Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "Install/Finishing"

Older revision, edit summary: m (more meaningful info: entropy_avail/poolsize)
Newer revision, edit summary: m (Reverted edits by Mrl5 (talk) to last revision by Kyetoy)
Tag: Rollback

Line 59 in both revisions. Text of the older revision (removed by the rollback):

}}

===Secure SSH server === <!--T:23-->

<!--T:24-->
{{c|sshd}} is a member of [[OpenRC_(Funtoo)|OpenRC]]'s default runlevel. This means that after the reboot it will be possible to connect to your host via SSH (with valid credentials). You should think about securing your SSH server, or even consider whether it is really needed (e.g. on desktops).

Common practice is to disable root login and enable public key authentication. You can read more about securing the SSH service in the [https://wiki.gentoo.org/wiki/Security_Handbook/Securing_services#SSH Gentoo Security Handbook] or on our [[Package:OpenSSH|wiki page about OpenSSH]].

If you don't need to connect to your new Funtoo host over SSH, run this:
{{console|body=
%chroot% ##i##rc-update del sshd default
}}

===Install an Entropy Generator (if really needed) === <!--T:25-->

<!--T:19-->
The Linux kernel uses various sources such as user input to generate entropy, which is in turn used for generating random numbers. Encrypted communications can use a lot of entropy, and often the amount of entropy generated by your system will not be sufficient. This is commonly an issue on headless server systems, which can also include ARM systems such as the Raspberry Pi, and can result in slower than normal ssh connections among other issues.

<!--T:26-->
{{console|body=
%chroot% ##i##echo $(cat /proc/sys/kernel/random/entropy_avail)/$(cat /proc/sys/kernel/random/poolsize)
}}
This gives the available entropy (in bits) and the size of the entropy pool. If it is [https://developers.redhat.com/blog/2017/10/05/entropy-rhel-based-cloud-instances/ below 1000] you can think about improving entropy.
<!--T:27-->
To check how your machine's random number generator does against the [https://en.wikipedia.org/wiki/FIPS_140-2 FIPS 140-2] tests, {{c|rng-tools}} can be used:
{{console|body=
%chroot% ##i##emerge rng-tools
%chroot% ##i##rngtest -c 1000 < /dev/random
}}
<!--T:28-->
To identify the different sources of entropy available in the system, use:
{{console|body=
%chroot% ##i##rngd --list
}}

<!--T:20-->
To compensate for low entropy it is possible to use a hardware random number generator (e.g. a [https://en.wikipedia.org/wiki/Trusted_Platform_Module TPM]), use [https://www.schneier.com/academic/fortuna/ a secure pseudorandom number generator], or enable a user-space entropy generator at boot time. We will use {{c|haveged}} in this example, although others are available, such as the previously mentioned {{c|rng-tools}}.

<!--T:21-->

Text of the newer revision (restored by the rollback):

}}

===Install an Entropy Generator === <!--T:18-->

<!--T:19-->
(The paragraph beginning "The Linux kernel uses various sources such as user input to generate entropy" is unchanged between the two revisions.)

<!--T:20-->
To compensate for this, a user-space entropy generator can be emerged and enabled at boot time. We will use {{c|haveged}} in this example, although others are available, such as {{c|rng-tools}}.

<!--T:21-->

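The older revision above says to "disable root login and enable public key authentication" but does not show how to verify that an sshd_config actually does so. The script below is an added example, not code from the Funtoo wiki or the OpenSSH project. It reports the first effective value of PermitRootLogin, PasswordAuthentication and PubkeyAuthentication, because sshd applies the first value it reads for a keyword (a hardening line appended at the end of the file is ignored when an earlier line already set it). Assumptions made for this example: only the global section before the first Match block is examined, and the defaults applied for absent keywords are those of OpenSSH 7.0 and later.

```shell
#!/bin/sh
# Added example, not part of the Funtoo wiki: audit an sshd_config for the two
# settings the text recommends, root login disabled and public key
# authentication enabled. sshd uses the FIRST value it reads for a keyword
# (sshd_config(5)), so a hardening line appended at the end of the file is
# silently ignored when an earlier line already set the keyword. The audit
# therefore reports the first effective value. Assumption made for this
# example: only the global section is examined; everything from the first
# "Match" block onward is skipped.

# first_value FILE KEYWORD -> prints the first effective value, nothing if unset
first_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                    # drop leading indentation
        $0 == "" || $0 ~ /^#/ { next }            # skip blank lines and comments
        { split($0, f, /[ \t=]+/) }               # "Keyword value" or "Keyword=value"
        tolower(f[1]) == "match" { exit }         # global section ends here
        tolower(f[1]) == tolower(key) { print f[2]; exit }   # first value wins
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line; returns 1 if anything is weak
audit_sshd_config() {
    findings=0

    # Defaults applied when a keyword is absent: PermitRootLogin
    # prohibit-password (OpenSSH 7.0+), PasswordAuthentication yes,
    # PubkeyAuthentication yes.
    root=$(first_value "$1" PermitRootLogin); [ -n "$root" ] || root=prohibit-password
    case "$root" in
        no) ;;
        prohibit-password|without-password|forced-commands-only)
            echo "PermitRootLogin $root: root can still log in with a key; set 'no' unless needed"
            findings=1 ;;
        *)  echo "PermitRootLogin $root: root can log in with a password"
            findings=1 ;;
    esac

    pw=$(first_value "$1" PasswordAuthentication); [ -n "$pw" ] || pw=yes
    if [ "$pw" != no ]; then
        echo "PasswordAuthentication $pw: password logins (brute-forceable) are accepted"
        findings=1
    fi

    pk=$(first_value "$1" PubkeyAuthentication); [ -n "$pk" ] || pk=yes
    if [ "$pk" != yes ]; then
        echo "PubkeyAuthentication $pk: key-based logins are disabled"
        findings=1
    fi

    return $findings
}

# Usage: sh audit.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then audit_sshd_config "$1"; fi
```

Run it against /etc/ssh/sshd_config inside the chroot before the first reboot; a non-zero exit status means at least one of the three settings is weaker than the older revision recommends. Match blocks can re-enable password authentication for specific users or addresses, which this audit deliberately does not evaluate.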
Revision as of 19:48, March 26, 2020

Install Guide: Finishing Up

Install Guide, Chapter 16

Set your root password

It's imperative that you set your root password before rebooting so that you can log in.

chroot # passwd
New password: **********
Retype new password: **********
passwd: password updated successfully

Create a Regular User

It's also a good idea to create a regular user for daily use. If you're using GNOME, this is a requirement as you cannot log in to GDM (The GNOME Display Manager) as root. This can be accomplished as follows:

chroot # useradd -m drobbins

You will also likely want to add your primary user to one or more supplemental groups. Here is a list of important groups and their effect:

Group     Description
wheel     Allows your user account to 'su' to root. Recommended on your primary user account for easy maintenance. Also used with sudo.
audio     Allows your user account to directly access audio devices. Required if using ALSA; otherwise optional.
plugdev   Allows your user account to work with various removable devices. Allows adding a WiFi network in GNOME without providing the root password. Recommended for desktop users.
portage   Allows extended use of Portage as a regular user. Recommended.

To add your user to multiple groups, use the usermod command, specifying a complete group list. Note that -G replaces the user's supplementary groups rather than adding to them, so any group left out of the list is removed (use usermod -aG to append to the existing list instead):

chroot # usermod -G wheel,audio,plugdev,portage drobbins

As with your root account, don't forget to set a password:

chroot # passwd drobbins
New password: **********
Retype new password: **********
passwd: password updated successfully
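The usermod invocation above fails outright if one of the listed groups does not exist on the new system, and -G without -a drops any group it does not name. The following script is an added example, not code from the Funtoo wiki: it filters the wanted groups against the group database and prints the append form of the command. The group file path is a parameter (normally /etc/group) so the functions can be exercised against a constructed file; the command is printed rather than executed.

```shell
#!/bin/sh
# Added example, not part of the Funtoo wiki: build the supplementary group
# list for a new user from the groups that actually exist on the target
# system. Two things the one-line "usermod -G" hides:
#   * -G REPLACES the user's supplementary groups; a group left out of the
#     list is silently removed. -aG appends instead.
#   * usermod aborts with "group 'x' does not exist" if any listed group is
#     missing, e.g. plugdev on a minimal stage before desktop packages are
#     installed.
# The group database path is a parameter (normally /etc/group) so the
# functions can be exercised against a constructed file without root.

# existing_groups GROUPFILE NAME... -> comma-separated names that exist on
# stdout, missing ones reported on stderr; returns 1 if none exist
existing_groups() {
    groupfile=$1; shift
    found=
    for g in "$@"; do
        # field 1 of each group(5) line is the group name
        if cut -d: -f1 "$groupfile" | grep -qxF -- "$g"; then
            found="${found:+$found,}$g"
        else
            echo "warning: group '$g' does not exist, skipping" >&2
        fi
    done
    [ -n "$found" ] && printf '%s\n' "$found"
}

# usermod_command USER GROUPFILE NAME... -> prints the usermod invocation to
# run (printed rather than executed so the example is safe without root)
usermod_command() {
    user=$1; groupfile=$2; shift 2
    list=$(existing_groups "$groupfile" "$@") || return 1
    # -a keeps groups the user is already in; -G alone would replace them
    printf 'usermod -aG %s %s\n' "$list" "$user"
}

# Usage: usermod_command drobbins /etc/group wheel audio plugdev portage
if [ "$#" -gt 1 ]; then usermod_command "$@"; fi
```

After applying the printed command, `id -nG drobbins` shows the effective supplementary groups; wheel is the one that matters for privilege, since it is what su and sudo configurations key on.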

Install an Entropy Generator

The Linux kernel collects entropy from sources such as keyboard and mouse input, interrupt timing and, where present, a hardware random number generator, and uses it to seed the random numbers behind /dev/random, /dev/urandom and getrandom(). Key generation and encrypted communications draw on these, and on a machine with few input sources the pool can fill slowly after boot. This is commonly an issue on headless server systems, including ARM systems such as the Raspberry Pi, and can show up as slow sshd host-key generation or slow initial ssh connections, among other issues.

To compensate for this, a user-space entropy generator can be emerged and enabled at boot time. We will use haveged in this example, although others are available, such as rng-tools (whose rngd feeds a hardware RNG exposed as /dev/hwrng into the kernel pool).

chroot # emerge haveged
chroot # rc-update add haveged default

Haveged will now start at boot and augment the Linux kernel's entropy pool with entropy derived from CPU timing jitter. Note that since Linux 5.6, /dev/random no longer blocks once the kernel's generator has been seeded at boot, so on such kernels a user-space daemon mainly shortens that initial seeding; on a virtual machine, check whether the hypervisor already provides a virtio-rng device before adding one.
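Whether a daemon is needed, and whether rng-tools or haveged is the better choice, depends on the current pool state and on whether a hardware RNG is bound. The script below is an added example, not code from the Funtoo wiki or from either project. It reads the kernel's entropy_avail, poolsize and hw_random/rng_current files, compares the pool fill as a fraction (the absolute "below 1000 bits" figure from the linked Red Hat article assumes the pool size of older kernels, and poolsize differs between kernel versions), and prefers rngd when a hardware RNG driver is bound. The 25% threshold, the preference order and the OpenRC service name rngd for rng-tools are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the Funtoo wiki: decide whether this machine
# needs a user-space entropy daemon, and which one, from the kernel files the
# guide relies on. The threshold and the preference order are this example's
# assumptions, not kernel or Funtoo policy.
#
# Kernel interfaces read (all real):
#   /proc/sys/kernel/random/entropy_avail   bits currently credited to the pool
#   /proc/sys/kernel/random/poolsize        pool size in bits
#   /sys/class/misc/hw_random/rng_current   bound hardware RNG driver, or "none"

# choose_entropy_daemon AVAIL POOLSIZE RNG_CURRENT -> none | rng-tools | haveged
choose_entropy_daemon() {
    avail=$1 poolsize=$2 hwrng=$3
    [ "$poolsize" -gt 0 ] 2>/dev/null || { echo "bad poolsize '$poolsize'" >&2; return 2; }
    # Compare as a fraction: poolsize differs between kernel versions, so an
    # absolute figure such as "below 1000 bits" does not travel.
    pct=$((avail * 100 / poolsize))

    if [ "$pct" -ge 25 ]; then            # assumption: a quarter full is fine
        echo none
    elif [ -n "$hwrng" ] && [ "$hwrng" != none ]; then
        # A hardware RNG is bound (tpm-rng, virtio_rng, bcm2835-rng, ...):
        # rngd feeds /dev/hwrng into the kernel pool after FIPS-testing it,
        # so prefer it over a CPU-jitter generator.
        echo rng-tools
    else
        echo haveged
    fi
}

# check_entropy: read the live system, print the verdict and the OpenRC
# commands to apply it (printed, not executed). "rngd" is the service name
# Gentoo's rng-tools package installs; assumed to be the same on Funtoo.
check_entropy() {
    r=/proc/sys/kernel/random
    avail=$(cat "$r/entropy_avail") poolsize=$(cat "$r/poolsize")
    hwrng=none
    [ -r /sys/class/misc/hw_random/rng_current ] && hwrng=$(cat /sys/class/misc/hw_random/rng_current)
    daemon=$(choose_entropy_daemon "$avail" "$poolsize" "$hwrng") || return 2
    echo "entropy $avail/$poolsize bits, hwrng $hwrng -> $daemon"
    case $daemon in
        rng-tools) echo "emerge rng-tools && rc-update add rngd default" ;;
        haveged)   echo "emerge haveged && rc-update add haveged default" ;;
    esac
}

# Usage: sh entropy-check.sh live   (inspect the current system)
if [ "$1" = live ]; then check_entropy; fi
```

Run it inside the chroot shortly after boot of the live medium, which is when the pool is most likely to be low. A single reading is a snapshot, not a rate; if it says "none" but the pool is slow to refill under load, the daemon is still worth having.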

Restart your system

Now is the time to leave the chroot, unmount the Funtoo Linux partitions and files, and restart your computer. When you restart, the GRUB boot loader will start, load the Linux kernel and initramfs, and your system will begin booting.

Leave the chroot, change directory to /mnt, unmount your Funtoo partitions, and reboot.

chroot # exit
root # cd /mnt
root # umount -lR funtoo
root # reboot
Note

The Funtoo LiveCD will gracefully unmount your new Funtoo filesystems as part of its normal shutdown sequence.

You should now see your system reboot, the GRUB boot loader appear for a few seconds, and then see the Linux kernel and initramfs loading. After this, you should see Funtoo Linux itself start to boot, and you should be greeted with a login: prompt. Funtoo Linux has been successfully installed!