024
Until you log in again, the new limit is not active in your current shell. Raise it for the active shell with:
ulimit -d 4096*1024
Compiling Pandoc
- How to Compile Pandoc in OpenBSD 6.7
External links
- The OpenBSD FAQ (https://www.openbsd.org/faq). Read it.