Hello,
this technique for starting opensshd requires only a two-line edit in
the current build scripts.
In the autosshd script, replace these two lines:

    if cat /proc/cmdline | grep -q "autosshd"; then
        echo "root:lfs" | chpasswd

with:

    if [ -f /autosshd ] ; then

Then clean up /boot/isolinux/isolinux.cfg to always start linux, not
linux-autosshd (you can drop linux-autosshd completely).
That's all! I was wrong about the need to swap anything in initramfs
mount of unionfs.
HOWTO use:
As you can see, there's no /autosshd file on the official LFS CD. You
have to customize the CD by appending a second session to it.
First, burn the official ISO image in a multi-session mode:

    cdrecord dev=/dev/cdrom driveropts=burnfree -v -multi -tao \
        lfslivecd-x86-6.1-1-rc1-with-this-mod.iso

Then, prepare a second session:

    mkdir second-session
    mkdir -m 700 second-session/root
    mkdir second-session/root/.ssh
    cp ~/.ssh/id_dsa.pub second-session/root/.ssh/authorized_keys
    mkdir -p second-session/etc/sysconfig/network-devices/
    # edit second-session/etc/sysconfig/network-devices/ifconfig.eth0
    # edit second-session/etc/sysconfig/network
    # add whatever else you want, e.g. modified /etc/shadow

The main thing:

    touch second-session/autosshd

Create the ISO for the second session:

    mkisofs -M lfslivecd-x86-6.1-1-rc1-with-this-mod.iso \
        -C `cdrecord -msinfo dev=/dev/cdrom` \
        -R -o second-session.iso second-session

Append it to the CD you just burned:

    cdrecord dev=/dev/cdrom driveropts=burnfree -v -multi -tao \
        second-session.iso

Then boot the CD, and the SSH daemon will start. It will let you in with
your SSH key or a password if you have modified /etc/shadow.
Advantages over the current autosshd method:
1) Better security: the LFS team and hackers who read the LFS lists
don't know your password/key.
2) No unexpected autosshd startup.
3) Ability to configure the IP address (so that a DHCP server that hands
out a known address isn't needed).
4) Ability to supply your own ssh host keys instead of relying
upon the generated ones.
--
Alexander E. Patrakov
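
Added example, not part of the original message: a pre-flight check for the second-session directory described in the HOWTO above, run before mkisofs. The function name is hypothetical, and it assumes that any host keys you supply are placed under etc/ssh/.

```shell
#!/bin/sh
# Added example: pre-flight check of a second-session staging tree.
# Assumption: SSH host keys, if supplied, are placed under etc/ssh/.

# check_second_session DIR
# Returns 0 if DIR looks safe to hand to mkisofs, 1 otherwise.
check_second_session() {
    dir=$1
    rc=0
    fail() { echo "check: $*" >&2; rc=1; }

    # The modified autosshd script only starts sshd if /autosshd exists.
    [ -f "$dir/autosshd" ] || fail "missing autosshd marker, sshd will not start"

    # There must be a way to log in: a public key or a modified shadow file.
    keys="$dir/root/.ssh/authorized_keys"
    if [ -s "$keys" ]; then
        # Any non-blank, non-comment line that is not a public key is an error
        # (typical cause: id_dsa was copied instead of id_dsa.pub).
        if grep -v -E '^[[:space:]]*(#|$)' "$keys" |
           grep -q -v -E '(ssh-(dss|rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+'
        then
            fail "authorized_keys contains a line that is not a public key"
        fi
    elif [ ! -s "$dir/etc/shadow" ]; then
        fail "no authorized_keys and no etc/shadow, nobody could log in"
    fi

    # root/ was created with mkdir -m 700; make sure it still has that mode.
    if [ -d "$dir/root" ] && [ -z "$(find "$dir/root" -prune -perm 700)" ]; then
        fail "root/ is not mode 700"
    fi

    # Private keys do not belong on the CD, except host keys under etc/ssh/.
    leaked=$(find "$dir" -path "$dir/etc/ssh" -prune -o -type f \
                 -exec grep -l -e 'PRIVATE KEY-----' {} + 2>/dev/null) || true
    [ -z "$leaked" ] || fail "private key material found in: $leaked"

    return "$rc"
}
```

Source the file and call `check_second_session second-session` before the mkisofs step; problems are reported on stderr.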