My FreeBSD Post-Installation Steps

Whenever I install a FreeBSD server, I usually perform the same steps right after installation. This post outlines these steps, for me to remember. Nothing new or complex; all of this has already been shared somewhere.

Note: This has been tested on FreeBSD 14.1 and FreeBSD 14.2.

Copy SSH Key

For key-based SSH login, the public SSH key must be copied from a local machine to the newly installed machine. To do this, copy the public key from a local machine where an SSH key is already configured to your <user> on the remote <host>:

ssh-copy-id <user>@<host>

Disable SSH Password authentication

Configure SSH to accept key-based authentication and to disable password-based authentication. Ensure that root cannot log in through SSH.

vi /etc/ssh/sshd_config
UsePAM no
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes

Check that the config is good:

sshd -T | grep -E -i 'PubkeyAuthentication|PasswordAuthentication|UsePAM|PermitRootLogin'

Output should be this:

usepam no
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
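
The visual comparison above can be turned into a pass/fail check. The following script is an added example, not part of the original post; the function name check_sshd_hardening and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare effective sshd settings with the four values from this post.
# Input on stdin: "keyword value" lines as printed by `sshd -T`.

EXPECTED='usepam no
passwordauthentication no
permitrootlogin no
pubkeyauthentication yes'

check_sshd_hardening() {
    # Prints one line per deviation; returns 0 only if all four settings match.
    effective=$(cat)
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$effective" | awk -v k="$key" 'tolower($1) == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got $got, expected $want"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed samples (not captured from a real host).
SAMPLE_GOOD='usepam no
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no'
SAMPLE_BAD='port 22
usepam no
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication no'

# Demo on the samples; on the server run: sshd -T | check_sshd_hardening
for sample in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if printf '%s\n' "$sample" | check_sshd_hardening; then
        echo "OK: all four settings match"
    else
        echo "FAIL: sshd does not match the intended configuration"
    fi
done
```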

Configure doas

Package installations and doas configuration must be done as root, so use su - to become root.

su -
pkg install doas

Create a doas configuration file. The nopass variant is not recommended since it skips the password check.

vi /usr/local/etc/doas.conf
permit :wheel
# permit nopass :wheel

Exit from root. Test the doas configuration:

doas id

Note: this requires $USER to be a member of the wheel group. I usually configure that while installing FreeBSD, when adding a non-privileged user. To configure it on the root console: pw usermod bernd -G wheel

Update and Upgrade FreeBSD

Update:

doas freebsd-update fetch
doas freebsd-update install

Upgrade, if needed:

# e.g. <release> = 14.1-RELEASE
doas freebsd-update -r <release> upgrade
doas freebsd-update install
doas reboot
# login after reboot
doas freebsd-update install

Always update before upgrading.

Update and Upgrade installed Packages

doas pkg update
doas pkg upgrade

Enable NTP

This is only needed if ntpd was not configured while installing FreeBSD.

doas sysrc ntpd_enable="YES"
doas sysrc ntpd_sync_on_start="YES"
doas service ntpd start
service ntpd status # check if ntpd is running

By default ntpd will use NTP time servers assigned via the freebsd.pool.ntp.org pool.

Install packages

doas pkg install git vim htop bash tmux

Change shell

doas chsh -s /usr/local/bin/bash $USER

Yes, I still use bash as my interactive shell. Call me old-fashioned.

Disable MOTD and fortune

doas chmod -x /usr/bin/fortune
doas touch /root/.hushlogin
touch ~/.hushlogin

Disable atime on zroot

It is a good idea to disable atime if FreeBSD is installed with a ZFS root filesystem. It is not particularly interesting to record when a file was last read.

Check that atime is off:

doas zfs get all|grep atime

Done.