Diffstat (limited to 'static/netbsd/man8/afterboot.8 4.html')
| -rw-r--r-- | static/netbsd/man8/afterboot.8 4.html | 795 |
1 files changed, 0 insertions, 795 deletions
diff --git a/static/netbsd/man8/afterboot.8 4.html b/static/netbsd/man8/afterboot.8 4.html deleted file mode 100644 index 870e185b..00000000 --- a/static/netbsd/man8/afterboot.8 4.html +++ /dev/null 
@@ -1,795 +0,0 @@ -<table class="head"> - <tr> - <td class="head-ltitle">AFTERBOOT(8)</td> - <td class="head-vol">System Manager's Manual</td> - <td class="head-rtitle">AFTERBOOT(8)</td> - </tr> -</table> -<div class="manual-text"> -<section class="Sh"> -<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> -<p class="Pp"><code class="Nm">afterboot</code> — <span class="Nd">things - to check after the first complete boot</span></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> -<section class="Ss"> -<h2 class="Ss" id="Starting_Out"><a class="permalink" href="#Starting_Out">Starting - Out</a></h2> -<p class="Pp">This document attempts to list items for the system administrator - to check and set up after the installation and first complete boot of the - system. The idea is to create a list of items that can be checked off so - that you have a warm fuzzy feeling that something obvious has not been - missed. A basic knowledge of <span class="Ux">UNIX</span> is assumed.</p> -<p class="Pp">Complete instructions for correcting and fixing items is not - provided. There are manual pages and other methodologies available for doing - that. For example, to view the man page for the <a class="Xr">ls(1)</a> - command, type:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">man 1 ls</code></pre> -</div> -<p class="Pp">Administrators will rapidly become more familiar with - <span class="Ux">NetBSD</span> if they get used to using the manual - pages.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Login"><a class="permalink" href="#Login">Login</a></h2> -<p class="Pp">On a fresh install with no other user accounts, login as - “<code class="Ic">root</code>”. You can do so on the console, - or over the network using <a class="Xr">ssh(1)</a>. 
If you have enabled the - SSH daemon (see <a class="Xr">sshd(8)</a>) and wish to allow root logins - over the network, edit the <span class="Pa">/etc/ssh/sshd_config</span> file - and set “PermitRootLogin” to “yes” (see - <a class="Xr">sshd_config(5)</a>). The default is to not permit root logins - over the network after fresh install in <span class="Ux">NetBSD</span>.</p> -<p class="Pp">Upon successful login on the console, you may see the message - “We recommend creating a non-root account...”. For security - reasons, it is bad practice to login as root during regular use and - maintenance of the system. In fact, the system will only let you login as - root on a secure terminal. By default, only the console is considered to be - a secure terminal. Instead, administrators are encouraged to add a - “regular” user, add said user to the “wheel” - group, then use the <a class="Xr">su(1)</a> command when root privileges are - required:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">useradd -G wheel -m myuser</code> -<code class="Ic">passwd myuser</code></pre> -</div> -</section> -<section class="Ss"> -<h2 class="Ss" id="Root_password"><a class="permalink" href="#Root_password">Root - password</a></h2> -<p class="Pp">Change the password for the root user. (Note that throughout the - documentation, the term “superuser” is a synonym for the root - user.) Choose a password that has numbers, digits, and special characters - (not space) as well as from the upper and lower case alphabet. Do not choose - any word in any language. It is common for an intruder to use dictionary - attacks. Type the command <code class="Ic">/usr/bin/passwd</code> to change - it.</p> -<p class="Pp">It is a good idea to always specify the full path name for both - the <a class="Xr">passwd(1)</a> and <a class="Xr">su(1)</a> commands as this - inhibits the possibility of files placed in your execution - <code class="Ev">PATH</code> for most shells. 
Furthermore, the superuser's - <code class="Ev">PATH</code> should never contain the current directory - (“.”).</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="System_date"><a class="permalink" href="#System_date">System - date</a></h2> -<p class="Pp">Check the system date with the <a class="Xr">date(1)</a> command. - If needed, change the date, and/or change the symbolic link of - <span class="Pa">/etc/localtime</span> to the correct time zone in the - <span class="Pa">/usr/share/zoneinfo</span> directory.</p> -<p class="Pp">Examples:</p> -<dl class="Bl-tag"> - <dt id="date"><a class="permalink" href="#date"><code class="Cm">date - 202010051820</code></a></dt> - <dd>Set the current date to October 5th, 2020 6:20pm.</dd> - <dt id="ln"><a class="permalink" href="#ln"><code class="Cm">ln -fs - /usr/share/zoneinfo/Europe/Helsinki /etc/localtime</code></a></dt> - <dd>Set the time zone to Eastern Europe Summer Time.</dd> -</dl> -</section> -<section class="Ss"> -<h2 class="Ss" id="Console_settings"><a class="permalink" href="#Console_settings">Console - settings</a></h2> -<p class="Pp">One of the first things you will likely need to do is to set up - your keyboard map (and maybe some other aspects about the system console). - To change your keyboard layout, edit the - “<var class="Va">encoding</var>” variable found in - <span class="Pa">/etc/wscons.conf</span>.</p> -<p class="Pp"><a class="Xr">wscons.conf(5)</a> contains more information about - this file.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Security_alerts"><a class="permalink" href="#Security_alerts">Security - alerts</a></h2> -<p class="Pp">All significant and easily fixed problems will be reported at - <a class="Lk" href="https://www.NetBSD.org/support/security/">the security - advisories web page</a>. 
It is recommended that you check this page - regularly.</p> -<p class="Pp">Additionally, you should set - “fetch_pkg_vulnerabilities=YES” in - <span class="Pa">/etc/daily.conf</span> to allow your system to - automatically update the local database of known vulnerable packages to the - latest version available on-line. The system will later check, on a daily - basis, if any of your installed packages are vulnerable based on the - contents of this database. See <a class="Xr">daily.conf(5)</a> and - <a class="Xr">security.conf(5)</a> for more details.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Entropy"><a class="permalink" href="#Entropy">Entropy</a></h2> -<p class="Pp">If your machine does not have a hardware random number generator, - it may not be safe to use on the internet until it has enough entropy to - generate unpredictable secrets for programs like web browsers and - <a class="Xr">ssh(1)</a>. You can use <a class="Xr">rndctl(8)</a> to list - the entropy sources with <code class="Ic">rndctl -l</code>, or save entropy - from another machine running <span class="Ux">NetBSD</span> with - <code class="Ic">rndctl -S</code> and load it on this one with - <code class="Ic">rndctl -L</code> (as long as there are no eavesdroppers on - the medium between the two machines). See <a class="Xr">entropy(7)</a> for - more details.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Check_hostname"><a class="permalink" href="#Check_hostname">Check - hostname</a></h2> -<p class="Pp">Use the <code class="Ic">hostname</code> command to verify that - the name of your machine is correct. See the man page for - <a class="Xr">hostname(1)</a> if it needs to be changed. You will also need - to change the contents of the “<var class="Va">hostname</var>” - variable in <span class="Pa">/etc/rc.conf</span> or edit the - <span class="Pa">/etc/myname</span> file to have it stick around for the - next reboot. 
Note that “<var class="Va">hostname</var>” is - supposed include a domainname, and that this should not be confused with YP - (NIS) <a class="Xr">domainname(1)</a>. If you are using - <a class="Xr">dhcpcd(8)</a> to configure network interfaces, it might - override these local hostname settings if your DHCP server specifies - client's hostname with other network configurations.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Verify_network_interface_configuration"><a class="permalink" href="#Verify_network_interface_configuration">Verify - network interface configuration</a></h2> -<p class="Pp">The first thing to do is an <code class="Ic">ifconfig -a</code> to - see if the network interfaces are properly configured. Correct by editing - <span class="Pa">/etc/ifconfig.</span><var class="Ar">interface</var> or the - corresponding - “<var class="Va">ifconfig_</var><var class="Ar">interface</var>” - variable in <a class="Xr">rc.conf(5)</a> (where - <var class="Ar">interface</var> is the interface name, e.g., - “le0”) and then using <a class="Xr">ifconfig(8)</a> to - manually configure it if you do not wish to reboot.</p> -<p class="Pp">Alternatively, many networks allow interfaces to be configured - automatically via DHCP. To get <a class="Xr">dhcpcd(8)</a> to start - automatically on boot, you will need to have this line in - <span class="Pa">/etc/rc.conf</span>:</p> -<p class="Pp"></p> -<div class="Bd Bd-indent"><code class="Li">dhcpcd=YES</code></div> -<p class="Pp">See <a class="Xr">dhcpcd(8)</a> and - <a class="Xr">dhcpcd.conf(5)</a> for more information on setting up a DHCP - client. For information on setting up Wi-Fi, see - <a class="Sx" href="#Wireless_networking">Wireless networking</a>.</p> -<p class="Pp">You can add new “virtual interfaces” by adding the - required entries to - <span class="Pa">/etc/ifconfig.</span><var class="Ar">interface</var>. 
Read - the <a class="Xr">ifconfig.if(5)</a> man page for more information on the - format of - <span class="Pa">/etc/ifconfig.</span><var class="Ar">interface</var> files. - The loopback interface will look something like:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972 - inet 127.0.0.1 netmask 0xff000000 - inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 - inet6 ::1 prefixlen 128</pre> -</div> -<p class="Pp">an Ethernet interface something like:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> - inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255 - inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1</pre> -</div> -<p class="Pp">and a PPP interface something like:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> - inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000</pre> -</div> -<p class="Pp">See <a class="Xr">mrouted(8)</a> for instructions on configuring - multicast routing.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Check_routing_tables"><a class="permalink" href="#Check_routing_tables">Check - routing tables</a></h2> -<p class="Pp">Issue a <code class="Ic">netstat -rn</code> command. 
The output - will look something like:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>Routing tables - -Internet: -Destination Gateway Flags Refs Use Mtu Interface -default 192.168.4.254 UGS 0 11098028 - le0 -127 127.0.0.1 UGRS 0 0 - lo0 -127.0.0.1 127.0.0.1 UH 3 24 - lo0 -192.168.4 link#1 UC 0 0 - le0 -192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0 -192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0 - -Internet6: -Destination Gateway Flags Refs Use Mtu Interface -::/96 ::1 UGRS 0 0 32972 lo0 => -::1 ::1 UH 4 0 32972 lo0 -::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0 -fc80::/10 ::1 UGRS 0 0 32972 lo0 -fe80::/10 ::1 UGRS 0 0 32972 lo0 -fe80::%le0/64 link#1 UC 0 0 1500 le0 -fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0 -ff01::/32 ::1 U 0 0 32972 lo0 -ff02::%le0/32 link#1 UC 0 0 1500 le0 -ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0</pre> -</div> -<p class="Pp">The default gateway address is stored in the - “<var class="Va">defaultroute</var>” variable in - <span class="Pa">/etc/rc.conf</span>, or in the file - <span class="Pa">/etc/mygate</span>. If you need to edit this file, a - painless way to reconfigure the network afterwards is to issue</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">service network restart</code></pre> -</div> -<p class="Pp">Or, you may prefer to manually configure using a series of - <code class="Ic">route add</code> and <code class="Ic">route delete</code> - commands (see <a class="Xr">route(8)</a>). 
If you run - <a class="Xr">dhcpcd(8)</a> you will have to kill it by running</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">service dhcpcd stop</code></pre> -</div> -<p class="Pp">before you flush the routes.</p> -<p class="Pp">If you wish to route packets between interfaces, add one or both - of the following directives (depending on whether IPv4 or IPv6 routing is - required) to <span class="Pa">/etc/sysctl.conf</span>:</p> -<p class="Pp"></p> -<div class="Bd Bd-indent"><code class="Li">net.inet.ip.forwarding=1</code></div> -<div class="Bd - Bd-indent"><code class="Li">net.inet6.ip6.forwarding=1</code></div> -<p class="Pp">As an alternative, compile a new kernel with the - “GATEWAY” option. Packets are not forwarded by default, due to - RFC requirements.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Device_nodes"><a class="permalink" href="#Device_nodes">Device - nodes</a></h2> -<p class="Pp">By default, nodes are created in <span class="Pa">/dev</span> for - a fairly typical number of devices.</p> -<p class="Pp">However, if this system has a large number of devices connected - (e.g. for large scale storage), you may want to enable - <a class="Xr">devpubd(8)</a> to ensure a sufficient number of nodes are - available. Set “<var class="Va">devpubd=YES</var>” in - <span class="Pa">/etc/rc.conf</span> to create nodes automatically during - system runtime. You can also run the node creation script by hand:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">cd /dev && sh MAKEDEV</code></pre> -</div> -</section> -<section class="Ss"> -<h2 class="Ss" id="Secure_Shell_(SSH)"><a class="permalink" href="#Secure_Shell_(SSH)">Secure - Shell (SSH)</a></h2> -<p class="Pp">By default, all services are disabled in a fresh - <span class="Ux">NetBSD</span> installation, and SSH is no exception. You - may wish to enable it so you can remotely control your system. 
Set - “<var class="Va">sshd=YES</var>” in - <span class="Pa">/etc/rc.conf</span> and then starting the server with the - command</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">service sshd start</code></pre> -</div> -<p class="Pp">The first time the server is started, it will generate a new - keypair, which will be stored inside the directory - <span class="Pa">/etc/ssh</span>.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Host_names_and_DNS"><a class="permalink" href="#Host_names_and_DNS">Host - names and DNS</a></h2> -<p class="Pp">The system resolves host names according the rules for hosts in - the name service switch configuration at - <span class="Pa">/etc/nsswitch.conf</span>. By default, it will query - <span class="Pa">/etc/hosts</span> first, and then the DNS resolver - specified in <span class="Pa">/etc/resolv.conf</span>.</p> -<p class="Pp">Multicast DNS and DNS Service Discovery are usually not enabled by - default on a fresh <span class="Ux">NetBSD</span> system, and can be enabled - by setting “mdnsd=YES” in - <span class="Pa">/etc/rc.conf</span>, and either rebooting or running the - following command:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">service mdnsd start</code></pre> -</div> -<p class="Pp">You may also wish to enable mdnsd as a source for host lookups in - <span class="Pa">/etc/nsswitch.conf</span>, see - <a class="Xr">nsswitch.conf(5)</a>.</p> -<p class="Pp">If your network does not have a usable DNS resolver, e.g. one - provided by DHCP, you can run a local caching recursive resolver by setting - “named=YES” in <span class="Pa">/etc/rc.conf</span> and either - rebooting or running the following command:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">service named start</code></pre> -</div> -<p class="Pp"><a class="Xr">named(8)</a> is configured in - <span class="Pa">/etc/named.conf</span> by default to run as a local caching - recursive resolver. 
Then, to make the system use it, put the following in - <span class="Pa">/etc/resolv.conf</span>:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>nameserver 127.0.0.1</pre> -</div> -</section> -<section class="Ss"> -<h2 class="Ss" id="Wireless_networking"><a class="permalink" href="#Wireless_networking">Wireless - networking</a></h2> -<p class="Pp">To configure the system to connect to a Wi-Fi network with a - password using WPA:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">wpa_passphrase networkname password >> /etc/wpa_supplicant.conf</code></pre> -</div> -<p class="Pp">To configure the system to connect to an open wireless network - with no password, edit <span class="Pa">/etc/wpa_supplicant.conf</span> - instead of using <a class="Xr">wpa_passphrase(8)</a>:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>network={ - ssid="Public-WiFi" - key_mgmt=NONE - priority=100 -}</pre> -</div> -<p class="Pp">Then bring up the interface and start the necessary daemons:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">ifconfig iwm0 up</code> -<code class="Ic">service wpa_supplicant onestart</code> -<code class="Ic">service dhcpcd onestart</code></pre> -</div> -<p class="Pp">To automatically connect at boot, add the following to - <span class="Pa">/etc/rc.conf</span>:</p> -<p class="Pp"></p> -<div class="Bd - Bd-indent"><code class="Li">ifconfig_iwm0="up"</code></div> -<div class="Bd Bd-indent"><code class="Li">dhcpcd=YES</code></div> -<div class="Bd Bd-indent"><code class="Li">wpa_supplicant=YES</code></div> -<p class="Pp">While using <a class="Xr">wpa_supplicant(8)</a>, you can easily - retrieve network scan results with <a class="Xr">wpa_cli(8)</a>:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">wpa_cli scan_results</code></pre> -</div> -<p class="Pp">Or trigger a rescan:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">wpa_cli scan</code></pre> -</div> -</section> -<section class="Ss"> -<h2 class="Ss" 
id="RPC-based_network_services"><a class="permalink" href="#RPC-based_network_services">RPC-based - network services</a></h2> -<p class="Pp">Several services depend on the RPC portmapper - <a class="Xr">rpcbind(8)</a> - formerly known as - <code class="Ic">portmap</code> - being running for proper operation. This - includes YP (NIS) and NFS exports, among other services. To get the RPC - portmapper to start automatically on boot, you will need to have this line - in <span class="Pa">/etc/rc.conf</span>:</p> -<p class="Pp"></p> -<div class="Bd Bd-indent"><code class="Li">rpcbind=YES</code></div> -</section> -<section class="Ss"> -<h2 class="Ss" id="YP_(Network_Information_Service)_Setup"><a class="permalink" href="#YP_(Network_Information_Service)_Setup">YP - (Network Information Service) Setup</a></h2> -<p class="Pp">Check the YP domain name with the <a class="Xr">domainname(1)</a> - command. If necessary, correct it by editing the - <span class="Pa">/etc/defaultdomain</span> file or by setting the - “<var class="Va">domainname</var>” variable in - <span class="Pa">/etc/rc.conf</span>. The - <span class="Pa">/etc/rc.d/network</span> script reads this file on bootup - to determine and set the domain name. You may also set the running system's - domain name with the <a class="Xr">domainname(1)</a> command. To start YP - client services, simply run <code class="Ic">ypbind</code>, then perform the - remaining YP activation as described in <a class="Xr">passwd(5)</a> and - <a class="Xr">group(5)</a>.</p> -<p class="Pp">In particular, to enable YP passwd support, you'll need to update - <span class="Pa">/etc/nsswitch.conf</span> to include “nis” - for the “passwd” and “group” entries. A - traditional way to accomplish the same thing is to add following entry to - local passwd database via <a class="Xr">vipw(8)</a>:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Li">+:*::::::::</code></pre> -</div> -<p class="Pp">Note this entry has to be the very last one. 
This traditional way - works with the default <a class="Xr">nsswitch.conf(5)</a> setting of - “passwd”, which is “compat”.</p> -<p class="Pp">There are many more YP man pages available to help you. You can - find more information by starting with <a class="Xr">nis(8)</a>.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Check_disk_mounts"><a class="permalink" href="#Check_disk_mounts">Check - disk mounts</a></h2> -<p class="Pp">Check that the disks are mounted correctly by comparing the - <span class="Pa">/etc/fstab</span> file against the output of the - <a class="Xr">mount(8)</a> and <a class="Xr">df(1)</a> commands. - Example:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Li">#</code> <code class="Ic">cat /etc/fstab</code> -/dev/sd0a / ffs rw 1 1 -/dev/sd0b none swap sw -/dev/sd0e /usr ffs rw 1 2 -/dev/sd0f /var ffs rw 1 3 -/dev/sd0g /tmp ffs rw 1 4 -/dev/sd0h /home ffs rw 1 5 - -<code class="Li">#</code> <code class="Ic">mount</code> -/dev/sd0a on / type ffs (local) -/dev/sd0e on /usr type ffs (local) -/dev/sd0f on /var type ffs (local) -/dev/sd0g on /tmp type ffs (local) -/dev/sd0h on /home type ffs (local) - -<code class="Li">#</code> <code class="Ic">df</code> -Filesystem 1024-blocks Used Avail Capacity Mounted on -/dev/sd0a 22311 14589 6606 69% / -/dev/sd0e 203399 150221 43008 78% /usr -/dev/sd0f 10447 682 9242 7% /var -/dev/sd0g 18823 2 17879 0% /tmp -/dev/sd0h 7519 5255 1888 74% /home - -<code class="Li">#</code> <code class="Ic">pstat -s</code> -Device 512-blocks Used Avail Capacity Priority -/dev/sd0b 131072 84656 46416 65% 0</pre> -</div> -<p class="Pp">Edit <span class="Pa">/etc/fstab</span> and use the - <a class="Xr">mount(8)</a> and <a class="Xr">umount(8)</a> commands as - appropriate. 
Refer to the above example and <a class="Xr">fstab(5)</a> for - information on the format of this file.</p> -<p class="Pp">You may wish to do NFS mounts now too, or you can do them - later.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Clock_synchronization"><a class="permalink" href="#Clock_synchronization">Clock - synchronization</a></h2> -<p class="Pp">In order to make sure the system clock is synchronized to that of - a publicly accessible NTP server, make sure that - <span class="Pa">/etc/rc.conf</span> contains the following:</p> -<p class="Pp"></p> -<div class="Bd Bd-indent"><code class="Li">ntpdate=YES</code></div> -<div class="Bd Bd-indent"><code class="Li">ntpd=YES</code></div> -<p class="Pp">See <a class="Xr">date(1)</a>, <a class="Xr">ntpdate(8)</a>, - <a class="Xr">ntpd(8)</a>, <a class="Xr">rdate(8)</a>, and - <a class="Xr">timed(8)</a> for more information on setting the system's - date.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Installing_packages"><a class="permalink" href="#Installing_packages">Installing - packages</a></h2> -<p class="Pp">The <span class="Ux">NetBSD</span> packages collection, pkgsrc, - includes a large set of third-party software. 
A lot of it is available as - binary packages that you can download from - <a class="Lk" href="https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/">https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/</a> - or a mirror.</p> -<p class="Pp">For most users, using pkgin to manage binary packages is - recommended.</p> -<p class="Pp">To install pkgin, if it was not done by the installer:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">PKG_PATH=https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/[...]</code> -<code class="Ic">export PKG_PATH</code> -<code class="Ic">pkg_add pkgin</code> -<code class="Ic">pkgin update</code> -<code class="Ic">pkgin install bash mpg123 fluxbox ...</code></pre> -</div> -<p class="Pp">See - <a class="Lk" href="https://www.pkgsrc.org/">https://www.pkgsrc.org/</a> and - <span class="Pa">pkgsrc/doc/pkgsrc.txt</span> for more details.</p> -</section> -</section> -<section class="Sh"> -<h1 class="Sh" id="CHANGING_/etc_FILES"><a class="permalink" href="#CHANGING_/etc_FILES">CHANGING - /etc FILES</a></h1> -<p class="Pp">The system should be usable now, but you may wish to do more - customizing, such as adding users, etc. Many of the following sections may - be skipped if you are not using that package (for example, skip the - <a class="Sx" href="#Kerberos">Kerberos</a> section if you won't be using - Kerberos). We suggest that you <code class="Ic">cd /etc</code> and edit most - of the files in that directory.</p> -<p class="Pp">Note that the <span class="Pa">/etc/motd</span> file is modified - by <span class="Pa">/etc/rc.d/motd</span> whenever the system is booted. 
To - keep any custom message intact, ensure that you leave two blank lines at the - top, or your message will be overwritten.</p> -<section class="Ss"> -<h2 class="Ss" id="Add_new_users"><a class="permalink" href="#Add_new_users">Add - new users</a></h2> -<p class="Pp">To add new users and groups, there are - <a class="Xr">useradd(8)</a> and <a class="Xr">groupadd(8)</a>; see also - <a class="Xr">user(8)</a> for further programs for user and group - manipulation. You may use <a class="Xr">vipw(8)</a> to add users to the - <span class="Pa">/etc/passwd</span> file and edit - <span class="Pa">/etc/group</span> by hand to add new groups. The manual - page for <a class="Xr">su(1)</a>, tells you to make sure to put people in - the ‘wheel’ group if they need root access (non-Kerberos). For - example:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>wheel:*:0:root,myself</pre> -</div> -<p class="Pp">Follow instructions for <a class="Xr">kerberos(8)</a> if using - Kerberos for authentication.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="System_boot_scripts_and_/etc/rc.local"><a class="permalink" href="#System_boot_scripts_and_/etc/rc.local">System - boot scripts and /etc/rc.local</a></h2> -<p class="Pp"><span class="Pa">/etc/rc</span> and the - <span class="Pa">/etc/rc.d/*</span> scripts are invoked at boot time after - single user mode has exited, and at shutdown. The whole process is - controlled by the master script <span class="Pa">/etc/rc</span>. This script - should not be changed by administrators.</p> -<p class="Pp">The directory <span class="Pa">/etc/rc.d</span> contains a series - of scripts used at startup/shutdown, called by - <span class="Pa">/etc/rc</span>. 
<span class="Pa">/etc/rc</span> is in turn - influenced by the configuration variables present in - <span class="Pa">/etc/rc.conf</span>.</p> -<p class="Pp">The script <span class="Pa">/etc/rc.local</span> is run as the - last thing during multiuser boot, and is provided to allow any other local - hooks necessary for the system.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="rc.conf"><a class="permalink" href="#rc.conf">rc.conf</a></h2> -<p class="Pp">To enable or disable various services on system startup, - corresponding entries can be made in <span class="Pa">/etc/rc.conf</span>. - You can take a look at <span class="Pa">/etc/defaults/rc.conf</span> to see - a list of default system variables, which you can override in - <span class="Pa">/etc/rc.conf</span>. Note you are - <a class="permalink" href="#not"><i class="Em" id="not">not</i></a> supposed - to change <span class="Pa">/etc/defaults/rc.conf</span> directly, edit only - <span class="Pa">/etc/rc.conf</span>. See <a class="Xr">rc.conf(5)</a> for - further information.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Automounter_daemon_(AMD)"><a class="permalink" href="#Automounter_daemon_(AMD)">Automounter - daemon (AMD)</a></h2> -<p class="Pp">To use the <a class="Xr">amd(8)</a> automounter, create the - <span class="Pa">/etc/amd</span> directory, copy example config files from - <span class="Pa">/usr/share/examples/amd</span> to - <span class="Pa">/etc/amd</span> and customize them as needed. - Alternatively, you can get your maps with YP.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Concatenated_disks_(ccd)"><a class="permalink" href="#Concatenated_disks_(ccd)">Concatenated - disks (ccd)</a></h2> -<p class="Pp">If you are using <a class="Xr">ccd(4)</a> concatenated disks, edit - <span class="Pa">/etc/ccd.conf</span>. You may wish to take a look to - <a class="Xr">ccdconfig(8)</a> for more information about this file. 
Use the - <code class="Ic">ccdconfig -U</code> command to unload and the - <code class="Ic">ccdconfig -C</code> command to create tables internal to - the kernel for the concatenated disks. You then <a class="Xr">mount(8)</a>, - <a class="Xr">umount(8)</a>, and edit <span class="Pa">/etc/fstab</span> as - needed.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="NetBSD_Packet_Filter"><a class="permalink" href="#NetBSD_Packet_Filter"><span class="Ux">NetBSD - Packet</span> Filter</a></h2> -<p class="Pp"><a class="Xr">npf(7)</a> is the default firewall used on - <span class="Ux">NetBSD</span>. You may wish to enable it if your machine is - connected directly to the internet. To do this, edit - <span class="Pa">/etc/npf.conf</span> and set “npf=YES” in - <span class="Pa">/etc/rc.conf</span>. Configuration examples for NPF can be - found in <span class="Pa">/usr/share/examples/npf</span>. Before installing - a configuration, you can validate it with <a class="Xr">npfctl(8)</a>.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="X_Display_Manager"><a class="permalink" href="#X_Display_Manager">X - Display Manager</a></h2> -<p class="Pp">If you've installed X, you may want to turn on - <a class="Xr">xdm(1)</a>, the X Display Manager. To do this, set - “xdm=YES” in <span class="Pa">/etc/rc.conf</span>.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Printers"><a class="permalink" href="#Printers">Printers</a></h2> -<p class="Pp">Edit <span class="Pa">/etc/printcap</span> and - <span class="Pa">/etc/hosts.lpd</span> to get any printers set up. 
Consult - <a class="Xr">lpd(8)</a> and <a class="Xr">printcap(5)</a> if needed.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Internet_Services_(inetd)"><a class="permalink" href="#Internet_Services_(inetd)">Internet - Services (inetd)</a></h2> -<p class="Pp">Various internet services can be enabled in - <span class="Pa">/etc/inetd.conf</span>, including - <a class="Xr">httpd(8)</a> and <a class="Xr">finger(1)</a>. Note that by - default all services are disabled for security reasons. Only add things that - are really needed.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Kerberos"><a class="permalink" href="#Kerberos">Kerberos</a></h2> -<p class="Pp">If you are going to use Kerberos for authentication, see - <a class="Xr">kerberos(8)</a> and “info heimdal” for more - information. If you already have a Kerberos master, change directory to - <span class="Pa">/etc/kerberosV</span> and configure. Remember to get a - <span class="Pa">srvtab</span> from the master so that the remote commands - work.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Mail_Aliases"><a class="permalink" href="#Mail_Aliases">Mail - Aliases</a></h2> -<p class="Pp">Check <span class="Pa">/etc/mail/aliases</span> and update - appropriately if you want e-mail to be routed to non-local addresses or to - different users.</p> -<p class="Pp">Run <a class="Xr">newaliases(1)</a> after changes.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Postfix"><a class="permalink" href="#Postfix">Postfix</a></h2> -<p class="Pp"><span class="Ux">NetBSD</span> uses Postfix as its Mail Transfer - Agent. Postfix is started by default, but its initial configuration does not - cause it to listen on the network for incoming connections. To configure - Postfix, see <span class="Pa">/etc/postfix/main.cf</span> and - <span class="Pa">/etc/postfix/master.cf</span>. 
If you wish to use a - different MTA (e.g., sendmail), install your MTA of choice and edit - <span class="Pa">/etc/mailer.conf</span> to point to the proper - binaries.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="DHCP_server"><a class="permalink" href="#DHCP_server">DHCP - server</a></h2> -<p class="Pp">If this is a DHCP server, edit - <span class="Pa">/etc/dhcpd.conf</span> and - <span class="Pa">/etc/dhcpd.interfaces</span> as needed. You will have to - make sure <span class="Pa">/etc/rc.conf</span> has “dhcpd=YES” - or run <a class="Xr">dhcpd(8)</a> manually.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Bootparam_server"><a class="permalink" href="#Bootparam_server">Bootparam - server</a></h2> -<p class="Pp">If this is a Bootparam server, edit - <span class="Pa">/etc/bootparams</span> as needed. You will have to turn it - on in <span class="Pa">/etc/rc.conf</span> by adding - “bootparamd=YES”.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="NFS_server"><a class="permalink" href="#NFS_server">NFS - server</a></h2> -<p class="Pp">If this is an NFS server, make sure - <span class="Pa">/etc/rc.conf</span> has:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>nfs_server=YES -mountd=YES -rpcbind=YES</pre> -</div> -<p class="Pp">Edit <span class="Pa">/etc/exports</span> and get it correct. - After this, you can start the server by issuing:</p> -<div class="Bd Pp Bd-indent Li"> -<pre><code class="Ic">service rpcbind start</code> -<code class="Ic">service mountd start</code> -<code class="Ic">service nfsd start</code></pre> -</div> -which will also start dependencies. -</section> -<section class="Ss"> -<h2 class="Ss" id="HP_remote_boot_server"><a class="permalink" href="#HP_remote_boot_server">HP - remote boot server</a></h2> -<p class="Pp">Edit <span class="Pa">/etc/rbootd.conf</span> if needed for remote - booting. 
If you do not have HP computers doing remote booting, do not enable - this.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Daily,_weekly,_monthly_scripts"><a class="permalink" href="#Daily,_weekly,_monthly_scripts">Daily, - weekly, monthly scripts</a></h2> -<p class="Pp">Look at and possibly edit the - <span class="Pa">/etc/daily.conf</span>, - <span class="Pa">/etc/weekly.conf</span>, and - <span class="Pa">/etc/monthly.conf</span> configuration files. You can check - which values you can set by looking to their matching files in - <span class="Pa">/etc/defaults</span>. Your site specific things should go - into <span class="Pa">/etc/daily.local</span>, - <span class="Pa">/etc/weekly.local</span>, and - <span class="Pa">/etc/monthly.local</span>.</p> -<p class="Pp">These scripts have been limited so as to keep the system running - without filling up disk space from normal running processes and database - updates. (You probably do not need to understand them.)</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Other_files_in_/etc"><a class="permalink" href="#Other_files_in_/etc">Other - files in /etc</a></h2> -<p class="Pp">Look at the other files in <span class="Pa">/etc</span> and edit - them as needed. (Do not edit files ending in <span class="Pa">.db</span> - — like <span class="Pa">pwd.db</span>, - <span class="Pa">spwd.db</span>, nor <span class="Pa">localtime</span>, nor - <span class="Pa">rmt</span>, nor any directories.)</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Crontab_(background_running_processes)"><a class="permalink" href="#Crontab_(background_running_processes)">Crontab - (background running processes)</a></h2> -<p class="Pp">Check what is running by typing <code class="Ic">crontab -l</code> - as root and see if anything unexpected is present. Do you need anything - else? Do you wish to change things? 
For example, if you do not like root - getting standard output of the daily scripts, and want only the security - scripts that are mailed internally, you can type <code class="Ic">crontab - -e</code> and change some of the lines to read:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out -30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out -30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out</pre> -</div> -<p class="Pp">See <a class="Xr">crontab(5)</a>.</p> -</section> -<section class="Ss"> -<h2 class="Ss" id="Next_day_cleanup"><a class="permalink" href="#Next_day_cleanup">Next - day cleanup</a></h2> -<p class="Pp">After the first night's security run, change ownerships and - permissions on files, directories, and devices; root should have received - mail with subject: "<hostname> daily insecurity output.". - This mail contains a set of security recommendations, presented as a list - looking like this:</p> -<div class="Bd Pp Bd-indent Li"> -<pre>var/mail: - permissions (0755, 0775) -etc/daily: - user (0, 3)</pre> -</div> -<p class="Pp">The best bet is to follow the advice in that list. The recommended - setting is the first item in parentheses, while the current setting is the - second one. This list is generated by <a class="Xr">mtree(8)</a> using - <span class="Pa">/etc/mtree/special</span>. Use <a class="Xr">chmod(1)</a>, - <a class="Xr">chgrp(1)</a>, and <a class="Xr">chown(8)</a> as needed.</p> -</section> -</section> -<section class="Sh"> -<h1 class="Sh" id="SYSTEM_TESTING"><a class="permalink" href="#SYSTEM_TESTING">SYSTEM - TESTING</a></h1> -<p class="Pp">At this point, the system should be fully configured to your - liking. It is now a good time to ensure that the system behaves according to - its specifications and that it is stable on your hardware. 
Please refer to - <a class="Xr">tests(7)</a> for details on how to do so.</p> -<p class="Pp">You can use <a class="Xr">ps(1)</a>, <a class="Xr">netstat(1)</a>, - and <a class="Xr">fstat(1)</a> to check on running processes, network - connections, and opened files, respectively. Other tools you may find useful - are <a class="Xr">systat(1)</a> and <a class="Xr">top(1)</a>.</p> -</section> -<section class="Sh"> -<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE - ALSO</a></h1> -<p class="Pp"><a class="Xr">chgrp(1)</a>, <a class="Xr">chmod(1)</a>, - <a class="Xr">config(1)</a>, <a class="Xr">crontab(1)</a>, - <a class="Xr">date(1)</a>, <a class="Xr">df(1)</a>, - <a class="Xr">domainname(1)</a>, <a class="Xr">fstat(1)</a>, - <a class="Xr">hostname(1)</a>, <a class="Xr">make(1)</a>, - <a class="Xr">man(1)</a>, <a class="Xr">netstat(1)</a>, - <a class="Xr">newaliases(1)</a>, <a class="Xr">passwd(1)</a>, - <a class="Xr">pkg_add(1)</a>, <a class="Xr">ps(1)</a>, - <a class="Xr">ssh(1)</a>, <a class="Xr">su(1)</a>, - <a class="Xr">systat(1)</a>, <a class="Xr">top(1)</a>, - <a class="Xr">xdm(1)</a>, <a class="Xr">ccd(4)</a>, - <a class="Xr">aliases(5)</a>, <a class="Xr">crontab(5)</a>, - <a class="Xr">dhcpcd.conf(5)</a>, <a class="Xr">exports(5)</a>, - <a class="Xr">fstab(5)</a>, <a class="Xr">group(5)</a>, - <a class="Xr">hosts(5)</a>, <a class="Xr">ifconfig.if(5)</a>, - <a class="Xr">mailer.conf(5)</a>, <a class="Xr">named.conf(5)</a>, - <a class="Xr">nsswitch.conf(5)</a>, <a class="Xr">passwd(5)</a>, - <a class="Xr">printcap(5)</a>, <a class="Xr">rc.conf(5)</a>, - <a class="Xr">resolv.conf(5)</a>, <a class="Xr">sshd_config(5)</a>, - <a class="Xr">wpa_supplicant.conf(5)</a>, <a class="Xr">wscons.conf(5)</a>, - <a class="Xr">hier(7)</a>, <a class="Xr">hostname(7)</a>, - <a class="Xr">pkgsrc(7)</a>, <a class="Xr">tests(7)</a>, - <a class="Xr">amd(8)</a>, <a class="Xr">ccdconfig(8)</a>, - <a class="Xr">chown(8)</a>, <a class="Xr">devpubd(8)</a>, - <a 
class="Xr">dhcpcd(8)</a>, <a class="Xr">dhcpd(8)</a>, - <a class="Xr">dmesg(8)</a>, <a class="Xr">groupadd(8)</a>, - <a class="Xr">ifconfig(8)</a>, <a class="Xr">inetd(8)</a>, - <a class="Xr">kerberos(8)</a>, <a class="Xr">lpd(8)</a>, - <a class="Xr">mdnsd(8)</a>, <a class="Xr">mount(8)</a>, - <a class="Xr">mrouted(8)</a>, <a class="Xr">mtree(8)</a>, - <a class="Xr">named(8)</a>, <a class="Xr">nis(8)</a>, - <a class="Xr">ntpd(8)</a>, <a class="Xr">ntpdate(8)</a>, - <a class="Xr">rbootd(8)</a>, <a class="Xr">rc(8)</a>, - <a class="Xr">rdate(8)</a>, <a class="Xr">rmt(8)</a>, - <a class="Xr">route(8)</a>, <a class="Xr">rpc.bootparamd(8)</a>, - <a class="Xr">rpcbind(8)</a>, <a class="Xr">sshd(8)</a>, - <a class="Xr">timed(8)</a>, <a class="Xr">umount(8)</a>, - <a class="Xr">useradd(8)</a>, <a class="Xr">vipw(8)</a>, - <a class="Xr">wpa_cli(8)</a>, <a class="Xr">wpa_supplicant(8)</a>, - <a class="Xr">yp(8)</a>, <a class="Xr">ypbind(8)</a></p> -</section> -<section class="Sh"> -<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> -<p class="Pp">This document first appeared in <span class="Ux">OpenBSD - 2.2</span>. It has been adapted to <span class="Ux">NetBSD</span> and first - appeared in <span class="Ux">NetBSD 2.0</span>.</p> -</section> -</div> -<table class="foot"> - <tr> - <td class="foot-date">June 4, 2021</td> - <td class="foot-os">NetBSD 10.1</td> - </tr> -</table> |
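Review bot: The deleted path `static/netbsd/man8/afterboot.8 4.html` has a space and a trailing ` 4` before the extension, which looks like a stray duplicate, but the diffstat lists only this one file (795 deletions), so the patch does not show that another copy of the page survives. Please confirm that an unsuffixed `afterboot.8.html` is still in the tree and say so in the commit message. The removed text is the post-install checklist, including the NPF section, the note that inetd services are disabled by default, and the "daily insecurity output" cleanup, and it should not disappear from the site by accident. Also check that nothing links to this path or to its permalink anchors such as `#NetBSD_Packet_Filter` and `#Next_day_cleanup`, since those links will break once the file is gone.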
