How To: Install & Use the Ultra-Secure Operating System OpenBSD in VirtualBox


OpenBSD implements security in its development in a way that no other operating system on the planet does. Learning to use the Unix-like operating system can help a hacker understand secure development, create better servers, and improve their understanding of the BSD operating system. Using VirtualBox, the OS can be installed within a host to create a full-featured test environment.

This extremely secure operating system boasts features with which no other OS can compare. While OpenBSD is often regarded as a server OS, it can also be used on the desktop or within a virtual machine and still offer these same security features to regular users. This can be valuable to a device that stands at a higher risk of being attacked or to anyone who wants greater protection against the possibility of remote code execution exploits such as those found in Microsoft Windows.

OpenBSD is derived from the Berkeley Software Distribution, or BSD, a Unix-like operating system developed initially at the University of California, Berkeley. Theo de Raadt forked OpenBSD from NetBSD in 1995, and the project continues to develop and grow today. The OpenBSD project also maintains several other popular tools, including OpenSSH and LibreSSL.

The OpenBSD development team's focus on security has led to an extensive amount of specific changes to the OS. These modifications include memory protections during compilations to prevent buffer or integer overflow attacks, extensive use of cryptography, randomization of various system signatures, and extensive privilege separation. These factors combine to form an extremely secure operating system for servers and desktops alike. The OpenBSD homepage itself boasts that the system has had "only two remote holes in the default install, in a heck of a long time!"

To test and learn more about the OpenBSD operating system, you can install and use it within a virtual machine, in our case, VirtualBox.

Step 1: Download an OpenBSD Image

OpenBSD can be downloaded from one of its HTTP/FTP mirrors. Select the mirror closest to you for the fastest download speed.

Once you've selected a mirror, you will be brought to a page with several directories. To download the most recent disk image, select the highest release number. The "6.7" folder should include the most recently updated version as of August 2020, but if you see anything newer, use that.

Once in the most recent version directory, there should be subdirectories for different system architectures. For most users, amd64 or i386 images will be the most useful. After selecting a system architecture subdirectory, a number of files will be available for download.

Among this set, the "install67.iso" file represents the installation image for version 6.7 of OpenBSD. Click on this file to download and save it onto your system.
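
The same mirror directory carries a SHA256 checksum list and a signed SHA256.sig next to the images, which is what the installer itself checks in the "Get/Verify" output in Step 3. The script below is an added example, not part of the original tutorial: it checks install67.iso against that list and, where signify is installed, verifies the list's signature. The key location, the SIGNIFY variable, and the stand-in file used in demo() are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: verify a downloaded OpenBSD image before booting it.

# Lowercase hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        sha256 -q "$1"                      # OpenBSD's own tool
    fi
}

# Expected digest for a file name from a BSD-style list, whose lines read:
#   SHA256 (install67.iso) = <64 hex digits>
expected_digest() {                         # $1 = list, $2 = file name
    awk -v name="$2" \
        '$1 == "SHA256" && $2 == "(" name ")" && $3 == "=" { print $4; exit }' "$1"
}

# Returns 0 on a match, 1 on a mismatch, 2 if the list has no entry.
verify_image() {                            # $1 = image, $2 = checksum list
    want=$(expected_digest "$2" "$(basename "$1")")
    [ -n "$want" ] || { echo "no entry for $1 in $2" >&2; return 2; }
    have=$(sha256_of "$1")
    if [ "$have" = "$want" ]; then
        echo "OK: $1"
    else
        echo "MISMATCH: $1 (got $have)" >&2
        return 1
    fi
}

# The list comes from the same mirror as the image, so a digest match alone
# only rules out a corrupted download. signify -C first verifies the
# signature on SHA256.sig with the release public key, then the file digest.
# Run it from the download directory. Assumptions: the key was obtained from
# a source you trust (on OpenBSD 6.7 it is /etc/signify/openbsd-67-base.pub),
# and SIGNIFY names the binary, which some Linux packages install under
# another name.
verify_signed() {                           # $1 = file name, $2 = public key
    "${SIGNIFY:-signify}" -C -p "$2" -x SHA256.sig "$1"
}

# Constructed demo: a small stand-in file plays the role of install67.iso.
demo() {
    d=$(mktemp -d) || return 1
    printf 'stand-in for the real image\n' > "$d/install67.iso"
    printf 'SHA256 (install67.iso) = %s\n' \
        "$(sha256_of "$d/install67.iso")" > "$d/SHA256"
    verify_image "$d/install67.iso" "$d/SHA256" >/dev/null 2>&1 && good=0 || good=$?
    printf 'x' >> "$d/install67.iso"        # simulate a modified image
    verify_image "$d/install67.iso" "$d/SHA256" >/dev/null 2>&1 && bad=0 || bad=$?
    rm -rf "$d"
    echo "untouched=$good tampered=$bad"
}

demo
```

Against the real download, run verify_image install67.iso SHA256 from the directory holding both files, then verify_signed install67.iso with the path to the release public key.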

Step 2: Prepare VirtualBox

VirtualBox is one of the simplest virtualization environments for Windows, macOS, and Linux. It can be downloaded from VirtualBox's website, or it can be installed on Debian-based Linux distros like Ubuntu by using apt as in the command below.

~$ sudo apt install virtualbox

Once VirtualBox is downloaded, installed, and opened, click the "New" button at the top of the window to begin creating the new virtual machine.

A window will open, requesting a name, type, and version. Typing OpenBSD into the Name field should lead to the automatic population of the following two selections, but if not, set Type to "BSD" and Version to "OpenBSD" 32- or 64-bit, whichever is appropriate for your system. Hit "Continue."

The next portion of the virtual machine configuration is memory allocation. Generally speaking, the more memory one can grant to a virtual machine, the faster the VM will be able to run. The amount of memory one is willing to provide to the VM generally depends on the amount of RAM available on the host machine, shown at the right end of the memory slider bar within VirtualBox. A relatively lightweight operating system such as OpenBSD can function with a limited amount of memory if necessary. Choose your RAM and hit "Continue."

At the Hard disk step, choose to "Create a virtual hard disk now." OpenBSD will need to be installed within the virtual machine, so a virtual hard drive to install this to will be required. Hit "Create."

If you have no need to move the virtual machine image between different virtualization tools, it's best to leave VDI selected for the Hard disk file type selection step. Hit "Continue."

The next selection is between a dynamically allocated or fixed size virtual hard disk. For most users, "Dynamically allocated" is the simplest to use, as it requires the least configuration. Hit "Continue."

Lastly, the maximum size and storage location of the virtual hard drive can be set. This may be an external hard drive or a specific spot on a local drive. The size is the maximum size to which the virtual hard drive can grow, so if there are considerable size constraints based on hard drive size, it may be worthwhile to limit this amount. The base installation size of OpenBSD will be relatively small, so this limit could easily be set to only a few GB. Choose and hit "Create."

Now the OpenBSD VM should be available from the main VirtualBox menu to be started. To launch it, simply click the "Start" button at the top of the interface while the OpenBSD virtual machine is selected. You can also double-click on it to start it.

Once the virtual machine is started, it will request a boot medium to start the virtual machine from.

Click on the folder icon to open a file selector. Click "Add," then browse to and select the OpenBSD ISO image downloaded earlier. Click "Open," then "Choose."

Now, click "Start" to launch the virtual machine. The OpenBSD installer should begin to boot.

Step 3: Install OpenBSD

On first boot, the OpenBSD image will load a text-based installer environment. To begin the installation process, type i and press Enter.

This process includes many questions and configuration options, each of which is explained with a short statement. The first prompt requests the preferred keyboard layout. Type L or ? and press Enter if you wish to list all available options, or simply type us or uk to set the keyboard layout to US or UK English.

At any prompt except password prompts you can escape to a shell by
typing '!'. Default answers are shown in []'s and are selected by
pressing RETURN. You can exit this program at any time by pressing
Control-C, but this can leave your system in an inconsistent state.

Choose your keyboard layout ('?' or 'L' for list) [default] ?

Available layouts: be be.swapctrlcaps br cf cf.nodead de de.nodead dk dk.nodead
ee ee.nodead es fr fr.dvorak fr.swapctrlcaps fr.swapctrlcaps.dvorak hu is is.nodead
it jp jp.swapctrlcaps la lt lv nl nl.nodead no no.nodead pl pt ru sf sf.nodead sg
sg.nodead si sv sv.nodead tr tr.nodead ua uk uk.swapctrlcaps us us.colemak
us.declk us.dvorak us.iopener us.swapctrlcaps us.swapctrlcaps.colemak
us.swapctrlcaps.dvorak us.swapctrlcaps.iopener

Choose your keyboard layout ('?' or 'L' for list) [default] us

Then, give the hostname a name. I'm just going with openbsd.

System hostname? (short form, e.g., 'foo') openbsd

The next questions regard network configuration. Within a virtual machine, the network settings are relatively simple to set. Each prompt, from Available network interfaces through DNS domain name, can be answered by simply pressing Enter, as the default network configuration options should be suitable for most users. On a hardware install, it may be worth taking more care when choosing these settings, depending on your network configuration.

Available network interfaces are: em0 vlan0.
Which network interface do you wish to configure? (or 'done') [em0]

IPv4 address for em0? (or 'dhcp' or 'none') [dhcp]
em0: 10.0.2.15 lease accepted from 10.0.2.2 (XX.XX.XX.XX.XX.XX)

IPv6 address for em0? (or 'autoconf' or 'none') [none]

Available network interfaces are: em0 vlan0.
Which network interface do you wish to configure? (or 'done') [done]

DNS domain name? (e.g. 'example.com') [my.domain]
Using DNS nameservers at 8.8.8.8 8.8.4.4

The next option, Password for root account, allows one to set the root password. The "will not echo" string denotes that when pressing the keys for the password, it will not be visible, nor will it be returned to the user after entering. The root password should generally be strong, especially for a server or internet-connected system.

Password for root account? (will not echo)
Password for root account? (again)

After entering the root password twice, the installer asks if you would like to start the SSH daemon, or background service, by default. While this is not necessary, it may be useful. To enable it, press Enter.

Start sshd(8) by default? [yes]

The following two questions regard the graphical configuration of the system. If you'd like to use a graphical interface, enable the X Window System by pressing Enter. The next question asks if you would like the X Window System to be started by the xenodm login manager. While this isn't necessary, it will make installing a different desktop environment easier, as shown later in this tutorial. To enable it, type yes and press Enter.

Do you expect to run the X Window System? [yes]

Do you want the X Window System to be started by xenodm(1)? [no] yes

Next, enter a name and password for a standard-level user. For security reasons, it's best not to run as the root user, so this user will be used for most standard desktop operations. For most users, it will also be worth denying root SSH login for security reasons.

Setup a user? (enter a lower-case loginname, or 'no') [no] nullbyte

Full name for user nullbyte? [nullbyte] nullbytehacker

Password for user nullbyte? (will not echo)
Password for user nullbyte? (again)

WARNING: root is targeted by password guessing attacks, pubkeys are safer.
Allow root ssh login? (yes, no, prohibit-password) [no]

For the last question in this set, enter ? to see the available time zones, then type your preferred choice from the list or press Enter to continue with the default selection. Then, do the same thing with the sub-time zone.

What timezone are you in? ('?' for list) [US/Eastern] ?

Africa/     Chile/      GB-Eire     Israel      Navajo      US/
America/    Cuba        GMT         Jamaica     PRC         UTC
Antarctica/ EET         GMT+0       Japan       PST8PDT     Universal
Arctic/     EST         GMT-0       Kwajalein   Pacific/    W-SU
Asia/       EST5EDT     GMT0        Libya       Poland      WET
Atlantic/   Egypt       Greenwich   MET         Portugal    Zulu
Australia/  Eire        HST         MST         ROC         posixrules
Brazil/     Etc/        Hongkong    MST7MDT     ROK
CET         Europe/     Iceland     Mexico/     Singapore
CST6CDT     Factory     Indian/     NZ          Turkey
Canada/     GB          Iran        NZ-CHAT     UCT

What timezone are you in? ('?' for list) [US/Eastern] America

What sub-timezone of 'America' are you in? ('?' for list) ?

Argentina/      Curacao         Iqaluit         Montserrat      Santo_Domingo
Aruba           Danmarkshavn    Jamaica         Nassau          Sao_Paulo
Asuncion        Dawson          Jujuy           New_York        Scoresbysund
Atikokan        Dawson_Creek    Juneau          Nipigon         Shiprock
Atka            Denver          Kentucky/       Nome            Sitka
Bahia           Detroit         Knox_IN         Noronha         St_Barthelemy
Bahia_Banderas  Dominica        Kralendijk      North_Dakota/   St_Johns
Barbados        Edmonton        La_Paz          Nuuk            St_Kitts
Belem           Eirunepe        Lima            Ojinaga         St_Lucia
Belize          El_Salvador     Los_Angeles     Panama          St_Thomas
Blanc_Sablon    Ensenada        Louisville      Pangnirtung     St_Vincent
Boa_Vista       Fort_Nelson     Lower_Princes   Paramaribo      Swift_Current
Bogota          Fort_Wayne      Maceio          Phoenix         Tegucigalpa
Boise           Fortaleza       Managua         Port-au-Prince  Thule
Buenos_Aires    Glace_Bay       Manaus          Port-of-Spain   Thunder_Bay
Cambridge_Bay   Godthab         Marigot         Porto_Acre      Tijuana
Campo_Grande    Goose_Bay       Martinique      Porto_Velho     Toronto
Cancun          Grand_Turk      Matamoros       Puerto_Rico     Tortola
Caracas         Grenada         Mazatlan        Punta_Arenas    Vancouver
Catamarca       Guadeloupe      Mendoza         Rainy_River     Virgin
Cayenne         Guatemala       Menominee       Rankin_Inlet    Whitehorse
Cayman          Guayaquil       Merida          Recife          Winnipeg
Chicago         Guyana          Metlakatla      Regina          Yakutat
Chihuahua       Halifax         Mexico_City     Resolute        Yellowknife

What sub-timezone of 'America' are you in? ('?' for list) New_York

Next, the installer will partition the disks. In general, the only disk available for the virtual machine will be fine for the installation — hit Enter.

While custom partitioning works even within the virtual machine environment, the default Whole disk MBR selection, abbreviated to w, is an ideal selection for the virtual machine. Press Enter again to continue the installation.

Available disks are: wd0
Which disk is the root disk? ('?' for details) [wd0]

No valid MBR or GPT.
Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] w
Setting OpenBSD MBR partition to whole wd0...done.
The auto-allocated layout for wd0 is:
#           size        offset      fstype  [fsize  bsize   cpg]
  a:      429.8M            64      4.2BSD    2048  16384     1 # /
  b:      639.7M        880352        swap
  c:    16384.0M             0      unused
  d:      567.7M       2190432      4.2BSD    2048  16384     1 # /tmp
  e:      807.6M       3353120      4.2BSD    2048  16384     1 # /var
  f:     2059.7M       5007008      4.2BSD    2048  16384     1 # /usr
  g:      551.9M       9225216      4.2BSD    2048  16384     1 # /usr/X11R6
  h:     1863.5M       10355488     4.2BSD    2048  16384     1 # /usr/local
  i:     1411.9M       14171936     4.2BSD    2048  16384     1 # /usr/src
  j:     5343.9M       17063552     4.2BSD    2048  16384     1 # /usr/obj
  k:     2703.1M       28007776     4.2BSD    2048  16384     1 # /home

Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a]

The next portion of the installation allows for "sets" of packages to be selected, downloaded, and installed. To download them from the internet, enter http when prompted for the location of the sets.

Let's install the sets!
Location of sets? (cd0 disk http nfs or 'done') [cd0] http

You can define your preferred HTTP proxy and server, but the default setting with no proxy will work for most users.

HTTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]

HTTP Server? (hostname, list#, 'done' or '?') ?

    1. mirrors.sonic.net/pub/OpenBSD            San Francisco, CA,  USA
    2. ... (there are many more to choose from, but I'm not writing them all here)

HTTP Server? (hostname, list#, 'done' or '?') 1

HTTP Server? (hostname, list#, 'done' or '?') [mirrors.sonic.net]

Server directory? [pub/OpenBSD/6.7/amd64]

Next, sets can be selected, or you can simply install all of them. Hit Enter to begin installing the sets. After the sets finish installing, hit Enter again to choose "done" for the location of the sets.

Select sets by entering a set name, a file name pattern or 'all'. De-select
sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'.
    [X] bsd             [X] comp67.tgz      [X] xbase67.tgz     [X] xserv67.tgz
    [X] bsd.rd          [X] man67.tgz       [X] xshare67.tgz
    [X] base67.tgz      [X] games67.tgz     [X] xfont67.tgz
Set name(s)? (or 'abort' or 'done') [done]

Get/Verify SHA256.sig   100% |******************************|    2141       00:00
Signature Verified      100% |******************************|
Get/Verify bsd          100% |******************************|   18117 KB    00:02
Get/Verify bsd.rd       100% |******************************|   10109 KB    00:01
Get/Verify base67.tgz   100% |******************************|     238 MB    00:39
Get/Verify comp67.tgz   100% |******************************|   74451 KB    00:08
Get/Verify man67.tgz    100% |******************************|    7464 KB    00:01
Get/Verify games67.tgz  100% |******************************|    2745 KB    00:00
Get/Verify xbase67.tgz  100% |******************************|   22912 KB    00:03
Get/Verify xshare67.tgz 100% |******************************|    4499 KB    00:01
Get/Verify xfont67.tgz  100% |******************************|   39342 KB    00:05
Get/Verify xserv67.tgz  100% |******************************|   16767 KB    00:03
Installing bsd          100% |******************************|   18117 KB    00:00
Installing bsd.rd       100% |******************************|   10109 KB    00:00
Installing base67.tgz   100% |******************************|     238 MB    00:17
Extracting etc.tgz      100% |******************************|     261 KB    00:00
Installing comp67.tgz   100% |******************************|   74451 KB    00:08
Installing man67.tgz    100% |******************************|    7464 KB    00:01
Installing games67.tgz  100% |******************************|    2745 KB    00:00
Installing xbase67.tgz  100% |******************************|   22912 KB    00:02
Extracting etc.tgz      100% |******************************|    7023       00:00
Installing xshare67.tgz 100% |******************************|    4499 KB    00:00
Installing xfont67.tgz  100% |******************************|   39342 KB    00:02
Installing xserv67.tgz  100% |******************************|   16767 KB    00:01

Location of sets? (cd0 disk http nfs or 'done') [done]

If a time option appears, just hit Enter. Then, the OpenBSD installation should be complete! To start it, hit Enter to select "Reboot" and wait for the system to load.

Time appears wrong. Set to 'Fri Aug 21 17:22:11 EDT 2020'? [yes]

Saving configuration files... done.
Making all device nodes... done.
Relinking to create unique kernel... done.

CONGRATULATIONS! Your OpenBSD install has been successfully completed!

When you login to your new system the first time, please read your mail
using the 'mail' command.

Exit to (S)hell, (H)alt or (R)eboot? [reboot]

Step 4: Delete the Install File

You may find that the system boots back into the installation screen, most likely due to the initial installation media still being loaded, rather than the virtual hard drive. If this is the case, power down the OpenBSD VM.

Then, within VirtualBox, select the OpenBSD virtual machine and click "Settings."

Under the "Storage" menu, right-click on the ISO installation file shown under Storage Devices, and click "Remove Attachment." Hit "Remove" on the prompt, and "OK" to exit the settings. Then, restart the virtual machine.

If a login screen appears, OpenBSD has installed and booted from its virtual hard drive. Now, we can log in to the OpenBSD desktop environment and begin making changes to the operating system.

Step 5: Configure & Use OpenBSD

After logging in using the username and password defined during the installation process, the OpenBSD X Window System and the fvwm window manager will load. This is a very basic graphical environment, but it does create a stacking window manager which can be used for visual tasks. A left-click menu and Control-click menu are available when clicking on the default desktop.

Opening an XTerm window from this menu will help us install additional packages, some of which will allow us to add additional elements to the desktop environment. Once a terminal window is open, we'll use pkg_add to install additional packages. First, run su in a new terminal window to gain superuser privileges. If you logged in as root, you won't need to use su.

~$ su
Password:

Now we can install some additional packages. To replace the default window manager, we'll install the Xfce desktop environment, the Leafpad text editor, the Thunar file manager, consolekit2 to assist with login session management, and the Firefox web browser. I'll also add in nano because why not.

~# pkg_add xfce xfce-extras leafpad thunar firefox consolekit2 nano

After these packages are installed, we can return to our regular user terminal session by typing exit and pressing Enter. After this, we can create an ".xsession" startup file in the user's home directory, which will launch Xfce at the next login, by running the command below. This command "echoes" the statement within the quotation marks into the file ".xsession."

~# exit
~$ echo "exec ck-launch-session startxfce4" > .xsession

Now, you can restart the system. To restart the system, you need to have root privileges, so first run su once again to regain a root terminal window, then type reboot and press Enter to reboot the system.

~$ su
Password:
~# reboot

When the virtual machine reboots, Xfce should automatically start.

Once the desktop environment is installed, OpenBSD is ready to be used much like any other Unix-like operating system, including Linux.

The OpenBSD operating system has software in its repository to do practically any task of other operating systems, including word processors, image editors, and even games. If a tool isn't already available, it can very likely be compiled if the source code is available.

Using OpenBSD

With Xfce installed, the graphical usage of OpenBSD should be relatively familiar for users of Linux distributions or Unix-like operating systems. The command-line environment, ksh, will also generally be familiar to users of Bash. OpenBSD offers extensive documentation, with pages that thoroughly explain the often unfamiliar components of the operating system, such as package management and system administration. A complete user's guide is also available. OpenBSD is a very powerful, extensible system, and becoming familiar with it is a useful skill for any system administrator, security engineer, or hacker!

I hope that you enjoyed this tutorial on OpenBSD! If you have any questions about this tutorial or OpenBSD usage, feel free to leave a comment or reach me on Twitter @tahkion.


Cover image by NOAA's National Ocean Service/Flickr; Screenshots by TAKHION/Null Byte

3 Comments

It may be ultra-secure in the program's world, but it can be easily by-passed just by standing behind the user.

A good exercise would have been to have the user validate the signatures of the ISO file before installing! There is a portable `signify` for linux distros!

Is it more secure than Qubes OS? And why? Thanks!
