DSL hard drive install 'improvement' ideas
Forum: DSL Tips and Tricks
Topic: DSL hard drive install 'improvement' ideas
started by: lucky13
Posted by lucky13 on April 29 2008,21:28I've finally posted a slimmed down 'hardening' guide for DSL hard drive installs. I focused primarily on updating a few things that can be important on a networked computer, including one that surfs the Internet. That includes upgrading zlib , SSL, and SSH. Hopefully Robert will consider either updating some or all of these or using a smaller replacement like dropbear (has this been considered before?) in DSL 4.x. I also cover a few things that I think should be changed on a hard drive install such as tightening sudoers and reconfiguring ssh/d. I like to keep my secure shell secure.
My own preference is to use as little from MyDSL on hard drive install as possible. With my most recent install (yesterday), I installed GNU utils and gcc. No UCIs. These can be made to work on hard drive installs, but they're not ideal (imo).
Default kernels are for the widest (sensible) array of possible hardware on which it can be used. That's important and ideal for a live CD, but maybe not so good on a fixed hard drive. To make my point, I also compiled a kernel this afternoon to show how wide the differences between the default kernel and one compiled for a particular computer can range. In my case, I was using 16MB of RAM upon booting into runlevel 3 with an updated version of BASH and 25MB after startx and my new modules take up less than 8.5% of the hard drive space used by the default (could've been even smaller) DSL modules. This is fully functional for that particular computer. I have an image showing before and after data, but the before includes a lot more running processes instead of at boot (I'll boot the DSL kernel again and update that).
(Since someone mentioned RAM use in one of the Eee threads, those RAM numbers above include cached -- which the default torsmorc excludes from what gets displayed on your screen.)
As I note, these aren't shortcomings in DSL. You just have to remember that DSL and Knoppix were engineered to run in a completely different form from a standard hard drive install. If you use it as intended, these things don't matter so much and would be impractical -- what good would it be to set up strong passwords on a live CD anyway? When you install DSL to hard drive, you're undoing some of that CD-based engineering. You can't reboot into a restored state, you have the same issues where you left off. I left out a lot more I wanted to write about some of the scripts which are ideal if you want to use DSL as it's intended to be used but can be less than ideal -- IMO -- on a hard drive install.
The page is here:
< http://lucky13linux.wordpress.com/dsl-hard-drive-tweaks/ >
Posted by roberts on April 30 2008,15:12Dropbear and new Busybox are both likely for next 4.x
Posted by roberts on May 07 2008,02:36I have put the latest dropbear into DSL v4.4-testing and Tiny Core.
Does save us some space and much newer too.
Thanks for the suggestion.
Now on to the busybox update.
Posted by lucky13 on May 07 2008,15:19
Did you build MULTI=1 a la busybox? Did you leave out any of the program options (maybe leave out x forwarding since it only offers server?), reduce the number of encryption algorithms, or set small code? About the small code, I'm curious how accurate the comments in options.h (slows symmetrical ciphers by 50%) are. I might experiment more with it this weekend.
One more issue: sshfs. Since dropbear doesn't include sftp-server, this might be a problem for keeping sshfs (short of keeping sftp and any libs it requires -- libssh?). I don't know if there are any acceptable alternatives to openssh sftp. I'd hate to lose sshfs, but as long as I can scp I'm happy. If it is problematic, should fuse/sshfs and openssh be moved to extension?
Posted by roberts on May 08 2008,02:33I did a MULTI build. But now I see that dropbear does indeed break sshfs. I don't want to remove current features from 4.x. So, I am going to back out dropbear from 4.x and use it in tiny core only.
Tiny core is made to be small with most everything an extension. Therefore a full openssh/fuse/sshfs can be an extension for the new system.
Posted by lucky13 on May 16 2008,21:12Sort of off-topic but I mentioned the need for updating zlib+ssl+ssh in this thread and want to update something related to that.
Debian has issued an advisory about a vulnerability in their implementation of SSL. This affects Debian and all of its derivatives using their SSL package including Ubuntu. The package starts with OpenSSL version 0.9.8c-1, which was uploaded to the unstable (Etch) distribution on 2006-09-17, and subsequent versions through 16 May 2007. This doesn't affect DSL directly (see below) because DSL uses a Woody-era OpenSSL package.
Lines of code were removed that affect random number generation. Accordingly, the keys generated are guessable and susceptible to cracking, interception, etc. Debian is advising updating OpenSSL and regenerating "SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections."
This will also indirectly affect others whether they use Debian, its derivatives, any other distro, or any other operating system because many secure sites need new certificates. You may be warned that some sites you visit have new/altered certificates in the coming days (I've been flagged for a couple already, finding out that one site I use runs its servers on Ubuntu).
I have more on this on by blog.
< http://lucky13linux.wordpress.com/2008....dvisory >