<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type" />
<title>larch ssh access</title>
<meta content="gradgrind" name="author">
</head>
<body>
<table style="text-align: left; width: 100%;" border="1" cellpadding="2" cellspacing="2">
<tbody>
<tr>
<td><a href="larch_sessionsave.html">Previous: Session saving</a></td>
<td><a href="larch_docindex.html">Table of Contents</a></td>
<td><a href="larch_running.html">Next: Running larch</a></td>
</tr>
</tbody>
</table>
<br />
<h1><big>larch</big> – a do-it-yourself live <em>Arch Linux</em> CD</h1>
<img style="border: 0px solid ; width: 320px; height: 320px;" alt="" src="larch1.jpg"
name="graphics1" align="right" hspace="10" vspace="10" />
<br /><br />
<h2>ssh access</h2>
<br />
<p>One feature I wanted in my live system was the ability to
access and control it remotely via <em>ssh</em>. <em>ssh</em> is
generally very useful, but here it also gives my installation CD a rare
advantage over most others - using it I can install <em>Arch Linux</em>
to a computer which has no keyboard or monitor. Insert the CD, boot up
the computer (assuming it is configured to boot from CD), and log in
via the network using another computer. Isn't <em>Linux</em> great!
</p>
<p>Well, it doesn't quite work out of the box, though it could be
tweaked so that - in the right environment - it would. Firstly, there
must be a network connection which gets set up automatically -
the easiest is probably <em>DHCP</em> (so long as
you can then find the address of the live system),
but by tweaking <strong>rc.conf</strong> (via <strong>rcconfx</strong>
in the <em>profile</em> or by using the session saving feature)
a static address is also easy to set up.
Secondly you must provide the live system with your public key, so
that you are allowed access (using public key authentication), or else
set a password for the <em>larch</em> root user (probably easiest using the
session saving feature).
</p>
<h4>id_rsa.pub & authorized_keys</h4>
<p><strong>id_rsa.pub</strong>
is a public key, and it can be used to allow the user (on the remote machine)
whose key this is to <em>ssh</em> into the live system.
If you leave passwordless logins disabled (the
default), then so long as no root password is set,
the only way in (to the root account) is via public key authentication.
Of course, if you change the root password, anyone (who knows the
password) can log in via <em>ssh</em>
(if the <em>sshd</em> daemon is running).
</p>
<p>To generate this key for your user (assuming you don't already
have one, in <strong>~/.ssh</strong>):
</p>
<pre style="margin-left: 80px;">ssh-keygen -t rsa</pre>
<p>Use the default destination file and empty passphrase
(normally you wouldn't do that,
but I think it is appropriate in this case).
</p>
<p>In order to enable <em>ssh</em> to the root account on the live
system, the contents of this file (a single text line) must be placed in
the <em>larch</em> system's <strong>/root/.ssh/authorized_keys</strong> file.
This file will probably not yet
exist, so the 'id_rsa.pub' can be simply copied to it.
If doing this before building the live-CD, copy the file to this
position in the 'overlay' directory in the <em>profile</em>, being
careful to get ownerships (root:root) and permissions (644) correct.
To do this in a running <em>larch</em> system, copy the file to this location -
session saving will then preserve it.
</p>
<p>If you don't need <em>sshd</em> on the live system, you can
remove it from the daemons in <strong>rc.conf</strong>.</p>
</p>
<h4>/etc/hosts.allow</h4>
<p>
This must be edited to allow <i>ssh</i>
access to the live system:
</p>
<pre style="margin-left: 80px;">
# To allow ssh in from anywhere
sshd: ALL
</pre>
<p>If that is too radical for you, you might be able to restrict
it somewhat - that depends on your exact circumstances. For example:
</p>
<pre style="margin-left: 80px;">
# To allow ssh in from local net (example)
sshd: 192.168.1.
</pre>
<h4>ssh host keys</h4>
<p>The files
<strong>/etc/ssh/ssh_host_dsa_key</strong>
<strong>/etc/ssh/ssh_host_dsa_key.pub</strong>,
<strong>/etc/ssh/ssh_host_rsa_key</strong>,
<strong>/etc/ssh/ssh_host_rsa_key.pub</strong>,
<strong>/etc/ssh/ssh_host_key</strong>,
and
<strong>/etc/ssh/ssh_host_key.pub</strong>
are normally (in a hard-disk based system) generated on the first run of
<strong>/etc/rc.d/sshd</strong>, i.e. during the first boot after a new
installation. This only needs to be done once. However in a live-CD system
changes are generally lost when the system shuts down, so this would need
to be done at every boot, which takes a while, so I prefer to pregenerate them.
At present this is
done during the first phase of the live-CD build (the <em>Arch Linux</em>
installation phase). What this means is that all live-CDs generated from
this base will have the same ssh host keys. If security is important to
you, these should be regenerated, e.g. for the running <em>larch</em> system
as follows:
</p>
<pre style="margin-left: 80px;">
rm /etc/ssh/ssh_host_*
/etc/rc.d/sshd restart
</pre>
<h3><a name="ssh_x11"></a><em>ssh</em> and <em>X11</em></h3>
<p>
If you have set up 'X11 Forwarding' (see below), you can run X11 applications on the
live system from your remote system. This is very neat! Before <em>xorg</em> reached
version 7 there were complications due to the location of its <em>xauth</em>
program, but since that version this is at the <em>ssh</em>
default position, <strong>/usr/bin/xauth</strong>, so all should now be well.
</p>
<p>
Bear in mind that this will only work if you use the -Y option to <em>ssh</em>,
or set up its configuration file properly.
</p>
[
<p style="margin-left: 40px;">
If, for some reason you are not using Xorg7(+), you may need to set the <em>xauth</em>
path in <strong>/etc/ssh/sshd_config</strong>
and/or <strong>/etc/ssh/ssh_config</strong> (or set a <em>symlink</em> from <strong>/usr/bin/xauth</strong> to <strong>/usr/X11R6/bin/xauth</strong>):
</p>
<pre style="margin-left: 80px;">XAuthLocation /usr/X11R6/bin/xauth</pre>
]
<h4>/etc/ssh/sshd_config</h4>
<p>This file is changed to allow X applications to run on the
live system but display on another:
</p>
<pre style="margin-left: 80px;">X11Forwarding yes</pre>
<p>
This will only work if you use the -Y option to <em>ssh</em>
on the system from which you log in, and on which
you want to display the X windows (e.g. 'ssh -Y
root@192.168.0.201'). Alternatively you can put the
following in <em>its</em> <strong>etc/ssh/ssh_config</strong>:
</p>
<pre style="margin-left: 80px;">
ForwardX11 yes
ForwardX11Trusted yes
</pre>
<table style="text-align: left; width: 100%;" border="1" cellpadding="2" cellspacing="2">
<tbody>
<tr>
<td><a href="larch_sessionsave.html">Previous: Session saving</a></td>
<td><a href="larch_docindex.html">Table of Contents</a></td>
<td><a href="larch_running.html">Next: Running larch</a></td>
</tr>
</tbody>
</table>
</body>
</html>