Previous: Session saving Table of Contents Next: Running larch

larch – a do-it-yourself live Arch Linux CD



ssh access


One feature I wanted in my live system was the ability to access and control it remotely via ssh. ssh is generally very useful, but here it also gives my installation CD a rare advantage over most others - using it I can install Arch Linux to a computer which has no keyboard or monitor. Insert the CD, boot up the computer (assuming it is configured to boot from CD), and log in via the network using another computer. Isn't Linux great!

Well, it doesn't quite work out of the box, though it could be tweaked so that - in the right environment - it would. Firstly, there must be a network connection which gets set up automatically - the easiest is probably DHCP (so long as you can then find the address of the live system), but by tweaking rc.conf (via rcconfx in the profile or by using the session saving feature) a static address is also easy to set up. Secondly you must provide the live system with your public key, so that you are allowed access (using public key authentication), or else set a password for the larch root user (probably easiest using the session saving feature).

id_rsa.pub & authorized_keys

id_rsa.pub is a public key, and it can be used to allow the user (on the remote machine) whose key this is to ssh into the live system. If you leave passwordless logins disabled (the default), then so long as no root password is set, the only way in (to the root account) is via public key authentication. Of course, if you change the root password, anyone (who knows the password) can log in via ssh (if the sshd daemon is running).

To generate this key for your user (assuming you don't already have one, in ~/.ssh):

ssh-keygen -t rsa

Use the default destination file and empty passphrase (normally you wouldn't do that, but I think it is appropriate in this case).

In order to enable ssh to the root account on the live system, the contents of this file (a single text line) must be placed in the larch system's /root/.ssh/authorized_keys file. This file will probably not yet exist, so the 'id_rsa.pub' can be simply copied to it. If doing this before building the live-CD, copy the file to this position in the 'overlay' directory in the profile, being careful to get ownerships (root:root) and permissions (644) correct. To do this in a running larch system, copy the file to this location - session saving will then preserve it.

If you don't need sshd on the live system, you can remove it from the daemons in rc.conf.

/etc/hosts.allow

This must be edited to allow ssh access to the live system:

# To allow ssh in from anywhere
sshd: ALL

If that is too radical for you, you might be able to restrict it somewhat - that depends on your exact circumstances. For example:

# To allow ssh in from local net (example)
sshd: 192.168.1.

ssh host keys

The files /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_rsa_key.pub, /etc/ssh/ssh_host_key, and /etc/ssh/ssh_host_key.pub are normally (in a hard-disk based system) generated on the first run of /etc/rc.d/sshd, i.e. during the first boot after a new installation. This only needs to be done once. However in a live-CD system changes are generally lost when the system shuts down, so this would need to be done at every boot, which takes a while, so I prefer to pregenerate them. At present this is done during the first phase of the live-CD build (the Arch Linux installation phase). What this means is that all live-CDs generated from this base will have the same ssh host keys. If security is important to you, these should be regenerated, e.g. for the running larch system as follows:

rm /etc/ssh/ssh_host_*
/etc/rc.d/sshd restart

ssh and X11

If you have set up 'X11 Forwarding' (see below), you can run X11 applications on the live system from your remote system. This is very neat! Before xorg reached version 7 there were complications due to the location of its xauth program, but since that version this is at the ssh default position, /usr/bin/xauth, so all should now be well.

Bear in mind that this will only work if you use the -Y option to ssh, or set up its configuration file properly.

[

If, for some reason you are not using Xorg7(+), you may need to set the xauth path in /etc/ssh/sshd_config and/or /etc/ssh/ssh_config (or set a symlink from /usr/bin/xauth to /usr/X11R6/bin/xauth):

XAuthLocation /usr/X11R6/bin/xauth
]

/etc/ssh/sshd_config

This file is changed to allow X applications to run on the live system but display on another:

X11Forwarding yes

This will only work if you use the -Y option to ssh on the system from which you log in, and on which you want to display the X windows (e.g. 'ssh -Y root@192.168.0.201'). Alternatively you can put the following in its etc/ssh/ssh_config:

ForwardX11 yes
ForwardX11Trusted yes
Previous: Session saving Table of Contents Next: Running larch