Recently I've been getting into OpenBSD just for kicks, and want to document some items for myself. That's what is hosting this blog. I've also been wanting to just write a bit more, hence the new blogging site. I also came across this: https://100daystooffload.com. Inspiring!
Without further ado, welcome to my listicle.
There are not a whole lot of OpenBSD providers out there. Sadly, Lightsail with AWS is not supported, although they do have FreeBSD. I went with vultr.com as they allowed uploading custom ISOs (which I used for OpenBSD 7.1), but openbsd.amsterdam and arpnetworks.com looked nice as well.
I did a pretty bog standard installation, also creating a non-root user during the installation while having sshd running.
At this point you can SSH into your new box as root (or as the other user you created), but it will ask for your password. While you hopefully picked a strong password, why not make it more secure? Imagine if you didn't need a password.
Your VM provider might offer console access, which you can use to complete this step instead of SSHing in.
If you don't want to use the vim installed with OpenBSD to edit these files, consider installing nano via pkg_add nano.
SSH into your new OpenBSD VM as root if you haven't already. If you are on a Unix-y desktop or laptop, you can copy your ~/.ssh/id_rsa.pub file into /home/*username*/.ssh/authorized_keys, where *username* is the user you created during install. If you do not have the ~/.ssh/id_rsa.pub file, run ssh-keygen and don't set a passphrase. If you are on Windows I am unsure about how you would go about this, but I've heard PuTTY is the way to go.
Ensure these are set correctly:
These ensure that root cannot log in via SSH, and that we do not use passwords, only the public keys that were added in the previous steps.
Execute cp /etc/examples/doas.conf /etc/doas.conf. This enables use of the doas command, which allows you to execute commands that would normally need root. This is important, as we will soon not be able to log in as root!
If you are still logged in as root via SSH, execute rcctl restart sshd and then exit. You can now log in a bit more safely with your public key via SSH (and no passwords that could be guessed) as the non-root user created during setup, with root login disabled.
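The state these steps aim for (no root login, no passwords, keys only) can be checked before restarting sshd, along with the lockout risk of restarting before the non-root user has a key installed. The script below is an added example, not part of the original post: the function names and sample configs are constructed here, and the KbdInteractiveAuthentication check goes beyond the two settings the post describes, because keyboard-interactive is a second password path in OpenSSH.

```shell
#!/bin/sh
# Added example. sshd takes the FIRST value it sees for a keyword, keywords are
# case-insensitive, and lines after a Match line are conditional (ignored here).

# Print the effective global value of keyword $2 in file $1, else default $3.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }           # skip comments and blanks
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == tolower(key) { val = $2; exit }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Return 0 only if root login and both password paths are off and keys are on.
audit_sshd() {
    cfg=$1; rc=0
    # keyword:wanted:default (defaults as documented in sshd_config(5))
    for rule in PermitRootLogin:no:prohibit-password \
                PasswordAuthentication:no:yes \
                KbdInteractiveAuthentication:no:yes \
                PubkeyAuthentication:yes:yes
    do
        key=${rule%%:*}; rest=${rule#*:}
        want=${rest%%:*}; def=${rest#*:}
        got=$(sshd_effective "$cfg" "$key" "$def")
        [ "$got" = "$want" ] || { echo "FAIL $key is '$got', want '$want'"; rc=1; }
    done
    return "$rc"
}

# Lockout guard: the non-root user's home ($1) must already hold a key.
has_authorized_key() { [ -s "$1/.ssh/authorized_keys" ]; }

# Constructed sample configs and key file (not taken from the post).
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
    'passwordauthentication no' 'PasswordAuthentication yes' > "$demo/before"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'KbdInteractiveAuthentication no' 'Match User backup' \
    '    AllowTcpForwarding no' > "$demo/after"
mkdir -p "$demo/home/.ssh" && echo 'ssh-ed25519 AAAA-constructed demo' \
    > "$demo/home/.ssh/authorized_keys"

audit_sshd "$demo/before" || echo "before: not hardened"
audit_sshd "$demo/after" && has_authorized_key "$demo/home" \
    && echo "after: safe to restart sshd"
```

On the live host, point audit_sshd at /etc/ssh/sshd_config and has_authorized_key at /home/*username*; running sshd -T as root prints the effective configuration as sshd itself computes it.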