OpenBSD¶

What’s missing (end of 2017)?¶

Bluetooth
TRIM support for SSDs
Adobe Flash

Filesystem tweaks¶

Configure soft updates everywhere (softdep)
Disable access time logging (noatime)
If possible mount with noexec, nosuid, nodev

<duid> /home ffs rw,nodev,nosuid,noatime,softdep 1 2

Ports and packages¶

Packages dont get security updates!
Therefore configure ports to use packages if possible
And follow the stable ports branch

echo "FETCH_PACKAGES=yes" >> /etc/mk.conf
cd /usr
cvs -qd anoncvs@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_9 -P ports

Which packages / ports need to be updated?

/usr/ports/infrastructure/bin/out-of-date

Update a port

cd /usr/ports/<portname>
make update

Possible binary updates through packages from https://stable.mtier.org/ and https://mtier.org/solutions/apps/openup/

Update base system¶

Follow patch branch

cd /usr
cvs -qd anoncvs@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_9 -P src
cd /usr/src/sys/arch/$(uname -m)/conf
config GENERIC
cd /usr/src/sys/arch/$(uname -m)/compile/GENERIC
make clean && make
make install
reboot
rm -rf /usr/obj/*
cd /usr/src
make obj
cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
cd /usr/src
make build

Upgrade to a new release¶

Refer to the upgrade documentation e.g. http://www.openbsd.org/faq/upgrade59.html
If you cannot upgrade by CD / USB / PXE use the Upgrade without the Install Kernel documentation

Set clock to localtime¶

ln -sf /usr/share/zoneinfo/right/CET /etc/localtime
rdate -ncv time.fu-berlin.de

Increase / derease volumne¶

mixerctl outputs.master=100,100

WPA-PSK¶

Create /etc/hostname.<ifname>

nwid <ssid>
wpa
wpakey <passphrase>
dhcp

WPA enterprise¶

Install wpa-supplicant
Create /etc/wpa-supplicant.conf

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

ap_scan=0
eapol_version=1
fast_reauth=1

network={
      key_mgmt=WPA-EAP
      proto=WPA2
      eap=PEAP # or TTLS
      pairwise=CCMP
      group=CCMP
      phase1="peaplabel=0"
#     phase1="tls_disable_tlsv1=1 tls_disable_tlsv1_1=2" # if only sslv3 is supported
      phase2="auth=MSCHAPV2"
      ca_cert="/etc/certs/QV2.pem"
      ssid="<ssid>"
      identity="<username>"
      password="<mysecetpass>"
}

You must setup wiki card before running wpa_supplicant!
It is better to set the bssid
wpaakms must be configure otherwise wpa_supplicant will fail!

ifconfig urtwn0 nwid <ssid> bssid <mac_of_ap> wpa wpaakms 802.1x up
wpa_supplicant -B -c /etc/wpa_supplicant.conf -D openbsd -i urtwn0

Connect to a Cisco Anyconnect VPN¶

Install vpnc
Edit /etc/vpnc/my.conf

IPSec gateway vpn-gw-name
IPSec ID groupname
IPSec secret grouppassword
Xauth username your-username
Xauth password your-password

UTF-8 system-wide¶

echo 'export LC_ALL="en_US.UTF-8"' >> /etc/profile
echo 'export LC_ALL="en_US.UTF-8"' >> ~/.xsession

Adjust max memory size¶

Edit /etc/login.conf

:datasize-max=1024M:\
:datasize-cur=1024M:\

Or set infinity: as value

NTFS¶

Built-in NTFS support is read-only
Install ntfs-3g from ports to get write support

Flash support¶

Adobe and Chrome flash plugins do not work on OpenBSD
But you can use Gnash in Firefox

pkg_add gnash
mkdir /home/<user>/.mozilla/firefox/<account_id>.default/plugins
cd /home/<user>/.mozilla/firefox/<account_id>.default/plugins
ln -s /usr/local/lib/mozilla/plugins/libgnashplugin.so

Permanently disable kernel features like ACPI¶

mv /bsd /bsd.old
config -e -o /bsd /bsd.old
ukc>disable acpi
ukc>quit

Automatically adjust cpufreq¶

Edit /etc/rc.conf.local

apmd_flags="-A"

List all available disks¶

sysctl hw.disknames

Ksh config¶

~/.kshrc

export PS1='\[\t\] \u@\h:\w\$ '
export EDITOR=/usr/local/bin/zile

set -o emacs

alias cp='cp -i'
alias mv='mv -i'
alias rm='rm -i'

If you use tmux or screen put the following into ~/.profile

export ENV=~/.kshrc

Which program is listening on port x?¶

Install lsof

lsof -i :<port>

Readmes for packages¶

Can be found in /usr/local/share/doc/pkg-readmes

Fix arrow keys in Emacs under Xorg¶

(if (not window-system)                        ;; Only use in tty-sessions.
  (progn
    (defvar arrow-keys-map (make-sparse-keymap) "Keymap for arrow keys")
    (define-key esc-map "[" arrow-keys-map)
    (define-key arrow-keys-map "A" 'previous-line)
    (define-key arrow-keys-map "B" 'next-line)
    (define-key arrow-keys-map "C" 'forward-char)
    (define-key arrow-keys-map "D" 'backward-char)))

Automatic installation over PXE¶

Possible with autoinstall
http://www.bsdnow.tv/tutorials/autoinstall

Tracing kernel calls¶

Comparable to strace on Linux

ktrace -t cn <program>
kdump | less

Building images for cloud and embedded devices¶

Read http://stable.rcesoftware.com/resflash/

Login using Google authenticator or freeotp¶

pkg_add login_oath

Edit /etc/login.conf

otp:\
      :auth=-totp-and-pwd:\
      :tc=default:

Change users login class

usermod -L otp username

Generate random key

openssl rand -base64 20 > ~/.totp-key
chmod 700 /home/username
chmod 700 /home/username/.totp-key