Complete instructions for correcting and fixing items is not provided. There are manual pages and other methodologies available for doing that. For example, to view the man page for the ls(1) command, type:
man 1 ls
Administrators will rapidly become more familiar with NetBSD if they get used to using the manual pages.
http://www.NetBSD.org/support/security/
.
It is recommended that you check this page regularly.
/etc/ssh/sshd_config
file and set
PermitRootLogin
to
``yes''
(see
sshd_config(5)).
The default is to not permit root logins over the network
after fresh install in
NetBSD.
Upon successful login on the console, you may see the message ``We recommend creating a non-root account...''. For security reasons, it is bad practice to login as root during regular use and maintenance of the system. In fact, the system will only let you login as root on a secure terminal. By default, only the console is considered to be a secure terminal. Instead, administrators are encouraged to add a ``regular'' user, add said user to the ``wheel'' group, then use the su(1) command when root privileges are required. This process is described in more detail later.
It is a good idea to always specify the full path name for both the
passwd(1)
and
su(1)
commands as this inhibits the possibility of files placed in your execution
PATH
for most shells.
Furthermore, the superuser's
PATH
should never contain the current directory
(``.''.)
/etc/localtime
to the correct time zone in the
/usr/share/zoneinfo
directory.
Examples:
/etc/wscons.conf
.
wscons.conf(5) contains more information about this file.
/etc/rc.conf
or edit the
/etc/myname
file to have it stick around for the next reboot.
Note that
``hostname''
is supposed include a domainname, and that this should
not be confused with YP (NIS)
domainname(1).
If you are using
dhclient(8)
to configure network interfaces, it might override these local hostname
settings if your DHCP server specifies client's hostname with other network
configurations.
/etc/ifconfig.
interface
or the corresponding
``ifconfig_interface''
variable in
rc.conf(5)
(where
interface
is the interface name, e.g.,
``le0'')
and then using
ifconfig(8)
to manually configure it
if you do not wish to reboot.
Alternatively, you can configure interfaces automatically via DHCP with
dhclient(8)
if you have a DHCP server running somewhere on your network.
To get
dhclient(8)
to start automatically on boot,
you will need to have this line in
/etc/rc.conf
:
dhclient=YES
See dhclient(8) and dhclient.conf(5) for more information on setting up a DHCP client.
You can add new
``virtual interfaces''
by adding the required entries to
/etc/ifconfig.
interface.
Read the
ifconfig.if(5)
man page for more information on the format of
/etc/ifconfig.
interface
files.
The loopback interface will look something like:
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
an Ethernet interface something like:
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1
and a PPP interface something like:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000
See mrouted(8) for instructions on configuring multicast routing.
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 192.168.4.254 UGS 0 11098028 - le0
127 127.0.0.1 UGRS 0 0 - lo0
127.0.0.1 127.0.0.1 UH 3 24 - lo0
192.168.4 link#1 UC 0 0 - le0
192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0
192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0
Internet6:
Destination Gateway Flags Refs Use Mtu Interface
::/96 ::1 UGRS 0 0 32972 lo0 =>
::1 ::1 UH 4 0 32972 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0
fc80::/10 ::1 UGRS 0 0 32972 lo0
fe80::/10 ::1 UGRS 0 0 32972 lo0
fe80::%le0/64 link#1 UC 0 0 1500 le0
fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0
ff01::/32 ::1 U 0 0 32972 lo0
ff02::%le0/32 link#1 UC 0 0 1500 le0
ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0
The default gateway address is stored in the
``defaultroute''
variable in
/etc/rc.conf
,
or in the file
/etc/mygate
.
If you need to edit this file, a painless way to reconfigure the network
afterwards is to issue
/etc/rc.d/network restart
Or, you may prefer to manually configure using a series of route add and route delete commands (see route(8)). If you run dhclient(8) you will have to kill it by running
/etc/rc.d/dhclient stop
If you wish to route packets between interfaces, add one or both
of the following directives (depending on whether IPv4 or IPv6 routing
is required) to
/etc/sysctl.conf
:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
As an alternative, compile a new kernel with the GATEWAY option. Packets are not forwarded by default, due to RFC requirements.
/etc/rc.conf
and then starting the server with the command
/etc/rc.d/sshd start
The first time the server is started, it will generate a new keypair,
which will be stored inside the directory
/etc/ssh
.
/etc/resolv.conf
file.
It may look something like:
domain some.thing.dom
nameserver 192.168.0.1
nameserver 192.168.4.55
search some.thing.dom. thing.dom.
For further details, see resolv.conf(5). Note the name service lookup order is set via nsswitch.conf(5) mechanism.
If using a caching name server add the line "nameserver 127.0.0.1" first.
To get a local caching name server to run
you will need to set "named=yes" in
/etc/rc.conf
and create the
named.conf
file in the appropriate place for
named(8),
usually in
/etc/namedb
.
The same holds true if the machine is going to be a
name server for your domain.
In both these cases, make sure that
named(8)
is running
(otherwise there are long waits for resolver timeouts).
/etc/rc.conf
:
rpcbind=YES
/etc/defaultdomain
file or by setting the
``domainname''
variable in
/etc/rc.conf
.
The
/etc/rc.d/network
script reads this file on bootup to determine and set the domain name.
You may also set the running system's domain name with the
domainname(1)
command.
To start YP client services, simply run
ypbind,
then perform the remaining
YP activation as described in
passwd(5)
and
group(5).
In particular, to enable YP passwd support, you'll need to update
/etc/nsswitch.conf
to include
``nis''
for the
``passwd''
and
``group''
entries.
A traditional way to accomplish the same thing is to
add following entry to local passwd database via
vipw(8):
+:*::::::::
There are many more YP man pages available to help you. You can find more information by starting with yp(8).
/etc/fstab
file against the output of the
mount(8)
and
df(1)
commands.
Example:
#
cat /etc/fstab
/dev/sd0a / ffs rw 1 1
/dev/sd0b none swap sw
/dev/sd0e /usr ffs rw 1 2
/dev/sd0f /var ffs rw 1 3
/dev/sd0g /tmp ffs rw 1 4
/dev/sd0h /home ffs rw 1 5
#
mount
/dev/sd0a on / type ffs (local)
/dev/sd0e on /usr type ffs (local)
/dev/sd0f on /var type ffs (local)
/dev/sd0g on /tmp type ffs (local)
/dev/sd0h on /home type ffs (local)
#
df
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/sd0a 22311 14589 6606 69% /
/dev/sd0e 203399 150221 43008 78% /usr
/dev/sd0f 10447 682 9242 7% /var
/dev/sd0g 18823 2 17879 0% /tmp
/dev/sd0h 7519 5255 1888 74% /home
#
pstat -s
Device 512-blocks Used Avail Capacity Priority
/dev/sd0b 131072 84656 46416 65% 0
Edit
/etc/fstab
and use the
mount(8)
and
umount(8)
commands as appropriate.
Refer to the above example and
fstab(5)
for information on the format of this file.
You may wish to do NFS mounts now too, or you can do them later.
/etc/ccd.conf
.
You may wish to take a look to
ccdconfig(8)
for more information about this file.
Use the
ccdconfig -U
command to unload and the
ccdconfig -C
command to create tables internal to the kernel for the concatenated disks.
You then
mount(8),
umount(8),
and edit
/etc/fstab
as needed.
/etc/amd
directory, copy example config files from
/usr/share/examples/amd
to
/etc/amd
and customize them as needed.
Alternatively, you can get your maps with YP.
/etc/rc.conf
contains the following:
ntpdate=yes
ntpd=yes
See date(1), ntpdate(8), ntpd(8), rdate(8), and timed(8) for more information on setting the system's date.
Note that the
/etc/motd
file is modified by
/etc/rc.d/motd
whenever the system is booted.
To keep any custom message intact, ensure that you leave two blank lines
at the top, or your message will be overwritten.
/etc/passwd
file
and edit
/etc/group
by hand to add new groups.
The manual page for
su(1),
tells you to make sure to put people in
the
`wheel'
group if they need root access (non-Kerberos).
For example:
wheel:*:0:root,myself
Follow instructions for kerberos(8) if using Kerberos for authentication.
/etc/rc
and the
/etc/rc.d/*
scripts are invoked at boot time after single user mode has exited,
and at shutdown.
The whole process is controlled by the master script
/etc/rc
.
This script should not be changed by administrators.
The directory
/etc/rc.d
contains a series of scripts used at startup/shutdown, called by
/etc/rc
.
/etc/rc
is in turn influenced by the configuration variables present in
/etc/rc.conf
.
The script
/etc/rc.local
is run as the last thing during multiuser boot, and is provided
to allow any other local hooks necessary for the system.
/etc/rc.conf
.
You can take a look at
/etc/defaults/rc.conf
to see a list of default system variables, which you can override in
/etc/rc.conf
.
Note you are
not
supposed to change
/etc/defaults/rc.conf
directly, edit only
/etc/rc.conf
.
See
rc.conf(5)
for further information.
If you've installed X, you may want to turn on
xdm(1),
the X Display Manager.
To do this, set the variable
``xdm''
to yes in
/etc/rc.conf
,
i.e.:
``xdm=yes''
/etc/printcap
and
/etc/hosts.lpd
to get any printers set up.
Consult
lpd(8)
and
printcap(5)
if needed.
/etc/inetd.conf
comment out any extra entries you do not need, and only add things
that are really needed.
Note that by default all services are disabled for security reasons.
/etc/kerberosV
and configure.
Remember to get a
srvtab
from the master so that the remote commands work.
/etc/mail/aliases
and update appropriately if you want e-mail to be routed
to non-local addresses or to different users.
Run newaliases(1) after changes.
/etc/postfix/main.cf
and
/etc/postfix/master.cf
.
If you wish to use a different MTA (e.g., sendmail), install your MTA of
choice and edit
/etc/mailer.conf
to point to the proper binaries.
/etc/dhcpd.conf
and
/etc/dhcpd.interfaces
as needed.
You will have to make sure
/etc/rc.conf
has "dhcpd=yes"
or run
dhcpd(8)
manually.
/etc/bootparams
as needed.
You will have to turn it on in
/etc/rc.conf
by adding "bootparamd=yes".
/etc/rc.conf
has:
nfs_server=yes
mountd=yes
rpcbind=yes
Edit
/etc/exports
and get it correct.
After this, you can start the server by issuing:
/etc/rc.d/rpcbind start
/etc/rc.d/mountd start
/etc/rc.d/nfsd start
/etc/rbootd.conf
if needed for remote booting.
If you do not have HP computers doing remote booting, do not enable this.
/etc/daily.conf
, /etc/weekly.conf
,
and
/etc/monthly.conf
configuration files.
You can check which values you can set by looking
to their matching files in
/etc/defaults
.
Your site specific things should go into
/etc/daily.local
, /etc/weekly.local
,
and
/etc/monthly.local
.
These scripts have been limited so as to keep the system running without filling up disk space from normal running processes and database updates. (You probably do not need to understand them.)
/etc
and edit them as needed.
(Do not edit files ending in
.db
-- like
pwd.db
, spwd.db
,
nor
localtime
,
nor
rmt
,
nor any directories.)
30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out
30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
See crontab(5).
var/mail:
permissions (0755, 0775)
etc/daily:
user (0, 3)
The best bet is to follow the advice in that list.
The recommended setting is the first item in parentheses, while
the current setting is the second one.
This list is generated by
mtree(8)
using
/etc/mtree/special
.
Use
chmod(1),
chgrp(1),
and
chown(8)
as needed.
ftp://ftp.NetBSD.org/pub/NetBSD/packages/
or a mirror, and install using
pkg_add(1).
See
http://www.NetBSD.org/docs/pkgsrc/
and
pkgsrc/doc/pkgsrc.txt
for more details.
Copy vendor binaries and install them. You will need to install any shared libraries, etc. (Hint: man -k compat to find out how to install and use compatibility mode.)
There is also other third-party software that is available in source form only, either because it has not been ported to NetBSD yet, because licensing restrictions make binary redistribution impossible, or simply because you want to build your own binaries. Sometimes checking the mailing lists for past problems that people have encountered will result in a fix posted.
First, review the system message buffer in
/var/run/dmesg.boot
and by using the
dmesg(8)
command to find out information on your system's devices as probed by the
kernel at boot.
In particular, note which devices were not configured.
This information will prove useful when editing kernel configuration files.
To compile a kernel inside a writable source tree, do the following:
$ cd /usr/src/sys/arch/SOMEARCH/conf
$ cp GENERIC SOMEFILE (only the first time)
$ vi SOMEFILE (adapt to your needs)
$ config SOMEFILE
$ cd ../compile/SOMEFILE
$ make depend
$ make
where SOMEARCH is the architecture (e.g., i386), and SOMEFILE should be a name indicative of a particular configuration (often that of the hostname).
If you are building your kernel again, before you do a make you should do a make clean after making changes to your kernel options.
After either of these two methods, you can place the new kernel (called
netbsd
)
in
/
(i.e.,
/netbsd
)
by issuing
make install
and the system will boot it next time.
The old kernel is stored as
/onetbsd
so you can boot it in case of failure.
If you are using toolchain to build your kernel, you will also need to
build a new set of toolchain binaries.
You can do it by changing into
/usr/src
and issuing:
$ cd /usr/src
$ K=sys/arch/`uname -m`/conf
$ cp $K/GENERIC $K/SOMEFILE
$ vi $K/SOMEFILE (adapt to your needs)
$ ./build.sh tools
$ ./build.sh kernel=SOMEFILE
/usr/tests/
,
assuming that you installed the
tests.tgz
set.
If not, you can install it now by running:
# cd /
# tar xzpf /path/to/tests.tgz
Once done, edit the
/etc/atf/NetBSD.conf
file to tune the configuration of the test suite, go to
/usr/tests/
hierarchy and use the
atf-run(1)
and
atf-report(1)
utilities to run all the tests in an automated way:
# cd /usr/tests/
# atf-run | atf-report
Should any problems appear when running the test suite, please let the NetBSD developers know by sending a message to the appropriate mailing list or by sending a problem report. For more details see:
http://www.netbsd.org/mailinglists/
http://www.netbsd.org/support/send-pr.html