OpenBSD on Vultr

I wanted to spin up an OpenBSD VM and had heard that you could do that at Vultr as a custom install. These are some notes I made along the way.

I found that Vultr now supports OpenBSD directly, not just as a custom option (their support document appears to be a little out of date). So, you can spin up an OpenBSD instance as you would any other instance from their console.

Logging in

I added an SSH key when setting up my instance, but wasn't able to authenticate by public key after the install completed, so I did a hard reboot of the VM from Vultr's dashboard, then immediately opened the console and selected single-user mode at the boot prompt.

boot> boot -s

You only get a few seconds to do this before normal boot proceeds, so I was carefuly not to dally in clicking the Console button when the reboot kicks off.

This brought the system up in single-user mode. I pressed return at the prompt.

Enter pathname of shell or RETURN for sh:

Following the OpenBSD FAQ, I mounted the root and usr filesystems, updated the root password, and rebooted.

# fsck -p / && mount -uw /
# fsck -p /usr/local && mount /usr/local
# passwd
# reboot

After the reboot, I was able to log in by ssh using password authentication. I checked the .ssh/authorized_keys file and it was empty, explaining why public key authentication didn't work.

Add a user

I prefer not to work as root unless necessary, so I created a user.

vultr# adduser 
Use option ``-silent'' if you don't want to see all warnings and questions.

Reading /etc/shells
Check /etc/master.passwd
Check /etc/group

Ok, let's go.
Don't worry about mistakes. There will be a chance later to correct any input.
Enter username []: user
Enter full name []: User
Enter shell csh ksh nologin sh [ksh]: 
Uid [1000]: 
Login group user [user]: 
Login group is ``user''. Invite user into other groups: guest no 
[no]: wheel
Login class authpf bgpd daemon default pbuild staff unbound 
[default]: staff
Enter password []: 
Enter password again []: 

Name:	     user
Password:    ****
Fullname:    User
Uid:	     1000
Gid:	     1000 (user)
Groups:	     user wheel
Login Class: staff
HOME:	     /home/user
Shell:	     /bin/ksh
OK? (y/n) [y]: 
Added user ``user''
Copy files from /etc/skel to /home/user
Add another user? (y/n) [y]: n

I set the user's login class to staff and added it to the wheel group. Otherwise, I took the defaults. I added my public SSH key to ~user/.ssh/authorized_keys and checked that I could log in as the new user with public key authentication and switch users to root if necessary.

SSH config

I updated /etc/ssh/sshd_config to deny root logins and allow only public key authentication. Then I restarted sshd.

vultr# kill -HUP `cat /var/run/`

After that, I confirmed that I wasn't able to log in as root or use password authentication via ssh.

What else?

I took a look at the mail that was waiting for root. It included the install output and some advice on getting started with OpenBSD. I checked some of the suggested items as well as those listed in the afterboot manual page.

Quiet down daily

I noticed that I was getting a daily email from the system. By default, daily runs every day to do some valuable system checks. It also provides some informational output which can be disabled so that root will only receive mail from the script when something is wrong, rather than every day. The informational output is disabled by creating /etc/daily.local and setting the appropriate variable.


Package management and installurl

I was looking to install some packages, but none of the package management tools were able to find any packages. I noticed that /etc/installurl was empty. This is where the package management tools look for an URL for the package mirror server URL. I updated it with the example given in the manual page.

Cleaning up unwanted packages

I noticed that there were some packages already installed that I wasn't interested in: python and wget had been installed manually (I found these with pkg_info -m). I removed these two packages then any packages that were no longer required and were not manually installed (their dependencies).

pkg_delete -c python wget
pkg_delete -a

In closing

I hope that you found this helpful. If this is the kind of thing you're into, you may also enjoy some of my other articles. If you have any questions or comments, please feel free to drop me an e-mail.

Aaron D. Parks