| author | James Meyer <James.meyer@operamail.com> | 2008-10-02 03:23:45 (GMT) |
|---|---|---|
| committer | James Meyer <James.meyer@operamail.com> | 2008-10-02 03:23:45 (GMT) |
| commit | 618d4ad515a93d1e48934be5846edd71270171ec (patch) | |
| tree | a22a9294af81215d4a7b1053e5fdb4d746f39d41 /build_tools/clarch/larch/docs/html/larch_ssh.html | |
| download | linhes_dev-618d4ad515a93d1e48934be5846edd71270171ec.zip | |
initial import
Diffstat (limited to 'build_tools/clarch/larch/docs/html/larch_ssh.html')
-rw-r--r-- | build_tools/clarch/larch/docs/html/larch_ssh.html | 205 |
1 files changed, 205 insertions, 0 deletions
diff --git a/build_tools/clarch/larch/docs/html/larch_ssh.html b/build_tools/clarch/larch/docs/html/larch_ssh.html new file mode 100644 index 0000000..f7db018 --- /dev/null +++ b/build_tools/clarch/larch/docs/html/larch_ssh.html 
@@ -0,0 +1,205 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> + +<head> + <meta content="text/html;charset=UTF-8" http-equiv="Content-Type" /> + <title>larch ssh access</title> + <meta content="gradgrind" name="author"> +</head> + +<body> + +<table style="text-align: left; width: 100%;" border="1" cellpadding="2" cellspacing="2"> + <tbody> + <tr> + <td><a href="larch_sessionsave.html">Previous: Session saving</a></td> + + <td><a href="larch_docindex.html">Table of Contents</a></td> + + <td><a href="larch_running.html">Next: Running larch</a></td> + </tr> + </tbody> +</table> + +<br /> +<h1><big>larch</big> – a do-it-yourself live <em>Arch Linux</em> CD</h1> + +<img style="border: 0px solid ; width: 320px; height: 320px;" alt="" src="larch1.jpg" + name="graphics1" align="right" hspace="10" vspace="10" /> +<br /><br /> + +<h2>ssh access</h2> +<br /> + +<p>One feature I wanted in my live system was the ability to +access and control it remotely via <em>ssh</em>. <em>ssh</em> is +generally very useful, but here it also gives my installation CD a rare +advantage over most others - using it I can install <em>Arch Linux</em> +to a computer which has no keyboard or monitor. Insert the CD, boot up +the computer (assuming it is configured to boot from CD), and log in +via the network using another computer. Isn't <em>Linux</em> great! +</p> + +<p>Well, it doesn't quite work out of the box, though it could be +tweaked so that - in the right environment - it would. Firstly, there +must be a network connection which gets set up automatically - +the easiest is probably <em>DHCP</em> (so long as +you can then find the address of the live system), +but by tweaking <strong>rc.conf</strong> (via <strong>rcconfx</strong> +in the <em>profile</em> or by using the session saving feature) +a static address is also easy to set up. 
+Secondly you must provide the live system with your public key, so +that you are allowed access (using public key authentication), or else +set a password for the <em>larch</em> root user (probably easiest using the +session saving feature). +</p> + +<h4>id_rsa.pub & authorized_keys</h4> + +<p><strong>id_rsa.pub</strong> +is a public key, and it can be used to allow the user (on the remote machine) +whose key this is to <em>ssh</em> into the live system. +If you leave passwordless logins disabled (the +default), then so long as no root password is set, +the only way in (to the root account) is via public key authentication. +Of course, if you change the root password, anyone (who knows the +password) can log in via <em>ssh</em> +(if the <em>sshd</em> daemon is running). +</p> + +<p>To generate this key for your user (assuming you don't already +have one, in <strong>~/.ssh</strong>): +</p> + +<pre style="margin-left: 80px;">ssh-keygen -t rsa</pre> + +<p>Use the default destination file and empty passphrase +(normally you wouldn't do that, +but I think it is appropriate in this case). +</p> + +<p>In order to enable <em>ssh</em> to the root account on the live +system, the contents of this file (a single text line) must be placed in +the <em>larch</em> system's <strong>/root/.ssh/authorized_keys</strong> file. +This file will probably not yet +exist, so the 'id_rsa.pub' can be simply copied to it. +If doing this before building the live-CD, copy the file to this +position in the 'overlay' directory in the <em>profile</em>, being +careful to get ownerships (root:root) and permissions (644) correct. +To do this in a running <em>larch</em> system, copy the file to this location - +session saving will then preserve it. 
+</p> + +<p>If you don't need <em>sshd</em> on the live system, you can +remove it from the daemons in <strong>rc.conf</strong>.</p> +</p> + +<h4>/etc/hosts.allow</h4> + +<p> +This must be edited to allow <i>ssh</i> +access to the live system: +</p> + +<pre style="margin-left: 80px;"> +# To allow ssh in from anywhere +sshd: ALL +</pre> + +<p>If that is too radical for you, you might be able to restrict +it somewhat - that depends on your exact circumstances. For example: +</p> + +<pre style="margin-left: 80px;"> +# To allow ssh in from local net (example) +sshd: 192.168.1. +</pre> + +<h4>ssh host keys</h4> + +<p>The files +<strong>/etc/ssh/ssh_host_dsa_key</strong> +<strong>/etc/ssh/ssh_host_dsa_key.pub</strong>, +<strong>/etc/ssh/ssh_host_rsa_key</strong>, +<strong>/etc/ssh/ssh_host_rsa_key.pub</strong>, +<strong>/etc/ssh/ssh_host_key</strong>, +and +<strong>/etc/ssh/ssh_host_key.pub</strong> +are normally (in a hard-disk based system) generated on the first run of +<strong>/etc/rc.d/sshd</strong>, i.e. during the first boot after a new +installation. This only needs to be done once. However in a live-CD system +changes are generally lost when the system shuts down, so this would need +to be done at every boot, which takes a while, so I prefer to pregenerate them. +At present this is +done during the first phase of the live-CD build (the <em>Arch Linux</em> +installation phase). What this means is that all live-CDs generated from +this base will have the same ssh host keys. If security is important to +you, these should be regenerated, e.g. for the running <em>larch</em> system +as follows: +</p> + +<pre style="margin-left: 80px;"> +rm /etc/ssh/ssh_host_* +/etc/rc.d/sshd restart +</pre> + +<h3><a name="ssh_x11"></a><em>ssh</em> and <em>X11</em></h3> + +<p> +If you have set up 'X11 Forwarding' (see below), you can run X11 applications on the +live system from your remote system. This is very neat! 
Before <em>xorg</em> reached +version 7 there were complications due to the location of its <em>xauth</em> +program, but since that version this is at the <em>ssh</em> +default position, <strong>/usr/bin/xauth</strong>, so all should now be well. +</p> + +<p> +Bear in mind that this will only work if you use the -Y option to <em>ssh</em>, +or set up its configuration file properly. +</p> + +[ +<p style="margin-left: 40px;"> +If, for some reason you are not using Xorg7(+), you may need to set the <em>xauth</em> +path in <strong>/etc/ssh/sshd_config</strong> +and/or <strong>/etc/ssh/ssh_config</strong> (or set a <em>symlink</em> from <strong>/usr/bin/xauth</strong> to <strong>/usr/X11R6/bin/xauth</strong>): +</p> + +<pre style="margin-left: 80px;">XAuthLocation /usr/X11R6/bin/xauth</pre> +] + +<h4>/etc/ssh/sshd_config</h4> + +<p>This file is changed to allow X applications to run on the +live system but display on another: +</p> + +<pre style="margin-left: 80px;">X11Forwarding yes</pre> + +<p> +This will only work if you use the -Y option to <em>ssh</em> +on the system from which you log in, and on which +you want to display the X windows (e.g. 'ssh -Y +root@192.168.0.201'). Alternatively you can put the +following in <em>its</em> <strong>etc/ssh/ssh_config</strong>: +</p> + +<pre style="margin-left: 80px;"> +ForwardX11 yes +ForwardX11Trusted yes +</pre> + +<table style="text-align: left; width: 100%;" border="1" cellpadding="2" cellspacing="2"> + <tbody> + <tr> + <td><a href="larch_sessionsave.html">Previous: Session saving</a></td> + + <td><a href="larch_docindex.html">Table of Contents</a></td> + + <td><a href="larch_running.html">Next: Running larch</a></td> + </tr> + </tbody> +</table> + +</body> +</html> |
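Review bot: the paragraph `<p>If you don't need <em>sshd</em> on the live system ... <strong>rc.conf</strong>.</p>` is followed by a second, unmatched `</p>`, which is invalid under the XHTML 1.0 Transitional doctype declared at the top of the file; drop the stray `</p>`. In the same vein, `<meta content="gradgrind" name="author">` should be self-closed (`<meta content="gradgrind" name="author" />`) like the Content-Type meta above it, and the bare `[` and `]` lines bracketing the "If, for some reason you are not using Xorg7(+)" paragraph will render as literal characters; either remove them or express the aside with markup. On the content side, the page recommends an empty passphrase for `ssh-keygen -t rsa` and opens with `sshd: ALL` in `/etc/hosts.allow` while the narrower `sshd: 192.168.1.` example appears only as an alternative; suggest presenting the restricted form first. The fact that every CD built from one base shares the pregenerated `/etc/ssh/ssh_host_*` keys, and the `rm /etc/ssh/ssh_host_*` / `/etc/rc.d/sshd restart` regeneration step, belong at the start of the "ssh host keys" section rather than as an "if security is important to you" afterthought, since a duplicated host key defeats host verification for every such CD. Also note that `ForwardX11Trusted yes` in the client's `ssh_config` applies to every host the client connects to, whereas `-Y` limits trusted forwarding to one session; the text should say so. Minor: a comma is missing after `<strong>/etc/ssh/ssh_host_dsa_key</strong>` in the host-key list, and `<strong>etc/ssh/ssh_config</strong>` lacks its leading slash.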