My FreeBSD Post-Installation Steps

Whenever I install a FreeBSD server, I usually perform the same steps right after installation. This post outlines these steps, for me to remember. Nothing new or complex; all of this has already been shared somewhere.

Note: This has been tested on FreeBSD 14.1.

Copy SSH Key

For key-based SSH login, the public SSH key has to be copied from a local machine to the freshly installed machine. To do this, run the following on a local machine where an SSH key is already configured; it copies the public key to your <user> on the remote <host>:

ssh-copy-id <user>@<host>

Disable SSH Password authentication

Configure SSH to accept key-based authentication and to disable password-based authentication. Ensure that root cannot log in through SSH.

vi /etc/ssh/sshd_config

UsePAM no
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes

Check that the config is good:

sshd -T | grep -E -i 'PubkeyAuthentication|PasswordAuthentication|UsePAM|PermitRootLogin'

Output should be this:

usepam no
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
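
The same check as a script that fails when a directive is missing or has a different value, instead of relying on reading the grep output by eye. This is an added example, not part of the original post; the names check_sshd_hardening, EXPECTED and SAMPLE are hypothetical and the sample input is constructed.

```sh
#!/bin/sh
# Added example: verify the four sshd settings from this post.
# check_sshd_hardening, EXPECTED and SAMPLE are hypothetical names.

# Expected effective settings, lower-case as `sshd -T` prints them.
EXPECTED='usepam no
passwordauthentication no
permitrootlogin no
pubkeyauthentication yes'

# Reads `sshd -T` output on stdin. Prints one line per directive and
# returns 0 only if each one is present with the expected value.
check_sshd_hardening() {
    actual=$(cat)
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$actual" |
            awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key: want '$want', got '${got:-<missing>}'"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample, not real server output: password login is off,
# but root may still log in with a key, so the check must fail.
SAMPLE='usepam no
passwordauthentication no
permitrootlogin without-password
pubkeyauthentication yes
port 22'

printf '%s\n' "$SAMPLE" | check_sshd_hardening ||
    echo "sshd config does not match the settings above"
```

On the server, run it as root with `sshd -T | check_sshd_hardening`. `sshd -T` reads the configuration file, so the running daemon only uses these values after sshd has been restarted.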

Configure doas

Package installations and doas configuration must be done as root, so use su - to become root first.

su -
pkg install doas

Create a doas configuration file. The nopass variant is not recommended since it skips the password check.

vi /usr/local/etc/doas.conf

permit :wheel
# permit nopass :wheel

Test the doas configuration:

doas id

Note: this requires $USER to be a member of the wheel group. I usually configure that while installing FreeBSD, when adding a non-privileged user.

Update and Upgrade FreeBSD

Update:

doas freebsd-update fetch
doas freebsd-update install

Upgrade, if needed:

# e.g. <release> = 13.2-RELEASE
doas freebsd-update -r <release> upgrade
doas freebsd-update install
doas reboot
# login after reboot
doas freebsd-update install

Always update before upgrade.

Enable NTP

This is only needed if ntpd was not configured while installing FreeBSD.

doas sysrc ntpd_enable="YES"
doas sysrc ntpd_sync_on_start="YES"
doas service ntpd start
service ntpd status # check if ntpd is running

By default ntpd will use NTP time servers assigned via the freebsd.pool.ntp.org pool.

Install packages

# bash is included because the next step sets /usr/local/bin/bash as the login shell
doas pkg install git vim htop bash

Change shell

doas chsh -s /usr/local/bin/bash $USER

Yes, I still use bash as my interactive shell. Call me old-fashioned.

Disable MOTD and fortune

doas chmod -x /usr/bin/fortune
doas touch /root/.hushlogin
touch ~/.hushlogin

Disable atime on zroot

It is a good idea to disable atime if FreeBSD is installed with a ZFS root filesystem. It is not particularly interesting to record when a file was last read.

Check that atime is off:

zfs get all|grep atime

Done.