- 论坛徽章:
- 0
|
闲来无事,装个OpenBSD琢磨一下,顺带着练习鸟文。翻译的不好之处,请大家指正。
====
AFTERBOOT( 8 ) OpenBSD System Manager's Manual AFTERBOOT( 8 )
AFTERBOOT( 8 ) OpenBSD系统管理员指南 AFTERBOOT( 8 )
NAME:
名字:
afterboot - things to check after the first complete boot
afterboot - 首次启动之后需要检查的事情。
DESCRIPTION:
描述:
Starting out
开始
This document attempts to list items for the system administrator to
check and set up after the installation and first complete boot of the
system. The idea is to create a list of items that can be checked off so
that you have a warm fuzzy feeling that something obvious has not been
missed. A basic knowledge of UNIX is assumed, otherwise type
# help
这篇文档尝试给系统管理员列举一些在安装完毕(OpenBSD)并首次启功系统之后,
需要检查和配置的内容。这个想法是创建一个可以被核对(check off)的列表项,
使你们(当前的使用者)对一些很明显不能被遗漏的事情(状态/情况),有一个
模糊的感性认识。这被假定是一个基本的UNIX知识,否则,输入命令:
# help
Complete instructions for correcting and fixing items is not provided.
There are manual pages and other methodologies available for doing that.
For example, to view the man page for the ls(1) command, type:
# man 1 ls
(查阅)那些没有(在这里)显示(或提供)的正确、固定的全部(命令/配置文件的)
用法。指南页和其他的方法可以有效地做到那些。例如:查阅ls命令的指南页,输入
命令:
# man 1 ls
Administrators will rapidly become more familiar with OpenBSD if they get
used to using the high quality manual pages.
如果管理员习惯于(get used to)利用高质量的指南页,管理员将会迅速的成为
OpenBSD的高手(OpenBSD熟客??)。
Errata
勘误表
By the time that you have installed your system, it is quite likely that
bugs in the release have been found. All significant and easily fixed
problems will be reported at http://www.openbsd.org/errata.html. The web
page will mention if a problem is security related. It is recommended
that you check this page regularly.
在安装完你们的系统的时候,它(指勘误表)是完整的,就好像在发行版中被找到的
bugs(或者翻译成臭虫们?^_^)那样。在http://www.openbsd.org/errata.html报告
了所有重大的、已经修复的问题。
<说明一下:我在http://www.openbsd.org/errata38.html(我用的版本)中,看到的
只有5个fix项目,因此我认为,这里面指的fixed problems,只是既重大,又被修复了
的问题,或者叫bugs。有不同意见的兄弟可以提出来讨论,以便我修正。>
Login
登录
Log in as ``root''. You can do so on the console, or over the network
using ssh(1). If you wish to deny root logins over the network, edit the
/etc/ssh/sshd_config file and set PermitRootLogin to ``no'' (see
sshd_config(5)).
用“root”登录。你能(以root身份)在控制台上登录,或者通过网络用ssh登录。
如果你希望拒绝“root”通过网络登录,编辑/etc/ssh/sshd_config文件,设置
PermitRootLogin(参数)为“no”(见sshd_config)。
这里面需要说明的一个语法问题(菜鸟之见),在“Log in as ``root''. You can
do so on the console, or over the network using ssh(1)”一句中,原本我没太
明白do so的意思,还以为只是想说明在console上要做的事情,想来想去,很不理解。
看到下半句话——or over the network using ssh(1),才琢磨过来,原来是要说有
两种可行的登录方式。这鸟文真是很差啊,注意力也不集中!
For security reasons, it is bad practice to log in as root during regular
use and maintenance of the system. Instead, administrators are encour-
aged to add a ``regular'' user, add said user to the ``wheel'' group,
then use the su(1) and sudo(8 ) commands when root privileges are re-
quired. This process is described in more detail later.
基于安全的考虑,在正常的系统使用和维护过程中,使用root用户登录是个错误的习
惯。代替的,我们(这里指OpenBSD的开发团队,或者叫发行者、前辈...)鼓励管理
员(们)增加一个“正常”的用户,把这个用户添加到“wheel”用户组,当需要root
权限的时候,使用su和sudo命令(转换成root用户)。这个过程在后面有更详细的描述。
Root password
Root口令
Change the password for the root user. (Note that throughout the docu-
mentation, the term ``superuser'' is a synonym for the root user.)
Choose a password that has numbers, digits, and special characters (not
space) as well as from the upper and lower case alphabet. Do not choose
any word in any language. It is common for an intruder to use dictionary
attacks. Type the command /usr/bin/passwd to change it.
改变root用户的口令。(注意:贯穿文档的“superuser(超级用户)”,和root用户
是同义词)。选择密码,需要包含:数字、字符和特殊字符(不包括空格),最好是大
小写混合。不要选择任何(语言中的)单词(作为密码),使用字典攻击是入侵者一致
的行为(或者说基本的行为?)。使用/usr/bin/passwd命令修改密码。
It is a good idea to always specify the full path name for both the
passwd(1) and su(1) commands as this inhibits the possibility of files
placed in your execution PATH for most shells. Furthermore, the superus-
er's PATH should never contain the current directory (``.'').
在大多数shell中,为了防止passwd和su命令在你的执行PATH(直译为路径,这里应该
是指PATH环境变量)里面出现被替换的可能,总是使用全路径名称执行他们是一个好的
选择。此外,超级用户的PATH里面不应该包含当前目录(“.”)。
System date
系统日期(与时间)
Check the system date with the date(1) command. If needed, change the
date, and/or change the symbolic link of /etc/localtime to the correct
time zone in the /usr/share/zoneinfo directory.
使用date命令检查系统时间。如果需要的话,修改时间,和/或修改/etc/localtime(文
件)的字符链接,使其链接到/usr/share/zoneinfo目录下的正确的时区(文件)。
Examples:
举例:
Set the current date to January 27th, 1999 3:04pm:
设置当前时间为1999年1月27日下午3:04分:
# date 199901271504
Set the time zone to Atlantic Standard Time:
设置时区为亚特兰大标准时间:
# ln -fs /usr/share/zoneinfo/Canada/Atlantic /etc/localtime
Check hostname
检查主机名
Use the hostname command to verify that the name of your machine is cor-
rect. See the man page for hostname(1) if it needs to be changed. You
will also need to edit the /etc/myname file to have it stick around for
the next reboot.
使用hostname命令验证你的计算机名称是否正确。如果需要改变它,查阅hostname
(命令)的指南页。你需要编辑/etc/myname文件,使得主机名在下一次重启之后
生效。
Verify network interface configuration
检验网络接口配置
The first thing to do is an ifconfig -a to see if the network interfaces
are properly configured. Correct by editing /etc/hostname.interface
(where interface is the interface name, e.g., ``le0'') and then using
ifconfig( 8 ) to manually configure it if you do not wish to reboot. Read
the hostname.if(5) man page for more information on the format of
/etc/hostname.interface files. The loopback interface will look some-
thing like:
如果网络接口被完全配置过,那么第一件事情就是用ifconfig -a(命令)看(接口
信息/状态)。(通过)编辑/etc/hostname是正确的(修改接口的方法)。如果你希
望不用通过重启(就能使修改生效),你可以通过ifconfig命令手动的修改(相应的)
接口(这里所说的接口,是指接口的名字,例如:“le0”)。阅读hostname.if的指
南页,你可以获得关于/etc/hostname.interface文件格式的更多信息。回环接口会看
到如下信息:
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
an Ethernet interface something like:
以太网接口的信息如下:
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1
and a PPP interface something like:
点对点(通信协议的)的接口信息如下:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000
See netstart( 8 ) for instructions on configuring multicast routing.
想了解多播的配置,请查阅netstart(的指南页)。
See dhcp( 8 ) for instructions on configuring interfaces with DHCP.
想了解DHCP的接口配置,请查阅dhcp(的指南页)。
Check routing tables
检查路由表
Issue a netstat -rn command. The output will look something like:
执行netstat -rn命令,输出(显示)的内容如下:
Routing tables ## 路由表
Internet: ## Internet协议,也就是我们通常说的IPv4。
Destination Gateway Flags Refs Use Mtu Interface
default 192.168.4.254 UGS 0 11098028 - le0
127 127.0.0.1 UGRS 0 0 - lo0
127.0.0.1 127.0.0.1 UH 3 24 - lo0
192.168.4 link#1 UC 0 0 - le0
192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0
192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0
名词解释:
mtu:Maximum Transmission Unit,是某特定接口可以处理的最大分组大小,以字节计。
Internet6: ## Internet协议版本6,也就是我们通常说的IPv6。
Destination Gateway Flags Refs Use Mtu Interface
::/96 ::1 UGRS 0 0 32972 lo0 =>
::1 ::1 UH 4 0 32972 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0
fc80::/10 ::1 UGRS 0 0 32972 lo0
fe80::/10 ::1 UGRS 0 0 32972 lo0
fe80::%le0/64 link#1 UC 0 0 1500 le0
fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0
ff01::/32 ::1 U 0 0 32972 lo0
ff02::%le0/32 link#1 UC 0 0 1500 le0
ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0
The default gateway address is stored in the /etc/mygate file. If you
need to edit this file, a painless way to reconfigure the network after-
wards is route flush followed by a sh -x /etc/netstart command. Or, you
may prefer to manually configure using a series of route add and route
delete commands (see route( 8 )). If you run dhclient( 8 ) you will have to
kill it by running kill `cat /var/run/dhclient.pid` after you flush the
routes.
缺省网关地址被保存在/etc/mygate文件中。如果你由于需要而编辑了这个文件,那
么简单的重新配置网络方法是,执行route flush,然后执行sh -x /etc/netstart命
令。或者说,你更喜欢使用一系列route add和route delete命令(见route指南页)
来手工配置(路由表)。如果你运行了dhclient(DHCP客户端工具),在清空了所有
的路由表的内容之后你将不得不通过kill `cat /var/run/dhclient.pid`命令来杀掉
这个进程。
If you wish to route packets between interfaces, add one or both of the
following directives (depending on whether IPv4 or IPv6 routing is re-
quired) to /etc/sysctl.conf:
如果你希望在两个接口之间路由(或者说交换)数据包,需要在/etc/sysctl.conf
文件中增加一个或者两个参数说明(增加的参数取决于IPv4或IPv6的需要)
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
Packets are not forwarded by default, due to RFC requirements.
由于RFC(Request For Comments,Internet标准(草案))的要求,缺省情况下,
数据包不会被转发。
Check disk mounts
检查磁盘安装(挂接)
Check that the disks are mounted correctly by comparing the /etc/fstab
file against the output of the mount( 8 ) and df(1) commands. Example:
依赖于mount和df命令的输出,与/etc/fatab文件进行对比,检查磁盘是否被正确
的安装。举例:
# cat /etc/fstab
/dev/sd0a / ffs rw 1 1
/dev/sd0d /usr ffs rw,nodev 1 2
/dev/sd0e /var ffs rw,nodev,nosuid 1 3
/dev/sd0g /tmp ffs rw,nodev,nosuid 1 4
/dev/sd0h /home ffs rw,nodev,nosuid 1 5
# mount
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local, nodev)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
/dev/sd0g on /tmp type ffs (local, nodev, nosuid)
/dev/sd0h on /home type ffs (local, nodev, nosuid)
# df
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/sd0a 22311 14589 6606 69% /
/dev/sd0d 203399 150221 43008 78% /usr
/dev/sd0e 10447 682 9242 7% /var
/dev/sd0g 18823 2 17879 0% /tmp
/dev/sd0h 7519 5255 1888 74% /home
# pstat -s
Device 512-blocks Used Avail Capacity Priority
swap_device 131072 84656 46416 65% 0
Edit /etc/fstab and use the mount( 8 ) and umount( 8 ) commands as appropri-
ate. Refer to the above example and fstab(5) for information on the for-
mat of this file.
你可以适当的编辑/etc/fstab文件和使用mount与umount命令(对磁盘进行操作)。
通过查阅上面的例子和fstab的指南页,可以获得关于这个文件更多的信息。
You may wish to do NFS partitions now too, or you can do them later.
你可能也希望现在安装NFS分区,或许以后你能够做到。
Check the running system
检查运行的系统
You can use ps(1), netstat(1), and fstat(1) to check on running process-
es, network connections, and opened files, respectively.
你能够用ps、netstat和fstat命令,分别检查运行的进程、网络连接和打开的文件。
CHANGING /etc FILES
改变/etc(目录)的文件
The system should be usable now, but you may wish to do more customizing,
such as adding users, etc. Many of the following sections may be skipped
if you are not using that package (for example, skip the Kerberos section
if you won't be using Kerberos). We suggest that you cd /etc and edit
most of the files in that directory.
现在,系统应该是可用的,但是你也许希望进行更多的定制,诸如:增加用户等等。
如果你不使用那个包,下面的小节中的大多数是可以跳过去(不看)的(例如:如
果你不像使用Kerberos,你就可以越过去不看)。我们建议你进入/etc目录,并编
辑那个目录中的大多数文件。
Note that the /etc/motd file is modified by /etc/rc whenever the system
is booted. To keep any custom message intact, ensure that you leave two
blank lines at the top, or your message will be overwritten.
注意:只要(或者说无论何时)系统被启动,/etc/motd文件会被/etc/rc修改。要
想保留任何完整的定制信息,确认你已经在文件的顶部留下了两行空行,否则,你
的信息将会被覆盖。
Add new users
添加新用户
Add users. There is an adduser( 8 ) script. You may use vipw( 8 ) to add
users to the /etc/passwd file and edit /etc/group by hand to add new
groups. You may also wish to edit /etc/login.conf and tune some of the
limits documented in login.conf(5). The manual page for su(1) tells you
to make sure to put people in the `wheel' group if they need root access
(non-Kerberos). For example:
增加用户。有一个adduser脚本。你可能用vipw来增加用户到/etc/passwd文件,并
通过手工的方式编辑/etc/group增加新的用户组。你可能也希望编辑/etc/login.conf
对login.conf中的xxxx(没翻译明白)限制进行调整。su的指南页会告诉你,如
果你需要root访问权限(非Kerberos方式),需要确认将该用户放进“wheel”用户
组。例如:
wheel:*:0:root,myself
Follow instructions for login_krb5( 8 ) if using Kerberos for authentica-
tion.
如果使用Kerberos作为认证方式,后面将会介绍login_krb5。
====
上班偷偷搞D,下班了。
未完,待续...
[ 本帖最后由 落魄北京 于 2006-3-14 17:07 编辑 ] |
|
免费注册
发表于 2006-03-12 01:02
发表于 2006-03-12 01:04
