Diffstat (limited to 'static/netbsd/man8/afterboot.8')
-rw-r--r-- static/netbsd/man8/afterboot.8 1095
1 files changed, 1095 insertions, 0 deletions
diff --git a/static/netbsd/man8/afterboot.8 b/static/netbsd/man8/afterboot.8
new file mode 100644
index 00000000..b6bdb2d2
--- /dev/null
+++ b/static/netbsd/man8/afterboot.8
@@ -0,0 +1,1095 @@
+.\" $NetBSD: afterboot.8,v 1.83 2023/03/19 17:26:12 kre Exp $
+.\" $OpenBSD: afterboot.8,v 1.72 2002/02/22 02:02:33 miod Exp $
+.\"
+.\" Originally created by Marshall M. Midden -- 1997-10-20, m4@umn.edu
+.\" Adapted to NetBSD by Julio Merino -- 2002-05-10, jmmv@NetBSD.org
+.\"
+.\"
+.\" Copyright (c) 2002-2008 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\"
+.\" Copyright (c) 1997 Marshall M. Midden
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Marshall M. Midden.
+.\" 4. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd June 4, 2021
+.Dt AFTERBOOT 8
+.Os
+.Sh NAME
+.Nm afterboot
+.Nd things to check after the first complete boot
+.Sh DESCRIPTION
+.Ss Starting Out
+This document attempts to list items for the system administrator
+to check and set up after the installation and first complete boot of the
+system.
+The idea is to create a list of items that can be checked off so that you have
+a warm fuzzy feeling that something obvious has not been missed.
+A basic knowledge of
+.Ux
+is assumed.
+.Pp
+Complete instructions for correcting and fixing items is not provided.
+There are manual pages and other methodologies available for doing that.
+For example, to view the man page for the
+.Xr ls 1
+command, type:
+.Bd -literal -offset indent
+.Ic man 1 ls
+.Ed
+.Pp
+Administrators will rapidly become more familiar with
+.Nx
+if they get used to using the manual pages.
+.Ss Login
+On a fresh install with no other user accounts, login as
+.Dq Ic root .
+You can do so on the console, or over the network using
+.Xr ssh 1 .
+If you have enabled the SSH daemon (see
+.Xr sshd 8 )
+and wish to allow root logins over the network, edit the
+.Pa /etc/ssh/sshd_config
+file and set
+.Dq PermitRootLogin
+to
+.Dq yes
+(see
+.Xr sshd_config 5 ) .
+The default is to not permit root logins over the network
+after fresh install in
+.Nx .
+.Pp
+Upon successful login on the console, you may see the message
+.Dq We recommend creating a non-root account... .
+For security reasons, it is bad practice to login as root during
+regular use and maintenance of the system.
+In fact, the system will only let you login as root on a secure
+terminal.
+By default, only the console is considered to be a secure terminal.
+Instead, administrators are encouraged to add a
+.Dq regular
+user, add said user to the
+.Dq wheel
+group, then use the
+.Xr su 1
+command when root privileges are required:
+.Bd -literal -offset indent
+.Ic useradd -G wheel -m myuser
+.Ic passwd myuser
+.Ed
+.Ss Root password
+Change the password for the root user.
+(Note that throughout the documentation, the term
+.Dq superuser
+is a synonym for the root user.)
+Choose a password that has numbers, digits, and special characters (not space)
+as well as from the upper and lower case alphabet.
+Do not choose any word in any language.
+It is common for an intruder to use dictionary attacks.
+Type the command
+.Ic /usr/bin/passwd
+to change it.
+.Pp
+It is a good idea to always specify the full path name for both the
+.Xr passwd 1
+and
+.Xr su 1
+commands as this inhibits the possibility of files placed in your execution
+.Ev PATH
+for most shells.
+Furthermore, the superuser's
+.Ev PATH
+should never contain the current directory
+.Po Dq \&.
+.Pc .
+.Ss System date
+Check the system date with the
+.Xr date 1
+command.
+If needed, change the date, and/or change the symbolic link of
+.Pa /etc/localtime
+to the correct time zone in the
+.Pa /usr/share/zoneinfo
+directory.
+.Pp
+Examples:
+.Bl -tag -width date
+.It Cm date 202010051820
+Set the current date to October 5th, 2020 6:20pm.
+.It Cm ln -fs /usr/share/zoneinfo/Europe/Helsinki /etc/localtime
+Set the time zone to Eastern Europe Summer Time.
+.El
+.Ss Console settings
+One of the first things you will likely need to do is to set up your
+keyboard map (and maybe some other aspects about the system console).
+To change your keyboard layout, edit the
+.Dq Va encoding
+variable found in
+.Pa /etc/wscons.conf .
+.Pp
+.Xr wscons.conf 5
+contains more information about this file.
+.Ss Security alerts
+All significant and easily fixed problems will be reported at
+.Lk https://www.NetBSD.org/support/security/ the security advisories web page .
+It is recommended that you check this page regularly.
+.Pp
+Additionally, you should set
+.Dq fetch_pkg_vulnerabilities=YES
+in
+.Pa /etc/daily.conf
+to allow your system to automatically update the local database of known
+vulnerable packages to the latest version available on-line.
+The system will later check, on a daily basis, if any of your installed
+packages are vulnerable based on the contents of this database.
+See
+.Xr daily.conf 5
+and
+.Xr security.conf 5
+for more details.
+.Ss Entropy
+If your machine does not have a hardware random number generator, it
+may not be safe to use on the internet until it has enough entropy to
+generate unpredictable secrets for programs like web browsers and
+.Xr ssh 1 .
+You can use
+.Xr rndctl 8
+to list the entropy sources with
+.Ic rndctl -l ,
+or save entropy from another machine running
+.Nx
+with
+.Ic rndctl -S
+and load it on this one with
+.Ic rndctl -L
+(as long as there are no eavesdroppers on the medium between the two
+machines).
+See
+.Xr entropy 7
+for more details.
+.Ss Check hostname
+Use the
+.Ic hostname
+command to verify that the name of your machine is correct.
+See the man page for
+.Xr hostname 1
+if it needs to be changed.
+You will also need to change the contents of the
+.Dq Va hostname
+variable in
+.Pa /etc/rc.conf
+or edit the
+.Pa /etc/myname
+file to have it stick around for the next reboot.
+Note that
+.Dq Va hostname
+is supposed include a domainname, and that this should
+not be confused with YP (NIS)
+.Xr domainname 1 .
+If you are using
+.Xr dhcpcd 8
+to configure network interfaces, it might override these local hostname
+settings if your DHCP server specifies client's hostname with other network
+configurations.
+.Ss Verify network interface configuration
+The first thing to do is an
+.Ic ifconfig -a
+to see if the network interfaces are properly configured.
+Correct by editing
+.Pa /etc/ifconfig. Ns Ar interface
+or the corresponding
+.Dq Va ifconfig_ Ns Ar interface
+variable in
+.Xr rc.conf 5
+(where
+.Ar interface
+is the interface name, e.g.,
+.Dq le0 )
+and then using
+.Xr ifconfig 8
+to manually configure it
+if you do not wish to reboot.
+.Pp
+Alternatively, many networks allow interfaces to be configured
+automatically via DHCP.
+To get
+.Xr dhcpcd 8
+to start automatically on boot,
+you will need to have this line in
+.Pa /etc/rc.conf :
+.Pp
+.Dl dhcpcd=YES
+.Pp
+See
+.Xr dhcpcd 8
+and
+.Xr dhcpcd.conf 5
+for more information on setting up a DHCP client.
+For information on setting up Wi-Fi, see
+.Sx Wireless networking .
+.Pp
+You can add new
+.Dq virtual interfaces
+by adding the required entries to
+.Pa /etc/ifconfig. Ns Ar interface .
+Read the
+.Xr ifconfig.if 5
+man page for more information on the format of
+.Pa /etc/ifconfig. Ns Ar interface
+files.
+The loopback interface will look something like:
+.Bd -literal -offset indent
+lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
+ inet 127.0.0.1 netmask 0xff000000
+ inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
+ inet6 ::1 prefixlen 128
+.Ed
+.Pp
+an Ethernet interface something like:
+.Bd -literal -offset indent
+le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
+ inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
+ inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1
+.Ed
+.Pp
+and a PPP interface something like:
+.Bd -literal -offset indent
+ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
+ inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000
+.Ed
+.Pp
+See
+.Xr mrouted 8
+for instructions on configuring multicast routing.
+.Ss Check routing tables
+Issue a
+.Ic netstat -rn
+command.
+The output will look something like:
+.Bd -literal -offset indent
+Routing tables
+
+Internet:
+Destination Gateway Flags Refs Use Mtu Interface
+default 192.168.4.254 UGS 0 11098028 - le0
+127 127.0.0.1 UGRS 0 0 - lo0
+127.0.0.1 127.0.0.1 UH 3 24 - lo0
+192.168.4 link#1 UC 0 0 - le0
+192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0
+192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0
+
+Internet6:
+Destination Gateway Flags Refs Use Mtu Interface
+::/96 ::1 UGRS 0 0 32972 lo0 =>
+::1 ::1 UH 4 0 32972 lo0
+::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0
+fc80::/10 ::1 UGRS 0 0 32972 lo0
+fe80::/10 ::1 UGRS 0 0 32972 lo0
+fe80::%le0/64 link#1 UC 0 0 1500 le0
+fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0
+ff01::/32 ::1 U 0 0 32972 lo0
+ff02::%le0/32 link#1 UC 0 0 1500 le0
+ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0
+.Ed
+.Pp
+The default gateway address is stored in the
+.Dq Va defaultroute
+variable in
+.Pa /etc/rc.conf ,
+or in the file
+.Pa /etc/mygate .
+If you need to edit this file, a painless way to reconfigure the network
+afterwards is to issue
+.Bd -literal -offset indent
+.Ic service network restart
+.Ed
+.Pp
+Or, you may prefer to manually configure using a series of
+.Ic route add
+and
+.Ic route delete
+commands (see
+.Xr route 8 ) .
+If you run
+.Xr dhcpcd 8
+you will have to kill it by running
+.Bd -literal -offset indent
+.Ic service dhcpcd stop
+.Ed
+.Pp
+before you flush the routes.
+.Pp
+If you wish to route packets between interfaces, add one or both
+of the following directives (depending on whether IPv4 or IPv6 routing
+is required) to
+.Pa /etc/sysctl.conf :
+.Pp
+.Dl net.inet.ip.forwarding=1
+.Dl net.inet6.ip6.forwarding=1
+.Pp
+As an alternative, compile a new kernel with the
+.Dq GATEWAY
+option.
+Packets are not forwarded by default, due to RFC requirements.
+.Ss Device nodes
+By default, nodes are created in
+.Pa /dev
+for a fairly typical number of devices.
+.Pp
+However, if this system has a large number of devices connected
+(e.g. for large scale storage), you may want to enable
+.Xr devpubd 8
+to ensure a sufficient number of nodes are available.
+Set
+.Dq Va devpubd=YES
+in
+.Pa /etc/rc.conf
+to create nodes automatically during system runtime.
+You can also run the node creation script by hand:
+.Bd -literal -offset indent
+.Ic cd /dev && sh MAKEDEV
+.Ed
+.Ss Secure Shell (SSH)
+By default, all services are disabled in a fresh
+.Nx
+installation, and SSH is no exception.
+You may wish to enable it so you can remotely control your system.
+Set
+.Dq Va sshd=YES
+in
+.Pa /etc/rc.conf
+and then starting the server with the command
+.Bd -literal -offset indent
+.Ic service sshd start
+.Ed
+.Pp
+The first time the server is started, it will generate a new keypair,
+which will be stored inside the directory
+.Pa /etc/ssh .
+.Ss Host names and DNS
+The system resolves host names according the rules for hosts in the
+name service switch configuration at
+.Pa /etc/nsswitch.conf .
+By default, it will query
+.Pa /etc/hosts
+first, and then the DNS resolver specified in
+.Pa /etc/resolv.conf .
+.Pp
+Multicast DNS and DNS Service Discovery are usually not enabled by
+default on a fresh
+.Nx
+system, and can be enabled by setting
+.Dq mdnsd=YES
+in
+.Pa /etc/rc.conf ,
+and either rebooting or running the following command:
+.Bd -literal -offset indent
+.Ic service mdnsd start
+.Ed
+.Pp
+You may also wish to enable mdnsd as a source for host lookups
+in
+.Pa /etc/nsswitch.conf ,
+see
+.Xr nsswitch.conf 5 .
+.Pp
+If your network does not have a usable DNS resolver, e.g. one provided
+by DHCP, you can run a local caching recursive resolver by setting
+.Dq named=YES
+in
+.Pa /etc/rc.conf
+and either rebooting or running the following command:
+.Bd -literal -offset indent
+.Ic service named start
+.Ed
+.Pp
+.Xr named 8
+is configured in
+.Pa /etc/named.conf
+by default to run as a local caching recursive resolver.
+Then, to make the system use it, put the following in
+.Pa /etc/resolv.conf :
+.Bd -literal -offset indent
+nameserver 127.0.0.1
+.Ed
+.Ss Wireless networking
+To configure the system to connect to a Wi-Fi network with a password
+using WPA:
+.Bd -literal -offset indent
+.Ic wpa_passphrase networkname password >> /etc/wpa_supplicant.conf
+.Ed
+.Pp
+To configure the system to connect to an open wireless network with
+no password, edit
+.Pa /etc/wpa_supplicant.conf
+instead of using
+.Xr wpa_passphrase 8 :
+.Bd -literal -offset indent
+network={
+ ssid="Public-WiFi"
+ key_mgmt=NONE
+ priority=100
+}
+.Ed
+.Pp
+Then bring up the interface and start the necessary daemons:
+.Bd -literal -offset indent
+.Ic ifconfig iwm0 up
+.Ic service wpa_supplicant onestart
+.Ic service dhcpcd onestart
+.Ed
+.Pp
+To automatically connect at boot, add the following to
+.Pa /etc/rc.conf :
+.Pp
+.Dl ifconfig_iwm0="up"
+.Dl dhcpcd=YES
+.Dl wpa_supplicant=YES
+.Pp
+While using
+.Xr wpa_supplicant 8 ,
+you can easily retrieve network scan results with
+.Xr wpa_cli 8 :
+.Bd -literal -offset indent
+.Ic wpa_cli scan_results
+.Ed
+.Pp
+Or trigger a rescan:
+.Bd -literal -offset indent
+.Ic wpa_cli scan
+.Ed
+.Ss RPC-based network services
+Several services depend on the RPC portmapper
+.Xr rpcbind 8
+- formerly known as
+.Ic portmap
+- being running for proper operation.
+This includes YP (NIS) and NFS exports, among other services.
+To get the RPC portmapper to start automatically on boot,
+you will need to have this line in
+.Pa /etc/rc.conf :
+.Pp
+.Dl rpcbind=YES
+.Ss YP (Network Information Service) Setup
+Check the YP domain name with the
+.Xr domainname 1
+command.
+If necessary, correct it by editing the
+.Pa /etc/defaultdomain
+file or by setting the
+.Dq Va domainname
+variable in
+.Pa /etc/rc.conf .
+The
+.Pa /etc/rc.d/network
+script reads this file on bootup to determine and set the domain name.
+You may also set the running system's domain name with the
+.Xr domainname 1
+command.
+To start YP client services, simply run
+.Ic ypbind ,
+then perform the remaining
+YP activation as described in
+.Xr passwd 5
+and
+.Xr group 5 .
+.Pp
+In particular, to enable YP passwd support, you'll need to update
+.Pa /etc/nsswitch.conf
+to include
+.Dq nis
+for the
+.Dq passwd
+and
+.Dq group
+entries.
+A traditional way to accomplish the same thing is to
+add following entry to local passwd database via
+.Xr vipw 8 :
+.Bd -literal -offset indent
+.Li +:*::::::::
+.Ed
+.Pp
+Note this entry has to be the very last one.
+This traditional way works with the default
+.Xr nsswitch.conf 5
+setting of
+.Dq passwd ,
+which is
+.Dq compat .
+.Pp
+There are many more YP man pages available to help you.
+You can find more information by starting with
+.Xr nis 8 .
+.Ss Check disk mounts
+Check that the disks are mounted correctly by
+comparing the
+.Pa /etc/fstab
+file against the output of the
+.Xr mount 8
+and
+.Xr df 1
+commands.
+Example:
+.Bd -literal -offset indent
+.Li # Ic cat /etc/fstab
+/dev/sd0a / ffs rw 1 1
+/dev/sd0b none swap sw
+/dev/sd0e /usr ffs rw 1 2
+/dev/sd0f /var ffs rw 1 3
+/dev/sd0g /tmp ffs rw 1 4
+/dev/sd0h /home ffs rw 1 5
+
+.Li # Ic mount
+/dev/sd0a on / type ffs (local)
+/dev/sd0e on /usr type ffs (local)
+/dev/sd0f on /var type ffs (local)
+/dev/sd0g on /tmp type ffs (local)
+/dev/sd0h on /home type ffs (local)
+
+.Li # Ic df
+Filesystem 1024-blocks Used Avail Capacity Mounted on
+/dev/sd0a 22311 14589 6606 69% /
+/dev/sd0e 203399 150221 43008 78% /usr
+/dev/sd0f 10447 682 9242 7% /var
+/dev/sd0g 18823 2 17879 0% /tmp
+/dev/sd0h 7519 5255 1888 74% /home
+
+.Li # Ic pstat -s
+Device 512-blocks Used Avail Capacity Priority
+/dev/sd0b 131072 84656 46416 65% 0
+.Ed
+.Pp
+Edit
+.Pa /etc/fstab
+and use the
+.Xr mount 8
+and
+.Xr umount 8
+commands as appropriate.
+Refer to the above example and
+.Xr fstab 5
+for information on the format of this file.
+.Pp
+You may wish to do NFS mounts now too, or you can do them later.
+.Ss Clock synchronization
+In order to make sure the system clock is synchronized
+to that of a publicly accessible NTP server,
+make sure that
+.Pa /etc/rc.conf
+contains the following:
+.Pp
+.Dl ntpdate=YES
+.Dl ntpd=YES
+.Pp
+See
+.Xr date 1 ,
+.Xr ntpdate 8 ,
+.Xr ntpd 8 ,
+.Xr rdate 8 ,
+and
+.Xr timed 8
+for more information on setting the system's date.
+.Ss Installing packages
+The
+.Nx
+packages collection, pkgsrc, includes a large set of third-party software.
+A lot of it is available as binary packages that you can download from
+.Lk https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/
+or a mirror.
+.Pp
+For most users, using pkgin to manage binary packages is recommended.
+.Pp
+To install pkgin, if it was not done by the installer:
+.Bd -literal -offset indent
+.Ic PKG_PATH=https://cdn.NetBSD.org/pub/pkgsrc/packages/NetBSD/[...]
+.Ic export PKG_PATH
+.Ic pkg_add pkgin
+.Ic pkgin update
+.Ic pkgin install bash mpg123 fluxbox ...
+.Ed
+.Pp
+See
+.Lk https://www.pkgsrc.org/
+and
+.Pa pkgsrc/doc/pkgsrc.txt
+for more details.
+.Sh CHANGING /etc FILES
+The system should be usable now, but you may wish to do more customizing,
+such as adding users, etc.
+Many of the following sections may be skipped
+if you are not using that package (for example, skip the
+.Sx Kerberos
+section if you won't be using Kerberos).
+We suggest that you
+.Ic cd /etc
+and edit most of the files in that directory.
+.Pp
+Note that the
+.Pa /etc/motd
+file is modified by
+.Pa /etc/rc.d/motd
+whenever the system is booted.
+To keep any custom message intact, ensure that you leave two blank lines
+at the top, or your message will be overwritten.
+.Ss Add new users
+To add new users and groups, there are
+.Xr useradd 8
+and
+.Xr groupadd 8 ;
+see also
+.Xr user 8
+for further programs for user and group manipulation.
+You may use
+.Xr vipw 8
+to add users to the
+.Pa /etc/passwd
+file
+and edit
+.Pa /etc/group
+by hand to add new groups.
+The manual page for
+.Xr su 1 ,
+tells you to make sure to put people in
+the
+.Sq wheel
+group if they need root access (non-Kerberos).
+For example:
+.Bd -literal -offset indent
+wheel:*:0:root,myself
+.Ed
+.Pp
+Follow instructions for
+.Xr kerberos 8
+if using
+Kerberos
+for authentication.
+.Ss System boot scripts and /etc/rc.local
+.Pa /etc/rc
+and the
+.Pa /etc/rc.d/*
+scripts are invoked at boot time after single user mode has exited,
+and at shutdown.
+The whole process is controlled by the master script
+.Pa /etc/rc .
+This script should not be changed by administrators.
+.Pp
+The directory
+.Pa /etc/rc.d
+contains a series of scripts used at startup/shutdown, called by
+.Pa /etc/rc .
+.Pa /etc/rc
+is in turn influenced by the configuration variables present in
+.Pa /etc/rc.conf .
+.Pp
+The script
+.Pa /etc/rc.local
+is run as the last thing during multiuser boot, and is provided
+to allow any other local hooks necessary for the system.
+.Ss rc.conf
+To enable or disable various services on system startup,
+corresponding entries can be made in
+.Pa /etc/rc.conf .
+You can take a look at
+.Pa /etc/defaults/rc.conf
+to see a list of default system variables, which you can override in
+.Pa /etc/rc.conf .
+Note you are
+.Em not
+supposed to change
+.Pa /etc/defaults/rc.conf
+directly, edit only
+.Pa /etc/rc.conf .
+See
+.Xr rc.conf 5
+for further information.
+.Ss Automounter daemon (AMD)
+To use the
+.Xr amd 8
+automounter, create the
+.Pa /etc/amd
+directory, copy example config files from
+.Pa /usr/share/examples/amd
+to
+.Pa /etc/amd
+and customize them as needed.
+Alternatively, you can get your maps with YP.
+.Ss Concatenated disks (ccd)
+If you are using
+.Xr ccd 4
+concatenated disks, edit
+.Pa /etc/ccd.conf .
+You may wish to take a look to
+.Xr ccdconfig 8
+for more information about this file.
+Use the
+.Ic ccdconfig -U
+command to unload and the
+.Ic ccdconfig -C
+command to create tables internal to the kernel for the concatenated disks.
+You then
+.Xr mount 8 ,
+.Xr umount 8 ,
+and edit
+.Pa /etc/fstab
+as needed.
+.Ss Nx Packet Filter
+.Xr npf 7
+is the default firewall used on
+.Nx .
+You may wish to enable it if your machine is connected directly to the
+internet.
+To do this, edit
+.Pa /etc/npf.conf
+and set
+.Dq npf=YES
+in
+.Pa /etc/rc.conf .
+Configuration examples for NPF can be found in
+.Pa /usr/share/examples/npf .
+Before installing a configuration, you can validate it with
+.Xr npfctl 8 .
+.Ss X Display Manager
+If you've installed X, you may want to turn on
+.Xr xdm 1 ,
+the X Display Manager.
+To do this, set
+.Dq xdm=YES
+in
+.Pa /etc/rc.conf .
+.Ss Printers
+Edit
+.Pa /etc/printcap
+and
+.Pa /etc/hosts.lpd
+to get any printers set up.
+Consult
+.Xr lpd 8
+and
+.Xr printcap 5
+if needed.
+.Ss Internet Services (inetd)
+Various internet services can be enabled in
+.Pa /etc/inetd.conf ,
+including
+.Xr httpd 8
+and
+.Xr finger 1 .
+Note that by default all services are disabled for security reasons.
+Only add things that are really needed.
+.Ss Kerberos
+If you are going to use Kerberos for authentication,
+see
+.Xr kerberos 8
+and
+.Dq info heimdal
+for more information.
+If you already have a Kerberos master, change directory to
+.Pa /etc/kerberosV
+and configure.
+Remember to get a
+.Pa srvtab
+from the master so that the remote commands work.
+.Ss Mail Aliases
+Check
+.Pa /etc/mail/aliases
+and update appropriately if you want e-mail to be routed
+to non-local addresses or to different users.
+.Pp
+Run
+.Xr newaliases 1
+after changes.
+.Ss Postfix
+.Nx
+uses Postfix as its Mail Transfer Agent.
+Postfix is started by default, but its initial configuration does not
+cause it to listen on the network for incoming connections.
+To configure Postfix, see
+.Pa /etc/postfix/main.cf
+and
+.Pa /etc/postfix/master.cf .
+If you wish to use a different MTA (e.g., sendmail), install your MTA of
+choice and edit
+.Pa /etc/mailer.conf
+to point to the proper binaries.
+.Ss DHCP server
+If this is a
+DHCP
+server, edit
+.Pa /etc/dhcpd.conf
+and
+.Pa /etc/dhcpd.interfaces
+as needed.
+You will have to make sure
+.Pa /etc/rc.conf
+has
+.Dq dhcpd=YES
+or run
+.Xr dhcpd 8
+manually.
+.Ss Bootparam server
+If this is a
+Bootparam
+server, edit
+.Pa /etc/bootparams
+as needed.
+You will have to turn it on in
+.Pa /etc/rc.conf
+by adding
+.Dq bootparamd=YES .
+.Ss NFS server
+If this is an NFS server, make sure
+.Pa /etc/rc.conf
+has:
+.Bd -literal -offset indent
+nfs_server=YES
+mountd=YES
+rpcbind=YES
+.Ed
+.Pp
+Edit
+.Pa /etc/exports
+and get it correct.
+After this, you can start the server by issuing:
+.Bd -literal -offset indent
+.Ic service rpcbind start
+.Ic service mountd start
+.Ic service nfsd start
+.Ed
+which will also start dependencies.
+.Ss HP remote boot server
+Edit
+.Pa /etc/rbootd.conf
+if needed for remote booting.
+If you do not have HP computers doing remote booting, do not enable this.
+.Ss Daily, weekly, monthly scripts
+Look at and possibly edit the
+.Pa /etc/daily.conf , /etc/weekly.conf ,
+and
+.Pa /etc/monthly.conf
+configuration files.
+You can check which values you can set by looking
+to their matching files in
+.Pa /etc/defaults .
+Your site specific things should go into
+.Pa /etc/daily.local , /etc/weekly.local ,
+and
+.Pa /etc/monthly.local .
+.Pp
+These scripts have been limited so as to keep the system running without
+filling up disk space from normal running processes and database updates.
+(You probably do not need to understand them.)
+.Ss Other files in /etc
+Look at the other files in
+.Pa /etc
+and edit them as needed.
+(Do not edit files ending in
+.Pa .db
+\(em like
+.Pa pwd.db , spwd.db ,
+nor
+.Pa localtime ,
+nor
+.Pa rmt ,
+nor any directories.)
+.Ss Crontab (background running processes)
+Check what is running by typing
+.Ic crontab -l
+as root
+and see if anything unexpected is present.
+Do you need anything else?
+Do you wish to change things?
+For example, if you do not
+like root getting standard output of the daily scripts, and want only
+the security scripts that are mailed internally, you can type
+.Ic crontab -e
+and change some of the lines to read:
+.Bd -literal -offset indent
+30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out
+30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
+30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
+.Ed
+.Pp
+See
+.Xr crontab 5 .
+.Ss Next day cleanup
+After the first night's security run, change ownerships and permissions
+on files, directories, and devices; root should have received mail
+with subject: "<hostname> daily insecurity output.".
+This mail contains
+a set of security recommendations, presented as a list looking like this:
+.Bd -literal -offset indent
+var/mail:
+ permissions (0755, 0775)
+etc/daily:
+ user (0, 3)
+.Ed
+.Pp
+The best bet is to follow the advice in that list.
+The recommended setting is the first item in parentheses, while
+the current setting is the second one.
+This list is generated by
+.Xr mtree 8
+using
+.Pa /etc/mtree/special .
+Use
+.Xr chmod 1 ,
+.Xr chgrp 1 ,
+and
+.Xr chown 8
+as needed.
+.Sh SYSTEM TESTING
+At this point, the system should be fully configured to your liking.
+It is now a good time to ensure that the system behaves according to
+its specifications and that it is stable on your hardware.
+Please refer to
+.Xr tests 7
+for details on how to do so.
+.Pp
+You can use
+.Xr ps 1 ,
+.Xr netstat 1 ,
+and
+.Xr fstat 1
+to check on running processes, network connections, and opened files,
+respectively.
+Other tools you may find useful are
+.Xr systat 1
+and
+.Xr top 1 .
+.Sh SEE ALSO
+.Xr chgrp 1 ,
+.Xr chmod 1 ,
+.Xr config 1 ,
+.Xr crontab 1 ,
+.Xr date 1 ,
+.Xr df 1 ,
+.Xr domainname 1 ,
+.Xr fstat 1 ,
+.Xr hostname 1 ,
+.Xr make 1 ,
+.Xr man 1 ,
+.Xr netstat 1 ,
+.Xr newaliases 1 ,
+.Xr passwd 1 ,
+.Xr pkg_add 1 ,
+.Xr ps 1 ,
+.Xr ssh 1 ,
+.Xr su 1 ,
+.Xr systat 1 ,
+.Xr top 1 ,
+.Xr xdm 1 ,
+.Xr ccd 4 ,
+.Xr aliases 5 ,
+.Xr crontab 5 ,
+.Xr dhcpcd.conf 5 ,
+.Xr exports 5 ,
+.Xr fstab 5 ,
+.Xr group 5 ,
+.Xr hosts 5 ,
+.Xr ifconfig.if 5 ,
+.Xr mailer.conf 5 ,
+.Xr named.conf 5 ,
+.Xr nsswitch.conf 5 ,
+.Xr passwd 5 ,
+.Xr printcap 5 ,
+.Xr rc.conf 5 ,
+.Xr resolv.conf 5 ,
+.Xr sshd_config 5 ,
+.Xr wpa_supplicant.conf 5 ,
+.Xr wscons.conf 5 ,
+.Xr hier 7 ,
+.Xr hostname 7 ,
+.Xr pkgsrc 7 ,
+.Xr tests 7 ,
+.Xr amd 8 ,
+.Xr ccdconfig 8 ,
+.Xr chown 8 ,
+.Xr devpubd 8 ,
+.Xr dhcpcd 8 ,
+.Xr dhcpd 8 ,
+.Xr dmesg 8 ,
+.Xr groupadd 8 ,
+.Xr ifconfig 8 ,
+.Xr inetd 8 ,
+.Xr kerberos 8 ,
+.Xr lpd 8 ,
+.Xr mdnsd 8 ,
+.Xr mount 8 ,
+.Xr mrouted 8 ,
+.Xr mtree 8 ,
+.Xr named 8 ,
+.Xr nis 8 ,
+.Xr ntpd 8 ,
+.Xr ntpdate 8 ,
+.Xr rbootd 8 ,
+.Xr rc 8 ,
+.Xr rdate 8 ,
+.Xr rmt 8 ,
+.Xr route 8 ,
+.Xr rpc.bootparamd 8 ,
+.Xr rpcbind 8 ,
+.Xr sshd 8 ,
+.Xr timed 8 ,
+.Xr umount 8 ,
+.Xr useradd 8 ,
+.Xr vipw 8 ,
+.Xr wpa_cli 8 ,
+.Xr wpa_supplicant 8 ,
+.Xr yp 8 ,
+.Xr ypbind 8
+.Sh HISTORY
+This document first appeared in
+.Ox 2.2 .
+It has been adapted to
+.Nx
+and first appeared in
+.Nx 2.0 .
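Review bot: In the Wireless networking section, `wpa_passphrase networkname password >> /etc/wpa_supplicant.conf` passes the Wi-Fi passphrase as a command-line argument, so it ends up in shell history and is visible in the process list while the command runs. Suggest showing `wpa_passphrase networkname >> /etc/wpa_supplicant.conf`, which reads the passphrase from standard input, and adding a sentence about restricting the permissions of /etc/wpa_supplicant.conf, since wpa_passphrase also writes the plaintext passphrase into its output as a commented `#psk=` line. In the Crontab section, `2>&1 > /var/log/daily.out` sends only standard output to the file and leaves standard error going to cron's mail; if that split is intended, the text should say so, otherwise the order should be `> /var/log/daily.out 2>&1`. Smaller wording points: "numbers, digits, and special characters" under Root password repeats itself, the sentence ending "inhibits the possibility of files placed in your execution PATH for most shells" never says what is being inhibited, and "is supposed include a domainname" under Check hostname is missing "to".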