

OpenBSD 68k Mac Tips
Use this web page as a guide while you set up your OpenBSD Mac.
All about the Mac port
OpenBSD/mac68k runs on many of the Motorola 680x0-based Macintosh machines. It requires a Motorola 68020, 68030, or a 68040 processor. If you have a 68020, it will also need a Motorola 68851 PMMU (note that this is different from the 68881, which is an FPU). While the system is quite useful (it's being run as an internet server and router), there is still plenty of work to be done. Please jump in and become a part of the action!
History and Status:
The mac68k port of OpenBSD was derived from NetBSD/mac68k, and it supports most of the same hardware as NetBSD. This does not mean that OpenBSD is the same as NetBSD. Far from it. The kernel makes up only a small part of the full system.
Supported Hardware:
OpenBSD/mac68k now runs on most 680x0 Macintoshes. Specifically, it should work on:
The following Macintosh models are "fully" supported. This means that at least the SCSI controller, ADB (keyboard and mouse), and some sort of display will function on these models. On some of these machines, a PMMU and/or FPU are required if they are not provided by default with the machine.
Supported devices on all of the above systems include:
Some systems will boot and are usable from an external terminal (serial tty or SL/IP):
What isn't supported, but often asked about:
Current information and help with installing can be found in the INSTALL.mac68k document distributed with the most recent release of OpenBSD. Also, be sure to see the most recent mac68k errata on the OpenBSD errata page. It contains some information vitally important to correctly installing the system from the CDROMs.
There is a list of changes in the machine-independent portions of the system. Check it out.
There is a mailing list devoted to OpenBSD/mac68k at mac68k@openbsd.org. To join the OpenBSD/mac68k mailing list, send a message body of "help" to majordomo@openbsd.org and you will receive a reply outlining all of your options.
To learn how to obtain the most recent release of OpenBSD/mac68k, please see the page we have on FTP'ing OpenBSD or ordering OpenBSD on CDROM.
There is currently no official maintainer for the mac68k port.
What To Do After You Get It Installed
Booting
First you need to boot BSD. This requires a simple change in the BSD Booter application that runs under Mac OS. Launch BSD Booter. Go to 'Options/Booting' from the Mac menu bar. Change the BSD Device Kernel name to bsd. Now you can boot by choosing it under the Options menu.
After the boot
This document attempts to list items for the system administrator to check and set up after the installation and first complete boot of the system. The idea is to create a list of items that can be checked off so that you have a warm fuzzy feeling that something obvious has not been missed. A basic knowledge of UNIX is assumed, otherwise type
# help
Complete instructions for correcting and fixing items are not provided. There are manual pages and other resources available for that. For example, to view the man page for the ls(1) command, type:
man 1 ls
Administrators will rapidly become more familiar with OpenBSD if they get used to using the high quality manual pages.
Errata
By the time that you have installed your system, it is quite likely that bugs in the release have been found. All significant and easily fixed problems will be reported at http://www.openbsd.org/errata.html. The web page will mention if a problem is security related. It is recommended that you check this page regularly.
Login
Login as ``root''. You can do so on the console, or over the network using ssh(1). If you wish to deny root logins over the network, edit the /etc/sshd_config file and set PermitRootLogin to ``no'' (see sshd(8)).
Upon successful login on the console, you may see the message ``Don't login as root, use su''. For security reasons, it is bad practice to login as root during regular use and maintenance of the system. Instead, administrators are encouraged to add a ``regular'' user, add said user to the ``wheel'' group, then use the su and sudo commands when root privileges are required. This process is described in more detail later.
Root password
Change the password for the root user. (Note that throughout the documentation, the term ``superuser'' is a synonym for the root user.) Choose a password that has digits and special characters (not space) as well as upper and lower case letters. Do not choose any word in any language. It is common for an intruder to use dictionary attacks. Type the command /usr/bin/passwd to change it.
It is a good idea to always specify the full path name for both the passwd(1) and su(1) commands, as this prevents a look-alike program placed in a directory on your execution PATH from being run instead of the real one. Furthermore, the superuser's PATH should never contain the current directory (``.'').
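The two checks from the Login and Root password sections (PermitRootLogin in sshd_config, and "." in the superuser's PATH) as an added shell example; this is not code from the original page or from OpenBSD, the function names are mine, and the sshd_config text is a constructed sample:

```shell
# Constructed sample sshd_config text (not taken from any real machine).
SAMPLE_SSHD_CONFIG='# sample sshd_config
Port 22
PermitRootLogin yes
#PermitRootLogin no
PasswordAuthentication yes'

# Print the effective PermitRootLogin value from sshd_config text on stdin.
# sshd honours the first active keyword; commented lines are ignored.
# Prints "unset" when no active PermitRootLogin line exists.
permit_root_login() {
  awk '
    /^[[:space:]]*#/ { next }
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "unset" }
  '
}

# Rewrite sshd_config text on stdin so root may not log in over the
# network: the first active PermitRootLogin line becomes "no", and one
# is appended if the keyword was never set. Output goes to stdout.
deny_root_login() {
  awk '
    /^[[:space:]]*#/ { print; next }
    tolower($1) == "permitrootlogin" && !done { print "PermitRootLogin no"; done = 1; next }
    { print }
    END { if (!done) print "PermitRootLogin no" }
  '
}

# Return 0 (true) when a PATH value includes the current directory,
# either as an explicit "." entry or as an empty entry (a leading,
# trailing or doubled colon, which the shell also treats as ".").
path_has_cwd() {
  case ":$1:" in
    *:.:*|*::*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Demonstration on the constructed sample.
printf 'PermitRootLogin now: %s\n' "$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | permit_root_login)"
printf 'after deny_root_login: %s\n' \
  "$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | deny_root_login | permit_root_login)"
if path_has_cwd "/sbin:/bin:/usr/sbin:/usr/bin:."; then
  echo "PATH contains the current directory: remove it"
else
  echo "PATH is clean"
fi
```

On a real system feed the functions with `permit_root_login < /etc/sshd_config` and `path_has_cwd "$PATH"`, and write the output of deny_root_login to a new file for review rather than over the live config.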
Starting X Windows
1. No mac68k-specific setup is required. Nothing needs to be, nor can be, done beyond package installation. There are no configuration files for X on mac68k machines.
See the Xmac68k(1) manual page for information on middle and right mouse button emulation.
2. Start xdm, the X display manager by activating the xdm_flags option in /etc/rc.conf. To do this, type
vi /etc/rc.conf
This opens the rc.conf file. Scroll down by using the arrow down key until you see
xdm_flags=NO
on the left hand side. Move the cursor to the letter 'O' of the word NO. Now hit the x key to delete the 'O'. Hit the x key again to delete the 'N'. Now hit the 'i' key to enter insert mode, move the cursor one space to the right, and type YES. Now save the file by hitting the escape key, then the colon (:) key. Now type
wq!
to write the file and quit.
You may need to disable the console getty in /etc/ttys.
If you encounter a problem, you can browse the entire documentation at
http://www.xfree86.org/XFree86/3.3.6/
System date
Check the system date with the date(1) command. If needed, change the date, and/or change the symbolic link of /etc/localtime to the correct time zone in the /usr/share/zoneinfo directory.
Examples:
date 199901271504
Sets the current date to January 27th, 1999 3:04pm.
ln -fs /usr/share/zoneinfo/Canada/Atlantic /etc/localtime
Set the time zone to Atlantic Standard Time.
Check hostname
Use the hostname command to verify that the name of your machine is correct. See the man page for hostname(1) if it needs to be changed. You will also need to edit the /etc/myname file to have it stick around for the next reboot.
Verify network interface configuration
The first thing to do is an ifconfig -a to see if the network interfaces are properly configured. Correct by editing /etc/hostname.interface (where interface is the interface name, e.g., ``le0'') and then using ifconfig(8) to manually configure it if you do not wish to reboot. Read the hostname.if(5) man page for more information on the format of /etc/hostname.interface files. The loopback interface will look something like:
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
an Ethernet interface something like:
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1
and, a PPP interface something like:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000
If you wish to turn on multicast routing, see the section titled ``Multicast routing.'' in /etc/netstart.
See dhcp(8) for instructions on configuring interfaces with DHCP.
Check routing tables
Issue a netstat -rn command. The output will look something like:
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 192.168.4.254 UGS 0 11098028 - le0
127 127.0.0.1 UGRS 0 0 - lo0
127.0.0.1 127.0.0.1 UH 3 24 - lo0
192.168.4 link#1 UC 0 0 - le0
192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0
192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0
Internet6:
Destination Gateway Flags Refs Use Mtu Interface
::/96 ::1 UGRS 0 0 32972 lo0 =>
::1 ::1 UH 4 0 32972 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0
fc80::/10 ::1 UGRS 0 0 32972 lo0
fe80::/10 ::1 UGRS 0 0 32972 lo0
fe80::%le0/64 link#1 UC 0 0 1500 le0
fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0
ff01::/32 ::1 U 0 0 32972 lo0
ff02::%le0/32 link#1 UC 0 0 1500 le0
ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0
The default gateway address is stored in the /etc/mygate file. If you need to edit this file, a painless way to reconfigure the network afterwards is route flush followed by a sh -x /etc/netstart command. Or, you may prefer to manually configure using a series of route add and route delete commands (see route(8)).
If you wish to route packets between interfaces, add the directive
net.inet.ip.forwarding=1
or
net.inet6.ip6.forwarding=1
to /etc/sysctl.conf, or compile a new kernel with the GATEWAY option. Packets are not forwarded by default, due to RFC requirements.
You can add new ``virtual interfaces'' by adding the required entries to /etc/hostname.if.
BIND Name Server (DNS)
If you are using the BIND Name Server, check the /etc/resolv.conf file. It may look something like:
domain nts.umn.edu
nameserver 128.101.101.101
nameserver 134.84.84.84
search nts.umn.edu. umn.edu.
lookup file bind
If using a caching name server add the line "nameserver 127.0.0.1" first. To get a local caching name server to run you will need to set "named_flags" in /etc/rc.conf and create the named.boot file in the appropriate place for named(8). The same holds true if the machine is going to be a name server for your domain. In both these cases, make sure that named(8) is running (otherwise there are long waits for resolver timeouts).
YP Setup
Check the YP domain name with the domainname(1) command. If necessary, correct it by editing the /etc/defaultdomain file. The /etc/netstart script reads this file on bootup to determine and set the domain name. You may also set the running system's domain name with the domainname(1) command. To start YP client services, simply run ypbind, then perform the remaining YP activation as described in passwd(5) and group(5).
In particular, to enable YP passwd support, you'll need to add the following line to /etc/master.passwd:
+:*::::::::
You do this using vipw(8). Once this is done, you'll need to run pwd_mkdb /etc/master.passwd to regenerate the password databases.
There are many more YP man pages available to help you. You can find more information by starting with yp(8).
Check disk mounts
Check that the disks are mounted correctly by comparing the /etc/fstab file against the output of the mount(8) and df(1) commands. Example:
# cat /etc/fstab
/dev/sd0a / ffs rw 1 1
/dev/sd0b none swap sw 0 0
/dev/sd0d /usr ffs rw 1 2
/dev/sd0e /var ffs rw 1 3
/dev/sd0g /tmp ffs rw 1 4
/dev/sd0h /home ffs rw 1 5
# mount
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local)
/dev/sd0e on /var type ffs (local)
/dev/sd0g on /tmp type ffs (local)
/dev/sd0h on /home type ffs (local)
# df
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/sd0a 22311 14589 6606 69% /
/dev/sd0d 203399 150221 43008 78% /usr
/dev/sd0e 10447 682 9242 7% /var
/dev/sd0g 18823 2 17879 0% /tmp
/dev/sd0h 7519 5255 1888 74% /home
# pstat -s
Device 512-blocks Used Avail Capacity Priority
/dev/sd0b 131072 84656 46416 65% 0
Edit /etc/fstab and use the mount(8) and umount(8) commands as appropriate. Refer to the above example and fstab(5) for information on the format of this file.
You may wish to do NFS partitions now too, or you can do them later.
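The fstab-versus-mount comparison described above, as an added shell example that is not part of the original page or of OpenBSD; the function name is mine, and both inputs are constructed samples modelled on the listing above (with /tmp deliberately left unmounted):

```shell
# Constructed sample texts standing in for /etc/fstab and the output of
# mount(8); /tmp is deliberately missing from the mount output.
SAMPLE_FSTAB='/dev/sd0a /     ffs  rw 1 1
/dev/sd0b none  swap sw 0 0
/dev/sd0d /usr  ffs  rw 1 2
/dev/sd0e /var  ffs  rw 1 3
/dev/sd0g /tmp  ffs  rw 1 4
/dev/sd0h /home ffs  rw 1 5'

SAMPLE_MOUNT='/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local)
/dev/sd0e on /var type ffs (local)
/dev/sd0h on /home type ffs (local)'

# Report fstab entries that should be mounted but are not, or that are
# mounted from a different device than fstab names. Arguments: fstab text,
# mount output text. Swap and noauto entries are skipped. Prints nothing
# when everything agrees.
fstab_vs_mount() {
  printf '%s\n' "$1" | awk -v mounts="$2" '
    BEGIN {
      n = split(mounts, m, "\n")
      for (i = 1; i <= n; i++) {
        split(m[i], f, " ")
        if (f[2] == "on") have[f[3]] = f[1]   # mount point -> device
      }
    }
    /^[[:space:]]*(#|$)/ { next }
    $3 == "swap" || $4 ~ /(^|,)noauto(,|$)/ { next }
    !($2 in have) { print $2 " (" $1 ") is in fstab but not mounted"; next }
    have[$2] != $1 { print $2 " is mounted from " have[$2] " but fstab says " $1 }
  '
}

# Demonstration on the constructed sample.
report="$(fstab_vs_mount "$SAMPLE_FSTAB" "$SAMPLE_MOUNT")"
if [ -n "$report" ]; then
  printf 'fstab/mount mismatch:\n%s\n' "$report"
else
  echo "fstab and mount agree"
fi
```

On a live system call it as `fstab_vs_mount "$(cat /etc/fstab)" "$(mount)"`.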
Concatenated disks (ccd)
If you are using ccd(4) concatenated disks, edit /etc/ccd.conf. Use the ccdconfig -U command to unload and the ccdconfig -C command to create tables internal to the kernel for the concatenated disks. You then mount(8), umount(8), and edit /etc/fstab as needed.
Automounter daemon (AMD)
If using the amd(8) package, go into the /etc/amd directory and set it up by renaming master.sample to master and editing it and creating other maps as needed. Alternatively, you can get your maps with YP.
CHANGING /ETC FILES
The system should be usable now, but you may wish to do more customizing, such as adding users, etc. Many of the following sections may be skipped if you are not using that package (for example, skip the Kerberos section if you won't be using Kerberos). We suggest that you cd /etc and edit most of the files in that directory.
Note that the /etc/motd file is modified by /etc/rc whenever the system is booted. To keep any custom message intact, ensure that you leave two blank lines at the top, or your message will be overwritten.
Add new users
Add users. There is an adduser(8) script. You may use vipw(8) to add users to the /etc/passwd file and edit /etc/group by hand to add new groups. The manual page for su(1) tells you to make sure to put people in the `wheel' group if they need root access (non-Kerberos). For example:
wheel:*:0:root,myself
Follow instructions for kerberos(1) if using Kerberos for authentication.
rc.conf, rc.local, rc.securelevel, rc.shutdown
Check for any local changes needed in the files /etc/rc.conf, /etc/rc.local, /etc/rc.securelevel, and /etc/rc.shutdown. Turning on something like the Network Time Protocol in /etc/rc.conf requires making sure the package is installed. If you've installed X, you may want to turn on xdm(1), the X Display Manager. To do this, change the value of xdm_flags in /etc/rc.conf.
Printers
Edit /etc/printcap and /etc/hosts.lpd to get any printers set up. Consult lpd(8) and printcap(5) if needed.
Tighten up security
You might wish to tighten up security more by editing /etc/fbtab as when installing X. In /etc/inetd.conf comment out any extra entries you do not need, and only add things that are really needed. Note that by default the telnetd(8) and ftpd(8) daemons are not enabled in favor of SSH (Secure Shell).
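An added shell example for the inetd.conf trimming described above; it is not code from the original page or from OpenBSD, the function names are mine, and the inetd.conf text is a constructed sample in the standard seven-column format:

```shell
# Constructed sample inetd.conf (columns: service socket proto wait user
# server args). ftp and telnet are already commented out, as the page notes.
SAMPLE_INETD='# Internet server configuration database
#ftp     stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -US
#telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd -k
ident    stream  tcp  nowait  root  /usr/libexec/identd   identd -el
daytime  stream  tcp  nowait  root  internal
comsat   dgram   udp  wait    root  /usr/libexec/comsat   comsat'

# List the services inetd would actually start, as "service/proto" on one
# line, from inetd.conf text on stdin. Comments and blank lines are skipped.
inetd_enabled() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    { printf "%s%s/%s", (n++ ? " " : ""), $1, $3 }
    END { print "" }
  '
}

# Comment out every active line whose service is not in the allow-list
# given as arguments (e.g. inetd_restrict ident). Reads inetd.conf text on
# stdin and writes the restricted file to stdout, so it can be reviewed
# before replacing /etc/inetd.conf.
inetd_restrict() {
  awk -v keep="$*" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
    /^[[:space:]]*(#|$)/ { print; next }
    !($1 in allow)       { print "#" $0; next }
    { print }
  '
}

# Demonstration on the constructed sample: keep only ident.
echo "enabled before: $(printf '%s\n' "$SAMPLE_INETD" | inetd_enabled)"
echo "enabled after:  $(printf '%s\n' "$SAMPLE_INETD" | inetd_restrict ident | inetd_enabled)"
```

After editing the real file, send inetd(8) a HUP so it rereads /etc/inetd.conf.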
Kerberos
If you are going to use kerberos(1) for authentication, and you already have a Kerberos master, change directory to /etc/kerberosIV and configure. Remember to get a srvtab from the master so that the remote commands work.
Mail Aliases
Edit /etc/mail/aliases and set the three standard aliases to go to either a mailing list, or the system administrator.
# Well-known aliases -- these should be filled in!
root: sysadm
manager: sysadm
dumper: sysadm
Run newaliases(8) after changes.
Sendmail
OpenBSD ships with a default /etc/mail/sendmail.cf file that will work for simple installations; it was generated from openbsd-proto.mc. See /usr/share/doc/smm/08.sendmailop/op.me for information on generating your own sendmail configuration files. For the default installation, sendmail is configured to only process jobs that have been queued and to not accept messages over the network. This makes it possible to send mail locally, but not receive mail from remote servers, which is ideal if you have one central incoming mail machine and several clients. To cause sendmail to accept network connections, modify the ``sendmail_flags'' variable in /etc/rc.conf in accordance with the comments therein. Note that sendmail now also listens on port 587 by default. This is to implement the RFC2476 message submission protocol. You may disable this via the ``no_default_msa'' option in your sendmail .mc file. See /usr/share/sendmail/README for more information.
DHCP server
If this is a DHCP server, edit /etc/dhcpd.conf and /etc/dhcpd.interfaces as needed. You will have to make sure /etc/rc.conf has:
dhcpd_flags=-q
or run dhcpd(8) manually.
BOOTP server
If this is a BOOTP server, edit /etc/bootptab as needed. You will have to turn it on in /etc/inetd.conf or run bootpd(8) in its standalone mode.
NFS server
If this is an NFS server make sure /etc/rc.conf has:
nfs_server=YES
Edit /etc/exports and get it correct. It is probably easier to reboot than to get the daemons running manually, but you can get the order correct by looking at /etc/netstart.
HP remote boot server
Edit /etc/rbootd.conf if needed for remote booting. If you do not have HP computers doing remote booting, do not enable this.
Daily, weekly, monthly scripts
Look at and possibly edit the /etc/daily, /etc/weekly, and /etc/monthly scripts. Your site specific things should go into /etc/daily.local, /etc/weekly.local, and /etc/monthly.local.
These scripts have been limited so as to keep the system running without filling up disk space from normal running processes and database updates.
(You probably do not need to understand them.)
The /altroot filesystem can optionally be used to provide a backup of the root filesystem on a daily basis. To take advantage of this, you must have an entry in /etc/fstab with ``xx'' for the mount option:
/dev/wd0j /altroot ffs xx 0 0
and you must add a line to root's crontab:
ROOTBACKUP=1
so that the /etc/daily script will make a daily backup of the root filesystem.
Other files in /etc
Look at the other files in /etc and edit them as needed. (Do not edit files ending in .db -- like pwd.db, spwd.db, nor localtime, nor rmt, nor any directories.)
Crontab (background running processes)
Check what is running by typing crontab -l as root and see if anything unexpected is present. Do you need anything else? Do you wish to change things? e.g., if you do not like root getting standard output of the daily scripts, and want only the security scripts that are mailed internally, you can type crontab -e and change some of the lines to read:
30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out
30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
See crontab(5).
Next day cleanup
After the first night's security run, change ownerships and permissions on files, directories, and devices; root should have received mail with subject: "<hostname> daily insecurity output.". This mail contains a set of security recommendations, presented as a list looking like this:
var/mail:
permissions (0755, 0775)
etc/daily:
user (0, 3)
The best bet is to follow the advice in that list. The recommended setting is the first item in parentheses, while the current setting is the second one. This list is generated by mtree(8) using /etc/mtree/special.
Use chmod(1), chgrp(1), and chown(8) as needed.
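An added shell example that turns the "daily insecurity output" list into chmod/chown/chgrp commands to review before running them; this is not code from the original page or from OpenBSD, the function name is mine, the list text is a constructed sample in the format shown above, and the treatment of keywords other than permissions/user/uid/group/gid is my own choice (they are echoed for manual review):

```shell
# Constructed sample of the "daily insecurity output" list (mtree format:
# the recommended value first, the current value second). Not real output.
SAMPLE_INSECURITY='var/mail:
    permissions (0755, 0775)
etc/daily:
    user (0, 3)
etc/weekly:
    gid (0, 5)
etc/hosts:
    size (1024, 2048)'

# Turn that list into review-able chmod/chown/chgrp commands. Paths in the
# list are relative to the mtree root, "/" by default (pass another root as
# the first argument). Keywords the page does not describe are echoed as a
# comment for manual review instead of being guessed at.
insecurity_fixups() {
  awk -v root="${1:-/}" '
    /:[[:space:]]*$/ {                    # "path:" header line
      sub(/^[[:space:]]*/, ""); sub(/:[[:space:]]*$/, "")
      path = root $0; next
    }
    path == "" || NF < 2 { next }         # nothing to attach this line to
    {
      key = $1
      want = $2; sub(/^\(/, "", want); sub(/,$/, "", want)
      if (key == "permissions")                print "chmod " want " " path
      else if (key == "user" || key == "uid")  print "chown " want " " path
      else if (key == "group" || key == "gid") print "chgrp " want " " path
      else print "# " key " differs on " path " (wanted " want "): review by hand"
    }
  '
}

# Demonstration: print the commands rather than running them, so they can
# be checked against the list before anything on the system is changed.
printf '%s\n' "$SAMPLE_INSECURITY" | insecurity_fixups
```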
Packages
Install your own packages. The OpenBSD ports collection includes a large set of Third-Party software. A lot of it is available as binary packages, that you can download from ftp://ftp.openbsd.org or a mirror, and install using pkg_add(1). See http://www.openbsd.org/ports.html and packages(7) for more details.
Copy vendor binaries and install them. You will need to install any shared libraries, etc. (Hint: man -k compat to find out how to install and use compatibility mode.)
There is also other Third-Party Software that is available in source form only, either because it has not been ported to OpenBSD yet, or because licensing restrictions make binary redistribution impossible. Sometimes checking the mailing lists for past problems that people have encountered will result in a fix posted.
COMPILING A KERNEL
First, review the system message buffer using the dmesg(8) command to find out information on your system's devices as probed by the kernel at boot. In particular, note which devices were not configured. This information will prove useful when editing kernel configuration files.
To compile a kernel inside a writable source tree, do the following:
# cd /usr/src/sys/arch/somearch/conf
# vi SOMEFILE (to make any changes)
# config SOMEFILE
# cd ../compile/SOMEFILE
# make
where somearch is the architecture (e.g. i386, or mac68k for the machines this page covers), and SOMEFILE should be a name indicative of a particular configuration (often that of the hostname). You can also do a make depend so that you will have dependencies there the next time you do a compile.
If you are building your kernel again, before you do a make you should do a make depend after making changes (including updates or patches) to your kernel source, or a make clean after making changes to your kernel options.
After either of these two methods, you can place the new kernel (called bsd) in / (i.e. /bsd) and the system will boot it next time. Most people save their backup kernels as /bsd.1, /bsd.2, etc.
It is not always necessary to recompile the kernel if only configuration changes are required. With config(8), you can change the device configu- ration in the kernel file directly:
# config -e -o bsd.new /bsd
OpenBSD 2.7-beta (GENERIC.rz0) #0: Mon Oct 4 03:57:22 MEST 1999
root@winona:/usr/src/sys/arch/pmax/compile/GENERIC.rz0
Enter 'help' for information
ukc>
Additionally, you can permanently save the changes made with UKC during boot time in the kernel image.
©1996-04 JagWerks Media