Revision as of 19:54, March 3, 2020
Install Guide: Finishing Up
Install Guide, Chapter 16 | < Prev | Next > |
Set your root password
It's imperative that you set your root password before rebooting so that you can log in.
chroot # passwd
New password: **********
Retype new password: **********
passwd: password updated successfully
Create a Regular User
It's also a good idea to create a regular user for daily use. If you're using GNOME, this is a requirement as you cannot log in to GDM (The GNOME Display Manager) as root. This can be accomplished as follows:
chroot # useradd -m drobbins
You will also likely want to add your primary user to one or more supplemental groups. Here is a list of important groups and their effect:
Group | Description
---|---
wheel | Allows your user account to su to root. Recommended on your primary user account for easy maintenance. Also used with sudo.
audio | Allows your user account to directly access audio devices. Required if using ALSA; otherwise optional.
plugdev | Allows your user account to work with various removable devices. Allows adding a WiFi network in GNOME without providing the root password. Recommended for desktop users.
portage | Allows extended use of Portage as a regular user. Recommended.
To add your user to multiple groups, use the usermod command. Note that -G replaces the account's entire supplementary group list rather than adding to it, so list every group you want the user to keep (use -aG instead when you only want to append to the existing list):
chroot # usermod -G wheel,audio,plugdev,portage drobbins
You can confirm the result with id drobbins.
As with your root account, don't forget to set a password:
chroot # passwd drobbins
New password: **********
Retype new password: **********
passwd: password updated successfully
Secure SSH server
sshd is a member of OpenRC's default runlevel. This means that after the reboot anyone who can reach the host over the network can attempt to log in via SSH (valid credentials are still required). You should think about securing your SSH server, or even about whether it is needed at all (on a desktop, for example, it usually isn't).
Common practice is to disable root login and enable public key authentication, and, once your key is in place and works, to disable password authentication as well. You can read more about securing the SSH service in the Gentoo Security Handbook or in our wiki page about OpenSSH.
If you don't need to connect to your new Funtoo host over SSH, remove sshd from the default runlevel:
chroot # rc-update del sshd default
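As an added example (not part of the Funtoo guide or of OpenSSH itself), the shell below rewrites an sshd_config so that root login and password authentication are off and public-key authentication is on. The directive list, the sample configuration and the function names harden_sshd_config and sshd_setting are this example's own assumptions. It relies on two documented sshd_config rules: for each keyword sshd uses the first value it reads, and everything after a Match line is a conditional override. The new directives are therefore placed at the top of the file, stale global lines for the same keywords are dropped for readability, and Match blocks are left untouched.

```shell
#!/bin/sh
# Added example, not the Funtoo guide's code. Hardens an sshd_config in place.
# Assumed directive set (adjust to taste): root login off, password auth off,
# public-key auth on, empty passwords off.

# harden_sshd_config FILE
harden_sshd_config() {
    cfg="$1"
    tmp="${cfg}.tmp.$$"
    awk '
        BEGIN {
            n = split("PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes PermitEmptyPasswords=no", pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[tolower(kv[1])] = 1      # keywords are case-insensitive
                print kv[1] " " kv[2]         # emit first: sshd keeps the first value it sees
            }
            in_match = 0
        }
        # Everything from the first Match line on is conditional; copy it verbatim.
        tolower($1) == "match" { in_match = 1 }
        # In the global section drop stale lines for the keywords we just set.
        !in_match && (tolower($1) in want) { next }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# sshd_setting FILE KEYWORD
# Prints the value sshd would use for a global keyword: the first active
# occurrence before any Match block. Commented-out lines do not match
# because their first field starts with "#".
sshd_setting() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Demonstration on a constructed sample file (not a real sshd_config).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
harden_sshd_config "$sample"
cat "$sample"
echo "PermitRootLogin is now: $(sshd_setting "$sample" PermitRootLogin)"
rm -f "$sample"
```

On the installed system run it against /etc/ssh/sshd_config, check the result with sshd -t before restarting the service (rc-service sshd restart under OpenRC), and only turn password authentication off after an authorized key has been placed in the user's ~/.ssh/authorized_keys and tested, otherwise you lock yourself out of a headless host.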
Install an Entropy Generator (if really needed)
The Linux kernel uses various sources such as user input to generate entropy, which is in turn used for generating random numbers. Encrypted communications can use a lot of entropy, and often the amount of entropy generated by your system will not be sufficient. This is commonly an issue on headless server systems, which can also include ARM systems such as Raspberry Pi, and can result in slower than normal ssh connections among other issues.
chroot # cat /proc/sys/kernel/random/entropy_avail
This read-only file gives the kernel's estimate of the available entropy (in bits); poolsize in the same directory gives the maximum. If it stays below 1000 you can think about improving entropy, but check first that you actually have a problem (for example, slow ssh logins or blocking reads from /dev/random).
To check whether the kernel's random device passes the FIPS 140-2 statistical tests, rng-tools provides rngtest, which reads 20000-bit blocks from standard input and runs the tests on each block:
chroot # emerge rng-tools
chroot # rngtest -c 1000 < /dev/random
A healthy source shows at most a handful of failures in 1000 blocks; a large failure count points at a broken generator. Reading 1000 blocks pulls about 2.5 MB from /dev/random, which on kernels older than 5.6 blocks whenever the entropy estimate drops to zero, so on such a kernel the command stalling is itself a sign that the system is starved for entropy.
To identify the different sources of entropy available in the system, use
chroot # rngd -l
To compensate for low entropy it is possible to use a hardware random number generator (e.g. a TPM, which rngd can feed into the kernel pool), use a secure pseudorandom number generator or enable a user-space entropy generator at boot time. We will use haveged in this example, although others are available, such as the rng-tools mentioned before.
chroot # emerge haveged
chroot # rc-update add haveged default
Haveged will now start at boot and will augment the Linux kernel's entropy pool.
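As an added example (not part of the Funtoo guide), the shell below gathers the checks from this section in one place: it reads entropy_avail and poolsize, looks at the hardware RNG entries under /sys/class/misc/hw_random (rng_current reads "none" when no hardware generator is attached), and then says which of the options above applies. The threshold of 1000 bits is the guide's rule of thumb; the function names and the optional directory arguments, which exist only so the logic can be exercised on constructed copies of the files, are this example's own.

```shell
#!/bin/sh
# Added example, not the Funtoo guide's code: report the kernel entropy state
# and recommend one of the section's options (nothing, rng-tools, haveged).

# read_or FILE FALLBACK: print the first line of FILE, or FALLBACK if unreadable.
read_or() {
    if [ -r "$1" ]; then
        head -n 1 "$1"
    else
        printf '%s\n' "$2"
    fi
}

# entropy_advice AVAIL THRESHOLD RNG_CURRENT
# Prints one of: ok, hwrng, haveged.
entropy_advice() {
    avail="$1"; threshold="$2"; rng_current="$3"
    if [ "$avail" -ge "$threshold" ]; then
        echo ok
    elif [ -n "$rng_current" ] && [ "$rng_current" != none ]; then
        echo hwrng      # a hardware RNG is attached: let rngd feed it into the pool
    else
        echo haveged    # no hardware source: fall back to a user-space generator
    fi
}

# entropy_report [RANDOM_DIR] [HWRNG_DIR]
# Defaults: /proc/sys/kernel/random and /sys/class/misc/hw_random. The
# arguments are only there so the logic can be tested on constructed files.
entropy_report() {
    random_dir="${1:-/proc/sys/kernel/random}"
    hwrng_dir="${2:-/sys/class/misc/hw_random}"
    threshold=1000   # the guide's rule of thumb

    avail=$(read_or "$random_dir/entropy_avail" 0)
    poolsize=$(read_or "$random_dir/poolsize" unknown)
    rng_current=$(read_or "$hwrng_dir/rng_current" none)
    rng_available=$(read_or "$hwrng_dir/rng_available" "")

    printf 'entropy_avail: %s (pool size %s bits)\n' "$avail" "$poolsize"
    printf 'hardware RNG in use: %s (available: %s)\n' "$rng_current" "${rng_available:-none}"

    case $(entropy_advice "$avail" "$threshold" "$rng_current") in
        ok)      echo "advice: entropy is at or above $threshold bits, nothing to do" ;;
        hwrng)   echo "advice: hardware RNG present; emerge rng-tools and add rngd to the default runlevel" ;;
        haveged) echo "advice: no hardware RNG; emerge haveged and add it to the default runlevel" ;;
    esac
}

entropy_report
```

Run it inside the chroot before deciding between rng-tools and haveged; on a machine whose TPM or CPU exposes a hardware generator the rng_available list is the quickest way to see it, and rngd -l from rng-tools shows the same sources from user space.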
Restart your system
Now is the time to leave chroot, to unmount Funtoo Linux partitions and files and to restart your computer. When you restart, the GRUB boot loader will start, load the Linux kernel and initramfs, and your system will begin booting.
Leave the chroot, change directory to /mnt, unmount your Funtoo partitions, and reboot.
chroot # exit
root # cd /mnt
root # umount -lR funtoo
root # reboot
The Funtoo LiveCD will gracefully unmount your new Funtoo filesystems as part of its normal shutdown sequence.
You should now see your system reboot, the GRUB boot loader appear for a few seconds, and then see the Linux kernel and initramfs loading. After this, you should see Funtoo Linux itself start to boot, and you should be greeted with a login: prompt. Funtoo Linux has been successfully installed!