diff options
Diffstat (limited to 'build_tools/clarch/larch/docs/html/larch_ssh.html')
| -rw-r--r-- | build_tools/clarch/larch/docs/html/larch_ssh.html | 205 |
1 files changed, 205 insertions, 0 deletions
diff --git a/build_tools/clarch/larch/docs/html/larch_ssh.html b/build_tools/clarch/larch/docs/html/larch_ssh.html new file mode 100644 index 0000000..f7db018 --- /dev/null +++ b/build_tools/clarch/larch/docs/html/larch_ssh.html @@ -0,0 +1,205 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> + +<head> + <meta content="text/html;charset=UTF-8" http-equiv="Content-Type" /> + <title>larch ssh access</title> + <meta content="gradgrind" name="author"> +</head> + +<body> + +<table style="text-align: left; width: 100%;" border="1" cellpadding="2" cellspacing="2"> + <tbody> + <tr> + <td><a href="larch_sessionsave.html">Previous: Session saving</a></td> + + <td><a href="larch_docindex.html">Table of Contents</a></td> + + <td><a href="larch_running.html">Next: Running larch</a></td> + </tr> + </tbody> +</table> + +<br /> +<h1><big>larch</big> – a do-it-yourself live <em>Arch Linux</em> CD</h1> + +<img style="border: 0px solid ; width: 320px; height: 320px;" alt="" src="larch1.jpg" + name="graphics1" align="right" hspace="10" vspace="10" /> +<br /><br /> + +<h2>ssh access</h2> +<br /> + +<p>One feature I wanted in my live system was the ability to +access and control it remotely via <em>ssh</em>. <em>ssh</em> is +generally very useful, but here it also gives my installation CD a rare +advantage over most others - using it I can install <em>Arch Linux</em> +to a computer which has no keyboard or monitor. Insert the CD, boot up +the computer (assuming it is configured to boot from CD), and log in +via the network using another computer. Isn't <em>Linux</em> great! +</p> + +<p>Well, it doesn't quite work out of the box, though it could be +tweaked so that - in the right environment - it would. Firstly, there +must be a network connection which gets set up automatically - +the easiest is probably <em>DHCP</em> (so long as +you can then find the address of the live system), +but by tweaking <strong>rc.conf</strong> (via <strong>rcconfx</strong> +in the <em>profile</em> or by using the session saving feature) +a static address is also easy to set up. +Secondly you must provide the live system with your public key, so +that you are allowed access (using public key authentication), or else +set a password for the <em>larch</em> root user (probably easiest using the +session saving feature). +</p> + +<h4>id_rsa.pub & authorized_keys</h4> + +<p><strong>id_rsa.pub</strong> +is a public key, and it can be used to allow the user (on the remote machine) +whose key this is to <em>ssh</em> into the live system. +If you leave passwordless logins disabled (the +default), then so long as no root password is set, +the only way in (to the root account) is via public key authentication. +Of course, if you change the root password, anyone (who knows the +password) can log in via <em>ssh</em> +(if the <em>sshd</em> daemon is running). +</p> + +<p>To generate this key for your user (assuming you don't already +have one, in <strong>~/.ssh</strong>): +</p> + +<pre style="margin-left: 80px;">ssh-keygen -t rsa</pre> + +<p>Use the default destination file and empty passphrase +(normally you wouldn't do that, +but I think it is appropriate in this case). +</p> + +<p>In order to enable <em>ssh</em> to the root account on the live +system, the contents of this file (a single text line) must be placed in +the <em>larch</em> system's <strong>/root/.ssh/authorized_keys</strong> file. +This file will probably not yet +exist, so the 'id_rsa.pub' can be simply copied to it. +If doing this before building the live-CD, copy the file to this +position in the 'overlay' directory in the <em>profile</em>, being +careful to get ownerships (root:root) and permissions (644) correct. +To do this in a running <em>larch</em> system, copy the file to this location - +session saving will then preserve it. +</p> + +<p>If you don't need <em>sshd</em> on the live system, you can +remove it from the daemons in <strong>rc.conf</strong>.</p> +</p> + +<h4>/etc/hosts.allow</h4> + +<p> +This must be edited to allow <i>ssh</i> +access to the live system: +</p> + +<pre style="margin-left: 80px;"> +# To allow ssh in from anywhere +sshd: ALL +</pre> + +<p>If that is too radical for you, you might be able to restrict +it somewhat - that depends on your exact circumstances. For example: +</p> + +<pre style="margin-left: 80px;"> +# To allow ssh in from local net (example) +sshd: 192.168.1. +</pre> + +<h4>ssh host keys</h4> + +<p>The files +<strong>/etc/ssh/ssh_host_dsa_key</strong> +<strong>/etc/ssh/ssh_host_dsa_key.pub</strong>, +<strong>/etc/ssh/ssh_host_rsa_key</strong>, +<strong>/etc/ssh/ssh_host_rsa_key.pub</strong>, +<strong>/etc/ssh/ssh_host_key</strong>, +and +<strong>/etc/ssh/ssh_host_key.pub</strong> +are normally (in a hard-disk based system) generated on the first run of +<strong>/etc/rc.d/sshd</strong>, i.e. during the first boot after a new +installation. This only needs to be done once. However in a live-CD system +changes are generally lost when the system shuts down, so this would need +to be done at every boot, which takes a while, so I prefer to pregenerate them. +At present this is +done during the first phase of the live-CD build (the <em>Arch Linux</em> +installation phase). What this means is that all live-CDs generated from +this base will have the same ssh host keys. If security is important to +you, these should be regenerated, e.g. for the running <em>larch</em> system +as follows: +</p> + +<pre style="margin-left: 80px;"> +rm /etc/ssh/ssh_host_* +/etc/rc.d/sshd restart +</pre> + +<h3><a name="ssh_x11"></a><em>ssh</em> and <em>X11</em></h3> + +<p> +If you have set up 'X11 Forwarding' (see below), you can run X11 applications on the +live system from your remote system. This is very neat! Before <em>xorg</em> reached +version 7 there were complications due to the location of its <em>xauth</em> +program, but since that version this is at the <em>ssh</em> +default position, <strong>/usr/bin/xauth</strong>, so all should now be well. +</p> + +<p> +Bear in mind that this will only work if you use the -Y option to <em>ssh</em>, +or set up its configuration file properly. +</p> + +[ +<p style="margin-left: 40px;"> +If, for some reason you are not using Xorg7(+), you may need to set the <em>xauth</em> +path in <strong>/etc/ssh/sshd_config</strong> +and/or <strong>/etc/ssh/ssh_config</strong> (or set a <em>symlink</em> from <strong>/usr/bin/xauth</strong> to <strong>/usr/X11R6/bin/xauth</strong>): +</p> + +<pre style="margin-left: 80px;">XAuthLocation /usr/X11R6/bin/xauth</pre> +] + +<h4>/etc/ssh/sshd_config</h4> + +<p>This file is changed to allow X applications to run on the +live system but display on another: +</p> + +<pre style="margin-left: 80px;">X11Forwarding yes</pre> + +<p> +This will only work if you use the -Y option to <em>ssh</em> +on the system from which you log in, and on which +you want to display the X windows (e.g. 'ssh -Y +root@192.168.0.201'). Alternatively you can put the +following in <em>its</em> <strong>etc/ssh/ssh_config</strong>: +</p> + +<pre style="margin-left: 80px;"> +ForwardX11 yes +ForwardX11Trusted yes +</pre> + +<table style="text-align: left; width: 100%;" border="1" cellpadding="2" cellspacing="2"> + <tbody> + <tr> + <td><a href="larch_sessionsave.html">Previous: Session saving</a></td> + + <td><a href="larch_docindex.html">Table of Contents</a></td> + + <td><a href="larch_running.html">Next: Running larch</a></td> + </tr> + </tbody> +</table> + +</body> +</html> |