Archive
So You Want A FreeBSD Debugging Kernel…
Installing a debugging kernel in FreeBSD
The Use Case
There are numerous reasons for needing a debugging kernel; diagnosing a kernel panic is one of them, and it was the case with us. We therefore installed a kernel with DDB enabled. In the event of a kernel panic, the system would drop to the debugger, and the software engineers were then able to begin diagnosing the problem.
Preparing To Build The Kernel
Prerequisites
- FreeBSD source tree
- A kernel config
FreeBSD Sources
Operators can use cvs or Subversion to install the sources. Information on FreeBSD source trees can be found here.
The Kernel Config
Create a kernel config by opening /usr/src/sys/${arch}/conf/DEBUG, where ${arch} is the machine architecture the kernel is to be built for. In this case, we build an amd64 kernel on an amd64 machine. The kernel config should appear as follows:
include GENERIC
options KDB_UNATTENDED
options DDB
Compiling and Installing The Kernel
Compiling and installing the debugging kernel is as simple as executing:
# cd /usr/src
# make buildkernel KERNCONF=DEBUG INSTKERNNAME=DEBUG
# make installkernel KERNCONF=DEBUG INSTKERNNAME=DEBUG
Executing/Using The Kernel
From the loader menu
At the loader menu, press 6 to escape to the loader(8) prompt and type:
boot DEBUG
From the running system
The DEBUG kernel can be loaded by default by adding/modifying the kernel directive in loader.conf as follows. Each subsequent boot will load the DEBUG kernel.
kernel=DEBUG
Dropping into the debugger
During a kernel panic, the system will simply reboot unless debug.debugger_on_panic is enabled. To enable it, execute:
sysctl debug.debugger_on_panic=1
To induce a panic:
sysctl debug.kdb.panic=1
Installing FreeBSD 8.x Distributions After Installation
Installing Distributions After The Fact
FreeBSD 8.x [ and earlier ] media contain distributions one can select to install via sysinstall(8). This is accomplished via GUI or automated scripting requiring an install.cfg.
In a typical FreeBSD installation, a kernel/distribution is extracted onto disk. What is an admin to do when they later find that they need to install a distribution after the fact? There are two methods for installing media distributions after the fact.
Using the Command Line
This is my preferred method as it does not require using sysinstall's graphical interface, but I am sure both have their merits. In this example, we install lib32. First, download the distribution from FreeBSD.org…
echo CHECKSUM.SHA256 CHECKSUM.MD5 install.sh lib32.a{a,b,c,d,e,f,g,h,i,j,k,l,m} lib32.inf lib32.mtree | xargs -n 1 -I%s fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/8.2-RELEASE/lib32/%s
The next step is to install the distribution…
./install.sh
and you’re done…
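A check that fits between the fetch and ./install.sh, since the pieces arrive over plain FTP and CHECKSUM.SHA256 is downloaded but never consulted. This is an added example, not part of the original post; it assumes the checksum file uses BSD-style lines of the form `SHA256 (name) = digest`, and the function names are illustrative.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes CHECKSUM.SHA256 uses
# BSD-style lines:  SHA256 (lib32.aa) = <64 hex digits>
# Function names are illustrative.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                     # FreeBSD base system
    else
        sha256sum "$1" | cut -d' ' -f1     # GNU coreutils fallback
    fi
}

# verify_dist DIR: succeed only if every file listed in DIR/CHECKSUM.SHA256
# is present and matches its digest. Failures are reported on stderr.
verify_dist() {
    dir=$1
    sums="$dir/CHECKSUM.SHA256"
    [ -r "$sums" ] || { echo "cannot read $sums" >&2; return 2; }
    bad=0
    checked=0
    while IFS= read -r line; do
        # Extract the file name; lines in any other shape are skipped.
        name=$(printf '%s\n' "$line" |
            sed -n 's/^SHA256 (\(.*\)) = [0-9a-f]\{64\}$/\1/p')
        [ -n "$name" ] || continue
        want=${line##* = }
        case $name in
            */*) echo "REJECTED $name (path in checksum file)" >&2
                 bad=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; bad=1; continue
        fi
        if [ "$(sha256_of "$dir/$name")" = "$want" ]; then
            checked=$((checked + 1))
        else
            echo "MISMATCH $name" >&2; bad=1
        fi
    done < "$sums"
    # An empty or unparsable checksum file must not count as success.
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Typical use from the download directory:
#   verify_dist . && ./install.sh
```

Because the checksum file comes from the same FTP server as the pieces, this catches truncated or corrupted downloads; it only says something about the mirror itself if the digests are compared against a copy obtained over an authenticated channel.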
Using sysinstall(8)
Start the procedure by executing sysinstall. It opens an interactive GUI. The following procedure installs the distribution…
Select “Configure”…
Select “Distributions”…
Select the distribution to install…
Select install media (this example uses ftp)…
Select ftp location (This step may differ depending on the media selected above)…
If networking is configured, select yes. Otherwise, select no and sysinstall will prompt for network configuration…
The distribution installs…
…and when completed, exit sysinstall.
References
* The command line used can be referenced in the FreeBSD Forums
Encrypting User Password Strings
The Use Case
User account passwords can be set during systems provisioning in multiple ways. Setting a host's root password is a common use case. During a FreeBSD 8.x install, one can set root's password (or another user account's password) by executing the following within the install.cfg:
/bin/sh -c 'echo passwd |pw mod user username -h 0'
Unfortunately, doing so exposes the user’s account password. Therefore, the recommendation is to use an encrypted hash as follows:
/usr/bin/chpass -p $1$nPUexUs5$O4JuN.Ed/LqWHJKmf8K0h0 root
Encrypting The Password
The use case begs the question: How does one ascertain an encrypted hash given a string?
On FreeBSD, there are varying methods to ascertain an encrypted hash. Here are just two of the many.
openssl
# openssl passwd -1 MySecret
$1$YRth1v3T$MvGupL8n.VBjvM12JhR4G0
openssl(1) returns the entire encrypted hash. The character between the first and second dollar signs identifies the crypt mechanism. The following eight characters are the salt. The remaining characters following the third dollar sign are the encrypted string.
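A way to check a string against the layout just described before it goes into install.cfg, shown on the two hashes that appear on this page. This is an added example, not part of the original post; check_md5crypt and mangled_hash are illustrative names, and the 22-character hash length and ./0-9A-Za-z alphabet are what `openssl passwd -1` emits.

```sh
#!/bin/sh
# Added example (not from the original post); check_md5crypt is an
# illustrative name. Validates the $1$salt$hash layout described above.

# check_md5crypt STRING: return 0 if STRING looks like md5crypt output,
# otherwise print the reason on stderr and return 1.
check_md5crypt() {
    s=$1
    case $s in
        '$1$'*) ;;
        *) echo "does not start with \$1\$" >&2; return 1 ;;
    esac
    rest=${s#'$1$'}
    case $rest in
        *'$'*) ;;
        *) echo "no \$ separating salt from hash" >&2; return 1 ;;
    esac
    salt=${rest%%'$'*}      # text up to the third dollar sign
    hash=${rest#*'$'}       # text after it
    if [ "${#salt}" -lt 1 ] || [ "${#salt}" -gt 8 ]; then
        echo "salt must be 1 to 8 characters" >&2; return 1
    fi
    if [ "${#hash}" -ne 22 ]; then
        echo "hash must be 22 characters, got ${#hash}" >&2; return 1
    fi
    case $salt$hash in
        *[!./0-9A-Za-z]*)
            echo "character outside ./0-9A-Za-z" >&2; return 1 ;;
    esac
    return 0
}

# The two strings shown on this page, single-quoted so the shell keeps
# every dollar sign.
page_hash_chpass='$1$nPUexUs5$O4JuN.Ed/LqWHJKmf8K0h0'
page_hash_openssl='$1$YRth1v3T$MvGupL8n.VBjvM12JhR4G0'

# The same string left unquoted: sh expands $1, $nPUexUs5 and $O4JuN to
# empty strings, so only a fragment would reach chpass.
mangled_hash() {
    sh -c 'printf "%s" $1$nPUexUs5$O4JuN.Ed/LqWHJKmf8K0h0'
}
```

Running `openssl passwd -1` with no password argument makes it prompt for the password, which keeps the secret out of shell history and the process list.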
md5
# md5 -s MySecret
MD5 ("MySecret") = 4132d75e6cb04073cc7756707057027f
md5(1) returns a partial encrypted hash. In the key-value pair, the key is the crypt mechanism. The first 8 characters of the value are the salt. The remaining characters are the encrypted string.
In this method, one must prepend $1$ to the value before feeding it into chpass(1).
Related Documentation
* Chapter 15, Security, of the FreeBSD handbook explains identifying a host’s crypt mechanism.