name="graphics1" align="right" hspace="10" vspace="10" />

ssh access

One feature I wanted in my live system was the ability to
access and control it remotely via ssh. ssh is
generally very useful, but here it also gives my installation CD a rare
advantage over most others - using it I can install Arch Linux
to a computer which has no keyboard or monitor. Insert the CD, boot up
the computer (assuming it is configured to boot from CD), and log in
via the network using another computer. Isn't Linux great!

Well, it doesn't quite work out of the box, though it could be
tweaked so that - in the right environment - it would. Firstly, there
must be a network connection which gets set up automatically -
the easiest is probably DHCP (so long as
you can then find the address of the live system),
but by tweaking rc.conf (via rcconfx
in the profile or by using the session saving feature)
a static address is also easy to set up.
Secondly you must provide the live system with your public key, so
that you are allowed access (using public key authentication), or else
set a password for the larch root user (probably easiest using the
session saving feature).

id_rsa.pub & authorized_keys

id_rsa.pub
is a public key, and it can be used to allow the user (on the remote machine)
whose key this is to ssh into the live system.
If you leave passwordless logins disabled (the
default), then so long as no root password is set,
the only way in (to the root account) is via public key authentication.
Of course, if you change the root password, anyone (who knows the
password) can log in via ssh
(if the sshd daemon is running).

To generate this key for your user (assuming you don't already
have one, in ~/.ssh):

ssh-keygen -t rsa

Use the default destination file and empty passphrase
(normally you wouldn't do that,
but I think it is appropriate in this case).

In order to enable ssh to the root account on the live
system, the contents of this file (a single text line) must be placed in
the larch system's /root/.ssh/authorized_keys file.
This file will probably not yet
exist, so the 'id_rsa.pub' can be simply copied to it.
If doing this before building the live-CD, copy the file to this
position in the 'overlay' directory in the profile, being
careful to get ownerships (root:root) and permissions (644) correct.
To do this in a running larch system, copy the file to this location -
session saving will then preserve it.

If you don't need sshd on the live system, you can
remove it from the daemons in rc.conf.

/etc/hosts.allow

This must be edited to allow ssh
access to the live system:

# To allow ssh in from anywhere
sshd: ALL

If that is too radical for you, you might be able to restrict
it somewhat - that depends on your exact circumstances. For example:

# To allow ssh in from local net (example)
sshd: 192.168.1.

ssh host keys

The files
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub,
/etc/ssh/ssh_host_rsa_key,
/etc/ssh/ssh_host_rsa_key.pub,
/etc/ssh/ssh_host_key,
and
/etc/ssh/ssh_host_key.pub
are normally (in a hard-disk based system) generated on the first run of
/etc/rc.d/sshd, i.e. during the first boot after a new
installation. This only needs to be done once. However in a live-CD system
changes are generally lost when the system shuts down, so this would need
to be done at every boot, which takes a while, so I prefer to pregenerate them.
At present this is
done during the first phase of the live-CD build (the Arch Linux
installation phase). What this means is that all live-CDs generated from
this base will have the same ssh host keys. If security is important to
you, these should be regenerated, e.g. for the running larch system
as follows:

rm /etc/ssh/ssh_host_*
/etc/rc.d/sshd restart

ssh and X11

If you have set up 'X11 Forwarding' (see below), you can run X11 applications on the
live system from your remote system. This is very neat! Before xorg reached
version 7 there were complications due to the location of its xauth
program, but since that version this is at the ssh
default position, /usr/bin/xauth, so all should now be well.

Bear in mind that this will only work if you use the -Y option to ssh,
or set up its configuration file properly.

[

If, for some reason you are not using Xorg7(+), you may need to set the xauth
path in /etc/ssh/sshd_config
and/or /etc/ssh/ssh_config (or set a symlink from /usr/bin/xauth to /usr/X11R6/bin/xauth):

XAuthLocation /usr/X11R6/bin/xauth

]

/etc/ssh/sshd_config

This file is changed to allow X applications to run on the
live system but display on another:

X11Forwarding yes

This will only work if you use the -Y option to ssh
on the system from which you log in, and on which
you want to display the X windows (e.g. 'ssh -Y
[email protected]'). Alternatively you can put the
following in its etc/ssh/ssh_config:

ForwardX11 yes
ForwardX11Trusted yes