
Thursday, December 02, 2004

Setting up VNC through an SSH tunnel

On the server:

Edit /etc/ssh/sshd_config. Make sure the line X11Forwarding yes is present and uncommented.
Make sure Compression yes is also present and uncommented. Restart sshd.

Make sure your firewall is off. If you use shorewall, run shorewall clear after shutting it off, otherwise all access is denied by default.

If you use tcpwrappers, make sure you have the proper access controls for the remote clients. If you want to test it from the same machine, you need to add 127.0.0.1 to /etc/hosts.allow.

emerge tightvnc (I used ~x86); make sure the tcpd USE flag is enabled for extra security (assuming you configured /etc/hosts.allow and /etc/hosts.deny).

Comment out these two lines in /etc/security/pam_env.conf

REMOTEHOST ......
DISPLAY .....

Make sure those lines are commented out, or X11 forwarding will not work!

Run Xvnc :1 as root (not 100% sure this is necessary, but I had problems until I did this).

This will create a config file in /root/.vnc/. If you want to run a window manager you will want to edit this file. It's obvious what to do: just put your window manager of choice in place of twm. Run something light like fluxbox; everything else is very slow over ssh.

After the config is created just run vncserver to start the server.

On the client:

emerge tightvnc

You want to create an encrypted ssh tunnel. To do this, run something like this:

ssh -C -L 5902:vnc-server1:5901 vnc-server1

This uses compression (-C) and sets up a tunnel that starts at port 5902 on your client and ends at port 5901 on the vnc server.

Now the cool part...

vncviewer localhost:5902

That connects to port 5902 on your client (over the loopback interface, so no unencrypted traffic hits the net); ssh then captures the traffic, encrypts it, and transmits it through the tunnel to port 5901 on your vnc server.

If all goes well you will be prompted for the password on your server and get the window manager you configured to run previously (twm is the default if you don't change it).

Just remember once you create the ssh tunnel in a command window, you are connected to the server in that console. You need to open another console to run the vncviewer, otherwise you will be running it on the server.
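As an added example (not code from the original post), here is a small POSIX shell helper for the tunnel above. It builds the same -L forwarding spec with the local end bound explicitly to 127.0.0.1, refuses any spec that would bind to a non-loopback address, and starts ssh with -N and -f so no remote shell is opened and the viewer can be started from the same terminal. The host name vnc-server1 and the display numbers are taken from the post; nothing else is assumed about the server.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH on the client
# and a VNC server serving display :1 on the host "vnc-server1" (placeholder).

# VNC display :N listens on TCP port 5900+N (display :1 -> 5901).
vnc_port() {
    echo $((5900 + $1))
}

# Build the -L spec for ssh. Binding to 127.0.0.1 explicitly means the
# plaintext end of the tunnel is never reachable from the LAN, even if the
# client's ssh_config sets GatewayPorts.
#   vnc_forward_spec LOCAL_DISPLAY REMOTE_DISPLAY SERVER
vnc_forward_spec() {
    printf '127.0.0.1:%s:%s:%s\n' "$(vnc_port "$1")" "$3" "$(vnc_port "$2")"
}

# Return 0 only when the spec explicitly binds the local listener to loopback.
forward_is_loopback() {
    case "$1" in
        127.0.0.1:*|localhost:*|::1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Open the tunnel: -C compression (as in the post), -N no remote command,
# -f go to the background once the forward is up. This avoids the trap of
# being left in a shell on the server and starting vncviewer there.
start_vnc_tunnel() {
    spec=$(vnc_forward_spec "$1" "$2" "$3")
    if ! forward_is_loopback "$spec"; then
        echo "refusing non-loopback bind: $spec" >&2
        return 1
    fi
    ssh -f -N -C -L "$spec" "$3"
}

# Stand-alone run: show the spec for local display :2 -> remote display :1.
# For real use:  start_vnc_tunnel 2 1 vnc-server1 && vncviewer 127.0.0.1:5902
vnc_forward_spec 2 1 vnc-server1
```

Because ssh is started with -N, the command returns to your prompt once the forward is up instead of leaving you logged in on the server, which is the mistake the paragraph above warns about.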

I think this documentation is pretty complete, but let me know if I missed something.

Thursday, November 11, 2004

Gentoo Install Guide

This guide has tips for installing Gentoo Linux for a very cutting-edge system. Many steps here are optional, but there's a good bit more here than in the basic installation guide.

Assuming Stage 1 installation

Choose Install Media

LiveCDMinimal for most installs
LiveCD Universal sometimes works when minimal does not
Knoppix cd sometimes has better hardware support, full GUI for install
(if using knoppix cd, see alternative install guide on Gentoo site)
Custom LiveCD's currently needed if using Reiser4 FS

Boot the cd; remember to use special options for smp support, the latest kernel (knoppix), etc.

set root password

ifconfig to make sure networking is up.

Some network modules are not loaded automatically: modprobe the module and start /etc/init.d/net.eth0. Some network cards are detected as eth1 or something else instead of eth0. Copy /etc/init.d/net.eth0 to a new script with the corresponding name, such as /etc/init.d/net.eth1, and edit /etc/conf.d/net to reflect the change. Then restart the proper init script.

start sshd and begin install from remote machine

Use fdisk to create partitions

make /boot, /, and /usr separate partitions if space is available

create swap partition (type 82)

toggle /boot bootable

make filesystems on each partition

use mkfs.xfs -f for xfs ...

I never use ext3 for anything! XFS, Reiser3, Reiser4, JFS in order of preference. R4 does not currently support ACLs or extended attributes.

swapon /dev/hdxx
mount root partition to /mnt/gentoo
mkdir /mnt/gentoo/boot

create any other directories mounted separately such as /usr
mount other partitions such as boot to appropriate directory
if mounting /tmp separately, must be chmod 1777 after mounting

date (make sure time is correct)
set time if necessary.
date MMDDhhmmYYYY

cd /mnt/gentoo

Use links2 to download stage1 tarball and md5
md5sum -c stage1.tar.bz2.md5
tar -xvjpf stage1.tar.bz2

nano -w /mnt/gentoo/etc/make.conf

use the -Os option for old machines and laptops

adjust lines below accordingly
CFLAGS="-O3 -march=pentium4 -pipe -fomit-frame-pointer -mmmx -msse -msse2"
CHOST="i686-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j3"
GENTOO_MIRRORS="ftp://ftp.uwsg.iu.edu/pub/linux/gentoo"
LDFLAGS="-Wl,-O1" (not proven yet)

Typical use flags

USE="-gnome -fortran X X509 acl acpi alsa apache2 arts audiofile avi bash-completion bzlib cdr chroot cups divx4linux dvd dvdr exif fbcon ftp gd gif gnustep gphoto2 gtk gtk2 gtkhtml imagemagick java jikes jpeg justify kde kerberos ldap memlimit mime mmx mng mozilla mpeg ncurses nls nptl nptlonly objc offensive openal opengl pam pcmcia(laptops) pdflib perl php png pnp(laptop only) posix python qt quicktime readline samba sdl skey spell sse ssl svg svga szip tcltk tcpd tiff truetype unicode usb wifi (laptop only) wmf wxwindows xine xml xml2 xmms xvid zlib x86"

These are not at all inclusive, just ones I typically use; it varies drastically depending on the machine I am building. Always check the latest flags and do -pv or -av with emerges.

edit /mnt/gentoo/etc/make.conf to include GENTOO_MIRRORS="ftp://ftp.uwsg.iu.edu mirror".

cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
mount -t proc none /mnt/gentoo/proc
chroot /mnt/gentoo /bin/bash
env-update
source /etc/profile

emerge sync

create directory /etc/portage

create files in this directory – package.use, package.keywords, package.mask, package.unmask.

edit /etc/portage/package.use

#start code
sys-libs/glibc userlocales
#finish code

edit /etc/locales.build

#start code
en_US/ISO-8859-1
en_US.UTF-8/UTF-8
#finish code

emerge -C linux-headers (remove old linux 2.4 headers)
emerge --nodeps linux26-headers
add "nptl nptlonly" to useflags (native posix threads library, performance boost)
add below to /etc/portage/package.keywords
#start code
sys-devel/gcc ~x86
sys-libs/libstdc++-v3 ~x86
sys-libs/glibc ~x86
#finish code

rm "/etc/make.profile"

ln -s "../usr/portage/profiles/gcc34-x86-2004.2/" "/etc/make.profile"

cd /usr/portage

scripts/bootstrap.sh (use -f if downloading first)

NOTE: add pentium-m to optimization for laptop with new compiler after building new compiler 1st time (bootstrap)

make sure /etc/locales.build hasn't changed...if so edit again as mentioned previously


re-emerge gcc, then glibc, then binutils (this is to rebuild these with the new compiler)

make sure (again) /etc/locales.build hasn't changed...if so edit again as mentioned previously

emerge -av system (watch for any new flags)

ln -sf /usr/share/zoneinfo/EST /etc/localtime

ACCEPT_KEYWORDS="~x86" emerge -av gentoo-dev-sources (or other)

configure kernel

Kernel Notes:

If using Reiser4, must disable 4k stacks in kernel hacking to be able to choose Reiser4. Currently only mm-sources, and some other sources like speedy and nitro support R4.
Must patch mm-sources for splash, must patch sources on laptop for mppe for VPN

ramdisk support and mount at boot

do not use /dev at all anymore
framebuffer and bootsplash
mmap under networking is supposed to be faster, causes problems in some kernel versions

make -j3 && make modules_install

emerge hotplug
rc-update add hotplug default
emerge nvidia-kernel and nvidia-glx if needed

If installing extra modules or building important things as modules, put them in /etc/modules.autoload.d/kernel-2.6 (usually not necessary if automatic module loading is configured in the kernel). Run modules-update after doing this.

nano -w /etc/fstab

make sure boot partition is dumped

set root to be scanned 1st, everything else scanned second or not at all

noatime for most

notail for reiser partitions improves performance but uses more space

echo hostname > /etc/hostname
echo domainname > /etc/dnsdomainname
rc-update add domainname default

nano -w /etc/conf.d/net
rc-update add net.eth0 default (or appropriate interface)

nano -w /etc/hosts

put in fully qualified domain name first
127.0.0.1 name.domain name localhost

set root passwd

nano -w /etc/rc.conf

emerge metalog or syslog-ng
rc-update add metalog default

emerge vixie-cron
rc-update add vixie-cron default

emerge slocate if it hasn't been already.
emerge fileutils such as xfsprogs, reiserprogs, reiser4progs, jfsutils, etc.
emerge dhcpcd if not already
emerge grub

cp /boot/grub/grub.conf.example /boot/grub/grub.conf

Password-protect grub.conf; see the man pages for good descriptions.

In the grub shell, md5crypt creates the encrypted password.

nano -w /boot/grub/grub.conf

Copy the password from the above command into grub.conf on a line of the form: password --md5 encrypted-password
(see notes at end of document for more detailed info)

sample code below:
#start code

# Boot automatically after 30 secs.
timeout 30
splashimage=(hd1,0)/grub/splash.xpm.gz

password --md5 encrypted-password

title  Gentoo Linux 2.6.8-gentoo-r10
root (hd1,0)
kernel /kernel-2.6.8-gentoo-r10 root=/dev/sdb2 video=vesafb:ywrap,mtrr,1280x1024-32@60 splash=silent,theme:emergence
initrd (hd1,0)/boot/fbsplash-emergence-1280x1024
#finish code

grub

root (hd0,0) (where /boot resides)
setup (hd0) (install grub in MBR of first disk)
quit

emerge -av ntp
setup /etc/conf.d/ntp-client
rc-update add ntp-client default

rc-update add sshd default

add regular user

# useradd -m -G users,wheel,audio,tty -s /bin/bash john
# passwd john

emerge corefonts
emerge urw-fonts
emerge sharefonts

emerge udev (I do this before rebooting since I'm not using /dev at all in the kernel)
emerge dbus, hal, and ivman (use ~x86 for all)(this is my favorite combo for replacing supermount, doesn't require kernel patch, dbus and hal are used by other things, and ivman is small)

Configuring X

X -configure or xorgcfg or xorgconfig (xorgconfig still works best)

add ZAxisMapping "4 5" for mouse scroll
add glx and/or dri
add Option DPMS to monitor section
add Option OffTime "15" to server layout section to turn off backlight

Sync range for NEC 1980sx 31-82 horizontal
60 vertical

Post Install Configuration

customize logging

always install and run localepurge, setting locales in /etc/locales.build does not always work properly.

configure /etc/hosts.allow and /etc/hosts.deny

configure sshd to allow X11 forwarding and to use compression

emerge gdm
edit /etc/rc.conf and make gdm the login manager
do rc-update add xdm default
edit /usr/share/xsession files; must add .desktop entries for some managers
emerge gdm-themes
use gdmsetup or gdmconfig to change theme

emerge alsa-lib and alsa-utils, rc-update add alsasound boot (sets mixer levels on boot)

emerge and setup windowmaker (fast emerge)

emerge iptables and shorewall if desired. Configure shorewall

emerge mozilla-firefox

emerge kde

emerge sun-jre-bin

emerge knemo (the ultimate network monitor, remember wifi for laptop)

emerge smb4k

configure firefox (especially security settings)

install custom icon packs stored on my server (currently about 6 that I use)

File associations in Konqueror...open applications with openoffice, image viewer, video player, etc. and save association.

In konqueror, set file protocols under metadata to show thumbnails properly, turn on all protocols.

Configure various kde options (power management, fonts, panels and sizes, menus, etc)

Set KDE power management in control center

Set kde fonts, including anti-aliasing and sub pixel hinting

set screensaver

Set key bindings in kde such as Windows-L key to lock screen

Customize terminal session style, and fonts to use anti-aliasing

Post Install Applications (many are already installed at this point)

Office

openoffice or openoffice-bin
koffice

Removable media apps.

Hotplug
dbus
hal
ivman
(this combo seems to work best for cd-roms and usb devices, use ~x86 for all)
emerge coldplug and acpi?????

Window Managers

1. Fluxbox (very light, easy to configure, good to use as backup) (use ~x86)
2. KDE
3. Windowmaker (use ~x86); applets: wmbluecpu, wmclockmon, wmmemload, wmnetload
4. Xfce4 (use ~x86)
5. Rox (still figuring out if it's usable as a window manager); need to emerge rox and rox-session

If using manager other than KDE, emerge xlockmore, xscreensaver for more advanced lock screen capabilities.

Graphics

nvidia-kernel, nvidia-glx (use ~x86)
splashutils
splash-themes-livecd
bootsplash-themes
bootsplash-themes-livecd
xvidcap --- excellent video screen capture utility
imagemagick --- has good screen capture capabilities from command line, good graphics utility for all window managers, nice for scripting
xv very useful for all window managers
xpaint
gimp
fbgrab can do screen captures from framebuffer consoles
eog (very good simple image viewer)

Video/Audio/CD/DVD

K3B
alsa-utils, alsa-lib (must be re-emerged with every kernel update)
xine-ui
mplayer
kaffeine (optional)
kmplayer (optional)
xmms
aviplay
kaboodle
juk
Linuxvideostudio (binary is studio after it is installed)
kivo

Network applications & servers

rdesktop
grdesktop
smb4k (I like it much better than LinNeighborhood or xsmbrowser for browsing and mounting windows shares)

mozilla-firefox

mozilla (backup)

gftp

kbear

nmap

xnetload

ndiswrapper (laptop, allow use of windows driver for 802.11g cards)

knemo (best network monitor applet for kde)

samba

webmin

vsftp server (fastest and most secure)

proftpd and pureftpd are ok

apache2

lsof (very useful)

Firewalls

iptables

shorewall (best, use ~x86, get templates from website)

firehol is ok if gui is desired

FileManagers

xfe

rox

Fonts

artwiz-fonts??
corefonts
freefonts
sharefonts
ttf-bitstream-vera
urw-fonts

Games

pysol
lbreakout2
lincity (no ebuild)
frozen-bubble
tuxracer
billardgl

Benchmarking (optional)

bonnie
bonnie++
iozone

Other apps.

Parted and qtparted (probably have to use ~x86 in most cases)

f-prot (anti-virus)

gentoolkit

Ggv postscript viewer

xnetload

xosview

udev
shfs (ssh filesystem support)
openoffice-bin
nmap
distcc
gnome-system-tools (useful management tools, doesn't require gnome)

localepurge (can be used to remove unnecessary locales if /etc/locales.build was not edited at start)

evolution (Outlook clone)

limewire (file sharing)

tightvnc (? new version easier to setup over ssh)

pine

ximian-connector(for exchange server access), use ~x86

dia (flowcharting, diagrams)
gnucash
rssh (restricted shell for setting up restricted sftp access)

Applications requiring further testing

arson (cd burning) **** looks nice

karchiver

file-roller

konserve (don't have much use for)

gedit (nice editor)

endeavour (file manager, need to test more)

gnomame (need more testing)

gxmame (need more testing)

xmame (need more testing)

ksensors (lmsensors front end)

postfix vs. sendmail for mail servers (currently prefer postfix)...other options such as qmail, courier

flphoto (used, not sure if needed)

gimageview (used, not sure if needed)
gphoto2
gthumb(rarely used)
gtksee (nice but rarely used)
igal (nice but rarely used. for creating image galleries)
realone (need lots of testing)
xsmbrowser (similar to Linneighborhood, never works as well)
tightvnc (need to test latest integration with ssh)

test more wireless monitoring tools on laptop

MISC. NOTES

remember rsync for backups ...very easy to use

Securing Grub

Here's another cool little trick you can try. Not very important for home, but critical in most other environments. Bootloaders are a pretty big security risk. In case you haven't noticed, anyone can boot your machine and actually get to data on your drives via grub. You can set an encrypted password for grub.

Just type grub as root. This will give you a grub command prompt. Type md5crypt at that prompt; it will ask you for a password. Make sure you enter the password you want to set correctly, and remember it: it doesn't ask you twice. Grub then hashes that password with md5crypt and prints the result. Copy the "encrypted password" to a new line in grub.conf, below the timeout line. This way, if you need to reboot remotely, it will time out and boot the default option.

password --md5 encrypted-password

This will prevent anyone from getting a command prompt without the password. Some other things you should do if you are paranoid like me. . No one else needs access to it. Also under the Title line for other boot options you can put a couple lines like this.

lock
password --md5 encrypted-password

The encrypted password can be the same as the one to get the command line. This prevents someone from even booting that option without the password. You probably don't need that because someone would need a username/password to do anything once they boot the OS anyway.
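As an added example (not from the original post), the following POSIX shell script audits a grub.conf for the two protections described above: a global password --md5 line before the first boot entry, and a lock line in any entry that should not boot without the password. The sample grub.conf it checks is constructed inline and its hash is a placeholder, not a real md5crypt output.

```sh
#!/bin/sh
# Added example, not from the original post: audit a grub.conf for a
# global "password --md5" line and for boot entries lacking "lock".
# The sample grub.conf below is constructed; the hash is a placeholder.

# Return 0 if a "password --md5 ..." line appears before the first "title".
grub_has_global_password() {
    awk '
        /^[ \t]*title/                            { in_entry = 1 }
        /^[ \t]*password[ \t]+--md5/ && !in_entry { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print the name of every boot entry that has no "lock" line; empty output
# means every entry requires the password before it will boot.
grub_unlocked_titles() {
    awk '
        function flush() { if (title != "" && !locked) print title }
        /^[ \t]*title/ {
            flush()
            title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
            locked = 0
            next
        }
        /^[ \t]*lock[ \t]*$/ { locked = 1 }
        END { flush() }
    ' "$1"
}

# Constructed sample: first entry boots without a password, second is locked.
make_sample_grub_conf() {
    cat > "$1" <<'EOF'
# Boot automatically after 30 secs.
timeout 30
password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
title Gentoo Linux
root (hd0,0)
kernel /kernel-2.6.8-gentoo-r10 root=/dev/sda2
title Gentoo Linux (fallback kernel)
lock
password --md5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
root (hd0,0)
kernel /kernel-previous root=/dev/sda2
EOF
}

# Stand-alone run: audit the constructed sample.
conf=$(mktemp)
make_sample_grub_conf "$conf"
if grub_has_global_password "$conf"; then
    echo "global password: present"
else
    echo "global password: MISSING (anyone at the console gets a grub prompt)"
fi
grub_unlocked_titles "$conf" | sed 's/^/entry bootable without password: /'
rm -f "$conf"
```

Run it against /boot/grub/grub.conf by replacing the constructed sample with the real path; an entry listed as bootable without password is one where the password line only guards the grub prompt, not the boot itself, which is exactly the case the lock line covers.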

Configuring Metalog

Setting up USB flash for easy mounting

udevinfo -a -p `udevinfo -q path -n /dev/sdc`

(replace sdc with the device the usb drive currently appears as; you may have to guess)

Look for 'SYSFS{serial}="0402170100000020EB5D000"'.

Use this serial number to make a udev rule

nano -w /etc/udev/rules.d/10-local.rules

BUS="usb", SYSFS{serial}="0402170100000020EB5D000", KERNEL="sd?1", NAME="%k", SYMLINK="usbdrive"

USB flash will now always be linked to /dev/usbdrive; you can set up an appropriate line in /etc/fstab:

/dev/usbdrive /media/usbdisk vfat noatime,sync,exec,user,noauto 0 0

obviously make sure /media/usbdisk is created
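As an added example (not from the original post), this POSIX shell script carries the procedure above through in one go: it pulls the SYSFS{serial} value out of udevinfo -a -p output, refuses to continue if no serial is present (a rule without one would match every USB disk rather than this one), and prints the 10-local.rules line and the fstab line. The udevinfo text is a constructed sample that reuses the serial quoted in the post; the symlink name usbdrive and the mount point /media/usbdisk are the post's own.

```sh
#!/bin/sh
# Added example, not from the original post: derive the udev rule and the
# fstab line from "udevinfo -a -p ..." output. The udevinfo text is a
# constructed sample; old-style udev keys (BUS=, SYSFS{...}) are kept
# because that is the syntax the post's udev version used.

sample_udevinfo_output() {
    cat <<'EOF'
looking at the device chain at '/sys/block/sdc':
    BUS="scsi"
    ID="6:0:0:0"
    SYSFS{vendor}="Generic "
looking at the device chain at '/sys/devices/pci0000:00/0000:00:1d.7/usb1/1-1':
    BUS="usb"
    SYSFS{serial}="0402170100000020EB5D000"
    SYSFS{product}="USB Flash Drive"
EOF
}

# Print the first SYSFS{serial} value found on stdin. Fails (exit 1) when
# there is none: a rule without a serial would match every USB disk, not
# just this one, so it must not be written.
udev_serial() {
    sed -n 's/.*SYSFS{serial}="\([^"]*\)".*/\1/p' | head -n 1 | grep .
}

# Rule for /etc/udev/rules.d/10-local.rules: match the first partition of
# the disk with this serial and add a stable symlink under /dev.
#   udev_rule_for_serial SERIAL SYMLINK
udev_rule_for_serial() {
    printf 'BUS="usb", SYSFS{serial}="%s", KERNEL="sd?1", NAME="%%k", SYMLINK="%s"\n' "$1" "$2"
}

# Matching fstab line: user-mountable, not mounted at boot.
#   fstab_line_for_symlink SYMLINK MOUNTPOINT
fstab_line_for_symlink() {
    printf '/dev/%s %s vfat noatime,sync,exec,user,noauto 0 0\n' "$1" "$2"
}

# Stand-alone run on the constructed sample.
serial=$(sample_udevinfo_output | udev_serial) || { echo "no SYSFS{serial} found" >&2; exit 1; }
udev_rule_for_serial "$serial" usbdrive
fstab_line_for_symlink usbdrive /media/usbdisk
```

To use it on a real device, pipe the actual udevinfo -a -p output into udev_serial instead of the sample function and append the two printed lines to 10-local.rules and /etc/fstab respectively.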

Configuring vsftpd

Configuring Apache

Using shfs

Assuming sshd is running on server
Client configuration:

emerge shfs
modprobe shfs
add shfs to /etc/modules.autoload
mkdir /mnt/shfs or whatever
shfsmount username@server:/path/path/ /mnt/shfs
or mount -t shfs username@server:/path/path/ /mnt/shfs

Using file as loopback device
Create empty file
dd if=/dev/zero of=/mnt/testfile seek=5000 count=1 bs=1K
(creates 5000K file)
mount file to loopback
losetup /dev/loop0 /mnt/testfile
make filesystem
mke2fs /dev/loop0
mount to filesystem
mount /dev/loop0 /mnt/testdirectory

Using crypto loop to store encrypted data in loopback device

Useful commands

lsof -i (listening ports with known names, i.e. ssh for port 22)

lsof -Pi (listening ports without names)

netstat -l

netstat -nl
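As an added example (not from the original post), the script below reads netstat -nl output like the command above and compares it against an allowlist of ports that are meant to be reachable from the network. Loopback-bound sockets are skipped; every other listener on a port outside the allowlist is reported. The netstat text is a constructed sample, not captured output, and the allowlist (ssh and ntp) is an assumption for the sample host.

```sh
#!/bin/sh
# Added example, not from the original post: flag listening sockets that
# are reachable from the network and not on the allowlist. The netstat
# output below is a constructed sample.

# Ports expected to be open to the network on this sample host (ssh, ntp).
ALLOWED_PORTS="22 123"

sample_netstat_output() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
}

# Read netstat -nl output on stdin; print "proto port address" for each
# listening socket that is neither loopback-bound nor allowlisted.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            # udp lines carry no State column; tcp must be in LISTEN
            if ($1 ~ /^tcp/ && $NF != "LISTEN") next
            addr = $4; port = $4
            sub(/.*:/, "", port)       # text after the last colon
            sub(/:[0-9]*$/, "", addr)  # everything before it
            if (addr == "127.0.0.1" || addr == "::1") next
            if (!(port in ok)) print $1, port, addr
        }'
}

# Stand-alone run. The VNC display (5901) and the X server (6000) are
# reported because they listen on all interfaces: the ssh tunnel from the
# VNC post only protects the path if 5901 is also closed to the network by
# tcpwrappers or a firewall.
sample_netstat_output | unexpected_listeners
```

For a live check, replace the sample function with netstat -nl itself (netstat -nl | unexpected_listeners) and adjust ALLOWED_PORTS to what the host is actually meant to serve.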



Wednesday, July 21, 2004

Just another blog that I'm not doing anything with at the moment
