SSH ramdisk environment (Was: Background fsck is broken)
Adrian Steinmann
ast at marabu.ch
Wed Dec 15 09:16:19 PST 2004
In message <43574.1103107578 at critter.freebsd.dk> it was mentioned that
in message <m33by7zula.fsf at merlin.emma.line.org>, Matthias Andree wrote:
>On my wishlist, I've always wanted a "networked single user mode"
>(i. e. only sshd running, only root login with key possible), and I've
>always wondered why the whole system recovery is focused so much on the
>principle of a "single-user console".
To which "Poul-Henning Kamp" <phk at phk.freebsd.dk> responds:
Implement it! I've wanted that for a long time too.
We have something like this is our STYX system (STYX is a Remote
Managed Firewall Service based is a hardened/reduced FreeBSD System).
What we do is create two files
/boot/maint/k.gz
/boot/maint/fs.gz
which are loaded via /boot/maint/loader.rc which contains:
unload
load /boot/maint/k
load -t md_image /boot/maint/fs
autoboot
this boots the system into a ramdisk "maintenance" mode, networked
and running a sshd. If you replace /boot/loader.rc with
/boot/maint/loader.rc and reboot, you go into this maintenance
mode.
You can then ssh as root with the correct SSH private key, and from
there, you can mess up the system at will.
This has been working nicely on 4.x and recently we got "STYX 5.3"
build working for "-current" (after we burnt the bridge to not
support having the full /boot/* including /boot/maint/* on one
floppy).
I was hoping to get geom gmirror/gbde to work in the ramdisk crunch
environment, but the geom_* programs are practically impossible to
crunch.
We haven't evangelized this work too much for lack of time, but I'd
be happy to furnish the scripts if there is interest.
Adrian
_______________________________________________
Adrian Steinmann Apollostrasse 21 8032 Zurich
Tel +41 44 380 30 80 Mailto:ast at marabu.ch
More information about the freebsd-current
mailing list