Installing OpenBSD 7.1

This article covers the basic steps needed for downloading OpenBSD 7.1, installing a basic command-line configuration, and setting up users with privileges. For the best installation experience I recommend using an ethernet connection during the installation process. The OpenBSD site (as well as their excellent manual page) offers a wealth of knowledge and are great resources for learning about anything immediately related to the operating of OpenBSD. For more information regarding the setup of a GUI (using xfce or similar packages), commands, and further documentation- please refer to www.openbsd.org and https://man.openbsd.org/.

Overview

• Downloading OpenBSD

• Installing OpenBSD

• Adding accounts

• Configuring the doas utility
  

Step 1: Downloading OpenBSD and editing console settings Begin the installation by downloading OpenBSD from the website www.openbsd.org.

• Once you confirm that OpenBSD is officially supported for the platform that you are using (by navigating to https://www.openbsd.org/plat.html), download the install71.img file that matches your systems architecture.
  

Make sure to also download the checksum file and follow the tutorial that is

immediately underneath the ‘installation image’ section of the OpenBSD Installation Guide to verify file integrity. The SHA 256 signature can be found by replacing the last line of the copied download link to “.../SHA256.sig/”, like the image below:

Once file integrity is verified , copy the install71.img file to a USB drive and insert the drive into an empty USB slot on the target computer. Assign the drive as the first in the boot order and then reboot the computer. *NOTE: For ARM based machines, once rebooted and OpenBSD begins loading, interrupt the boot process by pressing any key and follow the rest of step 1. Then edit the boot configuration to enable the console display.

#set tty fb0 #boot

Press “Return” and start the installation.

Step 2: Installing OpenBSD Perform a basic command-line installation of OpenBSD.

Select the (I) option to install OpenBSD. Continue by configuring the desired system hostname, setting the root password, and selecting the default options for anything else.

Make sure to select the disk you intend to install OpenBSD on and continue accepting the default choices. Once the installation of the sets begins, you can list the available HTTP servers by using the “?” and then selecting the appropriate option.

After the sets have finished installing, accept the default answer for the remaining options and reboot the system.

• Now OpenBSD is installed on your system! Make sure to remove the installation drive and re-configure the boot order to place the drive containing OpenBSD as first. After the system has rebooted, login the root account and run the commands below to update the system. #syspatch && fw_update For ARM based machines download your favorite text editor and edit the boot.conf file to prevent OpenBSD from booting into serial console mode. #touch /etc/boot.conf && nano /etc/boot.conf Add the lines “set tty fb0” and “boot” into the boot.conf file and reboot the system again without needing to interrupt the boot process.

This finishes the basic installation of OpenBSD. #reboot

Step 3: Adding Users

Add users, assign privileges, and configure the doas utility.

• Add users in interactive mode by not specifying any flags after the adduser command. #adduser Setup the account by entering the user information into “adduser” command. Assign privileges by selecting group membership for the user.
  

*Note: More information regarding groups, login class, and other variables can be found in the OpenBSD Manual under group(5), adduser(8), and useradd(8). Users can also be added by using the “adduser” command with the following syntax to add the user to a specified group with the -G flag and enable creation of a home directory with the -m flag: adduser -m -G [Group] [Username] Assign a password to the newly make account account by running the command “passwd” in the following syntax: passwd [user name]

*NOTE: It is generally best practice to add users with doas permission to the default “wheel” group.

Step 4: Configuring the doas utility

Enable the doas utility to execute commands as root (similar to the sudo command) by using your text editor of choice to edit and then create the doas.conf file.

• The file /etc/doas.conf enables the doas utility and manages the frequency in which the user is prompted for their password before executing commands as root. It is recommended that most users use the “permit persist :wheel” option. #nano /etc/doas.conf - Gives users of the wheel group the permission to execute doas commands: permit :wheel - Password prompts before doas execution are less frequent: permit persist :wheel - No requirement to verify passwords for doas permission: premit nopass :wheel This is a highly configurable document that allows for setting user, group, and command permissions. For more information please refer to the doas.conf(5) entry in the OpenBSD manual.

Save and test the configuration file with the following command. Validation will

return a silent response. #doas -C /etc/doas.conf

Test account creation and doas permission. Switch to an account that is a member of the group that you just gave permission

to use the doas utility.

#su User #id User Test permission escalation by starting daemons with the rcctl utility. #rcctl -f start unbound #doas rcctl -f start unbound Stop Unbound and switch to an account that does not have permission to use the doas utility to confirm proper access control. #su Snort #id Snort #rcctl -f start unbound

This enables and confirms the use of the doas utility. Group membership information can be viewed or edited by accessing /etc/group/ file and password logs are kept in /var/log/ location.