ssh access

One feature I wanted in my live system was the ability to access and control it remotely via ssh. ssh is generally very useful, but in the case of a live CD (etc.) it allows operations to be carried out on a remote computer, even one without keyboard or monitor. Insert the CD, boot up the computer (assuming it is configured to boot from CD), and log in via the network using another computer. Isn't Linux great!

Well, it doesn't quite work out of the box, though it could be tweaked so that - in the right environment - it would. Firstly, there must be a network connection which gets set up automatically - the easiest is probably DHCP (so long as you can then find the address of the live system), but by tweaking rc.conf in the profile (or by using the session saving feature) a static address is also easy to set up. Secondly you must provide the live system with your public key, so that you are allowed access (using public key authentication), or else set a password for the larch root user (probably easiest using the session saving feature).

id_rsa.pub and authorized_keys

id_rsa.pub is a public key, and it can be used to allow the user (on the remote machine) whose key this is to ssh into the live system. If you leave passwordless logins disabled (the default), then so long as no root password is set, the only way in (to the root account) is via public key authentication. Of course, if you change the root password, anyone (who knows the password) can log in via ssh (if the sshd daemon is running).

To generate this key for your user (assuming you don't already have one, in ~/.ssh) do something like:

ssh-keygen -t rsa

Use the default destination file and empty passphrase (normally you wouldn't do that, but I think it is appropriate in this case). See the ssh man-page for more information.

In order to enable ssh to the root account on the live system, the contents of this file (a single text line) must be placed in the larch system's /root/.ssh/authorized_keys file. This file will probably not yet exist, so the 'id_rsa.pub' can be simply copied to it. If doing this before building the live system, copy the file to this position in the 'rootoverlay' directory in the profile, being careful to get the permissions (644) correct. To do this in a running larch system, copy the file to this location - session saving will then preserve it.

If you don't need sshd on the live system, you can remove it from the daemons in rc.conf.

/etc/hosts.allow

This must be edited to allow ssh access to the live system:

# To allow ssh in from anywhere
sshd: ALL

If that is too radical for you, you might be able to restrict it somewhat - that depends on your exact circumstances. For example:

# To allow ssh in from local net (example)
sshd: 192.168.1.

ssh host keys

The files /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_rsa_key.pub, /etc/ssh/ssh_host_key, and /etc/ssh/ssh_host_key.pub are normally (in a hard-disk based system) generated on the first run of /etc/rc.d/sshd, i.e. during the first boot after a new installation. This only needs to be done once. However in a live system changes are generally lost when the system shuts down, so this would need to be done at every boot, which takes a while, so I prefer to pregenerate them. The larch gui offers a checkbox to enable this pregeneration on the 'larchify' page. To regenerate these manually (while running the live system) you can do the following:

rm /etc/ssh/ssh_host_*
/etc/rc.d/sshd restart

ssh and X11

If you have set up 'X11 Forwarding' (see below), you can run X11 applications on the live system from your remote system. This is very neat!

/etc/ssh/sshd_config

This file is changed to allow X applications to run on the live system but display on another:

X11Forwarding yes

This will only work if you use the -Y option to ssh on the system from which you log in, and on which you want to display the X windows (e.g. 'ssh -Y root@192.168.0.201'). Alternatively you can put the following in its etc/ssh/ssh_config:

ForwardX11 yes
ForwardX11Trusted yes