From Funtoo
Revision as of 20:34, March 3, 2020 by Mrl5 (talk | contribs) (more meaningful info: entropy_avail/poolsize)

Install Guide: Finishing Up

Install Guide, Chapter 16

Set your root password

It's imperative that you set your root password before rebooting so that you can log in.

chroot # passwd
New password: **********
Retype new password: **********
passwd: password updated successfully

Create a Regular User

It's also a good idea to create a regular user for daily use. If you're using GNOME, this is a requirement, as you cannot log in to GDM (the GNOME Display Manager) as root. This can be accomplished as follows:

chroot # useradd -m drobbins

You will also likely want to add your primary user to one or more supplemental groups. Here is a list of important groups and their effect:

wheel: Allows your user account to 'su' to root. Recommended on your primary user account for easy maintenance. Also used with sudo.
audio: Allows your user account to directly access audio devices. Required if using ALSA; otherwise optional.
plugdev: Allows your user account to work with various removable devices. Allows adding a WiFi network in GNOME without providing the root password. Recommended for desktop users.
portage: Allows extended use of Portage as a regular user. Recommended.

To add your user to multiple groups, use the usermod command, specifying a complete group list:

chroot # usermod -G wheel,audio,plugdev,portage drobbins

As with your root account, don't forget to set a password:

chroot # passwd drobbins
New password: **********
Retype new password: **********
passwd: password updated successfully

Secure SSH server

sshd is a member of OpenRC's default runlevel, which means that after a reboot it will be possible to connect to your host via SSH (with valid credentials). You should think about securing your SSH server, or even consider whether it is really needed (e.g. on desktops).

Common practice is to disable root login and enable public key authentication. You can read more about securing the SSH service in the Gentoo Security Handbook or on our wiki page about OpenSSH.

If you don't need to connect to your new Funtoo host over SSH, run this:

chroot # rc-update del sshd default
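
For hosts that keep sshd enabled, the two settings named above (root login disabled, public key authentication enabled) can be checked in a configuration file as follows. This is an added example, not part of the Funtoo guide: the function names and sample configs are constructed, and the fallback values are assumed to be current OpenSSH defaults.

```shell
#!/bin/sh
# Added example (not from the Funtoo guide): audit the global section of an
# sshd_config for the two settings named above. Include files and Match
# blocks are not evaluated; sample configs below are constructed.

# Print the effective global value of keyword $2 in file $1, else default $3.
# sshd keeps the FIRST value it reads for a keyword, matches keywords
# case-insensitively, and accepts "Key=value" as well as "Key value".
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                    # comment or blank line
        { sub(/[ \t]*=[ \t]*/, " ") }              # normalise Key=value
        tolower($1) == "match" { exit }            # conditional section starts
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 only if root login is disabled and public key auth is enabled.
audit_sshd_config() {
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pubkey=$(sshd_effective "$1" PubkeyAuthentication yes)
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin is '$root' (want 'no')"; rc=1
    fi
    if [ "$pubkey" != "yes" ]; then
        echo "FAIL PubkeyAuthentication is '$pubkey' (want 'yes')"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK root login disabled, pubkey enabled"; fi
    return "$rc"
}

# Constructed samples: in the first, the later "PermitRootLogin no" is ignored.
write_samples() {
    printf '%s\n' '# constructed' 'permitrootlogin yes' 'PermitRootLogin no' \
        'PubkeyAuthentication=no' > "$1/weak"
    printf '%s\n' 'PermitRootLogin no' 'PubkeyAuthentication yes' \
        'Match User backup' '    PermitRootLogin yes' > "$1/hardened"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak hardened; do
    echo "== $f"; audit_sshd_config "$demo_dir/$f" || true
done
rm -rf "$demo_dir"
```

On an installed system, `sshd -T` prints the effective configuration as sshd itself parses it, which also covers included files.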

Install an Entropy Generator (if really needed)

The Linux kernel uses various sources such as user input to generate entropy, which is in turn used for generating random numbers. Encrypted communications can use a lot of entropy, and often the amount of entropy generated by your system will not be sufficient. This is commonly an issue on headless server systems, which can also include ARM systems such as Raspberry Pi, and can result in slower than normal ssh connections among other issues.

chroot # echo $(cat /proc/sys/kernel/random/entropy_avail)/$(cat /proc/sys/kernel/random/poolsize)

This prints the available entropy (in bits) and the size of the entropy pool. If the available entropy is below 1000, you can think about improving it.

To check how your machine's random output fares against the FIPS 140-2 tests, you can use rng-tools:

chroot # emerge rng-tools
chroot # rngtest -c 1000 < /dev/random

To identify the different sources of entropy available in the system, use:

chroot # rngd --list

To compensate for low entropy, it is possible to use a hardware random number generator (e.g. TPM), use a secure pseudorandom number generator, or enable a user-space entropy generator at boot time. We will use haveged in this example, although others are available, such as the previously mentioned rng-tools.

chroot # emerge haveged
chroot # rc-update add haveged default

Haveged will now start at boot and will augment the Linux kernel's entropy pool.

Restart your system

Now is the time to leave chroot, to unmount Funtoo Linux partitions and files and to restart your computer. When you restart, the GRUB boot loader will start, load the Linux kernel and initramfs, and your system will begin booting.

Leave the chroot, change directory to /mnt, unmount your Funtoo partitions, and reboot.

chroot # exit
root # cd /mnt
root # umount -lR funtoo
root # reboot

The Funtoo LiveCD will gracefully unmount your new Funtoo filesystems as part of its normal shutdown sequence.

You should now see your system reboot, the GRUB boot loader appear for a few seconds, and then see the Linux kernel and initramfs loading. After this, you should see Funtoo Linux itself start to boot, and you should be greeted with a login: prompt. Funtoo Linux has been successfully installed!
