QODS ec

Saturday, July 10, 2004

UNIX: OpenBSD - For Your Eyes Only

DistroWatch.com: Put the fun back into computing. Use Linux.

Introduction
Not a week goes by without a new computer security bulletin being issued. Most of the big publicity is given to Windows viruses, worms and Trojans, but take a peek under the sheets and you'll find that open source software is not immune to security compromises. The problem is particularly acute on servers, and diligent system administrators face an endless (and often thankless) task watching for security alerts and downloading the relevant patches as soon as these become available. Not surprisingly, a lot of sysadmins would kill for an operating system in which the code was carefully audited in advance so that vulnerabilities were squashed before they could be exploited. In the following article, we explore OpenBSD, an operating system built from the ground up with security in mind. Though not suitable for every taste, OpenBSD will no doubt save many system administrators gray hairs. Even for those not running a server, this is a very stable and powerful OS and you don't necessarily need to be paranoid (though it helps) to enjoy using it.

Content
• Only The Paranoid Survive
• OpenBSD - Like Wearing Suspenders Plus A Belt
• How Do They Do It?
• Obtaining OpenBSD
• Installation
• The Morning After
• X Windows
• Configuring PPP
• Configuring PPPoE
• The PF Firewall
• The Ports Collection
• Tips, Tricks and Hints
• It's Not Paranoia If They're Really Out To Get You

Review
Only The Paranoid Survive

As Benjamin Franklin once said, the only way for three people to keep a secret is if two of them are dead. While it's doubtful that Ben was referring to computer security, many PC users have lots of little secrets stored on their hard drives. Things such as credit card numbers, a personal address book, and perhaps a few naughty photos from the New Year's Eve party.

Unfortunately, the grim reality is that with most operating systems, "security" is just a slogan. The situation is made worse by the fact that not only is your current data just a password-hack away, but in many cases creative crackers can even recover the data that you deleted long ago! That's because when you hit the delete button, you are (usually) just deleting a file name but not the actual data itself. Furthermore, journaling file systems such as ext3 and ReiserFS preserve data, and ditto for the swap partition. Are you sure that those embarrassing letters from an "old flame" are gone for good, or might they come back to haunt you?

Maybe you think that there is nothing nasty on your hard drive that you need to keep secret. Perhaps, like me, you are morally pure as the driven snow. Nevertheless, there may be some sinister surprises lurking in all those ones and zeroes. What about all that spam you received with file attachments containing gif images of Paris Hilton's video, or the promised results of body-part enlargement drugs? You might delete that stuff without even looking at it, but you can rest assured that the Thought Police will still find it when they come and haul away your computer for forensic analysis.

Andy Grove - the former CEO of Intel Corporation - famously said "Only the paranoid survive." Though he was probably referring to business competitors rather than operating system security, devout paranoiacs such as myself have taken Andy's wise words to heart. Whether you fear overzealous Thought Police, script kiddies, data thieves, a nosy spouse, or other riffraff, the fact is that there are many nasty people out there who are determined to violate your sacred hard drive. If you value your privacy, not to mention your bank account, it behooves you to secure your computer against various lower life-forms whose intentions are less than honorable.

OpenBSD - Like Wearing Suspenders Plus A Belt

In a previous review I discussed the history and open-source philosophy of the BSDs. To briefly reiterate, there are three major "flavors" of BSD - FreeBSD, NetBSD and OpenBSD. FreeBSD is renowned for its high-performance networking capabilities, NetBSD is notable for its portability (runs on over 50 different platforms), while OpenBSD claims to be the world's most secure operating system.

Devout cynics will claim that a "secure network operating system" is an oxymoron. No matter how good you make it, somebody will find a way to break it. Nevertheless, the OpenBSD developers can claim (with considerable justification) that they've worked harder and longer than anyone else to make sure that their OS is secure. The record speaks for itself - in the nearly nine years of OpenBSD's existence, only one remote security hole in the default install has been discovered (and that hole was immediately closed).

Given this admirable record, why doesn't everybody immediately run out and install OpenBSD? After all, you can hardly beat the price (free download). Unfortunately, though OpenBSD is free, it does come with a cost. Running an ultra-secure operating system can be a bit of work, and OpenBSD doesn't expend much effort at being user-friendly. In other words, don't expect a point-and-click paradise - OpenBSD will exercise your Unix geek skills more than the typical Linux distro. Indeed, even FreeBSD (which is decidedly not for wimps) strives to be much less user-hostile. That having been said, if you've gained some experience at Unix-style system administration, OpenBSD is definitely worth a look.

How Do They Do It?

OpenBSD is the brainchild of 36-year-old Theo de Raadt, now based in Calgary, Canada (since 1977), but originally from South Africa. You can visit Theo's home page and see a photo of him. You can also read his December 2000 interview on Slashdot, and his (much better) November 2001 interview on KernelTrap.

Needless to say, OpenBSD is not a solo project. Working with Theo are about 15 core developers who do the lion's share of the work, plus another 50 active contributors (the exact number fluctuates). Software developers tend to be very opinionated, and the OpenBSD hierarchy deals with the inevitable personality conflicts by making Theo the "benign dictator" - Theo has the final word about what does and does not go into the operating system. As a result, you will rarely find OpenBSD being "indecisive", and most of the developers see this as a strength. This is in sharp contrast to some other open source projects where a core team of programmers tries to do things by consensus.

Aside from the daily routine of coding, there is also an annual "hackathon" (by invitation only) which typically attracts about 40 to 50 participants. Much of the action takes place in Theo's house which, by all accounts, is cluttered from floor-to-ceiling with a wide selection of computers. A new version of OpenBSD gets released twice a year, with target release dates of May 1 and November 1.

There are several important "ingredients" that help make OpenBSD secure. One is encryption, which is used whenever possible. The OpenBSD project created OpenSSH (as a free derivative of Tatu Ylonen's original ssh-1.2.12 when later releases of that original package became encumbered with a non-free license). OpenSSH has subsequently been ported to Linux and Windows and is now the standard for secure logins and file transfer. OpenSSH employs the Blowfish encryption algorithm, which has now been adopted as the OpenBSD logo (the previous logo was very similar to Beastie, the FreeBSD daemon, but with a halo around his head).

[Image: The old OpenBSD logo]

Though encryption is important, the real key to OpenBSD's success is "code auditing." Quite simply, this means the process of manually hunting down bugs in the source code. Not just bugs in the OpenBSD kernel or userland, but in essential third-party packages (such as the Apache web server). Cleaning up the coding mistakes of others is a time-consuming and endless task, but it pays big dividends. Aside from enhanced security, the code auditing seems to improve stability. I can truthfully say that I have not experienced a single crash since I installed OpenBSD.

Obtaining OpenBSD

There are two basic methods of obtaining OpenBSD - purchasing a set of CDs or doing an FTP install over the Internet.

With most free operating systems, it is possible to download ISO files and burn them to CD-Rs, but this is not the case with OpenBSD. The project depends on the sale of CDs (as well as T-shirts and posters) to pay the bills, therefore users are (strongly) encouraged to purchase the 3-CD sets at US$40. These can be ordered online - check the openbsd.org web site for details. Alternatively, you can order from BSD Mall or other authorized resellers. It should be mentioned that although you get three CDs in a set, you are unlikely to need more than two - the first CD supports i386 and VAX machines, the second is for MacPPC and AMD64 while the last is for Sparc and Sparc64.

A special note about CD No. 2 - it contains a file named song35.mp3 (or song35.ogg if you prefer). This is an entertaining parody of the Monty Python "cat license" skit, only in this case it's a "CARP license" (Common Address Redundancy Protocol). You can download this (and previous OpenBSD songs) from here. You can also obtain the lyrics. If you want to know more about the CARP issue, there's a good explanation here.

If you plan to do an FTP install, try to find a download mirror rather than the overburdened main OpenBSD web site. Those who FTP install OpenBSD, like it and continue to use it, are encouraged to support the project through purchases or donations (money and equipment both accepted).

Installation

Before attempting installation and post-install configuration, it would be wise to download and read through the OpenBSD FAQ. Largely thanks to this FAQ I probably needn't go into a detailed blow-by-blow description of the installation process. Nevertheless, there are a few important points to keep in mind:

1) OpenBSD (like the other BSDs) must be installed on a primary partition. On x86-based computers, you can create a maximum of four primary partitions on one hard drive (or three primary partitions and one extended partition). Do not attempt to install OpenBSD in the extended partition - it will not work.

2) All the BSDs use the term "slice" to refer to what Linux users call "partitions." Furthermore, using the OpenBSD "disklabel" command, you can (indeed, you must) create sub-partitions within the slice. The sub-partitions are simply referred to as "partitions," which is somewhat confusing for Linux users. Note that Linux does not (indeed, cannot) create sub-partitions within a primary partition - this is purely a BSD convention. But Linux can create numerous sub-partitions (called "logical" partitions) within the extended partition.

3) A lot of the printed documentation you'll find says that OpenBSD wants the root partition installed entirely in the first eight gigabytes of the hard drive. This effectively means that in a multi-boot setup, you'd want to install OpenBSD in the first slice of the hard drive. The good news is that this is no longer true - from version 3.5 onwards you can ignore this warning.

4) In the Linux world, ATA (IDE) hard drives are designated /dev/hda for the first one, /dev/hdb for the next, etc, while SCSI drives are /dev/sda, /dev/sdb, and so on. The OpenBSD equivalents are /dev/wd0, /dev/wd1, etc, and /dev/sd0, /dev/sd1. Sub-partitions are labeled like this: /dev/wd0a, /dev/wd0d, all the way up to /dev/wd0p. By convention, /dev/wd0a is the root partition, /dev/wd0b is swap, /dev/wd0c actually represents the entire hard disk (don't ever attempt to delete it!), and the others can be whatever you like. Linux users typically install a distro with just two partitions, / and swap, but this is actually a bad idea. Security is enhanced by creating separate partitions for /, swap, /home, /tmp, /usr and /var. It can be a tough call deciding how much space to allocate for each partition, so as a rough guide I offer below the output of "df -h" on my newly installed OpenBSD slice:

bob@sonic:/dev> df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 147M 87.3M 52.5M 62% /
/dev/wd0f 1.4G 281M 1.1G 20% /home
/dev/wd0d 489M 1006K 464M 0% /tmp
/dev/wd0g 3.5G 1.6G 1.8G 47% /usr
/dev/wd0e 489M 15.9M 449M 3% /var

As you can see, it's wise to leave a lot of empty space in the /usr partition, at least a few gigs.

5) The OpenBSD installer is pure text-mode, without the benefit of the relatively user-friendly ncurses text-menus that FreeBSD uses. Furthermore, the first part of the installation deals with creating partitions with the user-hostile "fdisk" program, followed by the even murkier "disklabel" trauma. Fdisk is a dangerous tool in the wrong hands and it can easily wipe out your existing partition table. Disklabel is somewhat less dangerous but its interface is even more opaque. Not surprisingly, fdisk plus disklabel is a terrifying operation for newbies and tends to scare off potential OpenBSD recruits. The only advice I can give about this is to back up your existing data before you start, read the OpenBSD FAQ, drink some coffee, take a cold shower, and then just plunge in. A final tip - fdisk tends to present you with more data than can fit on the screen, but you can use Shift-PgUp to scroll upwards.

Using fdisk and disklabel is about as much fun as having a root canal, but if you survive this the rest of the installation is safe and relatively straightforward. At the end of the installation, you'll be told to type "halt", remove the CD, and reboot (note that in OpenBSD you cannot reboot with ctrl-alt-del). If all goes well, you'll be rewarded with an OpenBSD login prompt and a warm fuzzy feeling.

The Morning After

The OpenBSD FAQ advises that after installation, you should read "man afterboot".

The basic installation is very lean and you'll almost certainly want to add some packages. The package collection consists of third-party software (KDE, Mozilla, Python, etc) that most Linux users will be familiar with. The OpenBSD 3.5 CD comes with 181 packages - for an i386 machine you'll find these in the CD directory 3.5/packages/i386. In order to gain access to these packages, first make a directory for mounting the CD drive and then go to the proper directory and install, like so:

mkdir /cdrom
mount /dev/cd0a /cdrom
cd /cdrom/3.5/packages/i386
pkg_add *.tgz

It should be noted that the pkg_add command resolves dependencies automatically. For more details about how the BSD packaging commands work, see the man pages for pkg_add, pkg_delete and pkg_info.

Due to space limitations on the CD-set, there are a lot of additional packages on the OpenBSD FTP site (and mirrors). You can take a look at the offerings here.

Probably the next thing you'll want to do is add a user with the "adduser" command. You might think that this would be the very first post-installation thing to do, but there is one good reason to install the above-mentioned packages first: OpenBSD's default shell for root is csh, and for users it's sh, but most Linux users prefer Bash. However, Bash will not be available to you until you've installed the packages, so you might as well do that first. You can always change a user's login shell with the "chsh" command. You can see which shells are available with the command "cat /etc/shells". For example, to change the shell for user "aardvark", do the following:

chsh -s /usr/local/bin/bash aardvark

If you want to use the Z Shell (zsh), you have to manually add a line to /etc/shells saying "/usr/local/bin/zsh".

At least one of your users should be invited into group "wheel" - this is required if that user wishes to run the "su" command to become root. As a security precaution, the OpenBSD folks advise you to never log in as root - using the su command is considered safer.


X Windows

If you wish to run OpenBSD as a desktop system, the next item on your agenda should be to install X. During the installation, you were asked a question, "Do you expect to run the X Window System?" Presumably, you answered "yes", but if you answered "no," you will have to edit file /etc/sysctl.conf and set the following parameter:

machdep.allowaperture=2

This enables X Windows to access the aperture driver. Never mind what the aperture driver is, just take it on faith that it needs to be accessible if you want to run X. This might be a good time to mention that if you DID NOT install the packages, the only two editors you will have at your disposal will be vi and mg (a lightweight emacs clone). If you did install the packages, additional editors on hand will include vim, emacs, nano and (once you have X running) kate.

There are two utilities available for configuring X, xf86cfg (which is a graphical configuration utility) and xf86config (text-mode) - most people prefer xf86cfg, but the choice is yours. Most graphics cards are supported, and if the configuration goes smoothly you should be able to start X Windows with the command "startx". Well, actually it won't start because by default /usr/X11R6/bin is not in the path (edit hidden file .profile in the directory of all users who need to run X, log out, log back in, and "startx" should work).

If you want to make the addition of /usr/X11R6/bin to the path automatic for all new users created in the future, edit also hidden file ".profile" in /etc/skel.

Configuring PPP

OpenBSD was built for networking, so there wouldn't be much point in running it if you aren't connected to the Internet.

If you are one of the deprived majority still stuck with a dial-up modem, the way to get online is with "user ppp". To set this up, first use your editor to create a file /etc/resolv.conf - the contents should look something like this:

domain seed.net.tw
nameserver 139.175.55.244
nameserver 139.175.252.16

What is all this "nameserver" stuff? This is DNS (domain name service) information which you should be able to get by calling your ISP's customer support number. Since the customer support folks are most familiar with Windows, they probably are used to the terms "primary DNS" and "secondary DNS" rather than "nameserver". It's a common practice to list two nameservers for each domain (in case one fails), but one is usually adequate.

The other major thing you have to do is create file /etc/ppp/ppp.conf (OpenBSD offers file /etc/ppp/ppp.conf.sample for your perusal).

Below is a copy of my file ppp.conf which you can cut and paste, but you'll have to edit six settings, listed here in the order they appear in the file:

1) MODEM_DEVICE_NAME
2) ANY_WORD
3) PHONE_NO
4) ISP_LOGIN_NAME
5) MY_PASSWORD
6) USER_NAME

Explanation:

1) MODEM_DEVICE_NAME - This should be either /dev/cua00 (the first serial port) or /dev/cua01 (the second serial port). These days few computers come with more than one serial port, so it's most likely you'll be using /dev/cua00.

2) ANY_WORD - Choose any word you like, "aardvark" would be fine. This is the name you are giving to this connection.

3) PHONE_NO - The phone number for dialing your ISP.

4) ISP_LOGIN_NAME - Could be joesixpack, or whatever.

5) MY_PASSWORD - The password you use to login at your ISP.

6) USER_NAME - Your user login name for this computer, NOT the name you use to login at the ISP. You can have more than one user name here, separated by spaces, for example: tom bob sally jane - in other words, all the users who are authorized to dial the modem.

#################################################################
# PPP Sample Configuration File
# Originally written by Toshiharu OHNO
# Simplified 5/14/1999 by wself@cdrom.com
#
# See /usr/share/examples/ppp/ for some examples
#
# $FreeBSD: src/etc/ppp/ppp.conf,v 1.8 2001/06/21 15:42:26 brian Exp $
#################################################################

default:
set log Phase Chat LCP IPCP CCP tun command
ident user-ppp VERSION (built COMPILATIONDATE)

# Ensure that "device" references the correct serial port
# for your modem. (cua00 = COM1, cua01 = COM2)
#
set device MODEM_DEVICE_NAME

set speed 115200
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
set timeout 600 # 10 minute idle timer (ppp's own default is 180 seconds, 3 minutes)
enable dns # request DNS info (for resolv.conf)

#
# replace the items in caps below with the name you chose for this
# connection and the values which have been assigned by your ISP.
#

ANY_WORD:
set phone PHONE_NO
set authname ISP_LOGIN_NAME
set authkey MY_PASSWORD

set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR # Add a (sticky) default route
allow users USER_NAME

#################################################################

In order to allow your users (tom bob sally jane) to dial the modem, they must be added to groups "dialer" and "network" (group "dialer" is needed for access to the serial ports, and group "network" is needed to be able to execute the "ppp" command). This is accomplished by editing file /etc/group (first back up the file - it's an important one).

network:*:69:tom,bob,sally,jane
dialer:*:117:tom,bob,sally,jane

Or if you don't want to risk messing up /etc/group, you could instead use the "usermod" command:

usermod -G dialer,network tom
usermod -G dialer,network bob
usermod -G dialer,network sally
usermod -G dialer,network jane

Any of the authorized users can dial the modem by typing the following on the command line:

ppp -background ANY_WORD

Of course, substitute the name you assigned in /etc/ppp/ppp.conf for ANY_WORD, so if it was "aardvark," then type:

ppp -background aardvark

You can hang up the modem by typing this:

kill -1 `cat /var/run/tun0.pid`

Of course, it's a bit awkward to type all that every time you want to dial or hang up. The best thing to do is put these two commands in script files, perhaps named "pppup" for dialing and "pppdown" for hanging up. Make those scripts executable with "chmod 755" and put them some place in the user's path.
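The two commands above folded into one script, added here as an example and not part of the original article: it refuses to dial while a link is already up and refuses to send SIGHUP when the pid file is stale, so "down" never signals an unrelated process. The label "aardvark" and the pid file /var/run/tun0.pid are taken from the article; the script name and the PPP_LABEL/PIDFILE variables are assumptions.

```shell
#!/bin/sh
# pppctl.sh: dial or hang up user-ppp (added example, not from the article).
# Usage: pppctl.sh up | down | status
# Assumptions (both from the article): the ppp.conf label is "aardvark"
# and user-ppp records its pid in /var/run/tun0.pid.
PPP_LABEL="${PPP_LABEL:-aardvark}"
PIDFILE="${PIDFILE:-/var/run/tun0.pid}"

# Print the pid recorded in the pid file (nothing if the file is missing).
ppp_pid() {
    if [ -r "$PIDFILE" ]; then
        cat "$PIDFILE"
    fi
}

# Succeed only if the recorded pid still belongs to a live process.
# A stale pid file left behind by a crash or a reboot therefore counts
# as "down", so "down" never sends SIGHUP to whatever reused that pid.
ppp_is_up() {
    pid=$(ppp_pid)
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Dial, unless a link is already up (dialing twice would tie up the modem
# and leave two ppp processes fighting over tun0).
ppp_up() {
    if ppp_is_up; then
        echo "ppp already running (pid $(ppp_pid))" >&2
        return 1
    fi
    ppp -background "$PPP_LABEL"
}

# Hang up: SIGHUP tells user-ppp to drop the line and exit. This is the
# article's kill -1 `cat /var/run/tun0.pid`, but only when the recorded
# process is really there.
ppp_down() {
    if ! ppp_is_up; then
        echo "ppp is not running" >&2
        return 1
    fi
    kill -1 "$(ppp_pid)"
}

ppp_status() {
    if ppp_is_up; then
        echo "up (pid $(ppp_pid))"
    else
        echo "down"
    fi
}

# Dispatch only when an action was given; with no arguments the file just
# defines the functions, so it can also be sourced from other scripts.
if [ $# -gt 0 ]; then
    case "$1" in
        up)     ppp_up ;;
        down)   ppp_down ;;
        status) ppp_status ;;
        *)      echo "usage: $0 up|down|status" >&2; exit 2 ;;
    esac
fi
```

Install it as /usr/local/bin/pppctl.sh (mode 755) and the "pppup"/"pppdown" scripts from the text become `pppctl.sh up` and `pppctl.sh down`.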

Configuring PPPoE

The instructions for setting up PPPoE are almost identical as the above procedure for PPP. Again, start out by creating /etc/resolv.conf, and then /etc/ppp/ppp.conf. The only difference will be in the content of /etc/ppp/ppp.conf. The specific differences are below:

1) For the line that says "set device", instead of specifying a MODEM_DEVICE_NAME like "/dev/cua00", you will need something like this:

set device PPPoE:vr0

The last part of this line ("vr0" in my case) is the name of the Ethernet port. In Linux, your first Ethernet port is called "eth0" but in BSD the name varies according to the chip set. Run the "ifconfig -a" (or "netstat -i") command to see what devices you have.

2) Comment out the modem-specific lines, that is the speed and the dial string:

set speed 115200
set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"


3) Comment out the line that says:

set phone PHONE_NO

4) A note about the line that says:

set authname ISP_LOGIN_NAME

The usual practice (but not engraved in stone) is that ISP's expect you to login with a name like "joesixpack" when you're dialing in with a modem, but "joesixpack@example.org" when using PPPoE.

5) Comment out the line that says...

set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0

...and change it to this:

set ifaddr 0 0

That ought to do it. Again, you start PPPoE with this command:

ppp -background aardvark

(Of course, substitute whatever word for "aardvark" you set in ppp.conf).

The PF Firewall

Originally, OpenBSD used Darren Reed's IPFilter as a firewall. However, in 2001 the license was changed, forbidding other developers from making modifications to the code. Restrictive software licenses of any kind are anathema to OpenBSD developers, and thus there was a mad scramble to find an alternative to IPFilter.

OpenBSD now uses Daniel Hartmeier's excellent PF ("packet filter") firewall. Aside from being free of licensing restrictions and patents, many geeks consider PF to be the best open source firewall around - it's so good that FreeBSD will also start using it with the next (version 5.3) release. In knowledgeable hands, PF can do some amazing things. One truly unique feature is "OS fingerprinting" which could be used, for example, to block all attempts by Windows users to access your server (that would be sweet revenge against all those web sites "Best viewed with Internet Explorer").


The only disappointing thing about PF is that there is not, as yet, a GUI utility for configuring it. Therefore, you must write the firewall rules with a text editor, a less-than-joyous task for the typical computer user. However, the good news is that PF's rules are actually human readable (at least compared to Linux's IPTABLES, or FreeBSD's IPFW). It does help a great deal that PF is well-documented and that the sample rules are heavily commented. You'd be well-advised to visit ftp://ftp.openbsd.org/pub/OpenBSD/doc and download the PF FAQ.

By default, firewall rules are stored in file /etc/pf.conf. This is a file you have to write yourself, but I will offer below, free of charge, a copy of mine (shamelessly ripped off from the PF man page). My rules were specifically designed for a client machine with a dial-up modem, and I have a small internal network (that is, a LAN). By way of explanation, my "ext_if" (external interface) is "tun0" - the dial-up modem. My "int_if" (internal interface) is "vr0" - my Ethernet card (use "ifconfig" to find out the name of your card). My "lan_net" (LAN) has static addresses, configured 192.168.0.0/24. If none of the above makes sense, you probably aren't quite ready for OpenBSD just yet.

So without further ado...

ext_if = "tun0"
int_if = "vr0"
lan_net = "192.168.0.0/24"

# scrub incoming packets
scrub in all

# setup a default deny policy
block in all
block out all

# pass traffic on the loopback interface in either direction
pass quick on lo0 all

# activate spoofing protection for the internal interface.
antispoof quick for $int_if inet

# only allow ssh connections from the local network if it's from the
# trusted computer, 192.168.0.3. use "block return" so that a TCP RST is
# sent to close blocked connections right away. use "quick" so that this
# rule is not overridden by the "pass" rules below.
block return in quick on $int_if proto tcp from ! 192.168.0.3 to $int_if port ssh flags S/SA

# pass all traffic to and from the local network
pass in on $int_if from $lan_net to any
pass out on $int_if from any to $lan_net

# pass tcp, udp, and icmp out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state


Once you've got these rules written, you need to enable the firewall. The first thing you must do is edit file /etc/sysctl.conf and uncomment the following two lines:

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

It will require a reboot for these settings to go into effect. (Note that these two sysctls turn on IP forwarding, which is only needed if this machine routes packets for other hosts on the LAN; PF itself filters perfectly well with forwarding left off, and a standalone client is better off without it.) Once you've rebooted, you can enable and disable PF on-the-fly like so:

pfctl -e
pfctl -d

If you want to see the rules, use the "show rules" option:

pfctl -sr

Once you are satisfied that your rules are working, you can set up OpenBSD so that PF's rules are started at boot time. You do this by editing file /etc/rc.conf and adding a line like this:

pf=YES

(Note: Actually, many experienced OpenBSD users suggest that you create a new file /etc/rc.conf.local and put your changes in there. These settings will override /etc/rc.conf and the advantage is that it will be easy for you to see at a glance what modifications you've made to the standard setup).
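A guarded way to carry out the pfctl steps above, added as an example and not code from the article or the PF project: it parses the ruleset with pfctl -n before loading it, then enables PF with a dead man's switch that runs "pfctl -d" after a timeout unless you cancel it, which saves you from locking yourself out when editing /etc/pf.conf over ssh. The pfctl path, the script name and the timeout are assumptions.

```shell
#!/bin/sh
# pfload.sh: check, load and enable a PF ruleset without locking yourself
# out (added example, not from the article or OpenBSD).
# Usage: pfload.sh [seconds]   (seconds until the switch fires; e.g. 60)
PFCTL="${PFCTL:-/sbin/pfctl}"     # assumed location of pfctl(8)
RULES="${RULES:-/etc/pf.conf}"    # the file the article has you write

# Parse only: "pfctl -nf" reports syntax errors with line numbers and
# changes nothing in the kernel.
pf_check() {
    "$PFCTL" -nf "$RULES"
}

# Load and enable the rules, then arm a dead man's switch: a background
# job disables PF after $1 seconds unless it is killed first. Prints the
# pid of that job so the operator can cancel it once ssh still works.
pf_load_guarded() {
    secs="${1:-60}"
    if ! pf_check >/dev/null 2>&1; then
        echo "ruleset rejected, run: $PFCTL -nf $RULES" >&2
        return 1
    fi
    "$PFCTL" -f "$RULES" || return 1
    "$PFCTL" -e >/dev/null 2>&1 || true      # "already enabled" is fine
    ( sleep "$secs" && "$PFCTL" -d ) >/dev/null 2>&1 &
    echo $!
}

# Typical session over ssh:
#   guard=$(sh pfload.sh 60)   # rules loaded, PF enabled, timer running
#   ...open a second ssh session to confirm you still get in...
#   kill "$guard"              # keep the rules; otherwise PF is disabled
if [ $# -gt 0 ]; then
    pf_load_guarded "$1"
fi
```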

The Ports Collection

The ports collection is just what the name implies - a collection of non-BSD software ported to BSD. The ports concept originated with FreeBSD and has been adopted by OpenBSD with various modifications. The OpenBSD ports collection (about 2500 ports) is smaller than FreeBSD's collection (about 10,000 ports), but you'll still find plenty of great toys here to play with.

The ports collection resides on your hard disk in the directory /usr/ports, but it's not there by default - you have to install it. To do this, put CD No. 3 in the drive and do the following:

mount /dev/cd0a /cdrom
tar -C /usr -zxvf /cdrom/ports.tar.gz

Now that you've got the ports collection installed, you might be wondering how it differs from "packages" (which we installed earlier). There are two major differences: packages are in binary format while ports are compiled from source. Another significant difference is that after you've installed the ports collection, you've still got to go online to download the actual source code (the ports collection is really just a set of instructions for downloading and compiling).

The best way to learn is by doing. Let's say we want to install the port "vomit". (There really is such a program, and fans of music trivia might recall that there used to be a Russian punk rock band named Vomit). First, you must be online, connected to the Internet. Next, as root, issue the following commands:

cd /usr/ports/security/vomit
make
make install
make clean

The "make" command will cause OpenBSD to download the source code tarball and compile it. Then "make install" will install the now compiled program. The last command, "make clean", is optional, but will get rid of unnecessary object files and thus free up some space on your hard disk.

Note: You don't actually need to be root to run the "make" command, but you will need root privileges for "make install" and "make clean". The ports system does understand the SUDO make variable, so you could also do the following (if you have sudo set up):

cd /usr/ports/security/vomit
make
make SUDO=sudo install clean

With over 2500 ports buried on your hard drive, it can be difficult to find them. For example, to find vomit:

cd /usr/ports
make search key=vomit

Tips, Tricks and Hints

For performance reasons, the swap partition is not encrypted by default. However, the ultra-paranoid will want to enable this feature. This can be done by root with the following command:

sysctl -w vm.swapencrypt.enable=1

That's fine until you reboot. If you'd like to preserve swap encryption during reboots, remove the comment sign from the line in /etc/sysctl.conf, which reads:

#vm.swapencrypt.enable=1


If you run the command "netstat -an | more", you'll be able to clearly see which ports are in a "listen" state. If you do this while in X, you'll see port 6000 (X Window server) in the output. Since there have been many X Window exploits in the past, you might want to close port 6000. Doing this will not kill X, but you won't be able to use X as a server (which for a typical user is no big deal).

The simplest way to close port 6000 is to edit /usr/X11R6/bin/startx. Search for the line that says this:

serverargs=""

and change it to say this:

serverargs="-nolisten tcp"

Next time you start X and run netstat, you should find that port 6000 is closed.
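A quick way to check the result of that change, added here as an example that is not part of the article: it filters "netstat -an" output down to the TCP ports in LISTEN state and reports whether 6000 is among them. The netstat sample inside the script is constructed to mimic OpenBSD's output format, not captured from a real machine; the script name is an assumption.

```shell
#!/bin/sh
# listenports.sh: show TCP ports in LISTEN state from "netstat -an" output
# (added example, not from the article).
#   netstat -an | sh listenports.sh stdin     # check a real machine
#   sh listenports.sh demo                    # run on the constructed sample

# OpenBSD's netstat prints the local address as "addr.port" ("*.6000",
# "127.0.0.1.587"), so the port is the last dot-separated field of column 4
# and the socket state is the last column. tcp6 lines match /^tcp/ as well.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
             n = split($4, a, "[.]")
             print a[n]
         }' | sort -n | uniq
}

# Succeed if port $1 is listening in the netstat output on stdin.
port_is_open() {
    listening_ports | grep -qx "$1"
}

# Read netstat output once, list the listeners and report on port 6000,
# the X server port the article tells you to close.
x_report() {
    data=$(cat)
    echo "listening TCP ports: $(printf '%s\n' "$data" | listening_ports | tr '\n' ' ')"
    if printf '%s\n' "$data" | port_is_open 6000; then
        echo "port 6000 open: X still listens on TCP, check serverargs in startx"
    else
        echo "port 6000 closed"
    fi
}

# Constructed sample laid out like OpenBSD's "netstat -an" (not real output).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.0.2.22         192.168.0.3.49152      ESTABLISHED
tcp        0      0  *.6000                 *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
udp        0      0  *.514                  *.*
Active UNIX domain sockets
Address    Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
0xd0a1b2c0 stream      0      0        0 0xd0a1b300        0        0 /tmp/.X11-unix/X0
EOF
}

case "${1:-}" in
    demo)  sample_netstat | x_report ;;
    stdin) x_report ;;
    *)     ;;    # no action: only define the functions (for sourcing or tests)
esac
```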


OpenBSD can mount Linux partitions that were formatted in the ext2 and ext3 file systems. It will mount ext3 as ext2 (that is, without journaling turned on), but that is perfectly OK. Once mounted, you can read and write the Linux partition, which can be useful for transferring data.

The only tricky part is figuring out the name that OpenBSD assigns to the Linux partition. Look in the /dev directory - you might still have to engage in some trial and error before you find the correct partition. On my machine, I figured out that the Linux partition known as /dev/hda5 is seen by OpenBSD as /dev/wd0j. I was able to mount it thus:

mkdir /shared
mount_ext2fs /dev/wd0j /shared

But there is a catch. Regarding mounting "foreign" file systems (such as ext2), if the foreign file system is on the disk BEFORE OpenBSD is installed, disklabel will assign a partition letter to it for you (and show you willingly if you ask). But if you add partitions later (as you might if you install Linux after OpenBSD) you will have to manually add these with the disklabel command.

One final caveat - mounting an ext3 partition as ext2 should only be done for CLEAN ext3 file systems. If the ext3 file system did not come down clean (that is, Linux crashed while it was mounted), its journal still holds updates that have not been applied to the disk. Mount it as ext2, modify stuff, then reboot under Linux and let it replay that journal over the top of your changes...OOPS! If in doubt, mount it read-only with "mount_ext2fs -o ro", which can't damage anything, and let Linux replay the journal before you write to the partition from OpenBSD.
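Since finding the partition letter is the part people get wrong, here is an added example of mine (not from the article or from OpenBSD) that reads "disklabel" output and prints the device node for every ext2fs partition it finds, ready to hand to mount_ext2fs. The disklabel output embedded below is constructed to look like that of a disk with two Linux partitions; it is not a real label.

```shell
#!/bin/sh
# Added example, not part of the original article or of OpenBSD.
# ext2fs_partitions DISK: read "disklabel DISK" output on stdin and print
# /dev/DISKx for every partition whose fstype column says ext2fs.
# Partition lines look like "  j:   20971440   13369167  ext2fs ..." so the
# letter is the first character of field 1 and the fstype is field 4.
ext2fs_partitions() {
    awk -v disk="$1" '
        /^[ \t]*[a-p]:/ && $4 == "ext2fs" {
            print "/dev/" disk substr($1, 1, 1)
        }'
}

# Constructed sample of "disklabel wd0" output (not a real label): OpenBSD
# on a, b and d, and two Linux partitions on i and j.
SAMPLE_DISKLABEL='# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: ST340016A
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 77545
total sectors: 78165360
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  a:        262080            63  4.2BSD   2048 16384   16 # Cyl     0*-   259
  b:        524160        262143    swap                   # Cyl   260 -   779
  c:      78165360             0  unused      0     0      # Cyl     0 - 77544
  d:       2097088        786303  4.2BSD   2048 16384   16 # Cyl   780 -  2860
  i:      10485776       2883391  ext2fs                   # Cyl  2861 - 13265
  j:      20971440      13369167  ext2fs                   # Cyl 13266 - 34071'

# On a live system replace the printf with:  disklabel wd0 | ext2fs_partitions wd0
printf '%s\n' "$SAMPLE_DISKLABEL" | ext2fs_partitions wd0
```

With the device names in hand, mount each one read-only first ("mount_ext2fs -o ro /dev/wd0j /shared"), check that it holds what you expect, and only then remount it read-write if the file system is known to be clean.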


When logging in as root, I'm always asked this question:

Terminal type? [vt220]

This gets tiresome after a while. The question comes from tset: giving it a terminal type prefixed with a question mark ("?vt220") tells it to ask you to confirm the type rather than just use it. The cure is as follows: if you log in with the C shell (csh), edit the hidden file /root/.login and comment out these two lines:

#set tterm='?'$TERM
#eval `tset -s -Q $tterm`

If you use the Bash shell (or any other shell that reads .profile), edit the file /root/.profile and comment out these three lines:

#if [ -x /usr/bin/tset ]; then
# eval `/usr/bin/tset -sQ \?$TERM`
#fi

If you'd rather keep tset's terminal initialization and lose only the question, drop the question mark instead: change \?$TERM to $TERM in .profile (and '?'$TERM to $TERM in .login).


Speaking of terminal type vt220, quite frankly it sucks. For one thing, it screws up Emacs (I'm unable to use the Alt key as an Emacs Meta key). Also, it will not allow me to install "most" as my pager (see the next tip). These problems can be solved by editing /etc/ttys and changing vt220 to pcvt25 on the lines for the virtual consoles ttyC0 through ttyC5. init only re-reads /etc/ttys at boot or when it is sent a hangup signal, so run "kill -HUP 1" (or reboot) for the change to take effect.

Next time I log in, my Alt key does the right thing in Emacs. By the way, in OpenBSD you switch between virtual terminals (ttyC0-ttyC5) with Ctrl-Alt-Fx, not Alt-Fx as in Linux.


In the previous tip, I mentioned the pager "most". Normally, you've got two pagers installed, "more" and "less". Pagers display files for you - for example, you could type "less filename.txt" to view the file. Pagers also are used to display man pages.

The pager "most" will display your man pages in beautiful color. You can install "most" from the ports collection (or, if you'd rather not compile it yourself, from the precompiled packages with pkg_add):

cd /usr/ports/misc/most
make
make install

Users who want to use "most" need to place one line in the hidden file .profile saying this:

PAGER=most

there also needs to be an export statement in .profile:

export PAGER

Log out and log back in - now your man pages will be displayed in beautiful colors.


I find the key rate setting (that is to say, the typematic delay and repeat rate: how long a held key waits before it starts repeating, and how fast it repeats once it does) feels a little too slow for my tastes, and I'd like to speed it up. That's true for both the console (text mode) and when using an Xterm in X Windows.

At the console, the solution:

Edit /etc/wsconsctl.conf, and try the following settings (del1 is the delay in milliseconds before a held key starts repeating, deln the delay in milliseconds between repeats; the file is applied at boot, or feed the same settings to wsconsctl to try them right away):

keyboard.repeat.del1=300   # delay before the first repeat
keyboard.repeat.deln=40    # delay between subsequent repeats

For X Windows, each user edits (or creates) the hidden file ~/.xinitrc in their home directory with this content:

xset r rate 400 40
exec startkde

(Note: in this example, it's assumed you're running KDE. The two numbers given to "xset r rate" are the delay before the first repeat in milliseconds and the number of repeats per second. The exec line must come last: when that program exits, startx shuts the X server down.)


When a program crashes (a rare occurrence in OpenBSD), the default behavior is to create a "core dump": the kernel writes the crashed process's memory image to a (usually very big) file in that process's current working directory. The file is named after the program with the extension "core" - for example, if Gimp crashes, you'll find a file named "gimp.core". Since it is a snapshot of everything the program had in memory, it can also contain whatever the program was working on, passwords and keys included, which is one more reason not to leave core files lying around.

Core dumps are useful for programmers trying to diagnose problems, but are pretty useless to the masses who just want to get work done. Any user of a Bourne-style shell (sh, ksh or bash) can disable them by editing the hidden file .profile and inserting a line that says the following:

ulimit -c 0


True paranoiacs might want to encrypt data by creating a virtual encrypted file system. Rather than explain this somewhat complex procedure myself, I'll refer readers to an excellent little how-to written by Kyle Amon. You can find that information here.


The "locate" command is damn useful for finding a lot of things. For it to work, first build the locate database by issuing the following command:

/usr/libexec/locate.updatedb

It's worth knowing that the locate database is re-populated every Saturday morning by the /etc/weekly script. However, that doesn't do squat for you if your machine is off or running another OS at that time. One caveat before you build it by hand: the database is readable by everyone, and the weekly script deliberately builds it as the unprivileged user nobody so that it lists only files that user can see. Build it as root and it will catalogue the name of every file on the system, including everything in other users' home directories, for anyone to search. If that bothers you, rebuild it by hand the same way /etc/weekly does it (the script is short and readable) rather than straight from a root shell.


In Linux, when you want to shut down and have the power turn off automatically, the command would be:

shutdown -h now

In OpenBSD, it's this:

shutdown -ph now

or you could use:

halt -p now

It's Not Paranoia If They're Really Out To Get You

The world owes a debt of gratitude to Theo and his crew for creating OpenBSD. Even if you personally never use this operating system, you will nevertheless benefit from its existence. The OpenSSH spin-off project has been a boon for the entire Internet community. And we can all probably sleep just a little bit better at night knowing that banks, universities, and government agencies are deploying OpenBSD, even if only as a firewall.

OpenBSD is secure, stable and fast. Though not the most user-friendly OS on the market, it's one of the most interesting. Many a geek has spent entertaining days, weeks and months playing with this marvelous tool, as their long-neglected spouses will attest. Note that not all computer widows/widowers consider this to be a hardship.

The first OpenBSD memento I ever saw was a T-shirt with a picture of a cop chasing a script kiddie. That image remained etched in my mind for well over a year before I finally got my hands on a copy of this fine OS. Now that I have it installed on my machine, I only wonder what took me so long.


The Daemon
Copyright Notice
Copyright (C) 2004 Robert Storey
Verbatim copying and distribution of this article is permitted in any medium, provided this copyright notice is preserved.
