Tuesday, January 02, 2007

Making a secure bootable cd with sshd and my ssh keys

Update: ddclient doesn't seem to work. I don't have time to figure out why, the rest works fine though. Update: slax is currently "frozen", I've updated the links in this doc to point to the legacy hosting service. Also, it seems that they have messed with the sshd config and possibly broken it in the latest version.

I've built a headless box that's going to live in Japan when I go back to Ireland. There'll be no one in Japan to fix it if it goes bad. The best I can do is get someone to insert a CD and reboot but after some searching and some asking it seems none of the bootable CDs will boot the machine into a useful state for remote admin. slax was recommended to me on TLUG as a good customisable distro. It turned out to be pretty easy thanks to slax's rootcopy feature which allows you to make minor modifications without digging around (too much) in the compressed package files. I've broken the process down into a few steps, with a quick bash script for each one.

Create a directory to work in and cd into it

mkdir slax cd slax

Get a copy of the .iso

You need slax-frodo-x.y.z.iso, you can get it from the slax download page. The frodo edition is the minimal version on which all the others are based.

Make a copy of the files from the CD

This is necessary because we need to add some files. So I ran this as ./prep_image.sh ~/slax-frodo-5.1.8.iso

#! /bin/bash iso=$1 shift if [ "$iso" = '' ]; then echo 1>&2 Usage: echo 1>&2 "$0 " exit 1 fi mkdir slax.mnt mount -t iso9660 $iso slax.mnt -o loop cp -v -Tr --preserve=all slax.mnt slax umount slax.mnt

Enable SSH

It's disabled by default (rc.sshd is not executable), so I replace it with one that is executable. I also turn off password logins because everyone knows the root password for slax. Finally I include an authorized_keys file so that I can ssh in with my ssh key. I ran this script as ./enable_ssh.sh ~/.ssh/authorized_keys

#! /bin/bash auth_keys=$1 shift if [ "$auth_keys" = '' ]; then echo 1>&2 Usage: echo 1>&2 "$0 <path/to/auth_keys_file<" exit 1 fi # make rc.sshd executable and stop root logins using a password # # extract rc.sshd from the module and tweak the permissions mkdir 02_core.mnt mount -t squashfs slax/base/02_core.mo 02_core.mnt -o loop mkdir -p rootcopy/etc/rc.d cp 02_core.mnt/etc/rc.d/rc.sshd rootcopy/etc/rc.d chmod 700 rootcopy/etc/rc.d/rc.sshd # disable password logins mkdir -p rootcopy/etc/ssh cp 02_core.mnt/etc/ssh/sshd_config rootcopy/etc/ssh cat >> rootcopy/etc/ssh/sshd_config <<EOM # since we're starting sshd by default, don't allow root logins with # passwd, must use ssh keys PasswordAuthentication no EOM # install keys file mkdir -p rootcopy/root/.ssh chmod 700 rootcopy/root/.ssh cp $auth_keys rootcopy/root/.ssh chmod 600 rootcopy/root/.ssh/authorized_keys cp -r --preserve=all rootcopy/* slax/rootcopy umount 02_core.mnt

Update a dyndns entry

The machine is on a cable modem and doesn't have a fixed IP, so I need to know where it is. I downloaded the ddclient module and the following script puts it in place, puts your ddclient.conf file into /etc and makes sure that it gets started on boot (I assumed it would start by itself actually, I'm not sure if that's a bug or not). I invoked this script as ./ddclient.sh ddclient.conf

#! /bin/bash conf=$1 shift if [ "$conf" = '' ]; then echo 1>&2 Usage: echo 1>&2 "$0 " exit 1 fi cp ddclient_3_7_0.mo slax/base mkdir -p rootcopy/etc/ cp $conf rootcopy/etc/ddclient.conf mkdir -p rootcopy/etc/rc.d cat > rootcopy/etc/rc.d/rc.local <<EOM #! /bin/bash /etc/rc.d/rc.ddclient start EOM chmod 755 rootcopy/etc/rc.d/rc.local

Add any other modules

There doesn't appear to be an editor in the slax-frodo image so I grabbed joe and copied the .mo into slax/base/

Move files into place and create a new .iso

So far everything we've done has been in a rootcopy/ directory in the current directory. Now it's time to move that into place in slax/ and invoke the iso building script with the following script which outputs it to slax-ssh.iso in the current directory.

#! /bin/bash rm -rf slax/rootcopy cp -r --preserve=all rootcopy slax cd slax ./make_iso.sh ../slax-ssh.iso

Test it in qemu

qemu -cdrom slax-ssh.iso should boot up. I never figured out how to get qemu bring up a real IP interface - the virtual machine can connect to the outside world but I can't connect to it. I tested it by setting up an ssh tunnel connecting port 22 on the VM to port 2022 on the host machine with ssh -R2022:localhost:22 fergal@my.host.machine.ip. Then I did ssh -p 2022 root@localhost with my ssh keys loaded and in I went. When my keys aren't loaded, I don't get a password prompt so I can't get in. Perfect.

Post a Comment