8.0 - General Questions

8.1 - What are these Kerberos warning when I first login?

NB: This section 8.1 becomes obsolete if you have upgraded to 2.8-stable (patch: ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/008_kerberos.patch).

When you first install your system you will most likely notice a warning message that is something like this:


Well since you probably haven't set up Kerberos on your system, you wouldn't be getting a ticket. If you do have Kerberos running, you need to check into that. See faq10 Kerberos Setup FAQ. If you can't STAND that warning and never plan on using Kerberos here is how to get rid of it for good.

8.2 - How do I change virtual terminals?

Simply type [ctrl] - [alt] - [One of the function keys] (i386)

Only the i386 arch has virtual terminal capabilities. You can also use virtual terminals when using X. For example, If you start X on term 1, and switch with [ctrl]-[alt]-[F2] to term 2, X will seem to disapear and will not come back by simply switching back to term 1. You must [ctrl]-[alt]-[F5] to get your X display back.

8.3 - I forgot my root password, what do I do now?

A few steps to recovery

  1. Boot into single user mode. For i386 arch type boot -s at the boot prompt.
  2. mount the drives.
  3. If /usr is not the same partition that / is (and it shouldn't be) then you will need to mount it, also
  4. run passwd(1)
  5. boot into mulituser mode.. and remember your password!

8.4 - X won't start, I get lots of error messages

If you have X completely set up and you are using an XF86Config that you know works then the problem most likely lies in the machdep.allowaperture. You also need to make sure that both:

are in your kernel configuration. [BOTH of these are in the GENERIC kernel]

Then you need to edit /etc/sysctl.conf and set machdep.allowaperture=1. This will allow X to access the aperture driver. This would be set up if the question during install about whether or not you would be running X was answered correctly. OpenBSD requires for all X servers that the aperture driver be set, because it controls access to the I/O ports on video boards.

For other X problems on the i386, consult the XFree86 FAQ at http://www.xfree86.org/FAQ/.

8.5 - What is CVS? and How do I use it?

CVS is what the OpenBSD project uses to control changes to the source code. CVS stands for Concurrent Versions System. You can read more about CVS at http://www.cyclic.com/. CVS can be used by the end user to keep up to date with source changes, and changes in the ports tree. CVS makes it extremely simple to download the source via one of the many CVS mirrors for the project.

How to initially setup your CVS environment

There are a few ways to initially set up your CVS environment. To start off, you will need an initial CVS checkout of the sources. If you bought the CD, you're in luck, because it holds the CVS checkout for that release. You can extract it from your CD by doing one of the following:

1) copy the tree off it, (assuming the CD is mounted on /mnt):

2) Or, alternatively, use a union mount with the CD below a writable directory. However, be aware that the union filesystem code is not flawless.

after this, /usr/src will be a nice checkout area where all cvs(1) commands will work OK.

If you don't have an OpenBSD CD, you will have to retrieve the sources from on of the OpenBSD AnonCVS servers. These servers are listed on http://www.openbsd.org/anoncvs.html Once you have chosen a server you need to choose which module you are going to retrieve. There are three main modules available for checkout from the CVS tree. These are:

Now that you have decided which module that you wish to retrieve, there is one more step left before you can retrieve it. You must decide which method to use. CVS by default retrieves files using rsh(1), but some AnonCVS servers don't allow for this so in most cases it's best to use ssh. For those of you behind a firewall there are also the options of pserver and some AnonCVS servers run ssh on port 2022. Be sure to check http://www.openbsd.org/anoncvs.html for which servers support what protocols. Next I will show how to do a simple source checkout. Here I will be using an AnonCVS server located in the U.S., but remember that if you are outside of the U.S you need to use a server that is located nearby. There are many AnonCVS servers located throughout the world, so choose one nearest you. I will also be using ssh to retrieve the files.

Notice here also that I set the CVSROOT environmental variable. This is the variable that tells cvs(1) which AnonCVS server to use. This can also be specified using the -d option. For example:

These commands should be run in /usr, which will then create the directories of /usr/src, /usr/ports, and /usr/www. Depending, of course, on which module you checkout. You can download these modules to anywhere, but if you wanted to do work with them (ie make build ), it is expected that they be at the place above.

Keeping your CVS tree up-to-date

Once you have your initial tree setup, keeping it up-to-date is the easy part. You can update your tree at any time you choose, some AnonCVS servers update more often then others, so again check http://www.openbsd.org/anoncvs.html. In this example I will be updating my www module from anoncvs.usa.openbsd.org. Notice the -q option that I use, this makes the output not so verbose coming from the server.

Other cvs options

For some, bandwidth and time are serious problems when updating repositories such as these. So CVS has a -z[1-9] option which uses gzip to compress the data. To use it, do -z[compression-level], for instance, -z3 for a compression level of 3.

8.6 - What is the ports tree?

The ports tree is a set of Makefiles that download, patch, configure and install userland programs so you can run them in OpenBSD environment without having to do all that by hand. You can get the ports tree from any of the OpenBSD ftp servers in /pub/OpenBSD/2.6/ports.tar.gz. The most recent ports are available via the 'ports' cvs tree, or /pub/OpenBSD/snapshots/ports.tar.gz. For most of you however, packages will be a much better option. Packages are created from ports and are already compiled and ready to use. To read more on packages read FAQ8.7.

Obtaining the Latest Version of the Ports Tree

If you are planning on running the latest version of the Ports Tree, you should have the latest release of OpenBSD. This is because of constant changing and fixing of the ports tree to help with its interaction with the rest of your OpenBSD system. If you don't follow this guideline, you can expect some minor problems while upgrading.

The best way to stay current with your OpenBSD Ports Tree is to use via cvs(1). OpenBSD has a whole group of Anonymous CVS servers that are available to anyone. To read more about cvs look over www.openbsd.org/anoncvs.html and Faq8.5.

Though, if you do not have the ports tree at all, you can download it via any of OpenBSD's ftp servers. You can get a list at www.openbsd.org/ftp.html. From here download /pub/OpenBSD/2.5/ports.tar.gz and untar this in /usr/ports. For example:

Once this is done, you can use cvs(1) to update your Ports Tree. If you started with a base Ports Tree of 2.5 there will be a few changes that you will need to make. Most notably /usr/share/mk, which holds files used by make(1) , will need to be updated. If you have the src tree on your system, you can update /usr/share/mk via cvs(1) and simply:

This will put the proper files into place. After this is done, you might also need the latest version of the make(1) binary. You will have to create this, if you don't have the src tree on your system you can grab it via cvs(1) and compile it. Example:

If you already have the src on your machine, simply update make and install it. For now, this should be all you need to do to have the ports tree working properly.

A snapshot of the ports tree is also created daily and can be downloaded from any of the OpenBSD ftp servers as /pub/OpenBSD/snapshots/ports.tar.gz.

What ports are available? and how do i find them?

There are two ways of searching for ports. The first way is to check www.openbsd.org/portstat.html. There you will find a list of what ports are currently available. The other way is to actually use the ports tree to search for keywords. To do this use make search key="searchkey". Here is an example of a search for 'samba':

Installing Ports

Ports are set up to be EXTREMELY easy to make and install. Here is an example install for someone wanting to install the X11 program xfig. You'll notice the dependencies are automatically detected and completed:

First you need to cd to the dir of the program you want. If you are searching for a program, you can either update your locate database, or use the search function talked about below. Once you are in the dir of the program you want, you can just type make install. For example.

Listing Installed ports/packages

You can see a list of both ports and packages by using the pkg_info command.

Other Information

More information about the ports can be found in the ports(7) man page.

Our ports tree is constantly being expanded, and if you would like to help please see: http://www.openbsd.org/ports.html

8.7 - What are packages?

Packages are the precompiled binaries of some of the most used programs. They are ready for use on an OpenBSD system. Again, like the ports, packages are very easy to maintain and update. Packages are constantly being added so be sure to check each release for additional packages.

Here is a list of tools used in managing packages.

Where to find packages

If you are a smart user and bought one of the OpenBSD CD, then packages can be found on both CD's depending on your architecture. If you don't have an OpenBSD CD in your posession you can download packages from any of the ftp mirrors. You can get a list of mirrors http://www.openbsd.org/ftp.html. Packages are located at /pub/OpenBSD/2.6/packages from there packages are broken down depending on architecture.

Installing Packages

To install packages, the utility pkg_add(1) is used. pkg_add(1) is an extremely easy utility to use, in the following two examples pkg_add(1) will be used to install a package. The first example will show pkg_add(1) installing a package that resides on a local disk, the second example will show an installation of a package via ftp. In both examples screen-3.7.6 will be installed.

In this example the -v flag was used to give a more verbose output, this option is not needed, but is helpful for debugging and was used here to give a little more insight into what pkg_add(1) is actually doing. Notice however, that there are some valid messages given out mentioning /etc/screenrc. Messages like this will be given to you whether or not you use the -v flag.

In this example you can see that I installed the i386 package, you should substitute this with your architecture. Notice: Not all architectures have the same packages. Some ports don't work on certain architectures. In this example the -v flag wasn't used, so only NEEDED messages are shown.

Viewing and Deleting Installed Packages

The utility pkg_info(1) is used to view a list of packages that are already installed on your system. This is usually needed to find out the correct name of a package before you remove that package. To see what packages are installed on your system simple use:

To delete a package, simple take the proper name of the package as shown by pkg_info(1) and use pkg_delete(1) to remove the package. In the below example, the screen package is being removed. Notice that on some occations there are instructions of extra objects that need to be removed that pkg_delete(1) did not remove for you. As with the pkg_add(1) utility, you can use the -v flag to get more verbose output.

8.8 - Is there any way to use my floppy drive if it's not attached during boot?

Sure. You need to add "flags 0x20" at the end of the fd* entry and recompile your kernel. The line should be read:

After that you would be able to use the floppy drive all the times. It doesn't matter if you plugged it in after boot.

8.9 - Boot time Options - Using the OpenBSD bootloader

When booting your OpenBSD system, you have probably noticed the boot prompt.

For most people, you won't have to do anything here. It will automatically boot if no commands are given. But sometimes problems arise, or special functions are needed. That's where these options will come in handy. To start off, you should read through the boot(8) man page. Here we will go over the most common used commands for the bootloader.

To start off, if no commands are issued, the bootloader will automatically try to boot /bsd. If that fails it will try /obsd, and so on till it finds a bootable kernel. You can specify this by hand by typing:


This will work if device wd0a is configured as your root device.

Here is a brief list of options you can use with the OpenBSD kernel.

These are entered in the format of: boot [ image [-abcds]]

For further reading you can read boot_i386(8) man page

8.10 - S/Key

S/Key is a ``one-time password'' scheme. This allows for one-time passwords for use on un-secured channels. This can come very handy for those who don't have the ability to use ssh or any other encrypted channels. OpenBSD's S/Key implementation can use a variety of algorithms as the one-way hash. Here is the list of algorithms available:

Setting up S/Key - The first steps

To start off the file /etc/skeykeys must exist. If this file is not in existence, have the super-user create it. This can be done simply by doing:

Once that file is in existence, you can initalize your S/Key. To do this you will have to use skeyinit(1). With skeyinit(1), you will first be prompted for your password to the system. This is the same password that you used to log into the system. Running skeyinit(1) over an insecure channel is completely not recommended, so this should be done over a secure channel (such as ssh) or the console. Once you have authorized yourself with your system password you will be asked for yet another password. This password is the secret password, and is NOT your system password. The secret password is not limited to 8 characters like system passwords, actually it must be at least 10 characters. A few word phrases are suggested. Here is an example user being added.

One line of particular importance in here is ID ericj skey is otp-md5 99 oshi45820. This gives a lot of information to the user. Here is a breakdown of the sections and their importance.

But of more immediate importance is your password. Your password consists of 6 small words, combined together this is your password, spaces and all.

Actually using S/Key to login.

By now your skey has been initialized, and you have your password. You're ready to login. Here is an example session using s/key to login.

Some of you might have noticed that my sequence number has changed. otp-md5 96 oshi45820. This is because by now I have used s/key to login several times. But how do you get your password after you've logged in once? Well to do this, you'll need to know what sequence number you're using and your key. As you're probably thinking, how can you remember which sequence number you're on? Well this is simple, use skeyinfo(1), and it will tell you what to use. For example here, I need to generate another password for a login that I might have to make in the future. (remember I'm doing this from a secure channel).

From this I can create the password for my next login. To do so, I'll use skey(1). I can use exactly that output from above to create my password.

I'm sure many of you won't always have a secure connect to create these passwords, and creating them over an insecure connection isn't feasible, so how can you create multiple passwords at one time? Well you can supply skey(1) with a number of how many passwords you want created. This can then be printed out and taken with you wherever you go.

Notice here though, that the bottom password should be the first used, because we are counting down from 100.

Using S/Key with telnet(1), ssh(1), and rlogin(1)

Using S/Key with telnet(1), ssh(1), or rlogin(1) is done in pretty much the same fashion as with ftp, only your first password must be "s/key". Example:

Controlling S/Key

For more control over S/Key there is the /etc/skey.access file. (This does not exist by default, so it must be created.) This file can restrict S/Key in three primary ways.

If I wanted to allow one single user ( ericj ), from a certain IP ( ), I would create a file like so.

8.11 - Why is my Macintosh losing so much time?

This is caused by a hardware bug. OpenBSD uses clock interrupts to keep track of the current time, but these interrupts have the lowest priority in Apple's architecture. So, under heavy load, (such as disk or network activity) clock interrupts will be lost and the Unix clock will not advance as it should.

MacOS gets around the time problem by always reading the hardware clock. OpenBSD only reads the hardware clock at boot time and thereafter ignores it. You may notice that, at shutdown, the kernel is not confident enough to write the Unix time back into the hardware clock because this time loss problem is well known.

The best solution is to run xntpd (found in the ports collection) and just deal with the occasional lossage. Sometimes the lossage is so bad that even xntpd is afraid to skip the time. In this case, add the -g option to ntpd in /etc/rc.securelevel to force tracking.

Another simpler but less precise solution is to run rdate(8) on a regular basis, for example by having a crontab entry for it, preferably with the -a option so there is no "jump" in time. Another good place to launch rdate(8) is in your /etc/ppp/ppp.linkup file if you are not permanently connected and are a PPP user.

See also: http://www.macbsd.com/macbsd/macbsd-docs/faq/faq-3.html#ss3.17

8.12 - Will OpenBSD run on multiprocessor machines?

No. OpenBSD/i386 will not make use of multiple processors, but will run using one processor on a multi-processor system board. OpenBSD/sparc will not run on a multi-processor sparc system at all. No other platforms currently support multi-processor capabilities.

The reason is quite simple: there are not enough developers who have access to MP machines. If you want to donate MP hardware, please refer to http://www.openbsd.org/donations.html. Our developers are currently asking for i386, sparc, hppa, and other multi-processor hardware donations to begin SMP support. A project to bring multi-processor support to OpenBSD is underway, and progress can be check at http://www.openbsd.org/smp.html.

8.13 - I get Input/output error when trying to use my tty devices

As of OpenBSD 2.6, you need to use /dev/cuaXX for connections initiated from the OpenBSD system, the /dev/ttyXX devices are intended only for terminal or dial-in usage. While it was possible to use the tty devices in the past, the OpenBSD kernel is no longer compatible with this usage.

From cua(4):

For hardware terminal ports, dial-out is supported through matching device nodes called calling units. For instance, the terminal called /dev/tty03 would have a matching calling unit called /dev/cua03. These two devices are normally differentiated by creating the calling unit device node with a minor number 128 greater than the dial-in device node. Whereas the dial-in device (the tty) normally requires a hardware signal to indicate to the system that it is active, the dial-out device (the cua) does not, and hence can communicate unimpeded with a device such as a modem. This means that a process like getty(8) will wait on a dial-in device until a connection is established. Meanwhile, a dial-out connection can be established on the dial-out device (for the very same hardware terminal port) without disturbing anything else on the system. The getty(8) process does not even notice that anything is happening on the terminal port. If a connecting call comes in after the dial-out connection has finished, the getty(8) process will deal with it properly, without having noticed the intervening dial-out action.

8.14 - Where can I find a Netscape binary for OpenBSD?

There is no OpenBSD Netscape binary. However since OpenBSD supports binary emulation of many other operating systems we are able to use other binaries.

Using the Ports System you can install these with no hassle. The Navigator Port and Communicator Ports are located at /usr/ports/www/netscape Once you have the ports tree installed.

8.15 - How do I use the mg editor which is now part of OpenBSD (post-2.6!!)?

Mg is a micro Emacs-style text editor. Micro means that it's small (Emacs is very large!) For the basics, read the mg(1) manual page and the tutorial, as included with the source code. For more interesting questions (such as, "I don't have a Meta key!") check out the Emacs FAQ.

Note that since mg is a small Emacs implementation, which is mostly similar to the text editor features of Emacs 17, it does not implement many of Emacs' other functionality. (Including mail and news functionality, as well as modes for Lisp, C++, Lex, Awk, Java, etc...)

8.16 - Ksh does not appear to read my .profile!

There are two possible reasons for this.

8.17 - Why does my /etc/motd file get written over when I modified it?

The /etc/motd file is edited upon every boot of the system, replacing the first line with the systems kernel version information. When editing this file, make sure that you start 2 lines from the top, to keep /etc/rc from deleting these lines when it edits /etc/motd upon boot.

8.18 - Why does www.openbsd.org run on Solaris?

Although none of the developers think it is particularly relevent, this question comes up frequently enough in the mailling lists that it is answered here. www.openbsd.org and the main OpenBSD ftp site are hosted at a SunSITE at the University of Alberta, Canada. These sites are hosted on a large Sun system, which has access to lots of storage space and Internet bandwidth. The presence of the SunSITE gives the OpenBSD group access to this bandwidth. This is why the main site runs here. Many of the OpenBSD mirror sites run OpenBSD, but since they do not have guaranteed access to this large amount of bandwidth, the group has chosen to run the main site at the University of Alberta SunSITE.

8.19 - I'm having problems with my PCI devices being detected in OpenBSD 2.8.

There exists a condition in OpenBSD 2.8 where some machines might not detect some PCI devices properly, or might freeze while detecting multiple NIC's in one machine. This is the fault of PCIBIOS, and involves a simple workaround to make work properly. Simply enter the boot time configuration and disable PCIBIOS. An example is below:

Once this is done, you can follow the directions in FAQ 5.6 to create a new kernel so that you don't have to worry about this in the future.

[Back to Main Index] [To Section 7.0 - Keyboard controls] [To Section 9.0 - Tips for linux users]

[back] www@openbsd.org
$OpenBSD: faq8.html,v 1.59 2001/01/27 22:19:48 ericj Exp $