OpenBSD

From Leo's Notes
Last edited on 3 May 2022, at 07:55.

OpenBSD is a UNIX-like operating system.


Package management

Packages are fetched from the mirror named in /etc/installurl (see installurl(5)); a mirror listing is at https://cdn.openbsd.org/pub/OpenBSD. pkg_add verifies the signify(1) signature on every package it installs, so a package that fails verification is refused rather than installed.

The common programs that you'll use to manage packages are:

Command      Description
pkg_add      install and upgrade packages
pkg_check    check the consistency of installed packages
pkg_delete   remove installed packages
pkg_info     display and search for information about packages

Common package tasks:

Task                                                             Command                 Example
Search the repository for a package                              pkg_info -Q <search>    pkg_info -Q unzip
Find out which package provides a file (like yum whatprovides)   pkglocate <file/path>   pkglocate vim
Install a new package                                            pkg_add <package>       pkg_add vim
Update a package and its dependencies                            pkg_add -u <package>    pkg_add -u vim
Remove a package                                                 pkg_delete <package>    pkg_delete vim
List all installed packages (like rpm -qa)                       pkg_info
List manually installed packages only, without version numbers   pkg_info -mz

pkglocate is not in base; it comes from the pkglocatedb package. pkg_info -mz prints only the packages you asked for (not their dependencies) in the form that pkg_add -l expects, so it is what you save to reinstall the same set of packages elsewhere.

Storage

Disk partitions

Disk partitions are handled differently on OpenBSD (and the other BSDs) compared to Linux. Recall that an MBR disk can have at most 4 primary partitions, with any additional partitions carved out of an extended partition. OpenBSD instead puts all of its partitions inside a single primary partition and subdivides it with a BSD disklabel.

The terms 'partition' and 'slice' both come up when dealing with storage on the BSDs. To be clear, they refer to the following:

  • A slice is an MBR primary partition, of which there can be at most 4 per disk. This is FreeBSD's term; OpenBSD's own documentation just says MBR partition.
  • A partition is a subdivision of the OpenBSD slice, defined in the disklabel.

In OpenBSD, we create a primary partition of type 0xA6 (the MBR partition type ID for OpenBSD) and then divide it up with the disklabel utility into the individual partitions that are visible on the system.

Partitions in OpenBSD are named with letters (wd0a, wd0b, ...), which differs from FreeBSD (which uses s# for slices, like ada0s1, ada0s2) and Linux (which uses numbers, like sda1, sda2). A disklabel has 16 slots (a to p), of which 15 are usable. For the disk containing the operating system, the first partition (a) must be the root partition the system boots from, and the second partition (b) is used for swap. The third partition (c) always covers the entire disk and never holds a filesystem. On a data disk any other letter is free to use, as the wd1d example below shows.

Creating disk partitions and disk labels

Primary partitions are created with OpenBSD's version of fdisk. fdisk handles both MBR and GPT disks, but the example below is for an MBR disk. Running fdisk on an MBR disk lists all four primary partition slots as shown below. To use a BSD disklabel, you have to create one primary partition with the OpenBSD partition type (0xA6). For more information, refer to the OpenBSD FAQ.

A blank MBR disk looks like the following:

# fdisk wd1
Disk: wd1       geometry: 1305/255/63 [20971520 Sectors]
Offset: 0       Signature: 0x0
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused

To create a new primary partition, open the disk with fdisk -e, edit one of the four entries with the edit command, and give it a type of A6, a starting offset and a size. Offsets and sizes can be given in units such as 1G for one gigabyte. You will typically want this partition to span the disk and then partition it further with a disklabel. The example below starts the partition at sector 0, which is fine for a data disk; on a boot disk accept fdisk's default instead (fdisk -i leaves the first 64 sectors free for the MBR and boot code). Nothing touches the disk until you run write (quit also saves on its way out, exit leaves without saving); the asterisk in the wd1*: prompt marks an unsaved table.

Each disk can have only one primary partition of the OpenBSD type. If you create more than one, fdisk warns when you try to write; if you continue anyway, disklabel uses the first OpenBSD partition.

## Create a new primary partition
# fdisk -e wd1
wd1*: 1> edit 3
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
Partition id ('0' to disable) [01 - FF]: [00] (? for help) A6
Do you wish to edit in CHS mode? [n]
Partition offset [0 - 20971519]: [0]
Partition size [1 - 20971520]: [1] 1G
wd1*: 1> print
Disk: wd1       geometry: 1305/255/63 [20971520 Sectors]
Offset: 0       Signature: 0x0
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: A6      0   0   1 -    130 138   8 [           0:     2097152 ] OpenBSD
wd1*: 1> write
wd1: 1> quit

With the OpenBSD partition created, you can then divide the space with the disklabel utility. Recall that on the boot disk the first partition (a) must be the root partition and the second (b) is swap. The third partition (c) always exists and spans the entire disk; leave it alone. disklabel -e hands you the raw label in a text editor, so take special care that your partitions do not overlap each other, because nothing stops you from writing a label where they do. disklabel -E is the built-in editor, which keeps track of free space for you and is the safer choice for hand layouts.

## Create a new disklabel partition
# disklabel -e wd1

## In the editor, add a new entry after 'c:'
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:         20971520                0  unused
  d:           102400                0  4.2BSD   2048 16384 12960

With wd1d defined now, we can then go ahead and create a new filesystem on wd1d using newfs.

# newfs wd1d
/dev/rwd1d: 50.0MB in 102400 sectors of 512 bytes
4 cylinder groups of 12.50MB, 800 blocks, 1600 inodes each
super-block backups (for fsck -b #) at:
 160, 25760, 51360, 76960,

We can then mount it. For a data disk, the nodev,nosuid mount options (and noexec where nothing needs to run from it) limit what a planted file can do; the NFS fstab line further down uses the same idea.

# mount /dev/wd1d /mnt
# mount
/dev/wd1d on /mnt type ffs (local)
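disklabel -e writes whatever label you give it, so here is a check to run on the output of disklabel <disk> before newfs. This is an added example, not code from the original page or from OpenBSD: it parses the partition lines, ignores c, and reports partitions that overlap each other or run past the end of the disk. The two labels embedded in it are constructed to look like the 20971520-sector wd1 above; the good one is a normal a/b/d layout, the bad one has d overlapping b and extending past the end.

```shell
#!/bin/sh
# Added example: sanity-check a disklabel before running newfs.
# Usage: disklabel wd1 | check_disklabel
# Exit status is non-zero if any partition overlaps another or extends
# past the end of the disk (taken from the size of the 'c' partition).
check_disklabel() {
    awk '
        # partition lines look like "  a:   <size>   <offset>  <fstype> ..."
        /^ *[a-p]: / {
            p = substr($1, 1, 1)
            size = $2 + 0; off = $3 + 0
            if (p == "c") { disk = size; next }   # c is the whole disk, not a real partition
            n++; name[n] = p; start[n] = off; end[n] = off + size
        }
        END {
            for (i = 1; i <= n; i++) {
                if (disk && end[i] > disk) {
                    printf "%s: extends past end of disk\n", name[i]; bad = 1
                }
                for (j = i + 1; j <= n; j++)
                    if (start[i] < end[j] && start[j] < end[i]) {
                        printf "%s overlaps %s\n", name[i], name[j]; bad = 1
                    }
            }
            if (!bad) print "ok"
            exit bad
        }'
}

# Constructed sample labels (not real disklabel output), shaped like wd1 above.
label_ok='16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          2097152               64  4.2BSD   2048 16384 12960 # /
  b:          1048576          2097216    swap
  c:         20971520                0  unused
  d:         17825728          3145792  4.2BSD   2048 16384 12960 # /home'

label_bad='16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:          2097152               64  4.2BSD   2048 16384 12960 # /
  b:          1048576          2097216    swap
  c:         20971520                0  unused
  d:         18000000          3000000  4.2BSD   2048 16384 12960 # /home'

printf '%s\n' "$label_ok" | check_disklabel
printf '%s\n' "$label_bad" | check_disklabel || echo "label_bad rejected (exit $?)"
```

The check only needs awk from base, so it also works from the bsd.rd shell. A partition whose end is exactly the start of the next one is allowed; the test is start[i] < end[j] && start[j] < end[i], the usual half-open interval overlap.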

Tasks

System update

To update an OpenBSD -release or -stable system, run:

# syspatch
# pkg_add -Uu
# sysmerge -d

syspatch applies the binary patches for the running release (it does not apply to -current); syspatch -c lists patches not yet installed, syspatch -l those already applied, and if a kernel patch was installed you need to reboot. pkg_add -u updates the installed packages, with -U also updating their dependencies as required. sysmerge -d only prints the differences between your /etc and the new defaults without changing anything; run sysmerge without -d to merge them.

Finding all available disks

There is no lsblk equivalent. The kernel's list of attached disks lives in the hw.disknames sysctl, so sysctl hw.disknames (or sysctl -a | grep -i disk, as below) shows them all:

# sysctl -a | grep -i disk
hw.disknames=wd0:94a4943e88c9a60f,wd1:,cd0:,fd0:
hw.diskcount=4
machdep.bios.diskinfo.128=bootdev = 0xa0000200, cylinders = 1023, heads = 255, sectors = 63
machdep.bios.diskinfo.129=bootdev = 0xa0010200, cylinders = 1023, heads = 255, sectors = 63

Each hw.disknames entry is the device name followed by the disklabel UID (DUID) of the label on that disk; an empty value, as for wd1 here, means the disk has no OpenBSD disklabel yet. DUIDs survive device renumbering and can be used in /etc/fstab in place of device names (e.g. 94a4943e88c9a60f.a for wd0a). dmesg shows what hardware each name attached to.

Disks are named wd* (ATA disks on legacy IDE controllers, wdc(4)/pciide(4)) or sd* (everything that attaches through the SCSI layer: SCSI and SAS disks, SATA disks on ahci(4) controllers, NVMe, USB storage via umass(4), hardware RAID volumes and softraid(4) volumes).

Disabling library ASLR

# rcctl disable library_aslr

This sets library_aslr=NO in /etc/rc.conf.local and stops /etc/rc from re-linking libc and the other randomised libraries in a fresh order at boot. That relink is a hardening feature (it makes library layout differ from machine to machine and boot to boot), so only disable it where the boot-time cost matters, such as very slow hardware; per-process ASLR and the kernel's own relink (KARL) are not affected by this knob.

Boot into system rescue

At the boot> prompt, run boot bsd.rd. When asked (I)nstall, (U)pgrade, (A)utoinstall or (S)hell?, choose S. The ramdisk shell has nothing mounted and almost no device nodes, so create the ones you need and mount the root filesystem yourself, e.g. cd /dev && sh MAKEDEV wd0, then fsck -p /dev/wd0a and mount /dev/wd0a /mnt.

Integrating with FreeIPA

There is no FreeIPA client for OpenBSD. You will need to set everything up manually and rely on the Kerberos and LDAP services underneath FreeIPA for authentication and identity.

OpenBSD also ships neither sssd nor Kerberos in base (Heimdal was removed from base in 5.6), so you'll have to use the Heimdal package for authentication and ypldap for identity. There is a guide that covers this at https://www.whatsmykarma.com/blog/?p=685

Setting up Kerberos

Set up Heimdal:

# pkg_add heimdal heimdal-libs login_krb5

The port installs under /usr/local/heimdal, so add its binaries to your PATH: PATH=$PATH:/usr/local/heimdal/bin.

Edit /etc/rc.conf.local to include shlib_dirs=/usr/local/heimdal/lib so that ldconfig picks up the Heimdal libraries at boot.

Edit /etc/heimdal/krb5.conf with your krb5 configuration. I copied this from my Linux clients and it looks like this (the commented-out pkinit_* paths are Linux paths that do not exist on the OpenBSD host):

# See krb5.conf(5) and the heimdal info(1) page for more information.

[libdefaults]
        # local realm(s)
        default_realm = HOME.STEAMR.COM

[realms]
  HOME.STEAMR.COM = {
    kdc = ipa.home.steamr.com:88
    master_kdc = ipa.home.steamr.com:88
    admin_server = ipa.home.steamr.com:749
    kpasswd_server = ipa.home.steamr.com:464
    default_domain = home.steamr.com
    # pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    # pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[kadmin]
        # default salt string
        default_keys = v5

[logging]
        # log to syslog(3)
        kdc = SYSLOG:INFO:DAEMON
        kpasswdd = SYSLOG:INFO:AUTH
        default = SYSLOG:INFO:DAEMON

At this point, kinit should now work. You should be able to get a ticket as a user.

# kinit leo
leo@HOME.STEAMR.COM's Password:

# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: leo@HOME.STEAMR.COM

  Issued                Expires               Principal
Apr 26 22:08:35 2022  Apr 27 21:09:39 2022  krbtgt/HOME.STEAMR.COM@HOME.STEAMR.COM

Set up the OpenBSD server to use Kerberos as an authentication mechanism. Edit /etc/login.conf and add :auth=-krb5-or-pwd:\ above tc=auth-defaults:\ in the default class. At this point, you should be able to authenticate as a user with your FreeIPA password, provided the account resolves on the local machine (from /etc/master.passwd for now, or via YP once the LDAP section below is done). Note what the or-pwd part means: if Kerberos authentication fails, login_krb5-or-pwd falls back to the local password, so a stale hash left in master.passwd remains a valid credential. Keep the local password field of Kerberos users set to * if only the FreeIPA password should work.

login_krb5-or-pwd needs a host keytab even though it only has to check a password (ipa-client-install provisions /etc/krb5.keytab for the same purpose on Linux, which is why you never had to do this there). After obtaining a TGT with the user's password it requests a ticket for host/<fqdn> and verifies it against the key in the keytab; without that step anyone able to impersonate the KDC on the network could log in with any password. Without the keytab you'll see this in /var/log/authlog whenever someone tries to log in: openbsd -krb5-or-pwd: verify: keytab /etc/heimdal/krb5.keytab open failed: No such file or directory. The host keytab has to be generated on the FreeIPA server and transferred to the OpenBSD host as /etc/heimdal/krb5.keytab:

  • On the FreeIPA server, add the host via the web UI or with ipa host-add openbsd.home.steamr.com.
  • On the FreeIPA server, run ipa-getkeytab -s ipa.home.steamr.com -p host/openbsd.home.steamr.com@HOME.STEAMR.COM -k output.keytab. This generates a new key for the principal, so any keytab fetched earlier for this host stops working. Alternatively, with kadmin: run kadmin -p admin, then ktadd -k /tmp/output.keytab host/openbsd.home.steamr.com@HOME.STEAMR.COM.
  • Copy the keytab to the OpenBSD server as /etc/heimdal/krb5.keytab over scp or another authenticated channel; it is equivalent to the host's password.
  • chown root:wheel /etc/heimdal/krb5.keytab and chmod 600 /etc/heimdal/krb5.keytab.
  • Check that Heimdal can read it: ktutil -k /etc/heimdal/krb5.keytab list.

LDAP

At this point, you could just manage the user accounts locally and call it a day. If you want your users and groups to come from LDAP, set up ypldap:

# cp /etc/examples/ypldap.conf /etc/ypldap.conf

Edit ypldap.conf, point the directory at your FreeIPA server and define a bind account. Two things to get right here: the bind account should be a dedicated read-only account rather than admin as in this example, and since its password sits in clear text in this file, keep the file root-owned and mode 600; and the connection defaults to plain LDAP on port 389, so use the ldaps or tls option on the directory line (see ypldap.conf(5) for the syntax on your release) or the bind password crosses the network in the clear. The basedn points at FreeIPA's compat tree, which is what presents users and groups with the RFC 2307 posixAccount/posixGroup attributes (including memberUid) that ypldap expects. It should look something like this:

# $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $

domain          "home.steamr.com"
interval        60
provide map     "passwd.byname"
provide map     "passwd.byuid"
provide map     "group.byname"
provide map     "group.bygid"
provide map     "netid.byname"

directory "ipa.home.steamr.com" {
        # directory options
        binddn "uid=admin,cn=users,cn=accounts,dc=home,dc=steamr,dc=com"
        bindcred "***************"
        basedn "cn=compat,dc=home,dc=steamr,dc=com"
        # starting point for groups directory search, default to basedn
        #groupdn "ou=Groups,dc=example,dc=com"

        # passwd maps configuration (RFC 2307 posixAccount object class)
        passwd filter "(objectClass=posixAccount)"

        attribute name maps to "uid"
        fixed attribute passwd "*"
        attribute uid maps to "uidNumber"
        attribute gid maps to "gidNumber"
        attribute gecos maps to "cn"
        attribute home maps to "homeDirectory"
        attribute shell maps to "loginShell"
        fixed attribute change "0"
        fixed attribute expire "0"
        fixed attribute class ""

        # group maps configuration (RFC 2307 posixGroup object class)
        group filter "(objectClass=posixGroup)"

        attribute groupname maps to "cn"
        fixed attribute grouppasswd "*"
        attribute groupgid maps to "gidNumber"
        # memberUid returns multiple group members
        list groupmembers maps to "memberUid"
}

Point the YP client at the local ypldap, and enable portmap, which ypbind and ypldap need because YP is an RPC service. YP services are reachable over the network unless pf blocks them, so block port 111 and the RPC ports from hosts other than this one; anyone who can reach them can bind to the domain and enumerate the passwd map (usernames, UIDs, home directories; no hashes, since the passwd attribute is fixed to * above).

# echo home.steamr.com > /etc/defaultdomain
# domainname home.steamr.com
# mkdir /etc/yp
# echo 127.0.0.1 > /etc/yp/home.steamr.com
# rcctl enable portmap
# rcctl start portmap

Enable YP lookups by adding the YP marker entry to the master passwd file and rebuilding the password database with pwd_mkdb, then add the equivalent marker to the group file:

# echo '+:*::::::::' >> /etc/master.passwd
# pwd_mkdb -p /etc/master.passwd
# echo '+:*::' >> /etc/group

Start the YP server and binding.

# rcctl enable ypldap
# rcctl start ypldap
# rcctl enable ypbind
# rcctl start ypbind

At this point, the ypldap server and the client should be running, and ypcat passwd or getent passwd <user> should return users from FreeIPA.

# ps aux | grep yp
_ypldap  27707  0.0  0.1   860  1864 ??  Sp     11:19PM    0:00.09 ypldap: parent (ypldap)
_ypldap  80759  0.0  0.1   908  1856 ??  Spc    11:19PM    0:00.04 ypldap: ldap client (ypldap)
_ypldap  56692  0.0  0.1   824  1740 ??  Sp     11:19PM    0:00.02 ypldap: dns engine (ypldap)

Mounting NFS

When trying to mount an export, I kept getting this:

# mount -t nfs dnas:/nas/home /mnt
NFS Portmap: RPC: Program not registered

Portmap on the server seemed to be working, but look closely at the nfs (100003) lines: the program is registered on tcp only, with no udp entry:

# rpcinfo -p dnas
   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100005    2   udp  20048  mountd
    100005    2   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100024    1   udp  45652  status
    100024    1   tcp  60213  status
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049
    100021    1   udp  60560  nlockmgr
    100021    3   udp  60560  nlockmgr
    100021    4   udp  60560  nlockmgr
    100021    1   tcp  44643  nlockmgr
    100021    3   tcp  44643  nlockmgr
    100021    4   tcp  44643  nlockmgr

OpenBSD's mount_nfs uses UDP unless told otherwise, and this server does not register nfs over UDP (recent Linux NFS servers disable UDP by default), hence "Program not registered". The fix is to force TCP:

# mount -t nfs -o tcp dnas:/nas/home /mnt
## or
# mount_nfs -T dnas:/nas/home /mnt

Add this to /etc/fstab to make it mount on startup:

dnas:/nas/home /home nfs rw,tcp,nodev,nosuid 0 0