We are still actively working on the spam issue.
Difference between revisions of "OpenBSD"
m |
(Full dick encryption) |
||
Line 48: | Line 48: | ||
pkg_scripts="dnscrypt_proxy tor" | pkg_scripts="dnscrypt_proxy tor" | ||
The init scripts will load DNSCrypt first, passing to it the flags to choose DNS server and port, and then start Tor. | The init scripts will load DNSCrypt first, passing to it the flags to choose DNS server and port, and then start Tor. | ||
+ | === Full disk encryption === | ||
+ | Full disk encryption in OpenBSD is achieved through the use of <tt>softraid</tt>. | ||
+ | Boot up the OpenBSD install media and wait until you come to this prompt. | ||
+ | erase ^?, werase ^W, kill ^U, intr ^C, status ^T | ||
+ | Welcome to the OpenBSD/i386 5.8 installation program. | ||
+ | (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? | ||
+ | Choose <tt>s</tt> to drop into a root shell. If you do not have any other partitions that you need on your disk, initialise the MBR of the first SATA disk with this command: | ||
+ | # fdisk -iy sd0 | ||
+ | Now proceed to partition the disk into a swap partition on partition <tt>b</tt> and a larger partition on <tt>a</tt>, maybe like this: | ||
+ | > a b | ||
+ | offset: [whatever] | ||
+ | size: [whatever] 9G | ||
+ | FS type: [swap] | ||
+ | > a a | ||
+ | offset: [whatever] | ||
+ | size: [whatever] | ||
+ | FS type: [ffs] raid | ||
+ | > w | ||
+ | > q | ||
+ | ''Blank lines signify a blank line with enter typed.'' | ||
+ | Swap needn't be on the encrypted partition, as OpenBSD has encrypted swap by default for many years. | ||
+ | To initialise the RAID partition with a passphrase, type: | ||
+ | # bioctl -c C -l /dev/sd0a softraid0 | ||
+ | Passphrase: | ||
+ | Verify passphrase: | ||
+ | You should see a dmesg message showing that the encrypted partition was mounted to sd1. Exit the shell with <tt>^D</tt> or <tt>exit</tt> and when the installer asks you for your root disk, choose <tt>sd1</tt> instead. The OpenBSD bootloader transparently handles full disk encryption and will ask you for your passphrase when loading the kernel. | ||
[[Category:BSD]] | [[Category:BSD]] | ||
[[Category:Operating systems]] | [[Category:Operating systems]] |
Revision as of 04:58, 21 December 2015
OpenBSD is a free, multi-platform 4.4BSD based Unix-like operating system, part of the BSD family. The OpenBSD project's efforts emphasize portability, correctness, proactive security and integrated cryptography, although you probably already know this by now.
Contents
Licensing
The BSD operating systems are where the BSD licence originated from, allowing free reuse of code even in non-free software, with the requirement that the original contributors' attributions are retained. Some would argue that this means that non-free software developers can take the original software, improve it and not give back contributions to the free and open source software community.
you might live in a world without morals; I don't.
Henning Brauer
The original code will always stay as free as the original developer intended it to, and improvements on the code are often returned back in good will for the unrestricted use of the software in the first place.
As for the licensing state of OpenBSD itself, this author understands that most of the OpenBSD source inherited from BSD Net/2 and 4.4BSD-Lite stays under a traditional 3-clause BSD licence, with new programs from OpenBSD generally released under the simpler ISC licence. The only programs released under the GPL included with OpenBSD are the GNU toolchain (GCC, binutils, GDB).
How To
Set up the shell
pdksh, OpenBSD's default shell, only sources .profile out of the box. Add
export ENV="${HOME}/.kshrc"
to your .profile, and then add your interactive shell customisation to .kshrc. Programs like startx and other shells will inherit $ENV from the environment, so it will continue to be sourced in all shells in the session.
Privilege escalation
sudo, the privilege escalation tool used in many Linux distributions, was replaced by doas in OpenBSD 5.8, a far simpler implementation. To set it up, you need to edit /etc/doas.conf. This is an example doas.conf:
permit keepenv { PKG_PATH } :wheel as root permit nopass root
This allows all users in the wheel group to run commands as root and pass the environment variable $PKG_PATH which is used to specify a package repository as described below. If you added your user account with the OpenBSD installer, it should have added it to the wheel group already. It also allows root to run commands without a password for all users on the system.
Package management
OpenBSD package management turns out to be easier and simpler than many Linux distributions. Instead of a system-wide repository and downloading a repository database, the OpenBSD package utilities simply pull packages from a remote server (or an official CD) specified in the environment variable $PKG_PATH and installs them. Remote repositories can be any of the mirrors listed here. For this example, we will use the ftp.openbsd.org mirror, ran by Theo in Canada. Add this to your .profile (or your .kshrc as described above):
export PKG_PATH="ftp://ftp.openbsd.org/pub/OpenBSD/packages/5.8/amd64"
where 5.8 is your version number, amd64 is your architecture and the beginning of the string replaced with whatever mirror you chose. If you set up your doas.conf to pass $PKG_PATH to root, you can begin installing programs from your normal user account like so.
$ doas pkg_add irssi Password: quirks-2.114 signed on 2015-08-09T11:57:52Z Ambiguous: choose package for irssi a 0: <None> 1: irssi-0.8.16p0 2: irssi-0.8.16p0-socks Your choice: 1 irssi-0.8.16p0: ok
Read the package management article for more on how to use the OpenBSD package management system.
Init scripts
The OpenBSD init system is configured in /etc/rc.conf.local. It is advised that you only put used entries into rc.conf.local, however it is easier to simply copy rc.conf to rc.conf.local. Any system daemon can be enabled by setting it's _flags variable to blank or to pass flags to the daemon, and can be disabled by setting it to NO. Daemons from packages/ports are specified in the pkg_scripts variable. For example, here is a configuration for starting DNSCrypt and Tor as system daemons.
# rc.d(8) packages scripts # started in the specified order and stopped in reverse order dnscrypt_proxy_flags="-R dnscrypt.eu-dk -a 127.0.0.1:40" pkg_scripts="dnscrypt_proxy tor"
The init scripts will load DNSCrypt first, passing to it the flags to choose DNS server and port, and then start Tor.
Full disk encryption
Full disk encryption in OpenBSD is achieved through the use of softraid.
Boot up the OpenBSD install media and wait until you come to this prompt.
erase ^?, werase ^W, kill ^U, intr ^C, status ^T Welcome to the OpenBSD/i386 5.8 installation program. (I)nstall, (U)pgrade, (A)utoinstall or (S)hell?
Choose s to drop into a root shell. If you do not have any other partitions that you need on your disk, initialise the MBR of the first SATA disk with this command:
# fdisk -iy sd0
Now proceed to partition the disk into a swap partition on partition b and a larger partition on a, maybe like this:
> a b offset: [whatever] size: [whatever] 9G FS type: [swap] > a a offset: [whatever] size: [whatever] FS type: [ffs] raid > w > q
Blank lines signify a blank line with enter typed. Swap needn't be on the encrypted partition, as OpenBSD has encrypted swap by default for many years. To initialise the RAID partition with a passphrase, type:
# bioctl -c C -l /dev/sd0a softraid0 Passphrase: Verify passphrase:
You should see a dmesg message showing that the encrypted partition was mounted to sd1. Exit the shell with ^D or exit and when the installer asks you for your root disk, choose sd1 instead. The OpenBSD bootloader transparently handles full disk encryption and will ask you for your passphrase when loading the kernel.