Difference between pages "Package:OpenSSH" and "Repository Configuration"

{{Ebuild
|Summary=Port of OpenBSD's free SSH release
|CatPkg=net-misc/openssh
|Homepage=http://www.openssh.com/
}}

= Introduction =
SSH is a network protocol that provides cryptographically confidential data transmission between two networked computers. There are two protocol versions: SSH-1 and SSH-2.

= Default Installation =
Funtoo uses the OpenSSH daemon (sshd) to provide the SSH service by default. sshd is a member of [[OpenRC_(Funtoo)|OpenRC]]'s default runlevel.

By default, login is allowed for all users via the SSH daemon on port 22 with any valid username and password combination.

= Service configuration =
There are two means of configuring <code>sshd</code>. The first is required, the second is optional.

# <code>sshd</code> reads its configuration data from <code>/etc/ssh/sshd_config</code> by '''''default'''''.
# <code>sshd</code> may be configured to use PAM.<br/>Permission may be granted or denied via PAM, allowing you to store usernames etc. in text files.

= Protocol version selection =
The '''''default''''' protocol version is SSH-2. SSH-1 requires explicit activation. To select a protocol version, use the <code>Protocol</code> directive.

e.g. <code>Protocol 2</code>

= Cipher selection =
The <code>Ciphers</code> directive specifies the ciphers allowed for protocol version 2.

= User Authentication =
== Single authentication method ==
# Password authentication<br/>This is enabled by '''''default''''' and is configured using the <code>PasswordAuthentication</code> directive. Valid parameters are <code>yes</code> or <code>no</code>.<br/>When <code>PasswordAuthentication yes</code> is configured, the state of the <code>PermitEmptyPasswords</code> directive is evaluated.
# Public key authentication<br/>This is enabled with combinations of <code>AuthorizedKeysFile</code>, <code>AuthorizedKeysCommand</code> and <code>AuthorizedKeysCommandUser</code>.

=== Passwordless Authentication ===
==== Client ====
On your client, run

<console>###i## ssh-keygen -t rsa</console>

Dialogs will be presented; you can press enter several times to accept the defaults.

<code>~/.ssh/id_rsa.pub</code> will be generated. Copy or append the contents of this file to the server's <code>~/.ssh/authorized_keys</code>.

==== Server ====
Create a user, or select which user the client will be accessing the server as, then place the client's id_rsa.pub file into that user's <code>~/.ssh/authorized_keys</code>.

==== Single Machine Testing ====
<console>###i## ssh-keygen -t rsa</console>

Press enter several times to accept the default settings.

<console>###i## cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys</console>

<console>###i## ssh localhost</console>

# Host-based authentication

== Requiring multiple authentication factors ==
These options are only available for SSH-2. The '''''default''''' is not to require multiple authentication methods. To tell the daemon that you wish to require more than one authentication method, use the <code>AuthenticationMethods</code> directive. This directive is followed by one or more comma-separated lists of authentication method names. Lists are separated with a space. Successful authentication requires completion of every method in at least one of these lists.

# password
# publickey
# keyboard-interactive

e.g. <code>AuthenticationMethods "password,publickey password,keyboard-interactive"</code>

== Password authentication using <code>sshd_config</code> ==
The following four directives are listed in the order in which OpenSSH evaluates them. They are configured directly within <code>sshd_config</code>. Only user or group ''names'' are valid; numerical IDs are not recognized. If a pattern takes the form <code>USER@HOST</code>, then access is restricted to <code>USER</code> when originating from <code>HOST</code>.

;<code>DenyUsers PATTERN PATTERN ...</code>
:Login is forbidden for users whose username matches one of the patterns.

;<code>AllowUsers PATTERN PATTERN ...</code>
:Login is permitted for users whose username matches one of the patterns.

;<code>DenyGroups PATTERN PATTERN ...</code>
:Login is forbidden for users whose primary group or supplementary group list matches one of the patterns.

;<code>AllowGroups PATTERN PATTERN ...</code>
:Login is permitted for users whose primary group or supplementary group list matches one of the patterns.
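The four access directives above and the <code>AuthenticationMethods</code> rule from the previous section can be exercised offline. The following is an added example, not code from this wiki page or from OpenSSH; it assumes patterns use only <code>*</code> and <code>?</code>, that matching is case-sensitive, and that the source host is whatever string the caller passes in. The <code>sshd_config</code> fragment inside it is constructed.

```python
"""Evaluate sshd access-control directives and AuthenticationMethods.

Added example (not from the Funtoo wiki or OpenSSH). It models the
documented evaluation order DenyUsers, AllowUsers, DenyGroups, AllowGroups
with shell-style patterns, honours USER@HOST patterns, and checks an
AuthenticationMethods value: every method of at least one list must be done.
"""
import fnmatch

# Constructed sshd_config fragment used as sample input (not a real host's file).
SSHD_CONFIG = """
# access control, evaluated in this order by sshd
DenyUsers baduser guest*
AllowUsers deploy@10.0.0.* admin
DenyGroups nologin
AllowGroups wheel ops
AuthenticationMethods password,publickey password,keyboard-interactive
"""

def parse_sshd_config(text):
    """Return {directive: [tokens]}; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0], []).extend(parts[1].split() if len(parts) > 1 else [])
    return conf

def _user_match(pattern, user, host):
    """Match a USER or USER@HOST pattern against the connecting user and source host."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, user_pat) and fnmatch.fnmatchcase(host, host_pat)
    return fnmatch.fnmatchcase(user, pattern)

def _group_match(patterns, groups):
    """True if any primary/supplementary group matches any pattern."""
    return any(fnmatch.fnmatchcase(g, p) for g in groups for p in patterns)

def login_allowed(conf, user, groups, host):
    """Deny lists reject on any match; a present Allow list rejects unless something matches."""
    if any(_user_match(p, user, host) for p in conf.get("DenyUsers", [])):
        return False
    allow_users = conf.get("AllowUsers", [])
    if allow_users and not any(_user_match(p, user, host) for p in allow_users):
        return False
    if _group_match(conf.get("DenyGroups", []), groups):
        return False
    allow_groups = conf.get("AllowGroups", [])
    if allow_groups and not _group_match(allow_groups, groups):
        return False
    return True

def methods_satisfied(conf, completed):
    """True when every method of at least one AuthenticationMethods list was completed."""
    lists = conf.get("AuthenticationMethods", [])
    if not lists:
        return True  # directive absent: one successful method suffices
    return any(set(lst.split(",")) <= set(completed) for lst in lists)
```

With this configuration, <code>deploy</code> is admitted only from <code>10.0.0.*</code>, and a client that has completed only <code>publickey</code> is not considered authenticated.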

== Public key authentication ==
<code>AuthorizedKeysFile</code>

<code>AuthorizedKeysCommand</code>

<code>AuthorizedKeysCommandUser</code>

== Host based authentication ==

= Access control =
== Controlling root access ==
Access by the root user can be controlled using the <code>PermitRootLogin</code> directive.

=== Permit empty passwords ===
Access to accounts with empty (i.e. blank) passwords can be controlled using the <code>PermitEmptyPasswords</code> directive.

Other relevant <code>sshd_config</code> directives:
* ChallengeResponseAuthentication
* Ciphers
* GSSAPIAuthentication
* GSSAPICleanupCredentials
* GSSAPIStrictAcceptorCheck
* HostBasedAuthentication
* HostBasedUsesNameFromPacketOnly
* HostCertificate
* HostKey
* HostKeyAgent
* LoginGraceTime
* MAC
* MaxAuthTries
* MaxSessions
* MaxStartups
* PasswordAuthentication
* PermitEmptyPasswords
* PubkeyAuthentication
* RevokedKeys
* RhostsRSAAuthentication
* RSAAuthentication
* TrustedUserCAKeys
* UseLogin
* UsePAM

= X11 Forwarding =
By default, X11 forwarding is disabled in OpenSSHd.

If you would like to forward X11 from your Funtoo box to a remote system, you must first edit your <code>/etc/ssh/sshd_config</code> file.

Change
<pre>
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
</pre>
to
<pre>
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
</pre>

X forwarding will now be enabled from that machine, so if you connect from your remote with 'ssh -X <user>@<ipaddress>', X sessions will be forwarded.

== Intrusion Prevention ==
SSH is a commonly attacked service. {{package|app-admin/sshguard}} monitors logs and blacklists remote users who have repeatedly failed to log in.

[[Category:Networking]]

{{EbuildFooter}}

Repository Configuration (latest revision as of 04:52, February 27, 2015)

Warning: This article is a work-in-progress referring to a future Portage version. It does not apply to the current Funtoo Portage version. Please do not update your configuration yet.

Starting with Portage-2.3.8, a switch to a new repository configuration framework is complete and users may want to update their configuration files. This document aims to describe the goals for the new framework and how to use it.

Multiple repository layout

One of the most important changes is the switch from the old overlay layout to a new cleaner repository system. The new layout is more flexible and more predictable. For example, repositories can now use resources (eclasses, for example) provided by other repositories.

The old layout was based on the concept of one main tree and, optionally, a number of overlays. The main tree provided base system ebuilds, eclasses and profiles, while overlays mostly provided their own ebuilds. An ebuild provided by an overlay overrode the ebuilds in the main tree to the extent of making it impossible to install the main tree version. Overlays could also provide eclasses for their own ebuilds and package.* entries that applied to all overlays and to the main tree. The Package Manager is responsible for updating the main tree, while overlays are managed externally.

The new layout is based on the concept of one or more configurable repositories. Each repository can either be stand-alone or depend upon other repositories. The distribution provides a repository called funtoo (a drop-in replacement for Gentoo's gentoo repository). Users can install more repositories as they wish, with each repository providing its own ebuilds, eclasses and profiles as necessary and/or using them from other repositories. Users can explicitly choose the repository they want to install packages from. The Package Manager can update all repositories.

Portage configuration

New repository layout

The repository configuration should be stored in /etc/portage/repos.conf. It can be either a single file or a directory containing one or more .conf files.

The default configuration is installed as /usr/share/portage/config/repos.conf. This file is an internal configuration file installed by the portage ebuild and should not be modified. Instead, the configuration in /etc/portage/repos.conf can override the defaults specified there.

The configuration uses a format similar to Windows .ini files. Each section heading (the repository name in square brackets) signifies a single repository and is followed by one or more key-value option pairs. For example, the following file copies the default configuration for the Funtoo repository:

/etc/portage/repos.conf/funtoo.conf - Example configuration override for Funtoo repository to move it to non-standard location
[funtoo]
# moved to non-standard location!
location = /var/db/repos/funtoo
sync-type = git
sync-uri = git://github.com/funtoo/ports-2015.git
auto-sync = yes

The most useful repository configuration options are listed below:

location
Obligatory. Specifies the directory where the repository is or will be stored. If Portage knows how to sync the repository and the location does not exist, it will be created on the next emerge --sync. Otherwise, the directory must exist.
priority
Specifies the priority used for ordering ebuilds from different repositories. If two repositories provide an ebuild with matching versions, the repository with higher priority will be used.
auto-sync
Specifies whether emerge --sync should update the repository. Defaults to yes if sync-type is specified, no otherwise.
sync-depth
Specifies --depth for git clone. Used only on initial sync. Defaults to 1. Can be set to 0 to force full clone (not pass --depth at all).
sync-type
Specifies syncing/update method. Can be one of: cvs, git, rsync, svn.
sync-umask
Specifies the umask used when updating/syncing the repository.
sync-uri
Specifies remote URI from which the repository will be cloned/synced. Can use any syntax valid for a particular syncing method.
sync-user
Specifies the user[:group] used to update/sync the repository. If FEATURES=usersync is used, defaults to the credentials of the directory owner.

Additionally a [DEFAULT] section may be specified. Options in this section are used as defaults for all repositories.

Migrating existing configurations

The new configuration format provides a replacement for the existing configuration done through /etc/portage/make.conf and environment variables. While the variables are still supported for backwards compatibility, users are recommended to move to the new configuration scheme. The Funtoo portage ebuild is planned to make the migration unattended (repos.conf installed automatically to ease the configuration steps) with the following file:

/etc/portage/repos.conf/funtoo.conf
[funtoo]
location = /usr/portage
sync-type = git
sync-uri = git://github.com/funtoo/ports-2015.git
auto-sync = yes

The following replacements are provided for existing variables:

PORTDIR
Used to specify main tree location. Replaced by location key in the section corresponding to the default repository ([funtoo] by default).
PORTDIR_OVERLAY
Used to specify locations of overlays. Each of the paths needs to be replaced with a separate repository section, with the path placed in location key. Additionally, priority may be used to force specific ordering of ebuild overrides.
SYNC
Used to specify the URI for syncing the main repository, which also implied the protocol used for it. Replaced by the sync-uri and sync-type keys in the default repository section.
SYNC_UMASK
Used to specify umask for syncing repositories. Replaced by sync-umask key in repository configuration. Can be specified in [DEFAULT] section to apply to all repositories.
SYNC_USER
Used to specify user credentials for syncing repositories. Replaced by sync-user key in repository configuration. Can be specified in [DEFAULT] section to apply to all repositories.

/etc/portage/make.conf - Example old make.conf file
# user changed PORTDIR location
PORTDIR="/var/db/repos/funtoo"
PORTDIR_OVERLAY="/var/db/repos/foo /var/db/repos/bar"

SYNC="git://github.com/funtoo/ports-2015.git"
SYNC_USER="oleg"
SYNC_UMASK="022"

/etc/portage/repos.conf - Replacement repos.conf file
[DEFAULT]
sync-user = oleg
sync-umask = 022

[funtoo]
location = /var/db/repos/funtoo
sync-type = git
sync-uri = git://github.com/funtoo/ports-2015.git

[foo]
location = /var/db/repos/foo
priority = 1

[bar]
location = /var/db/repos/bar
priority = 2

The repos.conf configuration can be further extended with sync-type and sync-uri for overlays to get emerge --sync updating them automatically.
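The resolution rules described above ([DEFAULT] inheritance, the obligatory location key, the auto-sync default that depends on sync-type, and priority ordering) can be checked against the replacement repos.conf shown above. This is an added example, not Portage's own code; it assumes a repository with no priority key is treated as priority 0, and the configuration text inside it is constructed from the page's example.

```python
"""Resolve a Portage repos.conf into per-repository settings.

Added example, not Portage's own code. It applies the rules the page
states: [DEFAULT] options apply to every repository, 'location' is
obligatory, auto-sync defaults to yes only when sync-type is set, and
the higher priority wins when two repositories carry the same ebuild
version. Assumption: a repository without 'priority' is treated as 0.
"""
import configparser

# Constructed from the page's "Replacement repos.conf file" example.
REPOS_CONF = """
[DEFAULT]
sync-user = oleg
sync-umask = 022

[funtoo]
location = /var/db/repos/funtoo
sync-type = git
sync-uri = git://github.com/funtoo/ports-2015.git

[foo]
location = /var/db/repos/foo
priority = 1

[bar]
location = /var/db/repos/bar
priority = 2
"""

def load_repos(text):
    """Return {name: options}; configparser merges [DEFAULT] into each section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    repos = {}
    for name in parser.sections():          # sections() never includes DEFAULT
        sect = parser[name]
        if "location" not in sect:
            raise ValueError(f"[{name}]: 'location' is obligatory")
        opts = dict(sect)                   # inherited DEFAULT keys included
        opts["auto-sync"] = sect.get("auto-sync", "yes" if "sync-type" in sect else "no")
        opts["priority"] = int(sect.get("priority", "0"))   # assumption: unset -> 0
        repos[name] = opts
    return repos

def repos_to_sync(repos):
    """Names of repositories that 'emerge --sync' would update."""
    return sorted(n for n, o in repos.items() if o["auto-sync"] == "yes")

def winning_repo(repos, providers):
    """Among repositories offering the same ebuild version, pick the highest priority."""
    return max(providers, key=lambda n: repos[n]["priority"])
```

For the example file, only funtoo is synced automatically (foo and bar have no sync-type), and bar's ebuilds override those of foo and funtoo.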

Let's see a real example of a tree with overlays added.

/etc/portage/repos.conf - Replacement repos.conf file
[gentoo]
location = /usr/portage
sync-type = git
sync-uri = git://github.com/funtoo/ports-2012.git
 
[funtoo-overlay]
location = /root/git/funtoo-overlay
 
[funtoo-gnome]
location = /root/git/funtoo-gnome-overlay

funtoo-overlay and funtoo-gnome-overlay are overlays added on top of the regular portage tree.