OpenBSD
OpenBSD is a UNIX-like operating system.
Package management
See: https://cdn.openbsd.org/pub/OpenBSD
The common programs that you'll use to manage packages are:
Command | Description
---|---
`pkg_add` | installing and upgrading packages
`pkg_check` | checking the consistency of installed packages
`pkg_delete` | removing installed packages
`pkg_info` | display and search for information about packages
Common package tasks:
Task | Command | Example
---|---|---
Search for a package | `pkg_info -Q <search>` | `pkg_info -Q unzip`
Find out what package provides a specific file (like `yum whatprovides`) | `pkglocate <file/path>` | `pkglocate vim`
Install a new package | `pkg_add <package>` | `pkg_add vim`
Update a package and its dependencies | `pkg_add -u <package>` | `pkg_add -u vim`
Remove a package | `pkg_delete <package>` | `pkg_delete vim`
Get a list of packages installed on the system (like `rpm -qa`) | `pkg_info -mz` |
Storage
Disk partitions
Disk partitions are treated slightly differently on OpenBSD (or any other BSD, for that matter) compared to Linux. Recall that MBR disks can have only up to 4 primary partitions, and any additional partitions can only be made as extended partitions. In OpenBSD, partitions are generally created as subdivisions of one of the primary partitions using something called a BSD disklabel.
The terms 'partition' and 'slice' both come up when dealing with storage in BSD. To be clear, they refer to the following:
- A partition is a subdivision of a primary partition (a slice).
- A slice is a primary partition, of which there can only be a maximum of 4 per MBR disk.
In OpenBSD, we create a primary partition of type 0xA6 (the ID for the OpenBSD disklabel) and then partition this primary partition out using the disklabel utility into individual partitions that are visible on the system.
Partitions in OpenBSD are named with letters (such as wd0a, wd0b), which differs from FreeBSD (which uses s# like ada0s1, ada0s2) or Linux (which uses numbers like sda1, sda2). Up to 15 partitions can be created. For the disk containing the operating system, the first partition (a) must be the root partition from which the system is bootstrapped, and the second partition (b) should be used for swap. The third partition (c) overlaps the entire disk.
Creating disk partitions and disk labels
Primary partitions can be created using OpenBSD's version of fdisk. fdisk supports both MBR and GPT disks, but the example below is for an MBR disk. Running fdisk on an MBR disk will list all four primary partitions as shown below. To be able to use BSD disklabels, you will have to create a primary partition using OpenBSD's disklabel type (0xA6). For more info, refer to OpenBSD's FAQ.
A blank MBR disk looks like the following:
```
# fdisk wd1
Disk: wd1 geometry: 1305/255/63 [20971520 Sectors]
Offset: 0 Signature: 0x0
Starting Ending LBA Info:
#: id C H S - C H S [ start: size ]
-------------------------------------------------------------------------------
0: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
1: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
2: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
3: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
```
To create a new primary partition, edit one of the entries using the edit command and specify a starting offset and a size. Specify the type as 0xA6. The offset and size values can be given in other units, such as 1G for 1 gigabyte. You will typically want to make this partition span the entire disk and then partition it out further with a disklabel.
Each disk can only have one primary partition of the OpenBSD partition type. If you specify more than one, you'll get a warning from fdisk when you try to write. If you do continue, the first OpenBSD partition will be used by disklabel.
```
## Create a new primary partition
# fdisk -e wd1
wd1*: 1> edit 3
Starting Ending LBA Info:
#: id C H S - C H S [ start: size ]
-------------------------------------------------------------------------------
3: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
Partition id ('0' to disable) [01 - FF]: [00] (? for help) A6
Do you wish to edit in CHS mode? [n]
Partition offset [0 - 20971519]: [0]
Partition size [1 - 20971520]: [1] 1G
wd1*: 1> print
Disk: wd1 geometry: 1305/255/63 [20971520 Sectors]
Offset: 0 Signature: 0x0
Starting Ending LBA Info:
#: id C H S - C H S [ start: size ]
-------------------------------------------------------------------------------
0: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
1: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
2: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
3: A6 0 0 1 - 130 138 8 [ 0: 2097152 ] OpenBSD
```
With the OpenBSD partition created, you can then partition out the space with the disklabel utility. Recall that the first partition (a) must be the root partition from which the system is bootstrapped, and the second partition (b) should be used for swap. The third partition (c) always exists and should overlap the entire disk. Leave the 'c' partition alone. Take special care that your partitions do not overlap with each other, because nothing will stop you from doing so.
```
## Create a new secondary partition
# disklabel -e wd1
## In the editor, add a new entry after 'c:'
16 partitions:
# size offset fstype [fsize bsize cpg]
c: 20971520 0 unused
d: 102400 0 4.2BSD 2048 16384 12960
```
With wd1d defined, we can now create a new filesystem on wd1d using newfs.
```
# newfs wd1d
/dev/rwd1d: 50.0MB in 102400 sectors of 512 bytes
4 cylinder groups of 12.50MB, 800 blocks, 1600 inodes each
super-block backups (for fsck -b #) at:
160, 25760, 51360, 76960,
```
We can then mount.
```
# mount /dev/wd1d /mnt
# mount
/dev/wd1d on /mnt type ffs (local)
```
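A check for the overlap warning above, as an added example that is not from the original page: it parses the `size offset fstype` lines of disklabel(8) output (the listing format shown in the disklabel session) and reports any two partitions whose sector ranges overlap, or that extend past the `c` partition. The sample label is constructed; its `d:` entry is the one from the session and its `e:` entry is deliberately placed so that it overlaps `d`.

```sh
#!/bin/sh
# Added example, not from the original page: disklabel(8) will happily write
# overlapping partitions, so check a label listing for overlaps before newfs.

check_label() {
    # $1: file containing `disklabel wdN` output (sizes and offsets in sectors).
    # Prints each problem found; returns 1 if any, 0 if the label is clean.
    awk '
    # partition lines look like "  d:   102400    0  4.2BSD  2048 16384 12960"
    /^[ \t]*[a-p]:/ {
        name = substr($1, 1, 1); size = $2 + 0; off = $3 + 0
        if (name == "c") { disk = size; next }   # c spans the whole disk
        n++; nm[n] = name; st[n] = off; en[n] = off + size
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            if (disk && en[i] > disk) {
                printf "%s ends at sector %d, past the end of the disk (%d)\n", nm[i], en[i], disk
                bad = 1
            }
            for (j = i + 1; j <= n; j++)
                if (st[i] < en[j] && st[j] < en[i]) {
                    printf "overlap: %s [%d,%d) and %s [%d,%d)\n", nm[i], st[i], en[i], nm[j], st[j], en[j]
                    bad = 1
                }
        }
        exit bad
    }' "$1"
}

# Constructed sample label: d: is the entry from the session above, e: overlaps it.
sample_label() {
    cat <<'EOF'
16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:         20971520                0  unused
  d:           102400                0  4.2BSD   2048 16384 12960
  e:           204800            51200  4.2BSD   2048 16384 12960
EOF
}

# Usage: sample_label > /tmp/label && check_label /tmp/label
# On a real system: disklabel wd1 > /tmp/label && check_label /tmp/label
```

Run it against the saved output of `disklabel wd1` before running newfs; a non-zero exit means the label needs editing. The check only understands sector counts, which is what `disklabel` prints, not the `1g`-style sizes accepted by the editor.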
Tasks
System update
To update an OpenBSD system, run:
```
# syspatch
# pkg_add -Uu
# sysmerge -d
```
Finding all available disks
There is no utility similar to lsblk that does this. Rather, you can find all disks using `sysctl | grep disk`.
```
# sysctl -a | grep -i disk
hw.disknames=wd0:94a4943e88c9a60f,wd1:,cd0:,fd0:
hw.diskcount=4
machdep.bios.diskinfo.128=bootdev = 0xa0000200, cylinders = 1023, heads = 255, sectors = 63
machdep.bios.diskinfo.129=bootdev = 0xa0010200, cylinders = 1023, heads = 255, sectors = 63
```
Disks are named either wd* (IDE, SATA, flash devices) or sd* (SCSI devices, USB drives via the ahci interface, or disks via a RAID controller).
Disabling library ASLR
```
rcctl disable library_aslr
```
This turns off the boot-time re-linking of libc, libcrypto and ld.so that gives each boot a different library layout.
Boot into system rescue
Enter the boot shell and run `boot bsd.rd`. When given a prompt, select (S)hell.
Integrating with FreeIPA
There is no FreeIPA client for OpenBSD. You will need to set everything up manually and rely on the underlying Kerberos and OpenLDAP services for authentication.
Unfortunately, OpenBSD also doesn't come with sssd or MIT Kerberos. This means you'll have to rely on Heimdal Kerberos for authentication and YP LDAP for identity. There is a guide that covers this at: http://webcache.googleusercontent.com/search?q=cache:doxRDxKdvAoJ:https://www.whatsmykarma.com/blog/?p%3D685&hl=en&gl=ca&strip=1&vwsrc=0
Setting up Kerberos
Setup Heimdal
```
# pkg_add heimdal heimdal-libs login_krb5
```
Tweak your PATH to include the Heimdal binaries: `PATH=$PATH:/usr/local/heimdal/bin`.
Edit /etc/rc.conf.local to include `shlib_dirs=/usr/local/heimdal/lib`.
Edit /etc/heimdal/krb5.conf with your krb5 confs. I ripped this off from my Linux clients and it looks like this:
```
# See krb5.conf(5) and the heimdal info(1) page for more information.
[libdefaults]
# local realm(s)
default_realm = HOME.STEAMR.COM
[realms]
HOME.STEAMR.COM = {
kdc = ipa.home.steamr.com:88
master_kdc = ipa.home.steamr.com:88
admin_server = ipa.home.steamr.com:749
kpasswd_server = ipa.home.steamr.com:464
default_domain = home.steamr.com
# pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
# pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[kadmin]
# default salt string
default_keys = v5
[logging]
# log to syslog(3)
kdc = SYSLOG:INFO:DAEMON
kpasswdd = SYSLOG:INFO:AUTH
default = SYSLOG:INFO:DAEMON
```
At this point, kinit should now work. You should be able to get a ticket as a user.
```
# kinit leo
leo@HOME.STEAMR.COM's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: leo@HOME.STEAMR.COM
Issued Expires Principal
Apr 26 22:08:35 2022 Apr 27 21:09:39 2022 krbtgt/HOME.STEAMR.COM@HOME.STEAMR.COM
```
Set up the OpenBSD server to use Kerberos as an authentication mechanism. Edit /etc/login.conf and add `:auth=-krb5-or-pwd:\` above `tc=auth-defaults:\`. At this point, you should be able to authenticate as a user using your FreeIPA password, provided that the account exists on the local machine.
YP LDAP uses a host keytab file for some reason (this isn't required when using sssd on Linux). Without the host keytab file, you'll see this error in /var/log/authlog whenever someone tries to log in: `openbsd -krb5-or-pwd: verify: keytab /etc/heimdal/krb5.keytab open failed: No such file or directory`. The host keytab file will need to be generated on the FreeIPA server and transferred over to the OpenBSD host as /etc/heimdal/krb5.keytab.
- On the FreeIPA server, add the host via the web UI.
- On the FreeIPA server, run `ipa-getkeytab -s ipa.home.steamr.com -p host/openbsd.home.steamr.com@HOME.STEAMR.COM -k output.keytab`. If you want to do this manually, use kadmin: `kadmin -p admin`, then get the keytab file by running `ktadd -k /tmp/output.keytab host/openbsd.home.steamr.com@HOME.STEAMR.COM`.
- Copy that keytab file onto the OpenBSD server at /etc/heimdal/krb5.keytab, then run `chown root:wheel /etc/heimdal/krb5.keytab` and `chmod 600 /etc/heimdal/krb5.keytab`.
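A check for the last step above, as an added example that is not from the original page: it confirms the copied keytab has the ownership and mode the text asks for. The keytab holds the host's Kerberos key, so a world-readable copy hands that key to every local user. The function parses `ls -ld` rather than `stat`, since the `stat` flags differ between OpenBSD and Linux; the expected owner and group default to root:wheel and can be overridden for testing.

```sh
#!/bin/sh
# Added example, not from the original page: confirm a keytab is owned by
# root:wheel and is mode 0600 after copying it over.

check_keytab() {
    # $1: keytab path; $2/$3: expected owner/group (default root/wheel).
    # Prints what is wrong; returns 1 on any mismatch, 0 when the file is fine.
    path=$1; want_user=${2:-root}; want_group=${3:-wheel}
    if [ ! -f "$path" ]; then
        echo "$path: missing"
        return 1
    fi
    # ls -ld prints: mode links owner group size date... name
    set -- $(ls -ld "$path")
    mode=$1; user=$3; group=$4
    rc=0
    [ "$user" = "$want_user" ] || { echo "$path: owner is $user, want $want_user"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group is $group, want $want_group"; rc=1; }
    case "$mode" in
        -rw-------|-rw-------.) ;;   # trailing '.' is an SELinux context marker on Linux
        *) echo "$path: mode is $mode, want -rw------- (0600)"; rc=1 ;;
    esac
    return $rc
}

# Usage on the OpenBSD host from the text:
#   check_keytab /etc/heimdal/krb5.keytab && echo "keytab OK"
```

Run it after the chown/chmod step; any line of output names the property that still needs fixing.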
LDAP
At this point, you could just manage the user accounts locally and call it a day. If you want to make your users and groups appear using LDAP, you'll need to set up YP LDAP by doing the following:
```
# cp /etc/examples/ypldap.conf /etc/ypldap.conf
```
Edit the ypldap.conf file and change the directory to point to your FreeIPA server and define a bind account. It should look something like this:
```
# $OpenBSD: ypldap.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
domain "home.steamr.com"
interval 60
provide map "passwd.byname"
provide map "passwd.byuid"
provide map "group.byname"
provide map "group.bygid"
provide map "netid.byname"
directory "ipa.home.steamr.com" {
# directory options
binddn "uid=admin,cn=users,cn=accounts,dc=home,dc=steamr,dc=com"
bindcred "***************"
basedn "cn=compat,dc=home,dc=steamr,dc=com"
# starting point for groups directory search, default to basedn
#groupdn "ou=Groups,dc=example,dc=com"
# passwd maps configuration (RFC 2307 posixAccount object class)
passwd filter "(objectClass=posixAccount)"
attribute name maps to "uid"
fixed attribute passwd "*"
attribute uid maps to "uidNumber"
attribute gid maps to "gidNumber"
attribute gecos maps to "cn"
attribute home maps to "homeDirectory"
attribute shell maps to "loginShell"
fixed attribute change "0"
fixed attribute expire "0"
fixed attribute class ""
# group maps configuration (RFC 2307 posixGroup object class)
group filter "(objectClass=posixGroup)"
attribute groupname maps to "cn"
fixed attribute grouppasswd "*"
attribute groupgid maps to "gidNumber"
# memberUid returns multiple group members
list groupmembers maps to "memberUid"
}
```
You'll need to set up the YP LDAP client to point to itself. We then need to set up portmap, which is required by the YP LDAP client as it needs to make RPC calls to the server.
```
# echo home.steamr.com > /etc/defaultdomain
# domainname home.steamr.com
# mkdir /etc/yp
# echo 127.0.0.1 > /etc/yp/home.steamr.com
# rcctl enable portmap
# rcctl start portmap
```
Enable YP by tweaking the master passwd file to include YP maps and rebuild the passwd database with pwd_mkdb. Then enable YP mapping in the group file.
```
# echo '+:*::::::::' >> /etc/master.passwd
# pwd_mkdb -p /etc/master.passwd
# echo '+:*::' >> /etc/group
```
Start the YP server and binding.
```
# rcctl enable ypldap
# rcctl start ypldap
# rcctl enable ypbind
# rcctl start ypbind
```
At this point, you should be seeing the ypldap server and client running.
```
# ps aux | grep yp
_ypldap 27707 0.0 0.1 860 1864 ?? Sp 11:19PM 0:00.09 ypldap: parent (ypldap)
_ypldap 80759 0.0 0.1 908 1856 ?? Spc 11:19PM 0:00.04 ypldap: ldap client (ypldap)
_ypldap 56692 0.0 0.1 824 1740 ?? Sp 11:19PM 0:00.02 ypldap: dns engine (ypldap)
```
Mounting NFS
When trying to mount an export, I kept on getting this:
```
# mount -t nfs dnas:/nas/home /mnt
NFS Portmap: RPC: Program not registered
```
Portmap seems to be working:
```
# rpcinfo -p dnas
program vers proto port
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 20048 mountd
100005 1 tcp 20048 mountd
100005 2 udp 20048 mountd
100005 2 tcp 20048 mountd
100005 3 udp 20048 mountd
100005 3 tcp 20048 mountd
100024 1 udp 45652 status
100024 1 tcp 60213 status
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049
100021 1 udp 60560 nlockmgr
100021 3 udp 60560 nlockmgr
100021 4 udp 60560 nlockmgr
100021 1 tcp 44643 nlockmgr
100021 3 tcp 44643 nlockmgr
100021 4 tcp 44643 nlockmgr
```
The 'fix' was to force TCP as an option.
```
# mount -t nfs -o tcp dnas:/nas/home /mnt
## or
# mount_nfs -T dnas:/nas/home /mnt
```
Add this to /etc/fstab to make it mount on startup:
```
dnas:/nas/home /home nfs rw,tcp,nodev,nosuid 0 0
```