tech-install archive


sshramdisk general information



Recently, I added some code to evbarm to allow installation via sysinst over
sshd.  This allows a user to boot a headless Raspberry Pi, ssh into it as
"sysinst" with a password of "netbsd", and have it launch sysinst to begin the
installation.  It also supports the console, so if they don't want to ssh in,
they can still install normally.

There are a few reasons I think this is useful:

1) It's kinda annoying to buy an HDMI cable and USB keyboard just to install
the Pi, and then immediately disconnect them and toss them.

2) I envision this could be really useful, on a system like an NSLU2, where our
current install instructions tell the user to solder a serial port onto the
device.  In this instance, they could instead boot the image, and just ssh in
to kick sysinst off.

3) I wouldn't actually mind if other ports had this ability, as I could toss
the cd in, boot, and go back to my desk rather than standing in front of my
machine rack.


How does it work?

The embedded ramdisk contains dhcpcd and sshd. Once the ramdisk boots, it
fires up dhcpcd, gets an address, and then launches sshd.  The master.passwd
file has a sysinst user, with a homedir of /inst.  /inst contains a profile
that just kicks off sysinst.  The user then installs normally.

Putting sshd on the ramdisk image is a little tricky, as normally sshd pulls in
30-40 libraries.  To cut that down, you need to disable PAM for the sshd build.

Security implications:

It's not secure.  We are freely giving out the password for the installer in
the install instructions.  This is not a solution for network installs on an
open network.  This is designed for home users to be able to simply install
certain consumer hardware devices without needing to modify the device or
jump through hoops.

We could additionally add a build option that lets you set the encrypted
password used for the sysinst account. That would not be particularly difficult
to add.

The goal of this is to make it easier for users with devices like the Pi, or an
NSLU2 to install NetBSD.  In the case of NSLU2, I find the idea of soldering
completely unacceptable, and I suspect that is why ~nobody runs NetBSD on one.

Possible improvements:

We could add and start mdnsd before sshd to broadcast the name of the installer.

Add ssh-keygen to the ramdisk, and install the resulting host keys.

Probably a lot more.  It is by no means perfect; it just solves a small corner
case.

---
Tim Rightnour <root%garbled.net@localhost>
NetBSD: Free multi-architecture OS http://www.netbsd.org/
Genecys: Open Source 3D MMORPG: http://www.genecys.org/

