- NetBSD Manual Pages
AFTERBOOT(8) NetBSD System Manager's Manual AFTERBOOT(8)
Powered by man-cgi (2021-06-01).
Maintained for NetBSD
by Kimmo Suominen.
Based on man-cgi by Panagiotis Christias.
afterboot -- things to check after the first complete boot
This document attempts to list items for the system administrator to
check and set up after the installation and first complete boot of the
system. The idea is to create a list of items that can be checked off so
that you have a warm fuzzy feeling that something obvious has not been
missed. A basic knowledge of UNIX is assumed.
Complete instructions for correcting and fixing items is not provided.
There are manual pages and other methodologies available for doing that.
For example, to view the man page for the ls(1) command, type:
man 1 ls
Administrators will rapidly become more familiar with NetBSD if they get
used to using the manual pages.
By the time that you have installed your system, it is quite likely that
bugs in the release have been found. All significant and easily fixed
problems will be reported at http://www.NetBSD.org/support/security/. It
is recommended that you check this page regularly.
Login as ``root''. You can do so on the console, or over the network
using ssh(1). If you have enabled the ssh daemon and wish to allow root
logins over the network, edit the /etc/ssh/sshd_config file and set
PermitRootLogin to ``yes'' (see sshd_config(5)). The default is to not
permit root logins over the network after fresh install in NetBSD.
Upon successful login on the console, you may see the message ``We
recommend creating a non-root account...''. For security reasons, it is
bad practice to login as root during regular use and maintenance of the
system. In fact, the system will only let you login as root on a secure
terminal. By default, only the console is considered to be a secure ter-
minal. Instead, administrators are encouraged to add a ``regular'' user,
add said user to the ``wheel'' group, then use the su(1) command when
root privileges are required. This process is described in more detail
Change the password for the root user. (Note that throughout the docu-
mentation, the term ``superuser'' is a synonym for the root user.)
Choose a password that has numbers, digits, and special characters (not
space) as well as from the upper and lower case alphabet. Do not choose
any word in any language. It is common for an intruder to use dictionary
attacks. Type the command /usr/bin/passwd to change it.
It is a good idea to always specify the full path name for both the
passwd(1) and su(1) commands as this inhibits the possibility of files
placed in your execution PATH for most shells. Furthermore, the supe-
ruser's PATH should never contain the current directory (``.'').
Check the system date with the date(1) command. If needed, change the
date, and/or change the symbolic link of /etc/localtime to the correct
time zone in the /usr/share/zoneinfo directory.
Set the current date to May 10th, 2002 6:20pm.
ln -fs /usr/share/zoneinfo/Europe/Helsinki /etc/localtime
Set the time zone to Eastern Europe Summer Time.
One of the first things you will likely need to do is to set up your key-
board map (and maybe some other aspects about the system console). To
change your keyboard encoding, edit the ``encoding'' variable found in
wscons.conf(5) contains more information about this file.
Use the hostname command to verify that the name of your machine is cor-
rect. See the man page for hostname(1) if it needs to be changed. You
will also need to change the contents of the ``hostname'' variable in
/etc/rc.conf or edit the /etc/myname file to have it stick around for the
next reboot. Note that hostname is supposed include a domainname, and
that this should not be confused with YP (NIS) domainname(1). If you are
using dhclient(8) to configure network interfaces, it might override
these local hostname settings if your DHCP server specifies client's
hostname with other network configurations.
Verify network interface configuration
The first thing to do is an ifconfig -a to see if the network interfaces
are properly configured. Correct by editing /etc/ifconfig.interface or
the corresponding ``ifconfig_interface'' variable in rc.conf(5) (where
interface is the interface name, e.g., ``le0'') and then using
ifconfig(8) to manually configure it if you do not wish to reboot.
Alternatively, you can configure interfaces automatically via DHCP with
dhclient(8) if you have a DHCP server running somewhere on your network.
To get dhclient(8) to start automatically on boot, you will need to have
this line in /etc/rc.conf:
See dhclient(8) and dhclient.conf(5) for more information on setting up a
You can add new ``virtual interfaces'' by adding the required entries to
/etc/ifconfig.interface. Read the ifconfig.if(5) man page for more
information on the format of /etc/ifconfig.interface files. The loopback
interface will look something like:
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
an Ethernet interface something like:
inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1
and a PPP interface something like:
inet 184.108.40.206 --> 220.127.116.11 netmask 0xffff0000
See mrouted(8) for instructions on configuring multicast routing.
Check routing tables
Issue a netstat -rn command. The output will look something like:
Destination Gateway Flags Refs Use Mtu Interface
default 192.168.4.254 UGS 0 11098028 - le0
127 127.0.0.1 UGRS 0 0 - lo0
127.0.0.1 127.0.0.1 UH 3 24 - lo0
192.168.4 link#1 UC 0 0 - le0
192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0
192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0
Destination Gateway Flags Refs Use Mtu Interface
::/96 ::1 UGRS 0 0 32972 lo0 =>
::1 ::1 UH 4 0 32972 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0
fc80::/10 ::1 UGRS 0 0 32972 lo0
fe80::/10 ::1 UGRS 0 0 32972 lo0
fe80::%le0/64 link#1 UC 0 0 1500 le0
fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0
ff01::/32 ::1 U 0 0 32972 lo0
ff02::%le0/32 link#1 UC 0 0 1500 le0
ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0
The default gateway address is stored in the ``defaultroute'' variable in
/etc/rc.conf, or in the file /etc/mygate. If you need to edit this file,
a painless way to reconfigure the network afterwards is to issue
Or, you may prefer to manually configure using a series of route add and
route delete commands (see route(8)). If you run dhclient(8) you will
have to kill it by running
after you flush the routes.
If you wish to route packets between interfaces, add one or both of the
following directives (depending on whether IPv4 or IPv6 routing is
required) to /etc/sysctl.conf:
As an alternative, compile a new kernel with the GATEWAY option. Packets
are not forwarded by default, due to RFC requirements.
Secure Shell (ssh)
By default, all services are disabled in a fresh NetBSD installation, and
ssh is no exception. You may wish to enable it so you can remotely con-
trol your system. Set ``sshd=yes'' in /etc/rc.conf and then starting the
server with the command
The first time the server is started, it will generate a new keypair,
which will be stored inside the directory /etc/ssh.
BIND Name Server (DNS)
If you are using the BIND Name Server, check the /etc/resolv.conf file.
It may look something like:
search some.thing.dom. thing.dom.
For further details, see resolv.conf(5). Note the name service lookup
order is set via nsswitch.conf(5) mechanism.
If using a caching name server add the line "nameserver 127.0.0.1" first.
To get a local caching name server to run you will need to set
"named=yes" in /etc/rc.conf and create the named.conf file in the appro-
priate place for named(8), usually in /etc/namedb. The same holds true
if the machine is going to be a name server for your domain. In both
these cases, make sure that named(8) is running (otherwise there are long
waits for resolver timeouts).
RPC-based network services
Several services depend on the RPC portmapper rpcbind(8) - formerly known
as portmap - being running for proper operation. This includes YP (NIS)
and NFS exports, among other services. To get the RPC portmapper to
start automatically on boot, you will need to have this line in
YP (NIS) Setup
Check the YP domain name with the domainname(1) command. If necessary,
correct it by editing the /etc/defaultdomain file or by setting the
``domainname'' variable in /etc/rc.conf. The /etc/rc.d/network script
reads this file on bootup to determine and set the domain name. You may
also set the running system's domain name with the domainname(1) command.
To start YP client services, simply run ypbind, then perform the remain-
ing YP activation as described in passwd(5) and group(5).
In particular, to enable YP passwd support, you'll need to update
/etc/nsswitch.conf to include ``nis'' for the ``passwd'' and ``group''
entries. A traditional way to accomplish the same thing is to add fol-
lowing entry to local passwd database via vipw(8):
Note this entry has to be the very last one. This traditional way works
with the default nsswitch.conf(5) setting of ``passwd'', which is
There are many more YP man pages available to help you. You can find
more information by starting with yp(8).
Check disk mounts
Check that the disks are mounted correctly by comparing the /etc/fstab
file against the output of the mount(8) and df(1) commands. Example:
# cat /etc/fstab
/dev/sd0a / ffs rw 1 1
/dev/sd0b none swap sw
/dev/sd0e /usr ffs rw 1 2
/dev/sd0f /var ffs rw 1 3
/dev/sd0g /tmp ffs rw 1 4
/dev/sd0h /home ffs rw 1 5
/dev/sd0a on / type ffs (local)
/dev/sd0e on /usr type ffs (local)
/dev/sd0f on /var type ffs (local)
/dev/sd0g on /tmp type ffs (local)
/dev/sd0h on /home type ffs (local)
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/sd0a 22311 14589 6606 69% /
/dev/sd0e 203399 150221 43008 78% /usr
/dev/sd0f 10447 682 9242 7% /var
/dev/sd0g 18823 2 17879 0% /tmp
/dev/sd0h 7519 5255 1888 74% /home
# pstat -s
Device 512-blocks Used Avail Capacity Priority
/dev/sd0b 131072 84656 46416 65% 0
Edit /etc/fstab and use the mount(8) and umount(8) commands as appropri-
ate. Refer to the above example and fstab(5) for information on the for-
mat of this file.
You may wish to do NFS mounts now too, or you can do them later.
Concatenated disks (ccd)
If you are using ccd(4) concatenated disks, edit /etc/ccd.conf. You may
wish to take a look to ccdconfig(8) for more information about this file.
Use the ccdconfig -U command to unload and the ccdconfig -C command to
create tables internal to the kernel for the concatenated disks. You
then mount(8), umount(8), and edit /etc/fstab as needed.
Automounter daemon (AMD)
To use the amd(8) automounter, create the /etc/amd directory, copy exam-
ple config files from /usr/share/examples/amd to /etc/amd and customize
them as needed. Alternatively, you can get your maps with YP.
In order to make sure the system clock is synchronized to that of a pub-
licly accessible NTP server, make sure that /etc/rc.conf contains the
See date(1), ntpdate(8), ntpd(8), rdate(8), and timed(8) for more infor-
mation on setting the system's date.
CHANGING /etc FILES
The system should be usable now, but you may wish to do more customizing,
such as adding users, etc. Many of the following sections may be skipped
if you are not using that package (for example, skip the Kerberos section
if you won't be using Kerberos). We suggest that you cd /etc and edit
most of the files in that directory.
Note that the /etc/motd file is modified by /etc/rc.d/motd whenever the
system is booted. To keep any custom message intact, ensure that you
leave two blank lines at the top, or your message will be overwritten.
Add new users
To add new users and groups, there are useradd(8) and groupadd(8), see
also user(8) for further programs for user and group manipulation. You
may use vipw(8) to add users to the /etc/passwd file and edit /etc/group
by hand to add new groups. The manual page for su(1), tells you to make
sure to put people in the `wheel' group if they need root access (non-
Kerberos). For example:
Follow instructions for kerberos(8) if using Kerberos for authentication.
System boot scripts and /etc/rc.local
/etc/rc and the /etc/rc.d/* scripts are invoked at boot time after single
user mode has exited, and at shutdown. The whole process is controlled
by the master script /etc/rc. This script should not be changed by
The directory /etc/rc.d contains a serie of scripts used at startup/shut-
down, called by /etc/rc. /etc/rc is in turn influenced by the configura-
tion variables present in /etc/rc.conf.
The script /etc/rc.local is run as the last thing during multiuser boot,
and is provided to allow any other local hooks necessary for the system.
To enable or disable various services on system startup, corresponding
entries can be made in /etc/rc.conf. You can take a look at
/etc/defaults/rc.conf to see a list of default system variables, which
you can override in /etc/rc.conf. Note you are not supposed to change
/etc/defaults/rc.conf directly, edit only /etc/rc.conf. See rc.conf(5)
for further information.
If you've installed X, you may want to turn on xdm(1), the X Display Man-
ager. To do this, set the variable ``xdm'' to yes in /etc/rc.conf, i.e.:
Edit /etc/printcap and /etc/hosts.lpd to get any printers set up. Con-
sult lpd(8) and printcap(5) if needed.
Tighten up security
In /etc/inetd.conf comment out any extra entries you do not need, and
only add things that are really needed. Note that by default all ser-
vices are disabled for security reasons.
If you are going to use Kerberos for authentication, see kerberos(8) and
``info heimdal'' for more information. If you already have a Kerberos
master, change directory to /etc/kerberosV and configure. Remember to
get a srvtab from the master so that the remote commands work.
Check /etc/mail/aliases and update appropriately if you want e-mail to be
routed to non-local address or to different users.
Run newaliases(1) after changes.
NetBSD comes also with Postfix in the base system. You may wish to set
it up in favor of sendmail. Take a look to /etc/postfix/main.cf and
enable the daemon in /etc/rc.conf using "postfix=yes". It is very impor-
tant to configure /etc/mailer.conf to point to Postfix binaries.
If this is a DHCP server, edit /etc/dhcpd.conf and /etc/dhcpd.interfaces
as needed. You will have to make sure /etc/rc.conf has "dhcpd=yes" or
run dhcpd(8) manually.
If this is a Bootparam server, edit /etc/bootparams as needed. You will
have to turn it on in /etc/rc.conf by adding "bootparamd=yes".
If this is an NFS server, make sure /etc/rc.conf has:
Edit /etc/exports and get it correct. After this, you can start the
server by issuing:
which will also start dependencies.
HP remote boot server
Edit /etc/rbootd.conf if needed for remote booting. If you do not have
HP computers doing remote booting, do not enable this.
Daily, weekly, monthly scripts
Look at and possibly edit the /etc/daily.conf, /etc/weekly.conf, and
/etc/monthly.conf configuration files. You can check which values you
can set by looking to their matching files in /etc/defaults. Your site
specific things should go into /etc/daily.local, /etc/weekly.local, and
These scripts have been limited so as to keep the system running without
filling up disk space from normal running processes and database updates.
(You probably do not need to understand them.)
Other files in /etc
Look at the other files in /etc and edit them as needed. (Do not edit
files ending in .db -- like pwd.db, spwd.db, nor localtime, nor rmt, nor
Crontab (background running processes)
Check what is running by typing crontab -l as root and see if anything
unexpected is present. Do you need anything else? Do you wish to change
things? For example, if you do not like root getting standard output of
the daily scripts, and want only the security scripts that are mailed
internally, you can type crontab -e and change some of the lines to read:
30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out
30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
Next day cleanup
After the first night's security run, change ownerships and permissions
on files, directories, and devices; root should have received mail with
subject: "<hostname> daily insecurity output.". This mail contains a set
of security recommendations, presented as a list looking like this:
permissions (0755, 0775)
user (0, 3)
The best bet is to follow the advice in that list. The recommended set-
ting is the first item in parentheses, while the current setting is the
second one. This list is generated by mtree(8) using /etc/mtree/special.
Use chmod(1), chgrp(1), and chown(8) as needed.
Install your own packages. The NetBSD packages collection, pkgsrc,
includes a large set of third-party software. A lot of it is available
as binary packages that you can download from
ftp://ftp.NetBSD.org/pub/NetBSD/packages/ or a mirror, and install using
pkg_add(1). See http://www.NetBSD.org/docs/pkgsrc/ and
pkgsrc/doc/pkgsrc.txt for more details.
Copy vendor binaries and install them. You will need to install any
shared libraries, etc. (Hint: man -k compat to find out how to install
and use compatibility mode.)
There is also other third-party software that is available in source form
only, either because it has not been ported to NetBSD yet, because
licensing restrictions make binary redistribution impossible, or simply
because you want to build your own binaries. Sometimes checking the
mailing lists for past problems that people have encountered will result
in a fix posted.
Check the running system
You can use ps(1), netstat(1), and fstat(1) to check on running pro-
cesses, network connections, and opened files, respectively. Other tools
you may find useful are systat(1) and top(1).
COMPILING A KERNEL
Note: The standard NetBSD kernel configuration (GENERIC) is suitable for
First, review the system message buffer in /var/run/dmesg.boot and by
using the dmesg(8) command to find out information on your system's
devices as probed by the kernel at boot. In particular, note which
devices were not configured. This information will prove useful when
editing kernel configuration files.
To compile a kernel inside a writable source tree, do the following:
$ cd /usr/src/sys/arch/SOMEARCH/conf
$ cp GENERIC SOMEFILE (only the first time)
$ vi SOMEFILE (adapt to your needs)
$ config SOMEFILE
$ cd ../compile/SOMEFILE
$ make depend
where SOMEARCH is the architecture (e.g., i386), and SOMEFILE should be a
name indicative of a particular configuration (often that of the host-
If you are building your kernel again, before you do a make you should do
a make clean after making changes to your kernel options.
After either of these two methods, you can place the new kernel (called
netbsd) in / (i.e., /netbsd) by issuing make install and the system will
boot it next time. The old kernel is stored as /onetbsd so you can boot
it in case of failure.
If you are using toolchain to build your kernel, you will also need to
build a new set of toolchain binaries. You can do it by changing into
/usr/src and issuing:
$ cd /usr/src
$ K=sys/arch/`uname -m`/conf
$ cp $K/GENERIC $K/SOMEFILE
$ vi $K/SOMEFILE (adapt to your needs)
$ ./build.sh tools
$ ./build.sh kernel=SOMEFILE
At this point, the system should be fully configured to your liking. It
is now a good time to ensure that the system behaves according to its
specifications and that it is stable on your hardware. You can easily do
so by running the test suites available at /usr/tests/, assuming that you
installed the tests.tgz set. If not, you can install it now by running:
# cd /
# tar xzpf /path/to/tests.tgz
Once done, edit the /etc/atf/NetBSD.conf file to tune the configuration
of the test suite, go to /usr/tests/ hierarchy and use the atf-run(1) and
atf-report(1) utilities to run all the tests in an automated way:
# cd /usr/tests/
# atf-run | atf-report
Should any problems appear when running the test suite, please let the
NetBSD developers know by sending a message to the appropriate mailing
list or by sending a problem report. For more details see:
atf-report(1), atf-run(1), chgrp(1), chmod(1), config(1), crontab(1),
date(1), df(1), domainname(1), hostname(1), make(1), man(1), netstat(1),
newaliases(1), passwd(1), su(1), ccd(4), aliases(5), crontab(5),
exports(5), fstab(5), group(5), krb.conf(5), krb.realms(5),
mailer.conf(5), passwd(5), rc.conf(5), resolv.conf(5), hier(7),
hostname(7), pkgsrc(7), adduser(8), amd(8), bootparamd(8), ccdconfig(8),
chown(8), dhcpd(8), ifconfig(8), inetd(8), kerberos(8), mount(8),
mrouted(8), mtree(8), named(8), rbootd(8), rc(8), rmt(8), route(8),
umount(8), vipw(8), ypbind(8)
This document first appeared in OpenBSD 2.2. It has been adapted to
NetBSD and first appeared in NetBSD 2.0.
NetBSD 5.0 October 20, 2008 NetBSD 5.0