Checklist, expanded

NOTE: if upgrading or restoring files, it appears that some group numbers
have been changed.
-----------------------------------------------------------------------------
New installation checklist, after install and multi-user boot.
(Instructions for correcting not given.)

1) Login on console as "root".

2) Check the system date. Type "date". If necessary, set the system date,
   and/or change the symbolic link to get the correct Time Zone.

3) Put a password on root. Run "passwd".

4) Check hostname. Type "hostname". (man "hostname" if need to change, and
   you also need to edit /etc/myname.)

5) Verify network interfaces configured correctly.

   a) "ifconfig -a". Correct by editing /etc/hostname.{INTERFACE} and via
      "ifconfig" if you do not wish to reboot.

      Loopback interface will look something like:

          lo0: flags=8009<UP,LOOPBACK,MULTICAST>
                  inet 127.0.0.1 netmask 0xff000000

      An ethernet interface something like:

          le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,LINK0,MULTICAST>
                  inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255

      [Will someone else fill in the ppp and slip interfaces.]

   b) You may wish to turn off multicast routing in /etc/netstart by
      commenting out (place a # sign at start of line) the line:

          # route add -net 224.0.0.0 -interface $hostname

   c) Check for routing. ("netstat -r -n") It will look something like:

          Routing tables

          Internet:
          Destination      Gateway            Flags  Refs      Use  Mtu  Interface
          default          192.168.4.254      UGS       0 11098028    -  le0
          127              127.0.0.1          UGRS      0        0    -  lo0
          127.0.0.1        127.0.0.1          UH        3       24    -  lo0
          192.168.4        link#1             UC        0        0    -  le0
          192.168.4.52     8:0:20:73:b8:4a    UHL       1     6707    -  le0
          192.168.4.254    0:60:3e:99:67:ea   UHL       1        0    -  le0

      Fix via editing /etc/mygate, and using "route delete" and "route add"
      if you do not wish to reboot.

   d) If using the Bind Name Server (DNS), check /etc/resolv.conf. It might
      look something like:

          domain nts.umn.edu
          nameserver 128.101.101.101
          nameserver 134.84.84.84
          search nts.umn.edu. umn.edu.

      If using a caching name server add the line "nameserver 127.0.0.1"
      first. (Of course, you need to change "named_flags" in /etc/rc.conf
      and add the named.boot file in the appropriate place. Same holds true
      if this is the name server for your domain. Also make sure "named" is
      running. [Otherwise there are long waits while timeouts happen.])

   e) If using "NIS" (old yellow pages), check "domainname" and edit
      /etc/defaultdomain to correct.
      [Will someone else fill in more here. I refuse to use this package.]

6) Check disks correct.

   a) cat /etc/fstab
   b) df
      Edit "/etc/fstab" and "umount" and "mount" as necessary. (See man
      pages.)
   c) You may want to do NFS partitions later, but you may do them now.
   d) If you are using concatenated disks, edit /etc/ccd.conf and use
      "ccdconfig -U" and "ccdconfig -C" till you have it correct. ("umount"
      and "mount" and edit /etc/fstab as needed.)
   e) Go into the "amd" directory if using this package.
      [Will someone else fill in more here. I do not use this package.]

7) The system should be usable now, but you may wish to do more customizing,
   adding of users, etc. Many sections may be skipped if you are not using
   that package (for example kerberos!). My suggestions are to go into /etc
   ("cd /etc") and:

   a) Edit motd to make lawyers comfortable and make sure that no mention of
      the word "Welcome" appears. (Some U.S. lawyers have stated that the
      word "Welcome" is an invitation to come on in.)

   b) Add users. There is an "adduser" script. You can use "vipw", and edit
      "/etc/group" if you desire. Make sure to put people in "/etc/group",
      under the "wheel" group if they need root access (non-kerberos).
      Something like:

          wheel:*:0:root,m4

   c) Check for any local changes needed in /etc/rc.conf, /etc/netstart,
      /etc/rc.local, rc.securelevel. Turning on something like the Network
      Time Protocol in /etc/rc.local and /etc/rc.securelevel requires:

      A) Making sure the package is installed. (See http://www.openbsd.org
         under "Ports: a Nice Way to Get Third-Party Software".)

      B) Uncommenting the lines in rc.local (delete the # signs).

             if [ -f /usr/local/etc/httpd/httpd ]; then
                     echo -n ' httpd'; /usr/local/etc/httpd/httpd
             fi

      C) Uncommenting the lines in rc.securelevel (delete the # signs).

             if [ -x /usr/local/sbin/xntpd ]; then
                     /usr/local/sbin/tickadj -Aq
                     echo -n ' xntpd'; /usr/local/sbin/xntpd
             fi

   d) Edit /etc/printcap and /etc/hosts.lpd to get printers set up.

   e) You might want to tighten up security by editing:

          fbtab         Set security for X -- when you install X ... .
          inetd.conf    Turn off extra stuff, add that which is really
                        needed.

   f) Go into /etc/kerberosIV and configure kerberos. Remember to get a
      srvtab.

   g) Edit /etc/aliases. Set postmaster, etc. Run newaliases after changes.

   h) If this is a bootp server, edit /etc/bootptab. You will have to turn
      it on in /etc/inetd.conf, or run "bootpd" in stand-alone mode.

   i) If this is an NFS server
      A) make sure /etc/rc.conf has "nfs_server=YES".
      B) Edit /etc/exports and get correct. It is probably easier to reboot
         than get the daemons running, manually, but you can get the order
         correct by looking at /etc/netstart.

   j) Edit /etc/rbootd.config if needed for remote booting (ethernet MAC
      address to IP translation).

   k) Look at and possibly edit the /etc/daily, /etc/weekly, and
      /etc/monthly scripts. Your site specific things should go in
      /etc/daily.local, /etc/weekly.local, and /etc/monthly.local.

   l) Look at the other files in /etc and edit as needed. (Do not edit files
      ending in ".db" -- like aliases.db, pwd.db, spwd.db, nor localtime,
      nor rmt, nor any directories.)

8) Check what is running via crontab "crontab -l". Do you need anything
   else? Do you wish to change things? For example:

       30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out
       30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
       30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out

9) After the first night's security run, change ownerships and permissions
   on things. Best bet is to have permissions as in the security list (the
   first of the two listed permissions, and the first group number of the
   two). Use "chmod" and "chgrp" as needed.

10) Install packages to make the system more useful.

    A) Install your own. Easiest way is to copy source and compile it.
    B) Copy vendor binaries and install them. You will need to install any
       shared libraries, etc. (hint: "man -k compat")
    C) Install any of a large number of Third-Party Software that is
       available in source form. (See http://www.openbsd.org under "Ports: a
       Nice Way to Get Third-Party Software".) You may have "fun" installing
       due to various compiling errors. Don't get discouraged easily!
       Sometimes checking the mailing lists for past problems that people
       have encountered will result in a fix posted.

participants (1)
-
Marshall Midden
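
The three security-related checks in steps 7a (motd wording), 7b (who is in "wheel") and 7e (what inetd.conf still offers) can be scripted so they are repeatable after each install. The following is an added example, not part of the original post; the function names and the sample files are constructed for illustration, and on a real system the functions would be pointed at /etc/motd, /etc/group and /etc/inetd.conf.

```sh
#!/bin/sh
# Added example: audit checklist items 7a, 7b and 7e.
# Function names are hypothetical; sample files below are constructed.

# 7a: succeed if the motd contains the word "welcome" (any case).
motd_has_welcome() {
    grep -qi 'welcome' "$1"
}

# 7b: print the members of the wheel group, one per line.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# 7e: print "service/protocol" for every inetd.conf entry that is not
# commented out, i.e. every service inetd will actually offer.
# A valid entry has at least six fields (the sixth is the program).
enabled_inetd_services() {
    awk '$1 ~ /^#/ || NF < 6 { next } { print $1 "/" $3 }' "$1"
}

# Constructed sample files (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'Welcome to this host!\nAuthorized use only.\n' > "$SAMPLE_DIR/motd"
printf 'wheel:*:0:root,m4\ndaemon:*:1:daemon\n' > "$SAMPLE_DIR/group"
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd
telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
#shell  stream  tcp  nowait  root  /usr/libexec/rshd     rshd
#bootps dgram   udp  wait    root  /usr/sbin/bootpd      bootpd
daytime dgram   udp  wait    root  internal
EOF

if motd_has_welcome "$SAMPLE_DIR/motd"; then
    echo 'motd: contains "Welcome", reword it (7a)'
fi
echo "wheel members (7b): $(wheel_members "$SAMPLE_DIR/group" | tr '\n' ' ')"
echo "inetd services still enabled (7e):"
enabled_inetd_services "$SAMPLE_DIR/inetd.conf" | sed 's/^/  /'
```

Every name printed under 7e should be a service you deliberately decided to keep; anything else gets a # in front of its line, followed by a restart or HUP of inetd.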